Sophos Antivirus and Time Machine

Does anyone else find that the default "Scan This Mac" option gets stuck unless you exclude your Time Machine backup volume from the scan? I was really disappointed with the speed of the scan until I thought to try this, as I was finding it would get stuck about a third of the way in and stay there for hours until I gave up. The only reason I can think of for this though would be if it's scanning the full contents of every backup, but that would be a staggering number of files to get through (my system has millions of files as it is, totalling around 2.5tb).

I would think that an antivirus product for Mac would be aware of Time Machine's file structure and have methods for accelerating the scan. For example, it's pretty easy to figure out which files have changed between two Time Machine backups by comparing inodes, since Time Machine uses hard-links, so only original files and changed files should need to be scanned. Also, since a Time Machine backup is just a snapshot of the rest of your system, it should be easy enough for Sophos antivirus to determine if the file is identical to one already scanned (or waiting to be scanned) on the main system or not, so that copies don't need to be scanned more than once.

Does Sophos antivirus already account for these things? Otherwise I can't figure out why excluding my Time Machine backup would solve the problem. Should I submit a support ticket somewhere?

:1015215
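The inode comparison and duplicate-content check suggested in the opening post, as an added example that is not part of the original thread and is not Sophos code. It assumes hard-linked backups with one sub-directory per snapshot, as the post describes; `plan_scan` and the `already_scanned_hashes` cache are hypothetical names.

```python
import hashlib
import os
import stat


def sha256_of(path, chunk=1 << 20):
    """Content hash, used to recognise copies that are not hard links."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def plan_scan(backup_root, already_scanned_hashes=()):
    """Return (to_scan, skipped_hardlinks, skipped_known_content).

    backup_root: directory holding one sub-directory per snapshot.
    already_scanned_hashes: SHA-256 digests of files scanned clean elsewhere
    (for example on the live volume); a hypothetical cache, not a Sophos API.
    """
    seen_inodes = set()
    known = set(already_scanned_hashes)
    to_scan, skipped_links, skipped_content = [], 0, 0
    for dirpath, dirnames, filenames in os.walk(backup_root):
        dirnames.sort()          # deterministic order: oldest snapshot first
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue         # symlinks, sockets etc. carry no file content
            key = (st.st_dev, st.st_ino)
            if key in seen_inodes:
                skipped_links += 1    # same inode: unchanged since an earlier snapshot
                continue
            seen_inodes.add(key)
            digest = sha256_of(path)
            if digest in known:
                skipped_content += 1  # identical bytes were already scanned
                continue
            known.add(digest)
            to_scan.append(path)
    return to_scan, skipped_links, skipped_content
```

A skip cache like this is only valid for one version of the detection data; after a signature update it has to be discarded and the files rescanned.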



  • kevs40 wrote:

    Thanks Bob, can someone ping someone off! What a cool feature, never heard of that before. Photoshop forums should get that... lot of rude people over there.

    Ok, Sophos suddenly cannot scan time machine volume. What happened, why is this and is there something that can be done or do Mac people have to live with that?


    Hi kevs40,

    I used the word "ping" in the same sense as the word "contact". Just terminology I use regularly, in my case it originates from the network activity resulting from the "ping" command line tool. That tool sends out small packets on the network to test reachability.  http://en.wikipedia.org/wiki/Ping_(networking_utility)

    The scanner can scan Time Machine volumes; however, it will likely be quite slow; we don't attempt to optimize scanning identical files - we simply scan each and every copy of every file for every backup as if it was a unique entry. Earlier in this thread it was suggested that we could do better. I agree, but it's not at the top of our priority list. Note that we do have issues cleaning up anything found in the Time Machine volume - again this is something we could improve.

    Recommendation is to add an exclusion to your on-demand / scheduled scan to not scan your Time Machine backup volume. You can double-click or right-click the "Scan This Mac" panel to get access to its settings.

    :1020232

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Ok Bob thanks, you are with Sophos cool.

    Ok, I added Time Machine to the excluded items tab.

    But didn't it scan Time Machine efficiently a few months ago, did something happen?

    And it does identify threats there. Can something in Time Machine be a problem?

    :1020234

  • kevs40 wrote:

    Ok Bob thanks, you are with Sophos cool.

    Ok, I added Time Machine to the excluded items tab.

    But didn't it scan Time Machine efficiently a few months ago, did something happen?

    And it does identify threats there. Can something in Time Machine be a problem?


    Don't think anything significant has changed in the product, we haven't released anything significantly new since last October.

    As for potentially bad things contained in your Time Machine backup, here is a good way to think about it:

    (1) by design, you cannot use things from the Time Machine backup directly, you always have to restore / export the content back to your regular drive

    (2) when you try to use that restored item, our on-access scanner will inspect it - it will be blocked if it's considered a threat

    (3) this is true even if we didn't consider that item a threat when it was backed up, we will scan it again after the restore

    Hopefully that makes sense.

    :1020235

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • ok Bob, that's cool. What you are saying is that the threat has no power inside the close backup folders...

    Also, had another question about Sophos-- about the vanishing threats, did you see that thread? no one has responded well to it:

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Detected-Thread-disappears/td-p/20162

    :1020236
  • Sophos Home Edition 9.2.2 running under OS X 10.9.5

    I'm not sure how to interpret what you are writing...

    In the "OnAccess" settings the exclusion list is empty.

    In the "On Demand" (manual) settings the exclusion list is empty.

    The log shows me every hour 2 times:

    com.sophos.intercheck: Info: Exclusion: /Volumes/MyTimeMachineBackupVolume at time date

    Will the Time Machine Volume be scanned?

    OnAccess (which I would interpret as every time Time Machine does its backup)?

    On Demand?

    And if it is a default setting that the Time Machine Volume(s) are excluded, why is the user not informed (i.e. on mentioning the Volume(s) in the OnAccess exclusion list)?

    Cheers

    Andreas

    :1020616

  • macandreas wrote:

    And if it is a default setting that the Time Machine Volume(s) are excluded, why is the user not informed (i.e. on mentioning the Volume(s) in the OnAccess exclusion list)?


    The exclusion list is designed to show you the settings you entered. I see your point about why it can be confusing, it's something we will review in the future. Thank you for the feedback.

    :1020619

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • The slowness with Time Machine remains an ongoing problem. There are two parts to this problem. The first part, excluding the Time Machine backup volume is well-addressed in this thread. However, the other part, disabling on-access scanning while Time Machine is running is barely touched on.

    Even after excluding the Time Machine volumes, if on-access scanning is enabled, Time Machine backups take from 3 to 6 hours on my rig. Without on-access scanning enabled, we observe a relatively low number of minutes for the Time Machine backup.

    Yes, you want to decide if scanning your backup is relevant. For me it is not. But apparently while Time Machine is backing up, Sophos is apparently scanning a large amount of the main hard drive as each file is accessed. As pointed out by others, it seems this behavior could be greatly improved in the design of Sophos. I am not going to rehash those discussions.

    In the meantime, there are two courses for me:

    1. Just let it take 3 - 6 hours. The downside of that is that the "every hour" backup is no longer happening.
    2. Temporarily disable on-access scanning during a backup. This is not practical as it requires frequent intervention with settings that should be left alone.

    Neither of these courses is acceptable.

    On a related issue, if on-access scanning is enabled, entering Time Machine is very slow, and navigation within Time Machine is very, very, very slow. Like plan to take 20 - 40 minutes to populate and navigate, depending on the context. This has been a giant annoyance for me for years until I discovered that temporary disabling of on-access scanning restores Time Machine to its previous, pretty good responsiveness. Since entering Time Machine is an infrequent manual process, it is pretty easy to do the manual disable/re-enable of on-access scanning.

  • I'm giving up on Sophos--with On-Access Scanning enabled, my incremental Time Machine backup takes days to complete, so it never catches up with my daily work (without Sophos, it takes about 30 minutes). And yes, my Time Machine volume is excluded.

    I tried a clean drive for a brand new Time Machine backup, and according to the math, it would take 17 years. But if I turn off "On-Access" scanning, it finishes up in about 8 hours.

    This issue has been around for a while, and not even an ETA for a fix...

    So, given the choice between not having anti-virus, not using Time Machine, or not using Sophos, there's really not much of a decision for me.

  • I decided the solution is to disable on-access scanning. Instead I have a more thorough scan scheduled daily. I used to only scan email spam and deleted folders as that is where 99.9% of all malware is detected. So now I scan everything except external volumes and certain other specific areas. Machine runs better this way, and probably protection does not suffer too much.