This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central, High Sierra, Files "Held" before appearing

On High Sierra, latest version, when I drag a file from an email, or do any sort of File / Save operation in any program, the file is "held" for a period of time before appearing on the desktop or wherever I save the file. After 5 to 30 seconds, the file appears. Larger files take longer amounts of time to appear.

My guess is that Sophos is "holding" these files and scanning them before they're showing up in their folder. The faster and more modern the Mac, the faster the files appear in their destination. It's a huge problem because you save a file, check the destination, it's not there, so you save it again, still not there, wonder what you're doing wrong, save it again, and then all of a sudden 5 of the files appear all at once.

It's not to a network drive, it's to anywhere on my local computer. I can duplicate this over multiple laptops.

How do I fix this?



This thread was automatically locked due to age.
  • I'm also experiencing this issue and first noticed it with doing screen caps.  Since updating to the latest OS, screencaps take anywhere between 5-18 seconds to appear on the desktop. This issue also coincides with the latest update to the Endpoint app, because when we were testing High Sierra, we never experienced any of these issues with the previous version of Sophos Anti-virus. We've tried temporarily disabling real-time scanning, but that didn't seem to help much.

  • Only work-around I found, is to turn off the Sophos Endpoint UIServer extension in the system preferences.  The annoying thing is, it turns back on after a restart.  Not sure why this extension is causing the holdup.

  • Where is this extension and how did you disable it? Any other ill effects on the system after you disable it?

    If it keeps opening every startup I'll just remove permissions to the actual file to prevent Sophos from opening it. Pretty ridiculous, saving a PDF or copying a file to the desktop on my 2014 MBP literally takes 30+ seconds.

  • You can find the extension within the main OS System Preferences ->Extensions.  Apparently, it just adds the option to scan files on-demand from the right-click menu, that's it.

      

    You can also try to disable it by trashing the Sophos Endpoint UIServer.plist file in the LaunchAgents folder (Macintosh HD/Library/LaunchAgents), but it keeps regenerating.  The only workaround is to avoid saving files to the desktop entirely (ie. save to your documents folder).  Sophos informed me that they hope to fix this with the next version (9.7.6) but that will be some time in Q3 of this year.

  • Thanks!

    I just edited the .plist file in a Text Editor and changed the file location in the /array variable to a file location that doesn't exist. I'll see if that "sticks". I have many computers effected by this bug and it's been driving the users insane for months.

    Shame they won't be fixing it until Q3. My contract is up in Q2, and I won't be renewing for multiple reasons, with this bug just being the icing on the horrible tasting Sophos cake that we've been choking down the past 2 years.

  • Ah, it was a sly one and after a reboot, it figured out how to edit itself and turn itself back on even after editing the .plist file. The end result was to edit the .plist file (I just added "-donotuse" to the executable listed in the /array field). Then, Lock the file to prevent Sophos from changing it, by using:

    sudo chflags uchg com.sophos.endpoint.uiserver.plist

    After a reboot, the Extension remained disabled and I was able to save to my Desktop without a 20 second delay.

  • Dang, it has unlocked itself, changed the /array field on the .plist file, and thwarted my plans. Time to hit it with a huge hammer.

    Oh, how I hate you Sophos. Can't wait to give your salespeople a piece of my mind when you try in vain to sell me on another year.

  • LOL!  To re-iterate a previous reply I made to Sophos support, "...your product is more VIRUS than anti-virus."  We too have sent a complaint with our sales vendor about our negative experiences with Sophos so far.

  • Looking down my list of endpoints in the Sophos Central console I don't see a single report of any actual virus or malware. Just hundreds of false positives that I have no ability to mass Acknowledge. The Dashboard looks nice but it's actual functionality is a joke.

    One of my favorite non-features is that I can't setup distribution lists for various alerts. Every time a computer goes out of date, it emails every single Sophos administrator, from the lowliest helpdesk employee to the top IT manager. There's no way to tell it to only email certain people for certain alerts, so in the end everyone just spam filters them, except for the IT managers who of course worry that their systems suddenly got infected because Sophos sent yet another false positive.

    I flat out despise this product.

  • Yes, email alerts are annoying and most of them are false positives.  I couldn't believe I don't have the ability to turn any of those off.  I had to VOTE to turn that "feature" to turn it off.  So odd.

    In lighter news, just got an update from Sophos support.  Here's what they wrote:

    "9.7.6 is starting release late next week through the end of the month. It includes the change to keep the Finder Extension off if the user has turned it off. Note that this is a per user setting, so each user would need to un-select it. I'll let you know when it finishes release."