
SophosAVAgent not quitting, preventing sleep

MacBook Pro (late 2011), Yosemite 10.10.3, SAV Home Ed. 9.2.4

In the last few days, my MB Pro would not sleep fully.  When put to sleep, the display would turn off and it appeared most processes paused, but the power LED remained on and the fan continued to run.  This meant that some background processes stayed active, so every so often the fans would spin up as some housekeeping event took place - kinda annoying when the Mac is in the room where you're trying to sleep.  Rebooting the Mac had no effect - this has happened occasionally in the past, but a reboot always fixed it.

Some trawling through the logs showed that the Mac was entering the DarkSleep state rather than system sleep, due to a process refusing to allow the system sleep request.  Using the Terminal command:

pmset -g assertions

I got the following response:

Assertion status system-wide:
    BackgroundTask 0
    ApplePushServiceTask 0
    UserIsActive 1
    PreventUserIdleDisplaySleep 0
    PreventSystemSleep 1
    ExternalMedia 0
    PreventUserIdleSystemSleep 0
    NetworkClientActive 0
Listed by owning process:
    pid 75315(SophosAVAgent): [0x0000559000070880] 96:41:28 PreventSystemSleep named: "Sophos On-Demand Scan"
    pid 105(hidd): [0x00059561000907ea] 00:55:04 UserIsActive named: "com.apple.iohideventsystem.queue.tickle"
          Timeout will fire in 3593 secs Action=TimeoutActionRelease
No kernel assertions.

So, SophosAVAgent had set the PreventSystemSleep flag.  I tried turning off on-demand scanning, but the flag remained asserted until I quit SophosAVAgent via Activity Monitor.

The flag stayed 0 after I re-enabled on-demand scanning, because SophosAVAgent doesn't run until needed.  When I forced a scan of a file, thus reactivating SophosAVAgent, the flag was set again.  Once I closed the scan window, SophosAVAgent quit and the assertion was cleared.

So, it appears that SophosAVAgent asserts PreventSystemSleep, presumably to make sure the system doesn't sleep during a scan.  It is supposed to quit once it has finished the scan, which would clear the assertion, but it is occasionally failing to do so.

This may possibly be related to some odd behaviour that SAV has been exhibiting - reported threats, which then vanish from Quarantine Manager before they can be cleaned, then get reported again within a few minutes.  Is there perhaps a problem with the SophosAVAgent in the current version of SAV?



  • Hi,

    Interesting find. My guess is something is preventing the scan from completing, which in turn prevents the PreventSystemSleep flag from being reset to 0.

    One thing I would recommend would be checking both the scan logs, as well as Sophos Antivirus Log. Look for anything that indicates what could be interfering with the scan completing.

  • I did look at the Sophos logs, but the only scan logs I could find (which were in ~/Library/Logs/Sophos AntiVirus/Scans/) are for manual scans, and there are none for the approx date when insomnia started.  In fact, there are only a few, and the only recent ones are for test scans I did to check SophosAVAgent's normal behaviour.  If this was a failed scan, I'm not sure how it was triggered.

    There's nothing of interest in the /Library/Logs/Sophos AntiVirus.log file, just auto updates & Intercheck runs.

  • So, we're many months on, and now I'm on El Cap 10.11.3 and SAV 9.4.1, and it's started happening again:

    - Threat alerts that, when I open Quarantine Manager, aren't listed - the virus name is there, but no infected files, and if I hit Cleanup, it says 'No Files Quarantined'
    - SophosAVAgent stays running, and leaves the PreventSystemSleep flag set, so the system goes into DarkSleep rather than full sleep

    Previously, I thought that the insomnia happened only after I'd manually scanned a file, but it now happens when Live Protection triggers a scan. There's no SAV logging for Live Protection scans; however, the system log shows:

    SophosAVAgent[45133]: <IPCConnection: 0x1009116b0> exception raised in delegate's message handler: *** -[__NSArrayM insertObject:atIndex:]: object cannot be nil
    SophosAVAgent[62535]: <IPCConnection: 0x100d0b3c0> exception raised in delegate's message handler: *** -[__NSArrayM insertObject:atIndex:]: object cannot be nil

    The latter PID is still running, and it's still asserting PreventSystemSleep:

    pid 62535(SophosAVAgent): [0x00061fdf00070315] 00:00:29 PreventSystemSleep named: "Sophos On-Demand Scan"

    Basically, I have to remember to check whether SophosAVAgent is running before I sleep the system; I'm considering writing a script that kills any instance of SophosAVAgent, then initiates sleep.
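
Added example (not part of the original thread and not Sophos code): a Python parser for the `pmset -g assertions` per-process lines quoted in the posts above, which reports sleep-blocking assertions held longer than a threshold so a stuck agent can be spotted and logged before anything is killed. The function names and the one-hour threshold are assumptions, and the regex targets the line format shown in this thread.

```python
import re
import subprocess

# Per-process line format, as quoted in the thread:
#   pid 75315(SophosAVAgent): [0x...] 96:41:28 PreventSystemSleep named: "Sophos On-Demand Scan"
OWNER_RE = re.compile(
    r'^\s*pid (?P<pid>\d+)\((?P<proc>[^)]+)\): \[0x[0-9a-fA-F]+\] '
    r'(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) (?P<type>\w+) named: "(?P<name>[^"]*)"'
)

# Assertion types that keep the machine out of full system sleep.
BLOCKING = {"PreventSystemSleep", "PreventUserIdleSystemSleep"}

def parse_owners(text):
    """Return one dict per per-process assertion line in pmset output."""
    owners = []
    for line in text.splitlines():
        m = OWNER_RE.match(line)
        if m:
            held = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            owners.append({"pid": int(m["pid"]), "process": m["proc"],
                           "type": m["type"], "name": m["name"], "held_s": held})
    return owners

def stale_blockers(text, max_held_s=3600):
    """Sleep-blocking assertions held longer than max_held_s (assumed threshold)."""
    return [o for o in parse_owners(text)
            if o["type"] in BLOCKING and o["held_s"] > max_held_s]

# Sample copied from the output in the first post of this thread.
SAMPLE = '''Listed by owning process:
    pid 75315(SophosAVAgent): [0x0000559000070880] 96:41:28 PreventSystemSleep named: "Sophos On-Demand Scan"
    pid 105(hidd): [0x00059561000907ea] 00:55:04 UserIsActive named: "com.apple.iohideventsystem.queue.tickle"
          Timeout will fire in 3593 secs Action=TimeoutActionRelease
No kernel assertions.
'''

if __name__ == "__main__":
    # On macOS, read live output; elsewhere fall back to the embedded sample.
    try:
        text = subprocess.run(["pmset", "-g", "assertions"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE
    for o in stale_blockers(text):
        print(f'{o["process"]} (pid {o["pid"]}) has held {o["type"]} '
              f'"{o["name"]}" for {o["held_s"]}s')
```

Run from cron or a pre-sleep hook, the printed lines give a timestamped record of which PID held the assertion and for how long, which can be matched against the IPCConnection exceptions in the system log.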