Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 120 replies
  • Subscribers 6 subscribers
  • Views 1044646 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos 9 causes Mavericks to freeze

symt

Hi Everyone,

I recently got the top of the line iMac, which I was very happy with.

As I was a Mac user before, I knew which software is great and Sophos Anti-Virus for Mac was one of those.

So I had Sophos installed, from the beginning and over the time I noticed one big annoying issue:

The Mac froze from time to time. Whenever the Mac was running the whole day, it wouldn't survive without a hard-reboot any day.

It always showed the same behavior:

 1. Internet connectivity drops

 2. The beachball begins to appear, when hovering some icons in the top menu bar

 3. Programs that are connected to the internet begin to freeze (beachball)

I can't open any other programs after the Mac is in that state, the only way out is a hard reboot.

One of the last entries in the console after such a freeze is always from Sophos, like:


 

30.11.13 13:41:04,607    SophosWebD[106]    <SMENode: 0x7fedaac7a6d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:42:16,742    SophosWebD[106]    <SMENode: 0x7fedac51d7d0> localNode csc:2ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:43:34,626    SophosSXLD[107]    20131130 124334.626 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 31 has 9568 ms before it should time out\n
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
30.11.13 13:44:37,225    SophosSXLD[107]    20131130 124437.224 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 29 has 9275 ms before it should time out\n
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
23.11.13 11:48:54,983    SophosWebD[92]    <SMENode: 0x7fa7a141c300> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,719    SophosWebD[92]    <SMENode: 0x7fa7a4500160> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,727    SophosWebD[92]    <SMENode: 0x7fa7a400c410> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,735    SophosWebD[92]    <SMENode: 0x7fa7a444acd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_destination_prepare_complete 6783 connectx to IP_REMOVED_BY_ME#80 failed: 65 - No route to host
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_handle_destination_prepare_complete 6783 failed to connect
23.11.13 12:28:19,935    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:19,937    SophosSXLD[107]    daemon is running
23.11.13 12:28:21,593    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:24,000    kernel[0]    Notice - new kext com.sophos.kext.sav, v9.0.53 matches prelinked kext but can't determine if executables are the same (no UUIDs).
23.11.13 12:28:25,373    SophosAutoUpdate[112]    AlreadyRegistered
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,860    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,869    SophosSXLD[107]    sxl started
23.11.13 12:28:25,870    SophosSXLD[107]    sxl configuration succeeded
23.11.13 12:28:28,000    kernel[0]    Sophos Anti-Virus on-access kext activated
23.11.13 12:28:59,660    SophosWebD[106]    <SMENode: 0x7ff010d031e0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...
23.11.13 12:29:24,610    SophosWebD[106]    <SMENode: 0x7ff012a1e070> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,116    SophosWebD[106]    <SMENode: 0x7ff01290e8d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,123    SophosWebD[106]    <SMENode: 0x7ff0128550f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=54 "Der Vorgang konnte nicht abgeschlossen werden. Verbindung wurde von der Gegenstelle zurückgesetzt"
23.11.13 12:29:26,130    SophosWebD[106]    <SMENode: 0x7ff010c1e1f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...

   ("Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe" means "The operation couldn't be completed. Broken pipe.")

I was hoping desperately, that Sophos isn't the root cause for that freeze-behavior. I tried to remove it completely, and then re-installed again - this did not solve the issue. I then completely removed Sophos again, this appeared to be the solution. Sophos is gone, and I'm not experiencing the freezes anymore.

I'm now using a different Mac AV product, not from Sophos (:smileysad: which I'm not too happy about).

So my question: Has anyone experienced the same behavior, is this a known issue?


Another thing I'm not too happy about, is that there are still residues from the Sophos AV on my system.

For example, I'm getting those errors in the console:

08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
...

  And there is a keychain access object, which is read only and can't be removed at all!

  I tried everything - also from /System/Library/Keychains I can't remove it, as it's not listed.

Does anyone know, how to remove those leftovers?

Many thanks & best regards,
symt

 

:1014893


This thread was automatically locked due to age.
  • 0

    I've noticed the trigger conditions prior to the beachball is often as follows:

    1. Running Safari 
    2. Open a Safari tab with a page including a streaming video.
    3. Click on video: a background or foreground pop up dialog opens in Safari.
    4. Stream content 
    5. Repeat until a new video causes 'power saver' in flash --which prevents video from playing without clicking ok on flash popup in video
    6. Stream content until wifi network icon in Mavericks turns from black to grey (beach ball shows up)
    7. Or simply close Safari after power saver will gnerally trigger beach ball. 
    8. Anytime beach ball shows up, power off is nearly always required (OS X restart is disabled by beach ball) 

    Somehow because the network pipe is broken any crash logs are very rarely reported to Apple for improvements to OS X Mavericks. Sophos on Mavericks is turning into Windows Vista like exhaustion. 

