Degraded performance with mounted disk images

  • What feature: File scanning with scanextension (it is the one showing up in Activity Monitor)
  • Severity: medium
  • Summary: Mounting dmgs is extremely slow and causes an unresponsive system.
  • Reproduce it: Mount a dmg. The bigger the better?
  • Frequency: Every time.
  • Desired behavior: It should at least not make the system unresponsive? Maybe waiting 20 seconds to mount a 50mb dmg is a bit long. W/o Sophos it takes less than 1 second.
  • Environment: MacBook Pro 15" 2018 - Running macOS 11.1 and Sophos 10.0.2 EAP
  • Info extracted from log: I searched the SophosDiagnostics log and looked for the SophosScanD ID that handles the checks of the mounting/mounted dmg. Only thing I noticed was that the log gets flooded with this message: [SophosScanD 424:3368 TID:918370 scand scanner] Threat retrieved from threat enumerator is NULL
    I can provide full logs if needed.
  • FormerMember

    Hi,

    Thanks for reporting this. 

    For the investigation, please provide the following:

    • Go into Central, find the device, and click on the generate SDU button
    • Once the SDU is uploaded, post the file name here so we can extract it and take a look
    • Have you done any alterations to your policy?
      • If yes, has anything changed the symptoms?
      • Or have you just tested removing the product?
    • Are you mounting the dmg through terminal?
      • If yes, can you post the exact command you are using to mount it, please?
    • Have you allowed all the permissions for the product and rebooted the machine?
  • I have to expand the case above: This issue affects everything with high disk I/O.

    Newest case in point was a Gatekeeper (XprotectService) check on a very huge program (Xcode).

    The previous case was verifying disk images.

    However, this issue does not arise every time. I have yet to pinpoint the cause of it.

    Playing with policies did not affect the issue. Processes that show very high activity are SophosScanD and scanextension (CryptoGuard to some degree).

    I am aware that on-access scanning is a thing, but it literally freezes the system. The tasks at hand also take more than 10-100x longer (not exaggerating here).

    Rebooting seems to fix the problem until it shows again.

    I did an SDU upload while the problem showed itself. File is 87b7a70e-f62c-9405-6ba2-bb8e1998f735_2020-12-21-12-49-00.zip

     

    All permissions have been preapproved via configuration profiles, device has been restarted multiple times.

  • FormerMember
    0 FormerMember in reply to Julian Müller1

    Is this on every machine in your environment or only specific ones? Could there be hardware faults in those machines?

    What are the physical specs of these machines?

  • This affects devices in our environment as well. 

    Checked on Macadmins Slack. Some reported similar issues.

    Device is a mid-2018 MacBook Pro i7 (8th Gen?), 16GB RAM, 500GB SSD

  • Other finding I have to report:

    It seems to revolve around SophosScanD.

    With and w/o the error I always receive the following warning from trustd:

    Entitlement com.apple.security.application-groups=(
        "2H5GFH3774.com.sophos.endpoint.scan"
    ) is ignored because of invalid application signature or incorrect provisioning profile

    When the problem arises SophosScanD also reports:

    MacOS error: -67065

    - and -

    MacOS error: -67034

  • FormerMember
    0 FormerMember in reply to Julian Müller1

    I will have the development team look at this when they are back in the new year. Thank you for reporting it.
