
Sophos 9 causes Mavericks to freeze

Hi Everyone,

I recently got the top of the line iMac, which I was very happy with.

As I was a Mac user before, I knew which software is great, and Sophos Anti-Virus for Mac was one of those.

So I had Sophos installed from the beginning, and over time I noticed one big, annoying issue:

The Mac froze from time to time. Whenever the Mac was running the whole day, it wouldn't survive without a hard reboot any day.

It always showed the same behavior:

 1. Internet connectivity drops

 2. The beachball begins to appear, when hovering some icons in the top menu bar

 3. Programs that are connected to the internet begin to freeze (beachball)

I can't open any other programs after the Mac is in that state, the only way out is a hard reboot.

One of the last entries in the console after such a freeze is always from Sophos, like:


 

30.11.13 13:41:04,607    SophosWebD[106]    <SMENode: 0x7fedaac7a6d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:42:16,742    SophosWebD[106]    <SMENode: 0x7fedac51d7d0> localNode csc:2ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:43:34,626    SophosSXLD[107]    20131130 124334.626 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 31 has 9568 ms before it should time out\n
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
30.11.13 13:44:37,225    SophosSXLD[107]    20131130 124437.224 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 29 has 9275 ms before it should time out\n
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
23.11.13 11:48:54,983    SophosWebD[92]    <SMENode: 0x7fa7a141c300> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,719    SophosWebD[92]    <SMENode: 0x7fa7a4500160> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,727    SophosWebD[92]    <SMENode: 0x7fa7a400c410> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,735    SophosWebD[92]    <SMENode: 0x7fa7a444acd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_destination_prepare_complete 6783 connectx to IP_REMOVED_BY_ME#80 failed: 65 - No route to host
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_handle_destination_prepare_complete 6783 failed to connect
23.11.13 12:28:19,935    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:19,937    SophosSXLD[107]    daemon is running
23.11.13 12:28:21,593    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:24,000    kernel[0]    Notice - new kext com.sophos.kext.sav, v9.0.53 matches prelinked kext but can't determine if executables are the same (no UUIDs).
23.11.13 12:28:25,373    SophosAutoUpdate[112]    AlreadyRegistered
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,860    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,869    SophosSXLD[107]    sxl started
23.11.13 12:28:25,870    SophosSXLD[107]    sxl configuration succeeded
23.11.13 12:28:28,000    kernel[0]    Sophos Anti-Virus on-access kext activated
23.11.13 12:28:59,660    SophosWebD[106]    <SMENode: 0x7ff010d031e0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...
23.11.13 12:29:24,610    SophosWebD[106]    <SMENode: 0x7ff012a1e070> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,116    SophosWebD[106]    <SMENode: 0x7ff01290e8d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,123    SophosWebD[106]    <SMENode: 0x7ff0128550f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=54 "Der Vorgang konnte nicht abgeschlossen werden. Verbindung wurde von der Gegenstelle zurückgesetzt"
23.11.13 12:29:26,130    SophosWebD[106]    <SMENode: 0x7ff010c1e1f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...

   ("Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe" means "The operation couldn't be completed. Broken pipe.")

I was hoping desperately that Sophos wasn't the root cause of that freeze behavior. I tried to remove it completely and then re-installed it again - this did not solve the issue. I then completely removed Sophos again, and this appeared to be the solution. Sophos is gone, and I'm not experiencing the freezes anymore.

I'm now using a different Mac AV product, not from Sophos (which I'm not too happy about).

So my question: Has anyone experienced the same behavior, is this a known issue?


Another thing I'm not too happy about is that there are still residues from Sophos AV on my system.

For example, I'm getting those errors in the console:

08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
...

  And there is a keychain access object, which is read-only and can't be removed at all!

  I tried everything - I also can't remove it from /System/Library/Keychains, as it's not listed.

Does anyone know how to remove those leftovers?

Many thanks & best regards,
symt

 

:1014893


This thread was automatically locked due to age.
  • Hi Bob,

    I've switched from Sophos Enterprise to Home Edition for about a month now and have not experienced the hangs.
    Thanks for looking into this.

    Cheers,

    K.

    :1018517
  • Thanks for the update, good to hear. You should be able to go back to the enterprise version as of 9.1.6 (which starts rollout to all customers this week).

    :1018535

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Had been experiencing intermittent freezes on my MacBook Pro for the past few weeks, which in the end led me to believe something was wrong with the hardware (just couldn't pinpoint the problem). Ended up buying a brand new retina 15" yesterday (my machine going down is my office going down), and it just froze as well... So this basically told me it was a software issue. One of the things I did install recently was Sophos Home Edition, and I'm reading here all the symptoms I've been seeing. A colleague of mine has also been reporting similar issues. Have not confirmed yet that Sophos is the culprit, but it looks likely. Not too happy about the wasted hours and to have made a $ investment in a new machine, though I may opt to return it. If 9.1 is addressing all this, what do I need to get access to the preview edition?

    best

    *K

    :1018617
  • Hello kulnor,

    Upgrading to the 9.1 version is simple. See this post: http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/SAV-for-Mac-9-1-Preview/td-p/18025

    :1018619

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thanks all for this thread. I took two suggestions (to stop the local backup and exclude caches from Sophos' scan) and the "hang everything until you can force quit and then reboot" problem seems to have gone away.

    Using Home 9.1.5 on a 2014 MacBook Air w/Chrome, Safari and Firefox browsers (in frequency of use order).

    :1019179

  • So is this actually going to be fixed in the Sophos AV code?

    I have the latest version and am still getting 10min lockups (exactly 10min) on a regular basis - today has been especially bad for some reason :(

    I've been trying to figure the problem for a while now and have just come across this thread!


    The system log stalls with no updates and the following are the last few entries:

      03/10/2014 15:54:59.304 com.apple.mtmd[54]: Set snapshot time: 2014-10-03 15:55:01 +0100 (current time: 2014-10-03 15:54:59 +0100)
      03/10/2014 15:54:59.320 com.apple.backupd[8959]: Attempting to mount network destination URL: afp://mylocation/TimeCapsuleBACKUP
      03/10/2014 15:54:59.611 NetAuthSysAgent[8961]: TUAMHandler:: SetUAMType setting UAMType to 13


    And these are then presented in the system log 10min later:

      03/10/2014 16:05:00.000 kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff803a906000][original:0xffffff803a906000][callback: 0 count:261 ] onaccessctl_check:1827 result:0 disconnected:0
      03/10/2014 16:05:00.000 kernel[0]: sav: current scan list:
      03/10/2014 16:05:00.000 kernel[0]: sav: (pid 54 [mtmd], vnode 0xffffff803a906000 [/Users/myname/Library/Application Support/Google/Chrome/Default/Session Storage/000483.log], [context 0xffffff8054570110] [result 0] [setup 0] [disconnected 0] [vfsbusy 0]) - 1 waiter(s)
      03/10/2014 16:05:00.000 kernel[0]: sav: available kctl entries: 9
      03/10/2014 16:05:00.000 kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff803fa2d000
      03/10/2014 16:05:00.000 kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
      03/10/2014 16:05:00.000 kernel[0]: sav: onaccess_send: NULL target or context; request:3 kctl_entry:0xffffff803fa2d000
      03/10/2014 16:05:00.000 kernel[0]: sav: onaccess_send: SAV_KCTL_REQ_COMPLETE, intercheck_done()
      03/10/2014 16:05:00.000 kernel[0]: nspace-handler-unblock: did not find token 623979
      03/10/2014 16:05:00.785 com.apple.mtmd[54]: handler unblock failed. (status=-1/errno=2/token=623979/fd=5)
      03/10/2014 16:05:01.317 xpcproxy[8991]: assertion failed: 13E28: xpcproxy + 3438 [D559FC96-E6B1-363A-B850-C7AC9734F210]: 0x2

    Exactly 10min after the lockup starts, this appears in the Sophos Anti-Virus.log

      com.sophos.intercheck: Issue: Could not scan /Users/myname/Library/Application Support/Google/Chrome/Default/Session Storage/000483.log
      com.sophos.intercheck: An unexpected error occurred
      com.sophos.intercheck:

    It seems that the simplest solution without losing functionality is to uninstall Sophos (Home Edition 9.1.5) and install another AV system (or have I misunderstood the root cause)??

    :1019387

  • cyberkryten wrote:


    So is this actually going to be fixed in the Sophos AV code? 


    If it was reproducible for us, we could fix it. We don't understand why it's happening and we are a little baffled why it's still happening for some people. The 9.1.5 update appeared to resolve it for most folks.

    You might try excluding "/Users/myname/Library/Application Support/Google/Chrome/" from Time Machine backups. The "mtmd" process is related to Time Machine.

    :1019389

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • I've added an attempt at logging the state of some things on the machine, but it didn't happen at all yesterday (after happening almost every hour when the Time Machine backup kicked in on Friday), so I can see why it is hard to track, as some days it happens constantly and it can then go several days without occurring at all.

    Is the 10min mutex block for access to the file a Sophos timeout or a core OSX kernel one?  I just wondered if there was any way of reducing that as it is the long delay which is such a problem (one minute would be annoying, but far less so than ten minutes).

    If there's anything specific you think might help track it down let me know - obviously I'm limited in what I can do whilst it is hung (commands like 'ps' don't work and often 'ls' fails too)

    In case it helps tie things up with any other user reports, I rarely reboot my machine (uptime 22 days right now) and as an ex-Windows user I usually have MS Remote Desktop and Parallels running, with Mac versions of Word/Excel.  I also have Chrome and Firefox open, along with about 10-20 Terminal windows, most of which are SSHd onto other machines.

    I use the Macbook screen, alongside two external ones (one Displayport connected and the other HDMI).

    Martyn

    :1019409
  • Months later: Sophos 9.2.4 (fresh install -- first time). Yosemite 10.10.3. Hangs up the machine and requires a hard reset, every time I try to do a full scan. The last log message in Console of any kind is at 16:12, even though the machine sat there with a beach-ball cursor until 09:40 this morning, when I hard-reset it.

    :1020949

  • mshappe wrote:

    Months later: Sophos 9.2.4 (fresh install -- first time). Yosemite 10.10.3. Hangs up the machine and requires a hard reset, every time I try to do a full scan. The last log message in Console of any kind is at 16:12, even though the machine sat there with a beach-ball cursor until 09:40 this morning, when I hard-reset it.


    This is a curious case because you say "full scan" - previous efforts have involved the on-access scanner. Can you look in the Console app, in system.log, for entries containing "EWOULDBLOCK"? That message, plus the lines around it, might give some indicator to what has happened.

    :1020959

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
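
Added example (not part of the thread and not Sophos code): a Python script for the check suggested in the last reply, which finds `EWOULDBLOCK` entries in system.log and reads the scan-list lines around them to show which process and file the on-access scanner was waiting on. It assumes the `dd/mm/yyyy hh:mm:ss.mmm sender[pid]: message` layout quoted in the 03/10/2014 post; the sample log is constructed from those lines and `find_stalls` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample, built from the system.log lines quoted in the thread.
SAMPLE_LOG = """\
03/10/2014 15:54:59.320 com.apple.backupd[8959]: Attempting to mount network destination URL: afp://mylocation/TimeCapsuleBACKUP
03/10/2014 15:54:59.611 NetAuthSysAgent[8961]: TUAMHandler:: SetUAMType setting UAMType to 13
03/10/2014 16:05:00.000 kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff803a906000][original:0xffffff803a906000][callback: 0 count:261 ] onaccessctl_check:1827 result:0 disconnected:0
03/10/2014 16:05:00.000 kernel[0]: sav: current scan list:
03/10/2014 16:05:00.000 kernel[0]: sav: (pid 54 [mtmd], vnode 0xffffff803a906000 [/Users/myname/Library/Application Support/Google/Chrome/Default/Session Storage/000483.log], [context 0xffffff8054570110] [result 0] [setup 0] [disconnected 0] [vfsbusy 0]) - 1 waiter(s)
03/10/2014 16:05:00.000 kernel[0]: sav: available kctl entries: 9
"""

# Assumed line layout: "dd/mm/yyyy hh:mm:ss.mmm sender[pid]: message"
LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\S+?)\[(\d+)\]: (.*)$")
# One "current scan list" entry: requesting pid/process, vnode, and file path
SCAN = re.compile(r"\(pid (\d+) \[([^\]]+)\], vnode (0x[0-9a-f]+) \[(.+?)\], \[context")
WAIT = re.compile(r"(\d+) waiter\(s\)")

def find_stalls(text):
    """Return one dict per EWOULDBLOCK event: log gap before it and scans in flight."""
    stalls, prev_ts, current = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S.%f")
        sender, msg = m.group(2), m.group(4)
        if sender == "kernel" and msg.startswith("sav:"):
            if "[EWOULDBLOCK]" in msg:
                # Silence in the log before this line approximates the hang length.
                gap = (ts - prev_ts).total_seconds() if prev_ts else None
                current = {"time": ts, "gap_seconds": gap, "scans": []}
                stalls.append(current)
            elif current and (s := SCAN.search(msg)):
                w = WAIT.search(msg)
                current["scans"].append({
                    "pid": int(s.group(1)), "process": s.group(2),
                    "path": s.group(4), "waiters": int(w.group(1)) if w else 0,
                })
        else:
            current = None  # a non-sav line ends the scan-list dump
        prev_ts = ts
    return stalls

if __name__ == "__main__":
    for stall in find_stalls(SAMPLE_LOG):
        print(stall["time"], "log gap before (s):", stall["gap_seconds"])
        for scan in stall["scans"]:
            print("  ", scan["process"], scan["pid"], scan["path"], scan["waiters"])
```

The paths it reports are the candidates for the Time Machine or scan exclusions discussed in the replies above.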