    :1016675
  • FormerMember
    0 FormerMember

    My Mac also is freezing, but I'm not sure if the problem is the same as this thread. Somebody suggested I cross-post here, in case y'all can help me. Here's my other post:

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/quot-InterCheck-thread-caught-burning-CPU-quot/td-p/16741

    ----------------------

    Twice my MacBook Air running ox x 10.9.2 and Sophos home edition 9.0.8 has gone unresponsive with a beachball, requiring restart, with the following in the logs:

    "InterCheck[32673] thread 516075 caught burning CPU! "

    and

    "InterCheck[32673] caught causing excessive wakeups"

    Here's these lines in context:

    Apr 7 11:14:20 haywire.local com.sophos.intercheck[32673]: Info: On-access scanner started at 11:14 on 07 April 2014
    Apr 7 11:44:49 haywire kernel[0]: process InterCheck[32673] thread 516075 caught burning CPU! It used more than 50% CPU (Actual recent usage: 80%) over 180 seconds. thread lifetime cpu usage 91.382063 seconds, (89.651012 user, 1.731051 system) ledger info: balance: 90008073040 credit: 91368350374 debit: 1360277334 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 112342164928
    Apr 7 11:45:16 haywire kernel[0]: process InterCheck[32673] caught causing excessive wakeups. Observed wakeups rate (per sec): 824; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 47330

    I'm blaming InterCheck for the hanging, because they were the last log entries before the restart was required. Can someone tell me what these log entries mean, if this is a known problem, and a possible way to avoid this situation?

    Thanks!

    :1016745
  • 0
    quinncom wrote:

    My Mac also is freezing, but I'm not sure if the problem is the same as this thread. Somebody suggested I cross-post here, in case y'all can help me. Here's my other post:

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/quot-InterCheck-thread-caught-burning-CPU-quot/td-p/16741

    ----------------------

    Apr 7 11:14:20 haywire.local com.sophos.intercheck[32673]: Info: On-access scanner started at 11:14 on 07 April 2014

    Apr 7 11:44:49 haywire kernel[0]: process InterCheck[32673] thread 516075 caught burning CPU! It used more than 50% CPU (Actual recent usage: 80%) over 180 seconds. thread lifetime cpu usage 91.382063 seconds, (89.651012 user, 1.731051 system) ledger info: balance: 90008073040 credit: 91368350374 debit: 1360277334 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 112342164928
    Apr 7 11:45:16 haywire kernel[0]: process InterCheck[32673] caught causing excessive wakeups. Observed wakeups rate (per sec): 824; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 47330

    I'm blaming InterCheck for the hanging, because they were the last log entries before the restart was required. Can someone tell me what these log entries mean, if this is a known problem, and a possible way to avoid this situation?

    This message is pretty straightforward (its exactly as stated: InterCheck is very busy). InterCheck is the on-access scanner, and if you end up scanning very large files (or very complex files) this can happen. I'd be really interested to know more about what sort of files you might be accessing regularly that could be causing InterCheck to work very hard. Do you have "Scan inside archives and compressed files" enabled? That particular setting can make InterCheck's life very busy.

    :1016747

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • FormerMember
    0 FormerMember
    bobcook wrote:

    This message is pretty straightforward (its exactly as stated: InterCheck is very busy). InterCheck is the on-access scanner, and if you end up scanning very large files (or very complex files) this can happen. I'd be really interested to know more about what sort of files you might be accessing regularly that could be causing InterCheck to work very hard. Do you have "Scan inside archives and compressed files" enabled? That particular setting can make InterCheck's life very busy.

    Is there a log which would show which files are being accessed? I haven't been doing anything that would require heavy files. When it crashed, I think I was writing emails in Gyazmail. The other programs I had running were Chrome, TextMate, YoruFukurou, nvAlt, Terminal, Calendar, Skype, KeePassX and iTunes. 

    I do have "Scan inside archives and compressed files" enabled, but I will disable that now.

    Quinn

    :1016749
  • 0
    quinncom wrote:

    Is there a log which would show which files are being accessed? 

