This discussion has been locked.

Sophos 9 causes Mavericks to freeze

Hi Everyone,

I recently got the top of the line iMac, which I was very happy with.

As I was a Mac user before, I knew which software is great and Sophos Anti-Virus for Mac was one of those.

So I had Sophos installed from the beginning, and over time I noticed one big, annoying issue:

The Mac froze from time to time. Whenever the Mac was running the whole day, it wouldn't survive without a hard-reboot any day.

It always showed the same behavior:

 1. Internet connectivity drops

 2. The beachball begins to appear, when hovering some icons in the top menu bar

 3. Programs that are connected to the internet begin to freeze (beachball)

I can't open any other programs after the Mac is in that state, the only way out is a hard reboot.

One of the last entries in the console after such a freeze is always from Sophos, like:


 

30.11.13 13:41:04,607    SophosWebD[106]    <SMENode: 0x7fedaac7a6d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:42:16,742    SophosWebD[106]    <SMENode: 0x7fedac51d7d0> localNode csc:2ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:43:34,626    SophosSXLD[107]    20131130 124334.626 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 31 has 9568 ms before it should time out\n
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
30.11.13 13:44:37,225    SophosSXLD[107]    20131130 124437.224 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 29 has 9275 ms before it should time out\n
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
23.11.13 11:48:54,983    SophosWebD[92]    <SMENode: 0x7fa7a141c300> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,719    SophosWebD[92]    <SMENode: 0x7fa7a4500160> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,727    SophosWebD[92]    <SMENode: 0x7fa7a400c410> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,735    SophosWebD[92]    <SMENode: 0x7fa7a444acd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_destination_prepare_complete 6783 connectx to IP_REMOVED_BY_ME#80 failed: 65 - No route to host
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_handle_destination_prepare_complete 6783 failed to connect
23.11.13 12:28:19,935    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:19,937    SophosSXLD[107]    daemon is running
23.11.13 12:28:21,593    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:24,000    kernel[0]    Notice - new kext com.sophos.kext.sav, v9.0.53 matches prelinked kext but can't determine if executables are the same (no UUIDs).
23.11.13 12:28:25,373    SophosAutoUpdate[112]    AlreadyRegistered
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,860    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,869    SophosSXLD[107]    sxl started
23.11.13 12:28:25,870    SophosSXLD[107]    sxl configuration succeeded
23.11.13 12:28:28,000    kernel[0]    Sophos Anti-Virus on-access kext activated
23.11.13 12:28:59,660    SophosWebD[106]    <SMENode: 0x7ff010d031e0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...
23.11.13 12:29:24,610    SophosWebD[106]    <SMENode: 0x7ff012a1e070> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,116    SophosWebD[106]    <SMENode: 0x7ff01290e8d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,123    SophosWebD[106]    <SMENode: 0x7ff0128550f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=54 "Der Vorgang konnte nicht abgeschlossen werden. Verbindung wurde von der Gegenstelle zurückgesetzt"
23.11.13 12:29:26,130    SophosWebD[106]    <SMENode: 0x7ff010c1e1f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...

   ("Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe" means "The operation couldn't be completed. Broken pipe.")

I was desperately hoping that Sophos isn't the root cause of that freeze behavior. I tried removing it completely and then reinstalling it; this did not solve the issue. I then completely removed Sophos again, and this appeared to be the solution. Sophos is gone, and I'm not experiencing the freezes anymore.

I'm now using a different Mac AV product, not from Sophos (which I'm not too happy about).

So my question: Has anyone experienced the same behavior, is this a known issue?


Another thing I'm not too happy about is that there are still residues from the Sophos AV on my system.

For example, I'm getting those errors in the console:

08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
...

  And there is a keychain access object, which is read only and can't be removed at all!

  I tried everything - also from /System/Library/Keychains I can't remove it, as it's not listed.

Does anyone know how to remove those leftovers?

Many thanks & best regards,
symt

 

  • I've had various forms of this issue across multiple versions of Sophos AV and MacOS for a while now. Same basic signature in the system.log. Now that said I have noticed that if you are patient and wait long enough the system will come back and become responsive again.

    Have you looked into Time Machine as being a portion of the magic that makes the problem happen? On my MacBook Air, the most recent occurrence of the hang started when backupd tried to do its thing while my MBA was connected to a network, but not the network where my Time Machine lives.

    Feb 6 16:28:36 gadget.local apsd[230]: Unrecognized leaf certificate
    Feb 6 16:31:05 gadget.local com.apple.backupd[9287]: Starting automatic backup
    Feb 6 16:31:06 gadget kernel[0]: nspace-handler-set-snapshot-time: 1391722268
    Feb 6 16:31:06 gadget.local com.apple.mtmd[55]: Set snapshot time: 2014-02-06 16:31:08 -0500 (current time: 2014-02-06 16:31:06 -0500)
    Feb 6 16:31:36 gadget.local com.apple.backupd[9287]: Attempting to mount network destination URL: afp://csdibiase@homenas.local/Time%20Machine
    Feb 6 16:41:06 gadget kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff80292563c0][original:0xffffff80292563c0][callback: 0 count:264 ] onaccessctl_check:1825 result:0 disconnected:0
    Feb 6 16:41:06 gadget kernel[0]: sav: current scan list:
    Feb 6 16:41:06 gadget kernel[0]: sav: (pid 55 [mtmd], vnode 0xffffff80292563c0 [/Users/csdibiase/Library/Application Support/Google/Chrome/Default/Session Storage/000935.log], [context 0xffffff80211eb5f0] [result 0] [setup 0] [disconnected 0] [vfsbusy 0]) - 1 waiter(s)
    Feb 6 16:41:06 gadget kernel[0]: sav: available kctl entries: 9
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8020537000
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8020537000
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: NULL target or context; request:3 kctl_entry:0xffffff8020537000
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: SAV_KCTL_REQ_COMPLETE, intercheck_done()
    Feb 6 16:41:06 gadget kernel[0]: nspace-handler-unblock: did not find token 232823
    Feb 6 16:41:06 gadget.local com.apple.mtmd[55]: handler unblock failed. (status=-1/errno=2/token=232823/fd=5)
    Feb 6 16:41:06 gadget com.apple.launchd.peruser.501[185]: Background: ?S?V[3141] disappeared out from under us (UID: 501 EUID: 501)
    Feb 6 16:41:07 gadget.local SophosWebD[82]: <SMENode: 0x7f8ebb7216c0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’t be completed. Broken pipe"
    Feb 6 16:41:12 gadget.local NetAuthSysAgent[9295]: ERROR: AFP_GetServerInfo - connect failed 64
    Feb 6 16:41:12 gadget.local com.apple.backupd[9287]: NAConnectToServerSync failed with error: 64 for url: afp://csdibiase@homenas.local/Time%20Machine
    Feb 6 16:41:12 gadget.local com.apple.backupd[9287]: Backup failed with error 18: The backup disk could not be found.

    The lock up condition only impacted apps that were attempting to access disk. As I had terminal open already I was able to monitor the system.log while Chrome and other apps (including force quit) were beach balled. In this case the event started at 16:31 and ended at 16:41 in line with backupd's log messages.
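
The correlation described in the reply above (a backupd network mount attempt whose window lines up with the Sophos on-access and web-daemon errors), as an added example that is not part of the original thread: a small Python pass over system.log that pairs each mount attempt with its failure and lists the Sophos errors logged in between. The function names, the 30-second slack and the default year are assumptions; the sample lines are abridged from the excerpt above.

```python
import re
from datetime import datetime, timedelta

# Log lines abridged from the excerpt in the reply above (syslog format, no year).
SAMPLE = """\
Feb 6 16:31:05 gadget.local com.apple.backupd[9287]: Starting automatic backup
Feb 6 16:31:36 gadget.local com.apple.backupd[9287]: Attempting to mount network destination URL: afp://csdibiase@homenas.local/Time%20Machine
Feb 6 16:41:06 gadget kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff80292563c0] onaccessctl_check:1825 result:0 disconnected:0
Feb 6 16:41:07 gadget.local SophosWebD[82]: localNode csc:1ERROR! encountered an error while writing to outputstream
Feb 6 16:41:12 gadget.local com.apple.backupd[9287]: Backup failed with error 18: The backup disk could not be found.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)\[(\d+)\]: (.*)$")

def parse(text, year=2014):
    """Yield (timestamp, process, message) for each well-formed syslog line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip continuation lines and anything malformed
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3), m.group(5)

def stall_windows(text, slack=timedelta(seconds=30)):
    """Pair each backupd mount attempt with its failure and list the Sophos
    on-access / web-daemon errors logged inside that window (plus slack)."""
    windows, start = [], None
    events = list(parse(text))
    for ts, proc, msg in events:
        if proc == "com.apple.backupd" and msg.startswith("Attempting to mount"):
            start = ts
        elif proc == "com.apple.backupd" and msg.startswith("Backup failed") and start:
            hits = [(t, p) for t, p, m in events
                    if start <= t <= ts + slack
                    and ((p == "kernel" and m.startswith("sav: [EWOULDBLOCK]"))
                         or (p.startswith("Sophos") and "ERROR" in m))]
            windows.append({"start": start, "end": ts,
                            "seconds": (ts - start).total_seconds(), "sophos": hits})
            start = None
    return windows

if __name__ == "__main__":
    for w in stall_windows(SAMPLE):
        print(f"{w['start']:%H:%M:%S} -> {w['end']:%H:%M:%S} "
              f"({w['seconds']:.0f}s), {len(w['sophos'])} Sophos error(s)")
```

A window of several minutes with Sophos errors inside it matches the pattern in the reply; a mount failure with no Sophos entries in the window points elsewhere.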
