
Sophos 9 causes Mavericks to freeze

Hi Everyone,

I recently got the top of the line iMac, which I was very happy with.

As I was a Mac user before, I knew which software is great and Sophos Anti-Virus for Mac was one of those.

So I had Sophos installed from the beginning, and over time I noticed one big annoying issue:

The Mac froze from time to time. Whenever the Mac was running the whole day, it wouldn't survive without a hard-reboot any day.

It always showed the same behavior:

 1. Internet connectivity drops

 2. The beachball begins to appear, when hovering some icons in the top menu bar

 3. Programs that are connected to the internet begin to freeze (beachball)

I can't open any other programs after the Mac is in that state, the only way out is a hard reboot.

One of the last entries in the console after such a freeze is always from Sophos, like:


 

30.11.13 13:41:04,607    SophosWebD[106]    <SMENode: 0x7fedaac7a6d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:42:16,742    SophosWebD[106]    <SMENode: 0x7fedac51d7d0> localNode csc:2ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
30.11.13 13:43:34,626    SophosSXLD[107]    20131130 124334.626 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 31 has 9568 ms before it should time out\n
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:43:36,420    SophosSXLD[107]    20131130 124336.419 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
30.11.13 13:44:37,225    SophosSXLD[107]    20131130 124437.224 P       107 T      1522 ------ 2             - Warning: EARLY TIMEOUT: dns context 29 has 9275 ms before it should time out\n
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522      2 2   - sxe_write_to(): Error writing to socket=7: (64) Host is down
30.11.13 13:44:38,652    SophosSXLD[107]    20131130 124438.652 P       107 T      1522 ------ 1   - Failed to send SXL request 4097: error=ERROR_INTERNAL
23.11.13 11:48:54,983    SophosWebD[92]    <SMENode: 0x7fa7a141c300> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,719    SophosWebD[92]    <SMENode: 0x7fa7a4500160> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,727    SophosWebD[92]    <SMENode: 0x7fa7a400c410> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 11:53:45,735    SophosWebD[92]    <SMENode: 0x7fa7a444acd0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_destination_prepare_complete 6783 connectx to IP_REMOVED_BY_ME#80 failed: 65 - No route to host
23.11.13 12:16:44,382    SophosWebIntelligence[92]    tcp_connection_handle_destination_prepare_complete 6783 failed to connect
23.11.13 12:28:19,935    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:19,937    SophosSXLD[107]    daemon is running
23.11.13 12:28:21,593    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:24,000    kernel[0]    Notice - new kext com.sophos.kext.sav, v9.0.53 matches prelinked kext but can't determine if executables are the same (no UUIDs).
23.11.13 12:28:25,373    SophosAutoUpdate[112]    AlreadyRegistered
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,857    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,860    SophosSXLD[107]    Unusable network configuration, sxl daemon is not listenning for queries.
23.11.13 12:28:25,869    SophosSXLD[107]    sxl started
23.11.13 12:28:25,870    SophosSXLD[107]    sxl configuration succeeded
23.11.13 12:28:28,000    kernel[0]    Sophos Anti-Virus on-access kext activated
23.11.13 12:28:59,660    SophosWebD[106]    <SMENode: 0x7ff010d031e0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...
23.11.13 12:29:24,610    SophosWebD[106]    <SMENode: 0x7ff012a1e070> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,116    SophosWebD[106]    <SMENode: 0x7ff01290e8d0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
23.11.13 12:29:26,123    SophosWebD[106]    <SMENode: 0x7ff0128550f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=54 "Der Vorgang konnte nicht abgeschlossen werden. Verbindung wurde von der Gegenstelle zurückgesetzt"
23.11.13 12:29:26,130    SophosWebD[106]    <SMENode: 0x7ff010c1e1f0> localNode csc:1ERROR! encountered an error while writing to outputstream| error:Error Domain=NSPOSIXErrorDomain Code=32 "Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe"
...

   ("Der Vorgang konnte nicht abgeschlossen werden. Defekte Pipe" means "The operation couldn't be completed. Broken pipe.")

I was hoping desperately, that Sophos isn't the root cause for that freeze-behavior. I tried to remove it completely, and then re-installed again - this did not solve the issue. I then completely removed Sophos again, this appeared to be the solution. Sophos is gone, and I'm not experiencing the freezes anymore.

I'm now using a different Mac AV product, not from Sophos (:smileysad: which I'm not too happy about).

So my question: Has anyone experienced the same behavior, is this a known issue?


Another thing I'm not too happy about, is that there are still residues from the Sophos AV on my system.

For example, I'm getting those errors in the console:

08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:08:11,860 com.apple.security.XPCKeychainSandboxCheck[1735]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
08.12.13 15:12:31,672 com.apple.security.XPCKeychainSandboxCheck[1973]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
09.12.13 14:06:40,338 com.apple.security.XPCKeychainSandboxCheck[280]: Can't get sandbox fs extension for /Library/Sophos Anti-Virus/Sophos.keychain, status=-1 errno=No such file or directory ext=(null)
...

  And there is a keychain access object, which is read only and can't be removed at all!

  I tried everything - also from /System/Library/Keychains I can't remove it, as it's not listed.

Does anyone know, how to remove those leftovers?

Many thanks & best regards,
symt

 



  • Any solutions to this so far? I can't use Safari anymore and Chrome is horrible at battery management.


  • Abdiaziz wrote:

    Any solutions to this so far? I can't use Safari anymore and Chrome is horrible at battery management.


    I'm getting the same problems with Chrome. Unchecking the live shield and URL checking seemed to sort the issue out for a while.

  • Yup, got the same issue with Chrome. Switched to Avast! until further updates.

  • Do these system log entries shed any light on the matter? ...

    May 7 08:52:52 xxxxxx SophosAutoUpdate[75]: objc[75]: Class SAVCFReadStreamPersistentThreadManager is implemented in both /Library/Sophos Anti-Virus/Libraries/libSULObjC.dylib and /Library/Sophos Anti-Virus/SophosAutoUpdate.app/Contents/MacOS/SophosAutoUpdate. One of the two will be used. Which one is undefined.
    May 7 08:52:52 xxxxxx SophosAutoUpdate[75]: objc[75]: Class SAVCFReadStream is implemented in both /Library/Sophos Anti-Virus/Libraries/libSULObjC.dylib and /Library/Sophos Anti-Virus/SophosAutoUpdate.app/Contents/MacOS/SophosAutoUpdate. One of the two will be used. Which one is undefined.

    Mavericks 10.9.2, SAV 9.0.8


  • Eric wrote:

    Do these system log entries shed any light on the matter? ...


    We don't believe so. Those messages are coming from the loader, and it indicates that our software has multiple copies of the function named "SAVCFReadStreamPersistentThreadManager" - multiple doesn't mean different or problematic though. There is only one implementation, two copies though, which is why this message occurs. Although the message is technically correct, it doesn't matter which copy the loader picks.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • I've been witnessing this issue also, along with a few other users; however, it appears to be limited to laptops and is possibly due to the local snapshots taken by Time Machine. That's when it appears to freeze up for exactly 10 minutes before it's usable again. The freezing started at 2:02 and ended at 2:12; here is part of the log:

    5/8/14 2:02:09.000 PM kernel[0]: nspace-handler-set-snapshot-time: 1399572131
    5/8/14 2:02:09.781 PM com.apple.mtmd[55]: Set snapshot time: 2014-05-08 14:02:11 -0400 (current time: 2014-05-08 14:02:09 -0400)
    5/8/14 2:03:05.248 PM WindowServer[109]: disable_update_timeout: UI updates were forcibly disabled by application "Finder" for over 1.00 seconds. Server has re-enabled them.
    5/8/14 2:03:19.249 PM WindowServer[109]: disable_update_likely_unbalanced: UI updates still disabled by application "Finder" after 15.00 seconds (server forcibly re-enabled them after 1.00 seconds). Likely an unbalanced disableUpdate call.
    5/8/14 2:12:09.000 PM kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff806e348b40][original:0xffffff806e348b40][callback: 0 count:271 ] onaccessctl_check:1825 result:0 disconnected:0
    5/8/14 2:12:09.000 PM kernel[0]: sav: current scan list:
    5/8/14 2:12:09.000 PM kernel[0]: sav: (pid 55 [mtmd], vnode 0xffffff806e348b40 [/Users/bperri1/Library/Application Support/Google/Chrome/Default/Session Storage/000478.log], [context 0xffffff8053651350] [result 0] [setup 0] [disconnected 0] [vfsbusy 0]) - 1 waiter(s)
    5/8/14 2:12:09.000 PM kernel[0]: sav: available kctl entries: 9
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8053b53000
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8053b53000
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8053b53000
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: NULL target or context; request:0 kctl_entry:0xffffff8053b53000
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: not SAV_KCTL_REQ_COMPLETE, return ENOMEM
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: NULL target or context; request:3 kctl_entry:0xffffff8053b53000
    5/8/14 2:12:09.000 PM kernel[0]: sav: onaccess_send: SAV_KCTL_REQ_COMPLETE, intercheck_done()
    5/8/14 2:12:09.838 PM com.sophos.intercheck[594]: Issue: Could not scan /Users/bperri1/Library/Application Support/Google/Chrome/Default/Session Storage/000478.log
    5/8/14 2:12:09.838 PM com.sophos.intercheck[594]: An unexpected error occurred
    5/8/14 2:12:09.000 PM kernel[0]: nspace-handler-unblock: did not find token 13862
    5/8/14 2:12:09.937 PM com.apple.mtmd[55]: handler unblock failed. (status=-1/errno=2/token=13862/fd=5)
    5/8/14 2:12:10.158 PM WindowServer[109]: common_reenable_update: UI updates were finally reenabled by application "Finder" after 545.92 seconds (server forcibly re-enabled them after 1.00 seconds)
    5/8/14 2:12:10.377 PM Finder[311]: void CGSUpdateManager::log() const: conn 0xe713: spurious update.
    5/8/14 2:12:10.643 PM com.apple.prefs.backup.remoteservice[2030]: assertion failed: 13C1021: liblaunch.dylib + 25164 [38D1AB2C-A476-385F-8EA8-7AB604CA1F89]: 0x25
    5/8/14 2:12:10.659 PM com.apple.prefs.backup.remoteservice[2030]: assertion failed: 13C1021: liblaunch.dylib + 25164 [38D1AB2C-A476-385F-8EA8-7AB604CA1F89]: 0x25
    5/8/14 2:12:11.014 PM com.apple.prefs.backup.remoteservice[2030]: Bogus event received by listener connection:
    <error: 0x7fff791eeb50> { count = 1, contents =
    "XPCErrorDescription" => <string: 0x7fff791eee60> { length = 18, contents = "Connection invalid" }
    }
    5/8/14 2:12:14.644 PM InstallHelper[2037]: SophosAutoUpdate: Starting installation
    5/8/14 2:12:14.644 PM InstallHelper[2037]: SophosAutoUpdate: Installation Deployer
    5/8/14 2:12:15.806 PM scanserver[596]: Scan server shutting down...
    5/8/14 2:12:16.215 PM scanserver[596]: Server stopped
    5/8/14 2:12:17.750 PM com.sophos.intercheck[2047]: Info: ic_worker_start: kext already loaded at 14:12 on 08 May 2014
    5/8/14 2:12:17.790 PM scanserver[2049]: server started!
    5/8/14 2:12:17.989 PM SophosManagementAgent[2051]: objc[2051]: Class SAVGlobalSettingsClient is implemented in both /Library/Sophos Anti-Virus/RMS/Adapters/ALC.dylib and /Library/Sophos Anti-Virus/RMS/Adapters/SAV.dylib. One of the two will be used. Which one is undefined.
    5/8/14 2:12:17.989 PM SophosManagementAgent[2051]: objc[2051]: Class SophosDistantObject is implemented in both /Library/Sophos Anti-Virus/RMS/Adapters/ALC.dylib and /Library/Sophos Anti-Virus/RMS/Adapters/SAV.dylib. One of the two will be used. Which one is undefined.
    5/8/14 2:12:21.591 PM com.sophos.autoupdate[93]: Checked primary server http://sophos1-prod.cc.nd.edu/SophosUpdate/CIDs/S000/ESCOSX: Sophos Anti-Virus was updated

  • My Sophos experience. My Macbook is awesome. My Mac is abysmal. I traced how SophosWebIntelli moves up the mem stack right behind com.apple.Webkit just prior to Safari beachballing.

    Looks like a deadly embrace set up.  

    com.apple.WebKit 2572K+ 2467+ 141M+ 117M+ 3872M+ 484M+ 5579K+ 194M+
    SophosWebIntelli 0B 1374+ 19M+ 15M+ 2442M+ 52M+ 1338K+ -10M+
     
     
    ...there has to be a rare special condition setting up the deadly embrace on very few Macs. Is it Dropbox + Google Music loaded?

    Run this terminal command on your Macs... at bash prompt $

    top -l 1 -n 10 -o mreg -S -stats command,purg,mreg,mem,rprvt,vsize,vprvt,kprvt,kshrd

  • I signed up for Sophos just to chime in.

    Not that it helps contribute to the solution, but I'm very thankful to have found this thread when googling for why my brand new macbook was freezing up for 10 minutes at a time several times per day.  Some of the suggestions for disabling certain Sophos features didn't work, so I've just disabled Sophos altogether, and since then, everything runs smoothly.

    For what it's worth, many of my coworkers run the exact same set up but don't have this issue.

    I'll keep an eye on this thread.  I'm not very technical, but if there's more I can do to help, I'll follow along.  


  • tonywhite wrote:

    I signed up for Sophos just to chime in.


    Thanks, very appreciated.


    tonywhite wrote:

    freezing up for 10 minutes at a time several times per day.


    Ten minutes is a very interesting number. There is a built-in "last ditch" timeout in the on-access scanner that is exactly ten minutes long. It's long enough to be noticeable, but it's never supposed to be needed. There will be some info in your system log that uses the phrase "[EWOULDBLOCK]" that I'd be very interested to see.


    tonywhite wrote:

    For what it's worth, many of my coworkers run the exact same set up but don't have this issue.


    Also very, very interesting. Any ideas you have about the difference (e.g. run different software, use a different external drive, etc) might help pinpoint what is happening.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
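
Added example, not part of any post in this thread and not Sophos code: a Python triage script that finds the `[EWOULDBLOCK]` on-access timeout lines mentioned in the reply above, pairs each with its `current scan list` entry, and estimates the stall from the blocked process's last earlier log line. The sample log is constructed, modelled on the log format quoted earlier in the thread, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Console log format quoted in the thread.
SAMPLE_LOG = """\
5/8/14 2:02:09.781 PM com.apple.mtmd[55]: Set snapshot time: 2014-05-08 14:02:11 -0400
5/8/14 2:12:09.000 PM kernel[0]: sav: [EWOULDBLOCK][vnode:0xffffff8000000a10][original:0xffffff8000000a10][callback: 0 count:271 ] onaccessctl_check:1825 result:0 disconnected:0
5/8/14 2:12:09.000 PM kernel[0]: sav: current scan list:
5/8/14 2:12:09.000 PM kernel[0]: sav: (pid 55 [mtmd], vnode 0xffffff8000000a10 [/Users/example/Library/Application Support/Google/Chrome/Default/Session Storage/000001.log], [context 0xffffff8000000b20] [result 0] [setup 0] [disconnected 0] [vfsbusy 0]) - 1 waiter(s)
5/8/14 2:12:09.838 PM com.sophos.intercheck[594]: Issue: Could not scan /Users/example/Library/Application Support/Google/Chrome/Default/Session Storage/000001.log
"""

LINE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+\.\d+ [AP]M) ([^\[]+)\[(\d+)\]: (.*)$")
TIMEOUT = re.compile(r"\[EWOULDBLOCK\]\[vnode:(0x[0-9a-f]+)\]")
ENTRY = re.compile(r"\(pid (\d+) \[([^\]]+)\], vnode (0x[0-9a-f]+) \[([^\]]+)\].*- (\d+) waiter")

def parse(log):
    """Return (timestamp, process, pid, message) tuples; continuation lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y %I:%M:%S.%f %p")
            events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events

def find_timeouts(log):
    """One finding per [EWOULDBLOCK] line: who was blocked, on which file, for how long."""
    events = parse(log)
    findings = []
    for i, (ts, _proc, _pid, msg) in enumerate(events):
        hit = TIMEOUT.search(msg)
        if not hit:
            continue
        finding = {"time": ts, "vnode": hit.group(1)}
        # The scan list is logged after the timeout line; match its entry by vnode.
        for _, _, _, later in events[i + 1:]:
            e = ENTRY.search(later)
            if e and e.group(3) == hit.group(1):
                finding.update(pid=int(e.group(1)), process=e.group(2),
                               path=e.group(4), waiters=int(e.group(5)))
                break
        # Last earlier line from the blocked pid approximates when the stall began.
        for pts, _pproc, ppid, _ in reversed(events[:i]):
            if ppid == finding.get("pid"):
                finding["stalled_seconds"] = (ts - pts).total_seconds()
                break
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_timeouts(SAMPLE_LOG):
        print(f)
```

A `stalled_seconds` value close to 600 lines up with the ten-minute timeout described in the reply above.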

  • Thanks for responding Bob.

    I'm not in front of the same machine, but here's a post I made to the apple support forums last year:

    https://discussions.apple.com/message/23323769#23323769

    [EWOULDBLOCK] is mentioned within it.  Is that the kind of information you need?  When I get back to the same macbook, would you want me to just look for every instance of [EWOULDBLOCK] and post it?

    The macbook pro typically runs all this: Microsoft Office, Parallels, Dropbox, Photoshop, BBEdit, GitBox, Versions, Chrome.  I do have an external time machine drive via usb, but I only plug it in every week or so, and the freezeouts happen even when it's not plugged in.

    I hope that helps, and I'm happy to respond with more if you like.  Whatever diagnostics you'd like.