    We don't write such a log, this would consume a lot of system resources just trying to keep up. Your Mac is accessing a lot of files all the time. We run our scanning in memory, trying to avoid reading or writing anything to disk whenever possible (writing to disk is slow, in computer speeds).

    Really want to know what your Mac is doing with the filesystem? You can run the command "sudo fs_usage -e -f pathname" in Terminal to see a real-time listing of files accessed by the running applications (this will slow things down a bit, or maybe a lot). The usual caveats about running commands as "sudo" applies.

    :1016751

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • 0

    Just wanted to add my voice here. One Macbook Air laptop out of a few Mac laptops and desktops in our household is suffering this problem. Escalating beachball problems until forced to restart via power button.Last time left it for several minutes and it spontaneously came to life. Uninstalled Sophos and all fine.

    :1017083
  • 0

    I've been using SOPHOS because I am provided with an educational licence from my university. I had a good run with it, up until the damned SOPHOS 9! I've been frustrated with the exact same problems described above for months! And as far as I know, many of my schoolmates who also upgraded to SOPHOS 9 on their Mac machines experienced the same problem.  I really hope that it will be addressed in coming updates ASAP!

    P.S. I run Mavericks on a Macbook Pro 13-inch, and I strongly concur with  as to the descriptions of the "trigger conditions".

    :1017091
  • FormerMember
    0 FormerMember

    Since disabling  "Scan inside archives and compressed files" I have not experienced any further crashes.

    :1017095
  • 0

    Count me as a 'me too'.

    I've seen this for seveal weeks when streaming video over a few hours with both Chrome and Firefox. Video stalls, browser beachballs, attempts to open console or activity monitor beachball, force quit not effective. I have tried waiting for it to self resolve on one occasion, but gave up after a couple of hours.

    Trying to reproduce now with web surveilance off as suggested.

    MacBookPro9,2; 16GB; 500GB

    System Version: OS X 10.9.2 (13C1021)

    Kernel Version: Darwin 13.1.0

    Google Chrome Version 34.0.1847.131

    Firefox 28.0; Flash 13.0.0.201

    Sophos 9.0.8; Threat detection engine: 3.50.1; Threat data&colon; 4.98

     

    Logs show broken pipe errors in bursts for some time before hang.

    5/1/14 10:37:44.922 AM SophosWebD[66]: <SMENode: 0x7f823580fbf0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:37:45.545 AM SophosWebD[66]: <SMENode: 0x7f823592c160> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:39:33.896 AM SophosWebD[66]: <SMENode: 0x7f8235927450> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:39:34.300 AM SophosWebD[66]: <SMENode: 0x7f823583fde0> localNode csc:2ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:41:35.150 AM SophosWebD[66]: <SMENode: 0x7f823585da10> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"

    [...]

    5/1/14 10:47:10.781 AM SophosWebD[66]: <SMENode: 0x7f823580e8d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:47:10.794 AM SophosWebD[66]: <SMENode: 0x7f823591f090> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:48:14.174 AM SophosWebD[66]: <SMENode: 0x7f8233513d90> localNode csc:2ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:48:19.692 AM SophosWebD[66]: <SMENode: 0x7f8233582b20> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"

    [...]

    5/1/14 10:58:07.774 AM SophosWebD[66]: <SMENode: 0x7f823593aad0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"
    5/1/14 10:58:13.385 AM SophosWebD[66]: <SMENode: 0x7f8235909430> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "The operation couldn’’’’t be completed. Broken pipe"

    [...]

    5/1/14 11:00:10.000 AM bootlog[0]: BOOT_TIME 1398967210 0

    :1017145
  • 0

    Happy to help Sophos test the solution. I can produce the beachball nearly every time after playing video with Safari. Chrome, where I listen to the Gillmor Gang on Techcrunch via Ustream.tv for 90 minutes locks up after I move the cursor outside the browser frame, to the Mac OS X top menu controls (if the wi-fi network activity icon does not turn grey before hand). I thought Mavericks updates 10.9.1 or 10.9.2 may have corrected this issue, alas not. Sometimes even switching my machine off is hard, the beachball just spins and has interrupted all Mac shut down capabilites. So it's really a hard power down by holding the power button in until finally the Mac will reset by turning off. I have checked the Apple Corp support forums, and this is a rare issue, many more people are reporting similar beachball issues under Mavericks. Apple seems oblivous to replying to anyone at all (I have reported this issue 2 or 3 times). I wonder if the SSD HD will get corrupted with this action. 

    :1017147
Unfiltered HTML