Version 9.4.0 Preview Now Available [Update: release candidate build published today]

---

catnip689 wrote:

As happened with the previous version, the new version worked for a day or two now won't stop downloading on iMac with Yosemite, can't even cancel the download.

---

Weird. Not heard of this type of issue in a long time. Can you get a sample of what the "SophosAutoUpdate" process is doing when its stuck like this? You can get one via the Activity Monitor. Switch to view all processes, find SophosAutoUpdate, and select "Sample Process".

You can kill SophosAutoUpdate through Activity Monitor as well.

I'm also be interested to get a network trace of what SophosAutoUpdate is doing when it gets stuck. Assuming its a reproducible problem (sounds like it is) then start up Terminal and run this command:

sudo tcpdump -i en0 -w ~/Desktop/sau-capture.pcap port 80

Note that command assumes your external network interface is en0. And this command will capture *all* HTTP traffic when its run, so be cautious about what you are doing when you run the capture command. I recommend stopping your web browser before stating the capture.

When the capture has finished, press Control-C then find the file on our desktop. You can send it to me directly, or post it here. Note that anything you post here can be read by pretty much the entire world.

Using Sophos 9.4.0 preview with System Integrity Protection turned off in El Capitan beta 6, the temperature rising in my 5,1 Mac Pro shortly after boot tipped me off to check Activity Monitor. With 6 cores and 12 threads available, Sophos InterCheck was using nearly four of them (380.6% CPU). The other Processes were mostly mdworker, mds and mds_stores and they were all under 5% utilization. I haven't seen usage like that with the release version of Sophos. Is that some new feature at work?

---

ZRL1 wrote:

Using Sophos 9.4.0 preview with System Integrity Protection turned off in El Capitan beta 6, the temperature rising in my 5,1 Mac Pro shortly after boot tipped me off to check Activity Monitor. With 6 cores and 12 threads available, Sophos InterCheck was using nearly four of them (380.6% CPU). The other Processes were mostly mdworker, mds and mds_stores and they were all under 5% utilization. I haven't seen usage like that with the release version of Sophos. Is that some new feature at work?

---

Its not anything we specifically added. That does seem suspicious. I haven't seen that in our own testing so far, but its something I'll get the team to look at specifically. Thanks for the info!

Curious - have you tried the PUA detection and authorization workflow? Its not precisely the same user workflow as our Windows endpoint product, so very interested to know whether we've made the right design choices.

---

bobcook wrote:

---

...Curious - have you tried the PUA detection and authorization workflow? Its not precisely the same user workflow as our Windows endpoint product, so very interested to know whether we've made the right design choices.

---

Hadn't tried it yet so I just tried it now, in a Yosemite Virtual Machine snapshot. I'd say it works quite well and the interfaces that pop up give helpful but not overwhelming information. My VM screen size is only 1600x1200 so the windows get a bit crowded, especially since the browser which makes the download connection fills a good portion of that screen, but the warning windows come forward, which is a good thing.

In my case, a portion of the file had made its way to my desktop before the download was blocked (I'm using Firefox so the download screening is browser-independent) and was visible.  I tried that a second time while running a full HD scan and it seemed not to slow down at all while again catching the PUA. One wrinkle is that Firefox was still asking me what I wanted to do with the file when Sophos caught and stopped it and then deleted it; the FIrefox dialog box with the choices was still open. As a test, I switched the option from opening with TextEdit to saving the file and clicked OK. The file appeared briefly on the desktop and then disappeared, presumably caught and deleted again by Sophos, but this time around there was no further notification. Since most people save downloads to the Downloads folder, it wouldn't be immediately apparent what happened. It's possible users would worry that the inadvertent download made it through the second time without being caught, though the Sophos log shows the capture and delete worked again, just not with the notifications.

The PUA intercept is definitely a valuable new feature.

BTW, I managed to take a screen shot of the Activity Monitor window with the high CPU usage I'd mentioned and I'll email it to you shortly.

Before the new forum ate recent messages I was have a conversation with Bob Cook about the following Scan Log message:

"Corrupt file: /Users/Specimen/Library/Containers/ca.kirara.poison.next/Data/Library/Mail/V2/IMAP-XXXXXXXXXX@imap.XXXXXXXXX.com/INBOX.mbox/D9B113E3-D5A6-4B54-A803-3DE2DB8A1676/Data/9/5/Attachments/59424/4/XXXXXXX.doc" (I redacted all personal information from the path)

This file is actually an alias to the original file, but it was the only alias that Sophos flagged, and Bob suggested I check the checksum of the alias and the original.
And I have checked (using shasum) and they give the exact same checksum.

So, it's still unclear why Sophos is specifically flagging this file (as it did not flag the original as a Corrupt file).

Hi Bob,

I just noticed that the 9.4.0 beta got a 35+MB update when I initiated "Update Now" and the beta symbol has been dropped. Is that now the release version for beta testers and/or the final build?