Android: Sophos Intercept X for Mobile - ["" wurde gescannt.]

Hello,

For a couple of days now, I have been getting a popup from an app scan every night which doesn't give me the name of the app, just "".

In German the popup says: ist sauber // "" wurde gescannt.

In English, something like: is clean // "" was scanned.

 

I can't find any logs where I can see which APK was scanned, to identify whether it's malware or something else.

Any ideas how to get more information about the scan?

Thanks in advance!

Best regards,

Tobias



Added TAGs
[edited by: Qoosh at 10:59 PM (GMT -7) on 11 Jul 2022]
  • I get the same thing.  Started about 2 weeks ago or so.

    This is Pixel 4a

    Based on recommendation from Kushal "Qoosh" above I sent myself the logs

    smsec.sophos.log seems to be indicating this at about the correct time:

    Scanner; 2022/07/04 14:22:02; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.

    com.sophos.smsec.trace.sophos.log shows this:

    SMSecLog; 2022/07/04 14:22:02; I; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.
    SMSecLog; 2022/07/04 14:22:02; I; SD
    SMSecLog; 2022/07/04 14:22:02; I; SD
    ApplicationHelper; 2022/07/04 14:22:02; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.
    Persist; 2022/07/04 14:22:02; I; Command executed: persist_cmd_onInstall_scan id: 704399604

    I am guessing the relevant part is this: Loading AppName of com.google.android.trichromelibrary_463807433 failed

    Sounds like it scanned it ok but then failed to get the name from it or wherever it is trying to get that name from.

  • Looks like I did not include enough log lines before.  I sent myself logs again and here are all of the relevant log entries in com.sophos.smsec.trace.sophos.log for the most recent occurrence:

    SBR; 2022/07/05 15:15:30; I; On install scan started for package: com.google.android.trichromelibrary_463807433
    paHistory; 2022/07/05 15:15:30; I; Cannot find package
    Persist; 2022/07/05 15:15:30; I; inserted command='Command [type='persist_cmd_onInstall_scan', transitionId='-1', commandId='704399604', delay='null', parameter=[, parameter1='com.google.android.trichromelibrary_463807433']]' in queue.
    Persist; 2022/07/05 15:15:30; I; Executing command persist_cmd_onInstall_scan
    ApplicationHelper; 2022/07/05 15:15:30; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.
    SavEngineTask; 2022/07/05 15:15:30; W; File not found: com.google.android.trichromelibrary_463807433
    ScanThreadTask; 2022/07/05 15:15:30; E; No valid Result in sendItemResultMessage for 'com.google.android.trichromelibrary_463807433'.
    SMSecLog; 2022/07/05 15:15:30; I; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.
    SMSecLog; 2022/07/05 15:15:30; I; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.
    SMSecLog; 2022/07/05 15:15:30; I; SD
    SMSecLog; 2022/07/05 15:15:30; I; SD
    ApplicationHelper; 2022/07/05 15:15:30; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.
    Persist; 2022/07/05 15:15:30; I; Command executed: persist_cmd_onInstall_scan id: 704399604
    Sophos; 2022/07/05 15:15:30; I; Start App protection watchdog
    AppProtection; 2022/07/05 15:15:30; I; App protection watchdog: load settings
    Sophos; 2022/07/05 15:15:30; I; No Apps to protect, run only monitor!
    Sophos; 2022/07/05 15:15:30; I; No monitor present
    Sophos; 2022/07/05 15:15:30; I; Leaving App protection watchdog

    It does not appear that the scan is succeeding after all. It looks more like the file goes missing from the scan engine view instead.  Also it says this is triggered by an "On install scan".  So this looks more concerning to me now.

    Cannot find package

    File not found: com.google.android.trichromelibrary_463807433

    No valid Result in sendItemResultMessage for 'com.google.android.trichromelibrary_463807433'.
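The correlation made in the post above can be automated. The following is an added example, not Sophos code and not part of the original thread: it parses lines in the `com.sophos.smsec.trace.sophos.log` format quoted here and reports packages that received a "No threats or PUAs found" verdict although the same log records a scan-engine failure for them. The message patterns are taken from the quoted lines; `com.example.notes` is a constructed control entry, and matching per package over the whole log (rather than per time window) is a simplifying assumption.

```python
import re
from collections import defaultdict

# "Component; YYYY/MM/DD hh:mm:ss; Level; Message" as quoted in the thread
LINE = re.compile(r"^\s*([^;]+); (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d); ([IWE]); (.*)$")
CLEAN = re.compile(r"\(([^)]+)\) (?:finished\. No threats or PUAs found"
                   r"|beendet\. Keine Bedrohungen oder PUAs gefunden)")
SIGNALS = {
    "file_not_found": re.compile(r"File not found: (\S+)"),
    "no_valid_result": re.compile(r"No valid Result in sendItemResultMessage for '([^']+)'"),
    "app_name_failed": re.compile(r"Loading AppName of (\S+) failed"),
}
ENGINE_FAILURES = {"file_not_found", "no_valid_result"}

# Sample input: the first six lines follow the thread's log excerpt,
# the last two (com.example.notes) are constructed for contrast.
SAMPLE = """\
SBR; 2022/07/05 15:15:30; I; On install scan started for package: com.google.android.trichromelibrary_463807433
paHistory; 2022/07/05 15:15:30; I; Cannot find package
ApplicationHelper; 2022/07/05 15:15:30; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.
SavEngineTask; 2022/07/05 15:15:30; W; File not found: com.google.android.trichromelibrary_463807433
ScanThreadTask; 2022/07/05 15:15:30; E; No valid Result in sendItemResultMessage for 'com.google.android.trichromelibrary_463807433'.
SMSecLog; 2022/07/05 15:15:30; I; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.
SBR; 2022/07/05 16:00:00; I; On install scan started for package: com.example.notes
SMSecLog; 2022/07/05 16:00:01; I; Automatic scan of app 'Notes' (com.example.notes) finished. No threats or PUAs found.
"""

def unverified_clean(log_text):
    """Map package -> failure signals for 'clean' verdicts the engine could not back up."""
    failures, clean = defaultdict(set), set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the trace format
        _component, _ts, level, msg = m.groups()
        hit = CLEAN.search(msg)
        if hit:
            clean.add(hit.group(1))
        if level in ("W", "E"):
            for name, rx in SIGNALS.items():
                hit = rx.search(msg)
                if hit:
                    failures[hit.group(1)].add(name)
    # A missing app name alone is cosmetic; require an engine-level failure.
    return {p: sorted(failures[p]) for p in sorted(clean) if failures[p] & ENGINE_FAILURES}

if __name__ == "__main__":
    print(unverified_clean(SAMPLE))
```
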

  • From the following forum link, I was able to gather some additional information on this. "trichromelibrary" is a system app pushed out to Android devices to aid in rendering web pages. Previously, this was handled using Google Chrome built into the OS.
    - Trichromelibrary was suddenly downloading from Google Play Store

    This application should be treated as a system app. Do you know if you have the option "Scan system apps" enabled?

    Kushal Lakhan
    Global Community Support Engineer
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Scan system apps is not enabled.  This is occurring when I am not using the device, usually just once a day around the same time.  I researched that app as well.  Some people were suggesting to update Android System WebView, but when I go to that in the Play Store it doesn't seem to actually be installed.  I updated all of my apps that offered updates, including Chrome, and it still happened again today.  I removed and reinstalled Sophos yesterday as well, but it is still happening.

    It sounds similar to this issue related to Bitdefender: https://community.bitdefender.com/en/discussion/89223/bitdefender-security-keeps-uninstalling-com-google-android-trichrome-library

    In that case the Bitdefender devs rolled out a fix of some kind.

    Not sure it matters but when I go to apps >> show system apps - This com.google.android.trichromelibrary is not listed.  Many other system apps seem to follow that same sort of naming pattern, com.android.whatever, com.google.android.whatever, etc...  But com.google.android.trichromelibrary is not there.

  • Thank you for helping and verifying that I'm not alone.

    My logs didn't help anyway; I didn't find a log entry that would help to find the app.

    I didn't even have "Scan system apps" enabled; I enabled it as a test, but the same issue comes up.

    [EDIT]

    Tonight, I finally got the same log as  

    SDCard ObserverWrapper; 2022/07/08 03:51:22; I; Removed 3 recently scanend file(s) from list.
    SBR; 2022/07/08 03:51:34; I; On install scan started for package: com.google.android.trichromelibrary_463807433
    paHistory; 2022/07/08 03:51:34; I; Cannot find package
    Persist; 2022/07/08 03:51:34; I; inserted command='Command [type='persist_cmd_onInstall_scan', transitionId='-1', commandId='704399604', delay='null', parameter=[, parameter1='com.google.android.trichromelibrary_463807433']]' in queue.
    Persist; 2022/07/08 03:51:34; I; Executing command persist_cmd_onInstall_scan
    ApplicationHelper; 2022/07/08 03:51:34; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.
    SavEngineTask; 2022/07/08 03:51:34; W; File not found: com.google.android.trichromelibrary_463807433
    ScanThreadTask; 2022/07/08 03:51:34; E; No valid Result in sendItemResultMessage for 'com.google.android.trichromelibrary_463807433'.
    SMSecLog; 2022/07/08 03:51:34; I; Automatischer Scan von App „trichromelibrary_463807433“ (com.google.android.trichromelibrary_463807433) beendet. Keine Bedrohungen oder PUAs gefunden.
    SMSecLog; 2022/07/08 03:51:34; I; Automatischer Scan von App „trichromelibrary_463807433“ (com.google.android.trichromelibrary_463807433) beendet. Keine Bedrohungen oder PUAs gefunden.
    SMSecLog; 2022/07/08 03:51:34; I; SD
    SMSecLog; 2022/07/08 03:51:34; I; SD
    ApplicationHelper; 2022/07/08 03:51:34; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.
    Persist; 2022/07/08 03:51:34; I; Command executed: persist_cmd_onInstall_scan id: 704399604
    Sophos; 2022/07/08 03:51:36; I; Start App protection watchdog
    AppProtection; 2022/07/08 03:51:36; I; App protection watchdog: load settings
    Sophos; 2022/07/08 03:51:36; I; No Apps to protect, run only monitor!
    Sophos; 2022/07/08 03:51:36; I; No monitor present
    Sophos; 2022/07/08 03:51:36; I; Leaving App protection watchdog

    [/EDIT]

  • Thank you both for sharing additional information on this. I have reached out internally to inquire further into this so changes can be made to recognize the app correctly. I will follow up on this thread with any information I'm able to share.

    Kushal Lakhan
    Global Community Support Engineer
  • Updated my last post, because I finally got the same log entries.

    It seems that the app "com.google.android.trichromelibrary_463807433" gets an update (install scan) but was removed directly, so the scan doesn't get the name of the app.