santrix wrote:
I've been using Sophos AV on Mac for years, but I can't take it any more - it's a shame as it's an excellent product, but on all five of the Macs used by my family, we have the same problem. Emails that arrive containing infected attachments always bring up an alert box, despite the ~/Library/Mail/V2/IMAP-me@redacted.com/[Gmail].mbox/Spam.mbox/ path being whitelisted in the preferences (note the trailing slash). As we use Google Apps for our mail, the spam folder receives a handful of malware every day, and having to deal with these alerts is unnecessarily distracting. It's functionality that has been broken now for over 2 years - Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite - all broken. Worse still, the actual quarantine window often doesn't even record a path for the files concerned, so it's laborious to track them down.
Thanks for the note, and the compliment. I strongly suspect the problem is that we don't support the tilde in exclusions - you would need to specify the full path explicitly or use wildcards. Just checked on my own machine, if I use the path of "/Users/bobcook/Mail/V2/" I'm able to avoid undesirable detections, and same if I use "/Users/*/Library/Mail/V2/". Obviously your exclusion of just the Spam.mbox directory is even better, but I just wanted to prove it's working as implemented.
The reason for this limitation about the tilde is because the scanner is not running in the same context as a regular user, so the normal tilde meaning doesn't really apply. On the other hand, it could be argued that the software could be smarter about this - e.g. perhaps automatically map "~/" to be "/Users/*/" or something. Alternatively we could warn you or disallow entering the tilde character at the start of the path. It's definitely confusing.
---
Bob Cook (bob.cook@sophos.com) Director, Software Development
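
The tilde limitation discussed in the post above, as an added example (not Sophos code and not written by anyone in this thread): a matcher that takes exclusion entries literally, plus a lint that flags a leading "~/" and proposes the "/Users/*/" rewrite floated above. The function names, the matching rules (`*` matches within one path component, a trailing slash means "everything under this directory") and the sample paths are assumptions constructed for illustration.

```python
import re

def _parts(path):
    return [seg for seg in path.split("/") if seg]

def _seg_match(pattern, segment):
    # Only "*" is a wildcard; "[", "]" and "." in folder names stay literal.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, segment) is not None

def is_excluded(path, exclusion):
    """Literal match of an absolute path against one exclusion entry.

    No tilde expansion happens here: a scanner outside the user's session
    has no single home directory to substitute, so "~/..." matches nothing.
    """
    if not exclusion.startswith("/"):
        return False
    pat, target = _parts(exclusion), _parts(path)
    if exclusion.endswith("/"):          # directory entry: prefix match
        if len(target) < len(pat):
            return False
        target = target[:len(pat)]
    elif len(target) != len(pat):        # file entry: whole path must match
        return False
    return all(_seg_match(p, t) for p, t in zip(pat, target))

def lint_exclusion(entry):
    """Return (status, suggested_entry) for one configured exclusion."""
    if entry.startswith("~/"):
        # Hypothetical rewrite: cover every local user's home directory.
        return "tilde", "/Users/*/" + entry[2:]
    if not entry.startswith("/"):
        return "relative", None
    return "ok", entry

# Constructed sample data (user "alice" and the mail account are made up).
SPAM = "Library/Mail/V2/IMAP-me@example.com/[Gmail].mbox/Spam.mbox/"
HIT = "/Users/alice/" + SPAM + "Messages/1.emlx"

if __name__ == "__main__":
    for entry in ("~/" + SPAM, "/Users/alice/" + SPAM, "/Users/*/Library/Mail/V2/"):
        status, suggestion = lint_exclusion(entry)
        print(f"{status:8} excluded={is_excluded(HIT, entry)!s:5} {entry}")
        if status == "tilde":
            print(f"         suggested: {suggestion}")
```
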
Hi Bob and thanks for replying. Having just checked the other Macs I use, they are all set up using absolute paths for the exclusions - i.e. no tilde shortcuts for home directories - they were, in fact, always set up this way, but I couldn't remember (dayjob as sysadmin, I lose track of how I set up stuff my wife uses at home!).
Yet, the software still reports hits within the excluded path - see screenshot. I'm also unsure why it always sits there with the "Cleanup in progress" status either, because the On-Access scanner options are set to "Deny Access", as opposed to "Clean up threat". Having seen this on so many instances of OSX I have worked on, both fresh installs and upgrades including customers of mine, I find it hard to believe nobody else has ever reported this behaviour.
Hope you can squish this bug. Steve.
Hi Steve,
Thanks for the image. Is there any chance these items are being found by a scheduled scan rather than the on-access scanner? They have different configuration for the exclusions and cleanup actions.
I definitely want to squish this bug. Next time you see this happening please open Activity Monitor, find "InterCheck" and grab a sample (there will be a Sample Process option in the contextual menu). Also find anything that says "SophosAVAgent" and do the same thing. You can send them to me direct.
---
Bob Cook (bob.cook@sophos.com) Director, Software Development