Sophos Antivirus and Time Machine

Does anyone else find that the default "Scan This Mac" option gets stuck unless you exclude your Time Machine backup volume from the scan? I was really disappointed with the speed of the scan until I thought to try this, as I was finding it would get stuck about a third of the way in and stay there for hours until I gave up. The only reason I can think of for this though would be if it's scanning the full contents of every backup, but that would be a staggering number of files to get through (my system has millions of files as it is, totalling around 2.5tb).

I would think that an antivirus product for Mac would be aware of Time Machine's file structure and have methods for accelerating the scan. For example, it's pretty easy to figure out which files have changed between two Time Machine backups by comparing inodes, since Time Machine uses hard-links, so only original files and changed files should need to be scanned. Also, since a Time Machine backup is just a snapshot of the rest of your system, it should be easy enough for Sophos antivirus to determine if the file is identical to one already scanned (or waiting to be scanned) on the main system or not, so that copies don't need to be scanned more than once.

Does Sophos antivirus already account for these things? Otherwise I can't figure out why excluding my Time Machine backup would solve the problem. Should I submit a support ticket somewhere?



This thread was automatically locked due to age.
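The inode comparison suggested in the opening post, sketched as an added example (it is not part of the original thread and is not Sophos code). It assumes the hard-link layout the post describes; `files_to_scan`, `build_demo` and the `snap-1`/`snap-2` names are hypothetical, and the sample snapshots are constructed.

```python
import os
import stat
import tempfile

def files_to_scan(snapshot_dirs):
    """Yield one path per unique regular-file inode across the snapshots.
    Assumption (from the post): an unchanged file in a later snapshot is a
    hard link to the same inode as in the earlier snapshot.
    """
    seen = set()  # (st_dev, st_ino) pairs already visited
    for root in snapshot_dirs:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune directories reached before through another hard link;
            # on ordinary filesystems every directory inode is unique.
            kept = []
            for d in dirnames:
                st = os.lstat(os.path.join(dirpath, d))
                if (st.st_dev, st.st_ino) not in seen:
                    seen.add((st.st_dev, st.st_ino))
                    kept.append(d)
            dirnames[:] = kept
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                key = (st.st_dev, st.st_ino)
                if not stat.S_ISREG(st.st_mode) or key in seen:
                    continue  # symlink/special file, or inode already queued
                seen.add(key)
                yield path

def build_demo(base):
    """Constructed sample: two snapshots, one unchanged and one changed file."""
    old, new = os.path.join(base, "snap-1"), os.path.join(base, "snap-2")
    os.mkdir(old)
    os.mkdir(new)
    for name in ("unchanged.txt", "changed.txt"):
        with open(os.path.join(old, name), "w") as f:
            f.write("v1 " + name)
    # Unchanged file: hard link, as the post describes Time Machine doing.
    os.link(os.path.join(old, "unchanged.txt"), os.path.join(new, "unchanged.txt"))
    with open(os.path.join(new, "changed.txt"), "w") as f:
        f.write("v2 changed.txt")
    return [old, new]

def demo():
    with tempfile.TemporaryDirectory() as base:
        return sorted(os.path.relpath(p, base) for p in files_to_scan(build_demo(base)))

if __name__ == "__main__":
    print(demo())
```

Four directory entries exist across the two constructed snapshots, but only three distinct inodes are queued, so the hard-linked copy is read once.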
  • SAV has a default exclusion for on-access scanning and any Time Machine volume, however on-demand scanning doesn't have a predefined exclusion.

    If using Time Machine, some users may want to scan the Time Machine volume, some may not. By default the volume is scanned with on-demand but automatic cleanup isn't enabled because TM backups have a complex structure and are even encrypted. There are quite a few posts on this forum from users scanning their Macs and TM volumes and finding things, hence it's worth doing. If you haven't already done so, watch the scanning video for SAV for Mac HE, which explains all local volumes are scanned and that this may not be desirable.

    I think from a security point of view you're going to want to exclude as little as possible, however without the on-access exclusion the performance of the computer could be lowered.  Hence the balance struck is to exclude on-access scanning and leave on-demand up to the user.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS

  • Oh I agree that I should scan my Time Machine volume if I can, the problem is that Sophos Antivirus seems to get stuck while doing it, but I can't figure out why.

    When it generates its count of files to be scanned Sophos doesn't seem to include my Time Machine volume, as the count is about right for my root volume. However, it must be scanning my Time Machine volume as leaving it included is what causes the problem, however without a file count I have no way of knowing how much progress it's making.

    However, I've left the scan running for well over four times the length of time it takes to scan my system with Time Machine excluded, which seems like too long, as scanning the Time Machine volume should take closer to twice as long (since a majority of files are hard-links). I'm not sure if this means that Sophos antivirus is re-scanning file links or not though as I can't tell if it's actually doing anything at all other than the fact that it's still utilising CPU time.

    As I say, there are several fairly easy tricks that should be in use to accelerate scans of a Time Machine volume, which means it shouldn't take much longer than scanning the root volume on which it's based. I don't know if these tricks are being used or not, though I'd normally be inclined to give Sophos the benefit of the doubt and assume it is, but all I know is that including my Time Machine volume causes my on-demand scans to seemingly never end; I say seemingly as I shut my Mac down at night, so I can't just leave the scan running long-term, but the logs don't include any verbose progress that I can see so I really don't know what's going on.

  • You may be interested in reading the post below - the video right at the bottom of the first page (no audio) shows the behavior of SAV with a file count when TM is connected but excluded (SAV counts files in TM but then quits the scan early).  There is also a post by myself at the top of page two explaining the logic that  provided, and a Terminal scan you can run to output the file names - just an idea.

    http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Number-of-files-to-interrogate/td-p/14301

    Ultimately exclude TM and don't worry about it - the files aren't live.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS

  • Apologies for dragging up an aging thread, however..

    Can someone please provide the current stance re. the default behaviour of SAV for Mac (Home Edition) v9.2.2 with Time Machine?

    1) On install to two separate Yosemite machines there seemed to be *no* default exclusions re. Time Machine for either On-Access or On-Demand scanning? Or are these exclusions within the code and not displayed within the interface?

    2) If manual exclusions are required/recommended for On-Demand scans, which specific directories should be excluded?  On my setup I use two network backup targets - a Time Capsule and a NAS which has 3rd party support for Time Machine.

    Additionally, if a BOOTCAMP partition is used should this also be excluded from On-Demand scans (on one machine I have this causes an irrecoverable lock-up, despite having run a chkdisk on the Windows side)?

    Thanks in advance.

    Simon

  • I've left the scan running for well over four times the length of time it takes to scan my system with Time Machine excluded, which seems like too long, as scanning the Time Machine volume should take closer to twice as long (since a majority of files are hard-links). I'm not sure if this means that Sophos antivirus is re-scanning file links or not though as I can't tell if it's actually doing anything at all other than the fact that it's still utilising CPU time.???

  • I'm in the same boat, just posting to hear if there is a solution to the TM problem.


  • kevs40 wrote:

    I'm in the same boat, just posting to hear if there is a solution to the TM problem.


    The suggestion is to exclude your backup volume. We don't do this automatically, and we probably won't do this automatically - it's a tradeoff between doing things that appear smart vs. being fooled into not scanning something the user really wants to scan. This is a decision the user / owner of the computer really needs to make. The "Scan This Mac" option is a literal implementation - scan everything directly attached to your Mac, including external drives.

    We are (finally) going to be revisiting the on-demand scanner implementation in the next few months. When we do, we'll have a look to see if we can better understand the performance impact with very large Time Machine volumes.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thanks Bob, did not understand much of that.


  • kevs40 wrote:

    Thanks Bob, did not understand much of that.


    Hi kevs40,

    Apologies if my message was confusing - which part? Happy to clarify, just not sure where to start. Feel free to ping me off list if you prefer.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thanks Bob, can someone ping someone off! What a cool feature, never heard of that before. Photoshop forums should get that... lot of rude people over there.

    Ok, Sophos suddenly cannot scan time machine volume. What happened, why is this and is there something that can be done or do Mac people have to live with that?
