Why is Sophos nearly impossible to quit?!

Recently I've been using the streaming quotes window on a brokerage website. It needs to load a Java app each time it runs.
With Sophos running, the Java cannot load. Yesterday it took a lot of work to get Sophos to quit so the Java would load. Today I was unable to use streaming quotes at all. Even when I remove Sophos from my login items, Intercheck still runs. There seems to be no way to stop Intercheck from running!
Since the Java app wouldn't run, I kept clicking the link to start it, and I discovered that In Activity Monitor, each Java app that was being prevented from loading, uses close to 100% CPU and the fans race to keep things cool. Thus, 8 clicks = nearly 800% CPU!

Of course you can't quit Intercheck - it just starts again, and the Java can't load. I tried quitting Sophos Anti-Virus in Activity Monitor, but it won't stay quit! I quit the Sophos GUI, but that didn't help.
There should be an option in the Sophos menu bar icon to disable Sophos, since it's sometimes necessary. Once the Java loads, Sophos can be enabled again. Quitting Sophos should quit ALL of Sophos - INCLUDING Intercheck!
What's needed is for Sophos to allow exemptions, but I don't see any place to add them. Scottrade gave me 2 addresses to enter into an exemption window, but I can't use them.
Perhaps I could enter Java into the Excluded items window, but I don't want to exclude all Java.

Just now I discovered other issues: Java Preferences will not launch successfully unless Intercheck is quit. And in Java Preferences, in the Network tab, if you press the Delete Files button the app hangs until Intercheck is quit, even when the files have already been deleted - happens every time.
Sophos 7.3.12C

OS X 10.7.3

:1007709
  • First off: have you disabled archive scanning for on-access scans?

    Secondly, why do you want to disable Intercheck?  Are you having Intercheck issues even with on-access scanning disabled via preferences?

    In answer to your main question, "Why is Sophos nearly impossible to quit!" I'll provide a simple answer: malware is going to have just as difficult a time bypassing Intercheck as you are having.  However, it will have a harder time than you only disabling the scanning feature associated with this process.

    :1007721
  • 1. No, why would I? I have it checked for Local Drives, so why would I uncheck it for on-access? Wasn't that the default setting? What's that got to do with running Java? Are you telling me that Sophos can't tell the difference between a harmless Java app and a virus?

    I'm already sick of Sophos continually warning me about what it thinks is malware on my computer: Mal/JavaGen-F.
    Whatever this is, it was included as part of free software on several Western Digital Passport drives I own: .../MioNet/MioNet Program Files/Senvid.jar.

    2. I thought I needed to disable Intercheck so the Java could load. I had forgotten about turning off the on-access scanner, maybe that's how I was finally able to load the Java the other day. I just tried it and successfully loaded the quotes window, so maybe Intercheck wasn't the culprit.

    I still say there should be a quick way to temporarily disable Sophos when necessary. I was going to uninstall Sophos completely, because it froze my system today when I tried running the streaming quotes window again - had to do a manual reboot. I'd rather deal with malware/virus if and when it arises than to fight with Sophos every day and be unable to view streaming quotes. It's really tough to watch your stocks when the quotes are unavailable.

    So what about exemptions for those that need them? If I could add exemptions, I wouldn't have to disable then enable the scanner every time I watch the ticker.

    :1007747
  • It sounds like we've got multiple issues here.

    Sophos Anti-Virus has two parts: the first is an on-access scanner, controlled by Intercheck.  The second is on-demand scanning, controlled via the Sophos Anti-Virus app in your Applications folder.

    The on-access scanner, by default, scans inside all archives and scans every file as it is accessed for reading or writing.  Java jar files are really just Zip archives with a bunch of Java class files inside; every time you read from a jar file, it gets unzipped and all the contents are analysed.  This is a simplified description, as there are all sorts of optimizations etc. but what it comes down to is that constantly reading/writing into jar files causes a LOT of scanning to occur.  Disabling archive scanning in the on-access component will fix this, while not disabling general on-access scanning (which means if a full jar file is known to be bad, or something other than an archive-based piece of malware is found, you're still protected).

    The on-demand scans set for scanning local drives are scheduled or performed manually.  These are useful to do on a semi-regular basis if, for example, you disable archive scanning in the on-access scanner to improve performance.

    There should never be a need to disable the Intercheck process itself; it controls other processes, but if on-access scanning and automatic updates are disabled, it basically does nothing other than sit there as a registered process doing a quick poll of its state from time to time.  It should never affect your system in any noticeable way.

    If Mal/JavaGen-F is firing on a file on your computer, it is either malicious and should be deleted, or you've got a "false positive", and we'd recommend submitting it to Sophos so that we can prevent it from giving you a false alert in the future.

    The quick way to temporarily disable Sophos is to disable on-access scanning (and optionally, automatic updates).  With those disabled, the product is effectively disabled.  At that point, all that Intercheck does is prevent some malicious software from coming in and messing with Sophos itself.

    I agree that software should not freeze your system; that implies that there is a serious issue here, either incompatibility between Sophos and your ticker software, or some other more complicated issue.  When things froze, did you get a grey kernel panic window, or did some part of the interface just become unresponsive?  Once again, does disabling archive scanning in the on-access component stop this from happening?

    My guess is that you just need to exclude the folder that your stock software uses for temporary data storage from on-access scanning.  Without knowing what software package you're using, I won't know what you need to exclude, but if it's Java, you could start by excluding the jar file itself.

    :1007749
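The jar-as-archive and exclusion mechanics described in the reply above, as an added example that is not part of this thread or of Sophos's software: it builds a constructed jar in memory to show it is an ordinary zip, models how many objects one read of that jar costs an on-access scanner with archive scanning on versus off, and applies a path-prefix exclusion to the cache folder quoted later in the thread. The per-access cost model, the file name `quotes.jar` and the "excluded if under an excluded folder" semantics are simplifying assumptions, not Sophos's actual implementation.

```python
import io
import zipfile
from pathlib import PurePosixPath


def build_sample_jar() -> bytes:
    """Constructed sample: a jar is an ordinary zip holding a manifest, .class files and resources."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for i in range(3):
            # 0xCAFEBABE is the class-file magic number; the rest is dummy padding
            zf.writestr(f"com/example/quotes/Ticker{i}.class", b"\xca\xfe\xba\xbe" + bytes(16))
        zf.writestr("resources/symbols.txt", "AAPL\nMSFT\n")
    return buf.getvalue()


def jar_members(jar_bytes: bytes) -> list[str]:
    """Member names inside the jar, read with the standard zip reader (no Java needed)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not info.is_dir()]


def objects_per_access(jar_bytes: bytes, archive_scanning: bool) -> int:
    """Assumed model: one object for the jar itself, plus one per member when
    archive scanning is on (each read unpacks and inspects every member)."""
    if not archive_scanning:
        return 1
    return 1 + len(jar_members(jar_bytes))


def is_excluded(path: str, exclusions: list[str]) -> bool:
    """Assumed semantics: excluded if the path equals, or lies under, an excluded entry.
    Matching is by path component, so /Caches/Java does not cover /Caches/Javax."""
    p = PurePosixPath(path)
    return any(PurePosixPath(e) == p or PurePosixPath(e) in p.parents for e in exclusions)


def scan_cost(path: str, jar_bytes: bytes, accesses: int,
              archive_scanning: bool, exclusions: list[str]) -> int:
    """Total objects an on-access scanner inspects for `accesses` reads of the jar at `path`."""
    if is_excluded(path, exclusions):
        return 0
    return accesses * objects_per_access(jar_bytes, archive_scanning)


if __name__ == "__main__":
    jar = build_sample_jar()
    cache = "/Users/Bob/Library/Caches/Java/cache/6.0"  # folder quoted in the thread
    path = f"{cache}/quotes.jar"                         # constructed file name
    print("members:", jar_members(jar))
    print("8 reads, archive scanning on :", scan_cost(path, jar, 8, True, []))
    print("8 reads, archive scanning off:", scan_cost(path, jar, 8, False, []))
    print("8 reads, cache folder excluded:", scan_cost(path, jar, 8, True, [cache]))
```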
  • The problem with disabling the on-access scanner is that it's easy to forget to enable it again. Makes no sense to me that I'd want to leave it disabled, because then I'm wide-open to anything I click on or in email attachments. What's the point of having anti-virus software installed if you're just going to disable it?

    The Java in question isn't coming from any software I have installed, it opens directly from the website when I click the link.

    Its temp files are here: /Users/Bob/Library/Caches/Java/cache/6.0.

    I excluded the entire Caches/Java folder, then enabled on-access, but it wouldn't run. I then excluded the Caches/Java/Cache/6.0 folder and it loaded successfully.

    That should do it, now I can leave on-access enabled and still see the quotes window.

    I previously submitted the file causing the false alerts, and I received this reply:

    The file(s) below are already detected with the latest version of Sophos Anti-Virus and the latest IDE definitions.
     B9031d01 -- already detected (Mal/ObfJS-B (all product versions))

    Yes, I know they're detected, that's the problem, so why wasn't it fixed? Why is this Western Digital software still causing alerts?

    :1007753
  • Scratch that:

    The quotes window wouldn't open today - I had on-access enabled and the cache file excluded.

    Tried twice, so Intercheck was using 200% CPU. After disabling on-access, the Java loaded and CPU usage dropped to normal.

    :1007757
  • I'll see if someone can duplicate the Scottrade issue so we can come up with a reasonable fix.  For the sample you submitted, do you have a submission ID?  I can get it flagged up here for re-analysis.

    :1007769
  • @Agile, you answered Rebel1's justified complaint about the difficulty of simply quitting the Intercheck process by asking "why do you want to disable Intercheck".

    The answer is: None of your business!

    Users have every right to stop and start processes on their machines at will.

    The fact that you replied this way perfectly illustrates why Sophos have failed here and why I'm uninstalling this tool - when your anti-malware software behaves invasively like this, it becomes malware!

  • In reply to George Francis:

    Hi

    Sorry for the inconvenience caused.

    The thread which you are referring to is almost 7 to 8 years old. I'd suggest you open a new thread and post your query, and we'll try to help you resolve your issue.