
Duplicate log entries

Hi, I installed/updated the Sophos Mobile Security app for Android, version 7.1.2457 (18).

There appear to be duplicate entries in the log, which shows 0 objects being scanned three times at the same date and time. This is around the same time as I had the Internet on my device switched on.

Here are the log details:

10 Oct 2017 16:40 Initial scan finished. 152 objects scanned. No threats or PUAs found. 0 low reputation apps found.

10 Oct 2017 22:53 Schedules scan finished. 157 objects scanned. No threats or PUAs found. 0 low reputation apps found.

10 Oct 2017 23:53 Scan finished. 2 objects scanned. No threats or PUAs found. 0 low repution apps found.

11 Oct 2017 02:14 Manual scan finished. 159 objects scanned. No threats or PUAs found. 0 low repution apps found.

11 Oct 2017 02:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 low repution apps found.

11 Oct 2017 02:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 low repution apps found.

11 Oct 2017 02:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 low repution apps found.

The log entry on 10 Oct 2017 23:53, "Scan finished. 2 objects scanned", above was around the time the Internet on my device was switched on. The log entry (x3) on 11 Oct 2017 02:20 stating "Scan finished. 0 objects scanned" was also around the time the Internet on my device was turned on.

Does anyone know the reason why it states 0 or 2 objects were scanned in the log entry of 10 Oct 2017 23:53, and why there are duplicate entries on 11 Oct 2017 02:20? Both these times I had switched the Internet on my device on, showing the log entries mentioned.

If I perform a manual scan I get 159 objects scanned in the log entries. As the entries don't appear to be from a scheduled or manual scan, what would have caused the scanner to run? The previous version does not appear to show the duplicate entries mentioned above.

Would the update of the Sophos Antivirus engine/data definition trigger the scan to scan the updated data definition files?

Thanks 

Here are some more observations from the log entries:

11 Oct 2017 23:10 Scheduled scan finished. 158 objects scanned. No threats or PUAs found. 0 reputation apps found.

Sophos AV engine updated at 23:56 on 11 Oct 2017

Log entry added with:

11 Oct 2017 23:56 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

Performed a manual scan with log entry of:

Manual scan finished. 158 objects scanned. No threats or PUAs found. 0 reputation apps found.

Then the following log entries, which I assume are from during the Sophos AV updates. Well, from the settings page the last updated date of Sophos AV was 12 Oct 2017 00:57:

12 Oct 2017 00:08 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

12 Oct 2017 00:30 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

12 Oct 2017 00:57 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

With Internet on the device turned off I had more entries in the log:

12 Oct 2017 02:21 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

12 Oct 2017 02:21 Scan finished. 2 objects scanned. No threats or PUAs found. 0 reputation apps found.

12 Oct 2017 02:26 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

I then performed a manual scan and the log entry is:

12 Oct 2017 02:29 Scan finished. 158 objects scanned. No threats or PUAs found. 0 reputation apps found.

Internet on the device was then switched on and Sophos AV seems to have performed another update, as the last update in the settings page shows the date as 12 Oct 2017 02:30. I then have three log entries:

12 Oct 2017 02:36 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

12 Oct 2017 02:36 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

12 Oct 2017 02:36 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

I have no idea what Sophos is trying to do as it doesn't seem consistent. I can understand the scan being performed when the AV engine has been updated, but not when my device's Internet is turned off, or showing 0 objects being scanned when a scheduled or manual scan shows more than 0 objects scanned.

I have only noticed the scan entries at night though, i.e. after 2300 hours. The schedule interval is set to every 6 hours. Think I might change it to every 12 hours to see what it does.

Hmm, just noticed that when inserting an external storage SD card into my device, Sophos seems to have placed another duplicate in the logs:

13 Oct 2017 21:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

13 Oct 2017 21:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

13 Oct 2017 21:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.

The entry below is the result of my storage SD card scan. Have no idea what the duplicate log entry mentioned above is though:

13 Oct 2017 21:21 Scan finished. 273 objects scanned. No threats or PUAs found. 0 reputation apps found.

Does anyone know what Sophos is doing with the duplicate entries?



  • Been looking at the Sophos logs (back in October) to see if the logs give me any details on the duplicate log results, and came across two apps that came preinstalled on the device making suspicious calls:

    1) ES File Explorer V3.2.2.5 and

    2) Kingsoft Office V7.0

    According to the logs it seems ES File Explorer is making suspicious shell commands and Super User commands

    And

    Kingsoft Office is making suspicious shell commands

    No idea what they are though, as the logs don't mention any more details.

    Here are the logs:

    "Nge_sta;2017/10/13 17:19:45; I; App com.estrongs.android.pop calls suspicious shell commands"

    "Nge_sta;2017/10/13 17:19:45; I; App com.estrongs.android.pop calls Super User Commands"

    "Nge_sta;2017/10/13 17:19:45; I; App com.estrongs.android.pop has emulator detection"

    "Nge_sta;2017/10/13 17:20:12; I; App cn.wps.moffice_eng app calls suspicious shell command"

    Anyway, on to the duplicate logs: it seems the duplicate log results in the Sophos app that I'm seeing coincide with the detection of folder creation when opening/starting an app, which results in Sophos outputting results such as:

    "13 Oct 2017 21:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 low reputation apps found"

    I performed a small test to see if Sophos outputs any logs. I started the camera app (which had not been opened) and took a test photo.

    The Sophos logs contained two log entries stating:

    "0 objects scanned. No threats or PUAs found. 0 low reputation apps found"

    These entries match the time that I performed the camera test. Think as the system creates folders such as the DCIM folder, Sophos gets alerted to the change and initiates a scan of some sort to see if the changes are suspicious or malicious etc., hence the log results.

    Think it would be nice for the logs to state what's been detected and have one entry of the result instead of multiple entries, as to the user it seems the duplicate logs are reporting the same results multiple times.

    Some apps when opened seem to chuck out a dozen or so duplicate log entries though. As an example, I opened a PDF file using Kingsoft Office via the email app. The logs produced about 13 log entries, with the majority of those logs stating "0 objects scanned" as Sophos detected changes in the system.
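An added example, not part of the original posts and not Sophos code: a small Python script that collapses identical scan-result entries into one row with a repeat count and groups the `Nge_sta` trace findings by package. The two regular expressions are assumptions inferred only from the lines quoted in this thread, and the sample input is constructed from those same lines.

```python
import re
from collections import defaultdict

# Constructed sample input: entries copied in shape from the lines quoted in the thread.
SCAN_LOG = """\
13 Oct 2017 21:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.
13 Oct 2017 21:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.
13 Oct 2017 21:20 Scan finished. 0 objects scanned. No threats or PUAs found. 0 reputation apps found.
13 Oct 2017 21:21 Scan finished. 273 objects scanned. No threats or PUAs found. 0 reputation apps found.
"""
TRACE_LOG = '''\
"Nge_sta;2017/10/13 17:19:45; I; App com.estrongs.android.pop calls suspicious shell commands"
"Nge_sta;2017/10/13 17:19:45; I; App com.estrongs.android.pop calls Super User Commands"
"Nge_sta;2017/10/13 17:19:45; I; App com.estrongs.android.pop has emulator detection"
"Nge_sta;2017/10/13 17:20:12; I; App cn.wps.moffice_eng app calls suspicious shell command"
'''

# Assumed line shapes, inferred only from the quoted entries (not a documented format).
SCAN_RE = re.compile(
    r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}) ((?:\w+ )?[Ss]can) finished\. (\d+) objects scanned\.")
TRACE_RE = re.compile(
    r'^"?\w+;(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}); \w; App (\S+) (.+?)"?$')

def collapse_scans(text):
    """Merge identical scan results (same minute, kind, object count) into one row with a count."""
    counts = {}  # a dict keeps first-seen order
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            key = (m.group(1), m.group(2), int(m.group(3)))
            counts[key] = counts.get(key, 0) + 1
    return [key + (n,) for key, n in counts.items()]

def findings_by_app(text):
    """Group trace-log findings by Android package name."""
    apps = defaultdict(list)
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            apps[m.group(2)].append((m.group(1), m.group(3)))
    return dict(apps)

if __name__ == "__main__":
    for when, kind, objects, n in collapse_scans(SCAN_LOG):
        print(f"{when}  {kind}: {objects} objects scanned  (x{n})")
    for pkg, items in findings_by_app(TRACE_LOG).items():
        print(pkg, [what for _, what in items])
```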