
Sophos 9 causes Mavericks to freeze

Hi Everyone,

I recently got the top of the line iMac, which I was very happy with.

As I was a Mac user before, I knew which software is great and Sophos Anti-Virus for Mac was one of those.

So I had Sophos installed from the beginning, and over time I noticed one big annoying issue:

The Mac froze from time to time. Whenever the Mac was running the whole day, it wouldn't survive without a hard-reboot any day.

It always showed the same behavior:

 1. Internet connectivity drops

 2. The beachball begins to appear, when hovering some icons in the top menu bar

 3. Programs that are connected to the internet begin to freeze (beachball)

I can't open any other programs after the Mac is in that state, the only way out is a hard reboot.

One of the last entries in the console after such a freeze is always from Sophos, like:


 

30.11.13 13:41:04,607    SophosWebD[106]    <SMENode: 0x7fedaac7a6d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:42:16,742    SophosWebD[106]    <SMENode: 0x7fedac51d7d0> localNode csc:2ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:43:34,626    SophosSXLD[107]    20131130 124334.626 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 31 has 9568 ms before it should time out\n
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
30.11.13 13:44:37,225    SophosSXLD[107]    20131130 124437.224 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 29 has 9275 ms before it should time out\n
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
23.11.13 11:48:54,983    SophosWebD[92]    <SMENode: 0x7fa7a141c300> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,719    SophosWebD[92]    <SMENode: 0x7fa7a4500160> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,727    SophosWebD[92]    <SMENode: 0x7fa7a400c410> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,735    SophosWebD[92]    <SMENode: 0x7fa7a444acd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_destination_prepare_complete 6783 connectx to IP_REMOVED_BY_ME#80 failed: 65 - No route to host
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_handle_destination_prepare_complete 6783 failed to connect
23.11.13 12:28:19,935    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:19,937    SophosSXLD[107]    daemon is running
23.11.13 12:28:21,593    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:24,000    kernel[0]    Notice - new kext com.sophos.kext.sav, v9.0.53 matches prelinked kext but can't determine if executables are the same (no UUIDs).
23.11.13 12:28:25,373    SophosAutoUpdate[112]    AlreadyRegistered
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,860    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,869    SophosSXLD[107]    sxl started
23.11.13 12:28:25,870    SophosSXLD[107]    sxl configuration succeeded
23.11.13 12:28:28,000    kernel[0]    Sophos Anti-Virus on-access kext activated
23.11.13 12:28:59,660    SophosWebD[106]    <SMENode: 0x7ff010d031e0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...
23.11.13 12:29:24,610    SophosWebD[106]    <SMENode: 0x7ff012a1e070> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,116    SophosWebD[106]    <SMENode: 0x7ff01290e8d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,123    SophosWebD[106]    <SMENode: 0x7ff0128550f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=54 "Der Vorgang konnte nicht abgeschlossen werden. Verbindung wurde von der Gegenstelle zurückgesetzt"
23.11.13 12:29:26,130    SophosWebD[106]    <SMENode: 0x7ff010c1e1f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...

   ("Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe" means "The operation couldn't be completed. Broken pipe.")

I was hoping desperately, that Sophos isn't the root cause for that freeze-behavior. I tried to remove it completely, and then re-installed again - this did not solve the issue. I then completely removed Sophos again, this appeared to be the solution. Sophos is gone, and I'm not experiencing the freezes anymore.

I'm now using a different Mac AV product, not from Sophos (:smileysad: which I'm not too happy about).

So my question: Has anyone experienced the same behavior, is this a known issue?


Another thing I'm not too happy about, is that there are still residues from the Sophos AV on my system.

For example, I'm getting those errors in the console:

08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
...

  And there is a keychain access object, which is read only and can't be removed at all!

  I tried everything - also from /System/Library/Keychains I can't remove it, as it's not listed.

Does anyone know, how to remove those leftovers?

Many thanks & best regards,
symt

 



  • I don't think that Stanford's VPN solution will check for an active AV system. I'd just try to uninstall Sophos.

    But yeah, very sad that there doesn't seem to be a solution yet. I'm assuming that you're using the Enterprise version of Sophos AV?

    The Sophos Home version here was always a good solution for myself at home.

    And also always a good reference point, when rating AV systems, as I'm working as an IT representative in an environment where we might be searching for a new AV solution.

    But if the Enterprise version of Sophos might have the same issues, it's definitely xed out of my list now.

  • It's been really difficult to understand what is happening. The "crash log" that was posted in the beginning of this thread hasn't really shed light on what might be going on, but it certainly confirms your machine is having network communications problems. Which is what you described.

    The SXL process (SophosSXLD) cannot by itself hang your machine. It's a user-space process that does not interact with the kernel. The log messages from that process are a symptom of whatever else is happening, not the cause.

    However, there are things you can experiment with, to better isolate the issue. As you can guess from this thread, it's not something we can reproduce in the lab. If we could reproduce it, we could fix it. So far we've received only the info in this thread, which hasn't really been specific enough to identify the root cause.

    Firstly, turn off all of the features that interact with the network: Web Protection (both settings) and Live Protection. This will rule out any issues that involve the network. Run in this configuration long enough to convince yourself it's either better, worse, or no different. Assuming it's different (and perhaps better), turn on one feature at a time to see which is the culprit.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Hi Bob,

    I'm sorry, but as there isn't a kernel panic happening, I can't provide any other log.

    Please setup a Mountain Lion system in your "lab", with Sophos 9 installed. Then upgrade to Mavericks and spend a day browsing the web.

    That's exactly what many other users have described here. They upgraded to Mavericks and then those issues started to occur.

    Please look at all the posts here.

    Thanks and have a great week!

    And please excuse me for my bad problem description, as you probably could guess, English is not my main language.
  • I checked, Web Protection (both settings) and Live Protection were off (unchecked). I'm using Stanford's default settings (I think). So I reset each tab to default settings (which seem to be off), as you requested (I don't think I made any changes).

    Here's the only crash log I managed to collect + network and hardware summary. I'm open to trying out a beta or anything to resolve this. THX

    Anonymous UUID:       D4B218E4-DEFA-B1D3-0D74-2C8AB39D611A

    Thu Dec  5 19:31:14 2013

    panic(cpu 0 caller 0xffffff801300d4f4): slab_nextptr_panic: mcache.cl buffer 0xffffff8091363800 in slab 0xffffff807e66bed8 modified after free at offset 0: 0x656230d801404a88 out of range [0xffffff808e914000-0xffffff8092914000)

    Backtrace (CPU 0), Frame : Return Address


          Kernel Extensions in backtrace:

             com.apple.driver.AirPort.Atheros40(700.74.5)[2F5C3DED-44C1-36EC-B09B-13FFB36DFBE7]@0xffffff7f935c3000->0xffffff7f9370cfff

                dependency: com.apple.iokit.IO80211Family(600.34)[5B1818BB-0831-3BD1-B7E2-3D9BD0FD3818]@0xffffff7f9354b000

                dependency: com.apple.iokit.IONetworkingFamily(3.2)[1EAD69CB-6AB4-387F-94C4-8FAAFF28354C]@0xffffff7f934d9000

                dependency: com.apple.iokit.IOPCIFamily(2.8)[447B4896-16FF-3616-95A2-1C516B2A1498]@0xffffff7f931fe000

    BSD process name corresponding to current thread: kernel_task

    Mac OS version:

    13A603

    Kernel version:

    Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64

    Kernel UUID: 1D9369E3-D0A5-31B6-8D16-BFFBBB390393

    Kernel slide:     0x0000000012a00000

    Kernel text base: 0xffffff8012c00000

    System model name: iMac11,3 (Mac-F2238BAE)

    System uptime in nanoseconds: 13756700047311

    last loaded kext at 22948219682: com.apple.driver.AppleBluetoothHIDKeyboard          170.15 (addr 0xffffff7f94428000, size 20480)

    last unloaded kext at 204321373816: com.apple.driver.AppleUSBUHCI          650.4.0 (addr 0xffffff7f93464000, size 65536)

    loaded kexts:

    org.openafs.filesystems.afs          1.4.11

    com.sophos.kext.sav          9.0.53

    com.sophos.nke.swi          9.0.53


    Model: iMac11,3, BootROM IM112.0057.B01, 4 processors, Intel Core i5, 2.8 GHz, 4 GB, SMC 1.59f2

    Graphics: ATI Radeon HD 5750, ATI Radeon HD 5750, PCIe, 1024 MB

    Memory Module: BANK 0/DIMM0, 2 GB, DDR3, 1333 MHz, 0x80CE, 0x4D34373142353637334648302D4348392020

    Memory Module: BANK 1/DIMM0, 2 GB, DDR3, 1333 MHz, 0x80CE, 0x4D34373142353637334648302D4348392020

    AirPort: spairport_wireless_card_type_airport_extreme (0x168C, 0x8F), Atheros 9280: 4.0.74.0-P2P

    Bluetooth: Version 4.2.0f6 12982, 3 services, 23 devices, 1 incoming serial ports

    Network Service: AirPort, AirPort, en1

    Serial ATA Device: OPTIARC DVD RW AD-5680H

    Serial ATA Device: APPLE SSD TS256B, 251 GB

    USB Device: Hub

    USB Device: SNA-DC/U

    USB Device: Internal Memory Card Reader

    USB Device: BRCM2046 Hub

    USB Device: Bluetooth USB Host Controller

    USB Device: Hub

    USB Device: USB Mass Storage Device

    USB Device: IR Receiver

    USB Device: Built-in iSight

    Thunderbolt Bus:

    Here's network


      Type:    AirPort
      Hardware:    AirPort
      BSD Device Name:    en1
      IPv4 Addresses:    192.168.0.101
      IPv4:
      Addresses:    192.168.0.101
      ARPResolvedHardwareAddress:    00:18:e7:d5:17:a1
      ARPResolvedIPAddress:    192.168.0.1
      Configuration Method:    DHCP
      Interface Name:    en1
      Network Signature:    IPv4.Router=192.168.0.1;IPv4.RouterHardwareAddress=00:18:e7:d5:17:a1
      Router:    192.168.0.1
      Subnet Masks:    255.255.255.0
      IPv6:
      Configuration Method:    Automatic
      DNS:
      Domain Name:    hsd1.wa.comcast.net.
      Server Addresses:    192.168.0.1
      DHCP Server Responses:
      Domain Name:    hsd1.wa.comcast.net.
      Domain Name Servers:    192.168.0.1
      Lease Duration (seconds):    0
      DHCP Message Type:    0x05
      Routers:    192.168.0.1
      Server Identifier:    192.168.0.1
      Subnet Mask:    255.255.255.0
      Ethernet:
      MAC Address:    redacted
      Media Options:    
      Media Subtype:    Auto Select
      Proxies:
      Exceptions List:    *.local, 169.254/16
      FTP Passive Mode:    Yes
      Service Order:    4

    Hardware Overview:

      Model Name:    iMac
      Model Identifier:    iMac11,3
      Processor Name:    Intel Core i5
      Processor Speed:    2.8 GHz
      Number of Processors:    1
      Total Number of Cores:    4
      L2 Cache (per Core):    256 KB
      L3 Cache:    8 MB
      Memory:    4 GB
      Processor Interconnect Speed:    4.8 GT/s
      Boot ROM Version:    IM112.0057.B01
      SMC Version (system):    1.59f2
      Serial Number (system):    YD0510A3GZQ
      Hardware UUID:    redacted.


  • symt wrote:
    Please setup a Mountain Lion system in your "lab", with Sophos 9 installed. Then upgrade to Mavericks and spend a day browsing the web.

    Hi symt,

    Yep we've been doing that for a long time now. We extensively test every release across many machines - some have 10.9 installed cleanly, others are upgrades as you describe. I've been running our V9 software on 10.9 at home (upgraded from 10.8.5 the day that Mavericks was released) for many months. Many of the dev team have been doing the same. Internally we've been testing with pre-release builds of 10.9 since it was first available to developers. If this was a generic issue, or a simple issue to discover, we'd have reproduced it and fixed it already.

    Please understand that we really are trying to better research this issue, such that we can reproduce it (and of course fix it). I believe this is a real problem, but so far we have not been able to make it happen ourselves. It's not for a lack of trying though.

    Can you send me a System Profile report of your affected system? Maybe we should try installing all of the same software you have installed on your system, as perhaps it's an interaction issue. Note that although the System Profile report won't normally contain any personal information such as passwords, you should review it before sending it to me to ensure it doesn't accidentally disclose something you didn't want to disclose (it contains details of your user names, network environment, names of disks, etc).

    If anyone having this problem is geographically close to Vancouver, BC, Canada then drop me a note, we can investigate your machine in person. Seriously.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Hey Bob,

    At that time I didn't have many programs installed. I think, about the only one was Little Snitch.

    I probably won't play around much with my running system.

    But I can definitely organize some Macs and try to reproduce it, by exactly configuring them like the affected system, or even by cloning the disk to those.

    If I can reproduce it, we could think about e.g. me sending you the disk - let's see.

    Cheers,

    symt

  • FWIW -- I just ran across a user having similar problems:   Running Mac OSX 10.9.1 (upgrade over 10.8.5) with Sophos 8.0.x (Enterprise version).

    User would be working on his computer and then would get SPODs that would make it unusable and he'd have to power down manually.   This has happened multiple times this morning.   Looking at his system log when these instances happened, it's chock full of these:

    Jan 31 09:18:09 <hostnameredacted> SophosWebD[85]: <SMENode: 0x7f8f9c11f4c0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’t be completed. Broken pipe"

    as above.   I have uninstalled Sophos 8 and installed Sophos 9 (now at 9.0.7) and am waiting to see if this problem recurs.

    But, according to the system log, these messages seem to happen about 2 minutes after an IDE update.  Example:

    Jan 31 10:32:32 <hostnameredacted> SophosSXLD[87]: sxl started

    Jan 31 10:32:32 <hostnameredacted> SophosSXLD[87]: sxl configuration succeeded

    Jan 31 10:32:32 <hostnameredacted> blued[73]: link key found for device: 10-9a-dd-7f-f1-17

    Jan 31 10:32:33 <hostnameredacted> scanserver[88]: IDEs: 

    Using IDE files:


    and then two minutes later (again):

    Jan 31 10:34:23 <hostnameredacted> SophosWebD[86]: <SMENode: 0x7f93ebd0f490> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’t be completed. Broken pipe"

    This happened 4 times this morning to the same user.

    We're waiting to see what happens now that he's been upgraded to Sophos 9 (we've turned the On Access Scanner off for this test -- it was on with Sophos 8...)

  • BWO update, I took Bob Cook up on his offer to visit Sophos Labs in Vancouver, BC yesterday, driving up from the USA with my iMac 27 inch. The painful issue that troubles a few of us here could not be duplicated on my machine in the lab (same as when you take your car into the shop). Then, through the investigation of a dedicated Sophos Software Engineer along with the expertise of others, looking beyond red herrings in the logs, a deeply interactive issue turned up, involving a trifecta of update timing, watcher software, and power management (I think). It feels like all 3 have to fall into perfect alignment to trigger the issue. It was great seeing the initiative to action and attention given to pin-pointing this rare issue.


  • maser wrote:

    Jan 31 09:18:09 <hostnameredacted> SophosWebD[85]: <SMENode: 0x7f8f9c11f4c0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’t be completed. Broken pipe"


    That error message is not really an error that (by itself) can cause the types of system instability reported in this thread. This error is being reported from our "proxy" (the software sitting between your browser and the remote web server) when one side of the connection is unexpectedly closed. This actually happens rather frequently from many web servers, as it turns out, because it's faster to abruptly close a TCP socket than to perform an orderly shutdown. For very popular web servers, performance of the TCP socket communications is super important. Anyways, the worst-case situation is that your web browser (and only your web browser) would be affected.

    Yesterday, due to the very generous time and energy of another user, we discovered an avenue for further investigation. His machine is using a separate software package that is also watching for file system activity, but doing it via the disk arbitration interface rather than through a kext. We don't yet fully understand why it's problematic, but we could see strong evidence of serious incompatibility between this software package and ours.

    If you are having instability problems on your Mac, it would be useful to hear about the third party software (non-Apple) you use which provides file system monitoring or user control features. The System Information tool (System Profiler) can list every installed application very easily.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
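The behaviour described in the reply above, shown as an added example (not Sophos code and not part of the original post): a relay writes to two local connections, one of which its peer has already closed. The write fails with EPIPE, the errno 32 seen in the `NSPOSIXErrorDomain Code=32` log lines, and only that one connection is affected. The names `relay` and `demo` and the socket pairs are constructed for illustration.

```python
import errno
import socket


def relay(payload, clients):
    """Write payload to every client socket and return {name: outcome}.

    A client whose peer has already closed raises EPIPE (errno 32). That
    connection is dropped and the loop carries on with the remaining ones.
    """
    outcomes = {}
    for name, sock in clients.items():
        try:
            sock.sendall(payload)
            outcomes[name] = "delivered"
        except OSError as exc:
            # Anything other than a closed/reset peer is a real fault.
            if exc.errno not in (errno.EPIPE, errno.ECONNRESET):
                raise
            outcomes[name] = errno.errorcode[exc.errno]
            sock.close()
    return outcomes


def demo():
    # Constructed stand-ins for two browser connections to a local proxy.
    proxy_a, browser_a = socket.socketpair()
    proxy_b, browser_b = socket.socketpair()
    browser_a.close()  # this peer goes away before the proxy writes to it
    try:
        result = relay(b"HTTP/1.1 200 OK\r\n\r\n", {"a": proxy_a, "b": proxy_b})
        received = browser_b.recv(64)  # the healthy connection still gets data
    finally:
        for s in (proxy_a, proxy_b, browser_b):
            s.close()
    return result, received


if __name__ == "__main__":
    print(demo())
```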

  • I've had various forms of this issue across multiple versions of Sophos AV and MacOS for a while now. Same basic signature in the system.log. Now, that said, I have noticed that if you are patient and wait long enough, the system will come back and become responsive again.

    Have you looked into Time Machine as being a portion of the magic that makes the problem happen? On my MacBook Air, the most recent occurrence of the hang started when backupd tried to do its thing while my MBA was connected to a network, but not the network where my Time Machine lives.

    Feb 6 16:28:36 gadget.local apsd[230]: Unrecognized leaf certificate
    Feb 6 16:31:05 gadget.local com.apple.backupd[9287]: Starting automatic backup
    Feb 6 16:31:06 gadget kernel[0]: nspace-handler-set-snapshot-time: 1391722268
    Feb 6 16:31:06 gadget.local com.apple.mtmd[55]: Set snapshot time: 2014-02-06 16:31:08 -0500 (current time: 2014-02-06 16:31:06 -0500)
    Feb 6 16:31:36 gadget.local com.apple.backupd[9287]: Attempting to mount network destination URL: afp://csdibiase@homenas.local/Time%20Machine
    Feb 6 16:41:06 gadget kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff80292563c0][original:0xffffff80292563c0][callback: 0 count:264 ] onaccessctl_check:1825 result:0 disconnected:0
    Feb 6 16:41:06 gadget kernel[0]: sav: current scan list:
    Feb 6 16:41:06 gadget kernel[0]: sav: (pid 55 [mtmd], vnode 0xffffff80292563c0 [/Users/csdibiase/Library/Application Support/Google/Chrome/Default/Session Storage/000935.log], [context 0xffffff80211eb5f0] [result 0] [setup 0] [disconnected 0] [vfsbusy 0]) - 1 waiter(s)
    Feb 6 16:41:06 gadget kernel[0]: sav: available kctl entries: 9
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8020537000
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8020537000
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: NULL target or context; request:3 kctl_entry:0xffffff8020537000
    Feb 6 16:41:06 gadget kernel[0]: sav: onaccess_send: SAV_KCTL_REQ_COMPLETE, intercheck_done()
    Feb 6 16:41:06 gadget kernel[0]: nspace-handler-unblock: did not find token 232823
    Feb 6 16:41:06 gadget.local com.apple.mtmd[55]: handler unblock failed. (status=-1/errno=2/token=232823/fd=5)
    Feb 6 16:41:06 gadget com.apple.launchd.peruser.501[185]: Background: ?S?V[3141] disappeared out from under us (UID: 501 EUID: 501)
    Feb 6 16:41:07 gadget.local SophosWebD[82]: <SMENode: 0x7f8ebb7216c0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’t be completed. Broken pipe"
    Feb 6 16:41:12 gadget.local NetAuthSysAgent[9295]: ERROR: AFP_GetServerInfo - connect failed 64
    Feb 6 16:41:12 gadget.local com.apple.backupd[9287]: NAConnectToServerSync failed with error: 64 for url: afp://csdibiase@homenas.local/Time%20Machine
    Feb 6 16:41:12 gadget.local com.apple.backupd[9287]: Backup failed with error 18: The backup disk could not be found.

    The lock up condition only impacted apps that were attempting to access disk. As I had terminal open already I was able to monitor the system.log while Chrome and other apps (including force quit) were beach balled. In this case the event started at 16:31 and ended at 16:41 in line with backupd's log messages.

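The correlation made in the post above (backupd starting a backup, then the `sav` kernel messages ten minutes later), written as an added example that is not part of the original thread. It parses system.log lines copied from that post, measures the gap between the backup start and the first `sav: [EWOULDBLOCK]` entry, and lists the process and file the kext reports as waiting. The function names are hypothetical, and the year 2014 is assumed from the `mtmd` line in the same excerpt, since syslog timestamps carry no year.

```python
import re
from datetime import datetime

# Lines copied from the system.log excerpt in the post above.
SAMPLE = """\
Feb 6 16:31:05 gadget.local com.apple.backupd[9287]: Starting automatic backup
Feb 6 16:31:36 gadget.local com.apple.backupd[9287]: Attempting to mount network destination URL: afp://csdibiase@homenas.local/Time%20Machine
Feb 6 16:41:06 gadget kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff80292563c0][original:0xffffff80292563c0][callback: 0 count:264 ] onaccessctl_check:1825 result:0 disconnected:0
Feb 6 16:41:06 gadget kernel[0]: sav: (pid 55 [mtmd], vnode 0xffffff80292563c0 [/Users/csdibiase/Library/Application Support/Google/Chrome/Default/Session Storage/000935.log], [context 0xffffff80211eb5f0] [result 0] [setup 0] [disconnected 0] [vfsbusy 0]) - 1 waiter(s)
Feb 6 16:41:12 gadget.local com.apple.backupd[9287]: Backup failed with error 18: The backup disk could not be found.
"""

# timestamp, host (ignored), process name, pid, message
ENTRY = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([^\[\s]+)\[(\d+)\]: (.*)$")
# one entry of the kext's "current scan list": pid, process name, file path
BLOCKED = re.compile(r"sav: \(pid (\d+) \[([^\]]+)\], vnode \S+ \[([^\]]+)\]")


def parse(log_text, year=2014):
    """Yield (datetime, process, message) for each well-formed syslog line."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(4)


def stall_report(log_text, year=2014):
    """Return the backup-start to sav-timeout window, or None if not present."""
    start = timeout = None
    blocked = []
    for when, proc, msg in parse(log_text, year):
        if proc == "com.apple.backupd" and msg.startswith("Starting automatic backup"):
            start, timeout, blocked = when, None, []  # a new backup resets the window
        elif start and proc == "kernel" and msg.startswith("sav: [EWOULDBLOCK]"):
            timeout = timeout or when  # keep the first timeout after the start
        elif timeout and proc == "kernel":
            m = BLOCKED.match(msg)
            if m:
                blocked.append((int(m.group(1)), m.group(2), m.group(3)))
    if not (start and timeout):
        return None
    return {"start": start, "timeout": timeout, "blocked": blocked,
            "stalled_seconds": int((timeout - start).total_seconds())}


if __name__ == "__main__":
    print(stall_report(SAMPLE))
```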