Sophos for Mac not finishing scan

I'm seeing many reports of Sophos just "hanging" in mid scan.  Mine was started days ago and will not finish.  Has there been any resolution to this issue? 


This thread was automatically locked due to age.
  • Hello everyone,

    Do you think the scanner is stuck on a particular file? If so we'd really like to know which file. We have been investigating a problem reported when scanning a XAR archive file, but we are looking for more samples.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • My Early 2011 17" MBP running El Capitan 10.11.2 was getting stuck on some of the .dmg files in my downloads folder (see most recent scan report below). I noticed it would spend about 5 minutes on each one of these. AND after it completed them, it would keep scanning them over and over! I found that when I put them all into "Exclusions", the scan completed. When I scanned them individually, they were fine. (FYI, I no longer have ClamXav, maccleanse, or avast installed. They were downloaded and used by my ISP in a recent remote control clean up session.)

    What I'm concerned about now is:

    a) the "Issues" (corrupted files) it keeps finding and how to deal with them and

    b) the time it takes to finish the scan when I select "Scan inside archives and compressed files."

    *************************************************

    Sophos Anti-Virus

    Product version: 9.4.1

    Threat detection engine version: 3.63.1

    Threat data version: 5.22

    Release date: 08 December 2015

    Detects 10437508 threats

    Copyright © 1993-2012 Sophos Ltd. All rights reserved.

    Using IDE files:

    Scan name: "Scan Local Drives"

    Scan items:

    Exclusions:

    Path: "/Users/Jeff/Downloads/iWork_9.3_Update.dmg"

    Path: "/Users/Jeff/Downloads/YummyFTP.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2014.4-AP-20-15.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2013.5-AP-21-14.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2012-2.1-AP-12-13.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2011-OC-2-12.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2010.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2009.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2008.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2007.dmg"

    Path: "/Users/Jeff/Downloads/TaxTron2006.dmg"

    Path: "/Users/Jeff/Downloads/MBAM-Mac-1.1.3.72.dmg"

    Path: "/Users/Jeff/Downloads/maccleanse.dmg"

    Path: "/Users/Jeff/Downloads/ClamXav_2.8.7.dmg"

    Path: "/Users/Jeff/Downloads/avast_free_mac_security_online.dmg"

    Path: "/Users/Jeff/Downloads/AlesisFirewireMountainLionDriver8:19:11[v3.5.6].dmg"

    Configuration:

    Scan inside archives and compressed files: No

    Automatically clean up threats: Yes

    Scan for adware and potentially unwanted applications (PUA): Yes

    Automatically clean up adware and potentially unwanted applications (PUA): Yes

    Action on infected files: Move to folder at path "/Users/Jeff/Desktop/Threats not cleaned"

    Live Protection enabled: Yes

    Scan started at 2016-01-09 09:00:07 -0500

    New volume detected at /Volumes/iWork_9.3_Update(Manual)

    New volume detected at /

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~Keynote/.ginger

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~mail/Data/MailData/Signatures/ubiquitous_19BBE9BE-199F-43A4-9551-F5282E781FA1.mailsignature

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~mail/Data/MailData/Signatures/ubiquitous_1EDFC9E2-28A5-4AB7-B270-231768908368.mailsignature

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~mail/Data/MailData/Signatures/ubiquitous_A26959AE-3F11-4720-9FF7-FA584D0A8BE0.mailsignature

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~mail/Data/MailData/Signatures/ubiquitous_AllSignatures.plist

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~mail/Data/MailData/Signatures/ubiquitous_FC0160A1-A280-4BE0-B127-ACE20285F7F1.mailsignature

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~mail/Data/MailData/ubiquitous_SyncedRules.plist

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~mail/Data/MailData/ubiquitous_SyncedSmartMailboxes.plist

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~Numbers/.ginger

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~Pages/.ginger

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~Pages/iWorkPreviews/Blank.jpg

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~Pages/iWorkPreviews/Untitled.jpg

    2016-01-09 09:25:55 -0500 Corrupt file: /Users/Jeff/Library/Mobile Documents.127842904/com~apple~TextInput/Dictionaries/.baseline/UserDictionary/SAlQVUhF7208e6_gvZx_zdKx1U1AzKGem3HO2pLKjgY=/baseline.zip

    Scan completed at 2016-01-09 09:26:41 -0500.

    656959 files scanned, 0 items detected, 13 issues

    Jeff
    If you care about animals, you should be vegan.
    If you don’t care about animals, but you value justice, you should still be vegan.
    Learn more from these resources:
    "THE WORLD IS VEGAN IF YOU WANT IT - Go vegan. It's easy. It’s better for your health (animal foods cause physical harm); it’s better for the planet (animal agriculture is an ecological disaster); and, most importantly, it’s the morally right thing to do." — Professor Gary L. Francione http://www.abolitionistapproach.com/
     
     
  • Hello Jeff,

    Thanks for the detailed information. When the scanner reports "Corrupt file" it means it's a file that it cannot parse. This *usually* means the file is indeed damaged somehow. You could try opening JPEG and ZIP to see if the associated application can repair them. I don't know what the ".ginger" files are - you could try to open them in TextEdit to see if you can identify their source.

    The time to scan DMG files can be very long when you enable the "Scan inside archives and compressed files" option because the product is going to decompress each file inside the DMG (disk image). Think of it as a recursive scan operation: open the DMG and scan each file; for each archive inside, open that and scan each file. I've seen larger DMGs take more than 30 minutes to scan with this option.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Re the corrupt files, I can't seem to find them. The paths do not exist beyond Users/Jeff, and when I look in Libraries, there's no "Mobile documents" path. Tried looking in Spotlight also. So I have no idea where these corrupted files are.

    Also, did you notice the line "New volume detected at /Volumes/iWork_9.3_Update(Manual)" when the scan first starts? That volume doesn't exist. FYI, iWork_9.3_update.dmg was given to me by Apple after upgrading to the latest release because they said I needed Pages '09 to open and re-save some older Pages documents I had archived (I think this is no longer necessary with the newer Pages 5.6.1 but I'm not sure). But regardless, why is Sophos seeing iWork as a "new volume"?

    Finally, the issue with scanning the .dmg files was not so much the time it was taking, but the fact that Sophos was going back and re-scanning the same ones over and over without finishing BEFORE I put them into the Exclusions.
    Jeff
     
  • Hello Jeff,

    Sounds like "iWork_9.3_update.dmg" is still mounted from when you installed it. If you go to the Finder, choose "Go to Folder" (press Command+Shift+G) and enter "/Volumes" you can likely find it.

    Can you describe a bit more about the "going back and re-scanning the same ones over and over" behavior? Where did you see this? I'm just curious how I can try to reproduce the same phenomenon (it seems weird and sounds like a bug we should fix).

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Nope. I wouldn't let that happen. Did as you suggested and the only volume is MacIntosh HD. So that doesn't explain the lines:

    Scan started at 2016-01-09 09:00:07 -0500

    New volume detected at /Volumes/iWork_9.3_Update(Manual)

    New volume detected at /

    The "re-scanning" was observed in the Scans window during the "Scan this Mac" scheduled scan. When the process slowed way down (which was after about 90% of my files were scanned) it would sit on each .dmg file for 5 or so minutes. I was getting so exasperated with the very long scan times (6+ hours with fans cycling on and off frequently) that I finally sat and watched the hang spot. You could see the file name while it sat on each one. But after doing each one for those 5 or so minutes each, it would start doing them again and then again! Seemingly hung there, I would just stop the scan. Then I hit on the idea of putting them all into Exclusions. And the scan finally completed as you see above.
    Jeff
     
  • Hi Jeff,

    Very curious what the "mount" command prints: open Terminal, run the mount command, copy/paste the output back here. We *think* it's going to show your mounted DMG image, as it uses the same info as what we use in our software to determine the list of volumes to scan.

    Re: the constant re-scanning of DMG files, we are pretty baffled by this behavior in the product. Can't really explain it. There are more advanced diagnostics possible using the "opensnoop" command to trace what files are actually being opened by the AVAgent process, but it's a bit tedious. Sort of depends how ambitious you are about wanting to dig deeper.

    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development
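
One way to turn the opensnoop trace suggested above into evidence of the re-scanning, as an added example that is not part of the original thread and not Sophos code. It assumes the trace was saved in opensnoop's default column layout (UID PID COMM FD PATH), for instance from `sudo opensnoop -n AVAgent`; the process name is the one given in the post and the sample rows are constructed.

```python
import re
import sys

# Constructed sample in opensnoop's default layout (UID PID COMM FD PATH).
# "AVAgent" is the process named in the thread; PIDs, FDs and order are made up.
SAMPLE = """\
  UID    PID COMM          FD PATH
    0    412 AVAgent       12 /Users/Jeff/Downloads/TaxTron2010.dmg
    0    412 AVAgent       12 /Users/Jeff/Downloads/TaxTron2010.dmg
    0    412 AVAgent       13 /Users/Jeff/Downloads/YummyFTP.dmg
  501    733 Finder         9 /Users/Jeff/Downloads/YummyFTP.dmg
    0    412 AVAgent       -1 /Users/Jeff/Downloads/missing file.dmg
    0    412 AVAgent       12 /Users/Jeff/Downloads/TaxTron2010.dmg
    0    412 AVAgent       14 /Users/Jeff/Documents/notes.txt
    0    412 AVAgent       13 /Users/Jeff/Downloads/YummyFTP.dmg
    0    412 AVAgent       12 /Users/Jeff/Downloads/TaxTron2010.dmg
"""

# PATH is the last column and may contain spaces, so it takes the rest of the row.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(-?\d+)\s+(.+?)\s*$")


def parse_opens(text):
    """Return (comm, fd, path) per data row; the header and junk lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            events.append((m.group(3), int(m.group(4)), m.group(5)))
    return events


def revisits(events, comm="AVAgent", suffix=".dmg", min_visits=2):
    """Count separate visits per file: back-to-back opens of one path are a
    single visit, so a count above 1 means the process came back to the file
    after moving on to another one."""
    visits, last = {}, None
    for name, fd, path in events:
        if name != comm or fd < 0 or not path.lower().endswith(suffix):
            continue  # other process, failed open, or not a disk image
        if path != last:
            visits[path] = visits.get(path, 0) + 1
            last = path
    return {p: n for p, n in visits.items() if n >= min_visits}


if __name__ == "__main__":
    # Pass a saved trace file as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for path, n in sorted(revisits(parse_opens(text)).items()):
        print("%d visits  %s" % (n, path))
```

A file listed with two or more visits was reopened after the scanner had already moved on, which is the behaviour described in the thread; a file opened several times in a row counts once.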

  • Here's the mount command result. No iWork volume:

    Last login: Wed Jan 13 21:51:28 on console
    LiveAbolitionistVegan:~ Jeff$ mount
    /dev/disk1 on / (hfs, local, journaled)
    devfs on /dev (devfs, local, nobrowse)
    map -hosts on /net (autofs, nosuid, automounted, nobrowse)
    map auto_home on /home (autofs, automounted, nobrowse)
    LiveAbolitionistVegan:~ Jeff$

    Re constant re-scanning, as I say that stopped when I added the .dmg files to the Exclusions so I'm not sure how much more digging I can do. If you can send simplified step by step instructions, I might be able.
    Jeff
     
  • Any news, Bob? Or are you too busy with the El Capitan Beta problems?
    Jeff