Hello,
since a couple of days I get every night a popup of an app scan which doesn't give me the name of the app, just "".
In german the popup says: ist sauber // "" wurde gescannt.
In englisch something like: is clean // ""was scanned.
I don't find any logs where I can see which apk was scanned to identify if it's malware or something else.
Any ideas how to get more information about the scan?
Thanks in advanced!
Best regards,
Tobias
This issue will be fixed in a future version of Sophos Intercept X Mobile.
I get the same thing. Started about 2 weeks ago or so.
This is Pixel 4a
Based on recommendation from Kushal "Qoosh" above I sent myself the logs
smsec.sophos.log seems to be indicating this at about the correct time:
Scanner; 2022/07/04 14:22:02; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.
com.sophos.smsec.trace.sophos.log shows this:
SMSecLog; 2022/07/04 14:22:02; I; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.SMSecLog; 2022/07/04 14:22:02; I; SDSMSecLog; 2022/07/04 14:22:02; I; SDApplicationHelper; 2022/07/04 14:22:02; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.Persist; 2022/07/04 14:22:02; I; Command executed: persist_cmd_onInstall_scan id: 704399604
I am guessing the relevant part is this: Loading AppName of com.google.android.trichromelibrary_463807433 failed
Sounds like it scanned it ok but then failed to get the name from it or wherever it is trying to get that name from.
Looks like I did not include enough log lines before. I sent myself logs again and here are all of the relevant logs entries in com.sophos.smsec.trace.sophos.log for the most recent occurrence:
SBR; 2022/07/05 15:15:30; I; On install scan started for package: com.google.android.trichromelibrary_463807433paHistory; 2022/07/05 15:15:30; I; Cannot find packagePersist; 2022/07/05 15:15:30; I; inserted command='Command [type='persist_cmd_onInstall_scan', transitionId='-1', commandId='704399604', delay='null', parameter=[, parameter1='com.google.android.trichromelibrary_463807433']]' in queue.Persist; 2022/07/05 15:15:30; I; Executing command persist_cmd_onInstall_scanApplicationHelper; 2022/07/05 15:15:30; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.SavEngineTask; 2022/07/05 15:15:30; W; File not found: com.google.android.trichromelibrary_463807433ScanThreadTask; 2022/07/05 15:15:30; E; No valid Result in sendItemResultMessage for 'com.google.android.trichromelibrary_463807433'.SMSecLog; 2022/07/05 15:15:30; I; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.SMSecLog; 2022/07/05 15:15:30; I; Automatic scan of app 'trichromelibrary_463807433' (com.google.android.trichromelibrary_463807433) finished. No threats or PUAs found.SMSecLog; 2022/07/05 15:15:30; I; SDSMSecLog; 2022/07/05 15:15:30; I; SDApplicationHelper; 2022/07/05 15:15:30; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed.Persist; 2022/07/05 15:15:30; I; Command executed: persist_cmd_onInstall_scan id: 704399604Sophos; 2022/07/05 15:15:30; I; Start App protection watchdogAppProtection; 2022/07/05 15:15:30; I; App protection watchdog: load settingsSophos; 2022/07/05 15:15:30; I; No Apps to protect, run only monitor!Sophos; 2022/07/05 15:15:30; I; No monitor presentSophos; 2022/07/05 15:15:30; I; Leaving App protection watchdog
It does not appear that the scan is succeeding after all. It looks more like the file goes missing from the scan engine view instead. Also it says this is triggered by an "On install scan". So this looks more concerning to me now.
Cannot find package
File not found: com.google.android.trichromelibrary_463807433
No valid Result in sendItemResultMessage for 'com.google.android.trichromelibrary_463807433'.
From the following forum link, I was able to gather some additional information on this. "trichromelibrary" is a system app pushed out to Android devices to aid in rendering web pages. Previously, this was handled using Google Chrome built into the OS.- Trichromelibrary was suddenly downloading from Google Play Store
This application should be treated as a system app. Do you know if you have the option "Scan system apps" enabled?
Scan system apps is not enabled. This is occurring when I am not using the device usually just once a day around the same time. I researched that app as well. Some people were suggesting to update Android System WebView but when I go to that in the play store it doesn't seem to actually be installed. I updated all of my apps that offered updates including chrome and it still happened again today. I removed and reinstalled sophos yesterday as well but still happening.
It sounds similar to this issue related to bitdefender: https://community.bitdefender.com/en/discussion/89223/bitdefender-security-keeps-uninstalling-com-google-android-trichrome-library
In that case bitdefender devs rolled out a fix of some kind.
Not sure it matters but when I go to apps >> show system apps - This com.google.android.trichromelibrary is not listed. Many other system apps seem to follow that same sort of naming pattern, com.android.whatever, com.google.android.whatever, etc... But com.google.android.trichromelibrary is not there.
Thank you for helping and verifying that I'm not alone.
My logs doesn't helped anyway, I didn't found a log entry that would help to find the app.
I even didn't had scan system app enabled, but enabled for test, but same issue comes up.
[EDIT]
Tonight, I've got finally the same log as PBJ_Family
SDCard ObserverWrapper; 2022/07/08 03:51:22; I; Removed 3 recently scanend file(s) from list. SBR; 2022/07/08 03:51:34; I; On install scan started for package: com.google.android.trichromelibrary_463807433 paHistory; 2022/07/08 03:51:34; I; Cannot find package Persist; 2022/07/08 03:51:34; I; inserted command='Command [type='persist_cmd_onInstall_scan', transitionId='-1', commandId='704399604', delay='null', parameter=[, parameter1='com.google.android.trichromelibrary_463807433']]' in queue. Persist; 2022/07/08 03:51:34; I; Executing command persist_cmd_onInstall_scan ApplicationHelper; 2022/07/08 03:51:34; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed. SavEngineTask; 2022/07/08 03:51:34; W; File not found: com.google.android.trichromelibrary_463807433 ScanThreadTask; 2022/07/08 03:51:34; E; No valid Result in sendItemResultMessage for 'com.google.android.trichromelibrary_463807433'. SMSecLog; 2022/07/08 03:51:34; I; Automatischer Scan von App „trichromelibrary_463807433“ (com.google.android.trichromelibrary_463807433) beendet. Keine Bedrohungen oder PUAs gefunden. SMSecLog; 2022/07/08 03:51:34; I; Automatischer Scan von App „trichromelibrary_463807433“ (com.google.android.trichromelibrary_463807433) beendet. Keine Bedrohungen oder PUAs gefunden. SMSecLog; 2022/07/08 03:51:34; I; SD SMSecLog; 2022/07/08 03:51:34; I; SD ApplicationHelper; 2022/07/08 03:51:34; E; Loading AppName of com.google.android.trichromelibrary_463807433 failed. Persist; 2022/07/08 03:51:34; I; Command executed: persist_cmd_onInstall_scan id: 704399604 Sophos; 2022/07/08 03:51:36; I; Start App protection watchdog AppProtection; 2022/07/08 03:51:36; I; App protection watchdog: load settings Sophos; 2022/07/08 03:51:36; I; No Apps to protect, run only monitor! Sophos; 2022/07/08 03:51:36; I; No monitor present Sophos; 2022/07/08 03:51:36; I; Leaving App protection watchdog
[/EDIT]
Thank you both for sharing additional information on this. I have reached out internally to inquire further into this so changes can be made to recognize the app correctly. I will follow up on this thread with any information I'm able to share.
Updated my last post, because I've got finally the same log entries.
It seems that the app "com.google.android.trichromelibrary_463807433" get's an update (install scan) but was removed directly so the scan doesn't get the name of the app.