Sophos Free A-V For Mac May Kill Time Machine Backups
kdawson writes "Herewith the tale of the instantaneous loss of 19 months of Time Machine backup data, with the possible involvement of a fresh install of Sophos's new
free Mac A-V package. Sophos support has been contacted but has not responded as of this writing."
you sometimes get what you pay for. - waterwingz
As he apparently did. Perhaps it wasn't clear enough, but it's not like it just randomly did it.
Also, backups are backups. He can just create new ones.
With a little sophostry installed from Sophos, backups are a thing of the past. You will now never lose a file either due to virus, trojan, or simple human error. Want to revert to how your essay looked 12 hours ago? You no longer need to! Sophos magically takes care of all errors and mistakes for you ahead of time, freeing you up to work effortlessly and error-free on your gorgeous Mac without the constant file churning that Time Machine used.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Sounds like a virus, you should install AV
Compared to Norton, Symantec, and the other system-strangling solutions available for virus detection, Sophos is definitely the leading provider. When I was at college (10 years ago), their software scanned everything coming in and going out, and yet hardly slowed the systems down at all (yes, if you had a local machine Admin account you could end the process and prove this!)
I would be surprised if this turned out to be true.
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
After looking through the article, while the user seems to have erred in taking Sophos and Time Machine both at their word -- I need to re-read the part he was talking about VMs, something there didn't sound right but I'm not sure what -- and been a little too quick with the OK button, it does strike me as odd that Sophos didn't drop some kind of error when it tried to write to the backup file.
"I am an Adept of Tantric VAX."
He tried to open a quarantined file, once with the 'cat' command and once with vi, as root, and both times Sophos warned him and prevented him from proceeding. Now, the code for the 'cat' command is quite simple, it basically just does an open(2) of the file and then issues a series of read(2). My question is: Does Sophos actually intercept the system calls in order to make sure no application opens an infected file? If so, wouldn't that introduce a HUGE performance penalty on everything happening on the machine, since these system calls are so crucial?
Not sure why, film at 11.
... Then this is a serious hit to Sophos as they have a very good reputation. Having said that, AFAIK this is their first Mac app. So perhaps it needed more QA before release. Until more reports of this phenomenon appear, I'd reserve judgment. However it might be wise for Sophos to get out front of this issue before the spin gets out of control.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
...data all the time. I thought this was a feature. Even my non-techie wife knows what a "corrupt sparsebundle" is....
Obviously.
Duh!
The closest I've ever come to AV software has been running clamav on a Slackware machine acting as a mail server, but I do understand how they work. It doesn't look like it was the AV's fault.
Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.
Anyway, this guy killed both Sophos and the Time Machine process in the middle of a backup, while they were both trying to access his backup disk.
Backup disks should never be treated in that way, and you should actually never sync against your only copy of a backup. That is plain stupidity. Backups should be done in two stages:
Active Data -> Backup server -> Offline backup.
Connecting your only copy of your backup to where your precious data is means you have both copies of your information connected and mounted in a single computer. That's beyond stupid.
Anyway, it seems like Apple's fault. I've used Rsync for ages. You can kill an rsync process, and recover from where you started, but I can see how cheaper backup alternatives might screw everything up if you killed them in the middle of an operation.
I don't know how data is stored on TM's timecapsules, but it doesn't seem to be transactional or secure, based on the way this guy lost so much data in a split second.
I guess my policy of staying away from anything proprietary, and using server-class, proven backup solutions in the proper way (data -> backup server -> offline storage), using fully transactional solutions, and always backing up to separate instances on the second stage (instead of replacing) is the only solution, as I've never lost a byte, while I keep hearing terrible stories of data loss, empty backups and massive filesystem corruption (yeah, mostly from windows/mac users).
WTF am I doing replying to an AC at 5 A.M on a Friday night?
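The two-stage, separate-instance scheme the post above argues for, as an added example that is not the poster's own code: every run writes a new dated snapshot, staged under a temporary name and renamed only once complete, so a run killed mid-copy (the failure mode in the story) can never damage an earlier snapshot. The use of rsync with --link-dest, the `latest` link name and the cp fallback when rsync is absent are assumptions.

```shell
#!/bin/sh
# Snapshot-style backup: each run creates a NEW directory under the backup root
# instead of replacing the previous copy. Assumed layout (constructed here):
#   $root/<UTC timestamp>/   one complete snapshot per run
#   $root/latest             symlink to the most recent complete snapshot
set -u

snapshot_backup() {
    src=$1; root=$2
    mkdir -p "$root" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    # Two runs inside one second would collide; wait for a fresh name.
    while [ -e "$root/$stamp" ]; do sleep 1; stamp=$(date -u +%Y%m%dT%H%M%SZ); done
    stage="$root/.incoming-$stamp"   # partial data lives here, never under a live name
    final="$root/$stamp"
    if command -v rsync >/dev/null 2>&1 && [ -d "$root/latest" ]; then
        # Unchanged files are hard-linked to the previous snapshot: every snapshot
        # is a full tree, but only changed files cost space.
        rsync -a --link-dest="$root/latest/" "$src/" "$stage/" || { rm -rf "$stage"; return 1; }
    elif command -v rsync >/dev/null 2>&1; then
        rsync -a "$src/" "$stage/" || { rm -rf "$stage"; return 1; }
    else
        # Assumed fallback for hosts without rsync (no deduplication).
        cp -R "$src/." "$stage/" || { rm -rf "$stage"; return 1; }
    fi
    # Commit: a rename is atomic on a local filesystem; only then repoint latest.
    mv "$stage" "$final" || return 1
    ln -sfn "$stamp" "$root/latest"
    printf '%s\n' "$final"
}

# Number of complete snapshots under a backup root; a leftover .incoming-*
# from a killed run is ignored and can simply be deleted.
count_snapshots() {
    n=0
    for d in "$1"/[0-9]*; do [ -d "$d" ] && n=$((n+1)); done
    echo "$n"
}
```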
Can somebody explain to me what the Hell "Time Machine" is in this context?
AV on a UNIX machine is a bad idea in more ways than one. By definition, AV programs go about deleting files. Obviously this can corrupt a system. So the risk of incurring virus damage must significantly outweigh the risk of incurring antivirus damage. On any UNIX system, it is still best not to have AV.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.
So.. You are never allowed to download something and try it out, unless it's from a trusted source. Exactly how are normal people supposed to get their programs into said trusted sources? Should we perhaps have an "app store" for all software, putting a few large entities in control of what is acceptable or not?
I also enjoy your naive belief that viruses can only spread by downloading and running infected code. This is not 1989. Compromised web pages, exploiting holes in browsers and browser add-ons, infected non-executable files exploiting holes in applications, and autonomous worms exploiting holes in networked applications and operating systems, are by far the biggest infection vector, for all platforms.
You probably consider running OpenBSD with the minimum number of activated services, pf configured for maximum security, and an external firewall between your system and the internet a good and acceptable solution for everyone, but most people would disagree.
Your solution is not a solution, any more than building customized computers that can only run a specific set of pre-installed and custom made software would be a solution.
It is possible to go without AV software and still have a very low risk of infection, even on Windows, if you are careful. But the problem it is there to solve is a real one.
I've installed it on my Mac, and run it alongside Time Machine without any difficulties. It even found some occurrences of the EICAR test file and handled them appropriately.
The initial Time Machine backup was admittedly slower than normal, but I haven't noticed any impact since.
if there are no viruses on OSX, why use an antivirus program? don't we have to wait for OSX to be compromised first?
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
Time Machine stores the backup files on an external hard drive in a specific way such that it can perform the backup task and the possible restore task effectively. In order for this to work no one should modify or delete any data stored in the backup location. This will most likely corrupt the backup.
The author of the article told Sophos AV to delete files from within the Time Machine backup location ... well, of course one can expect that it messes things up.
Software that was at the bleeding edge a decade ago might not be that now. Hell, 2 years is a pretty long time in the AV business and 10 years is long enough for larger changes in the environment itself (the amount of data, the type of data, the bottlenecks, the type of malware, etc. all can change in that time).
I don't know much about Sophos: They might or might not be a leading provider. But 10-year-old examples aren't really all that relevant when it comes to any software, especially one that includes such a cat-and-mouse play as AV...
First, we get an article that consists of one idiot posting on a blog who openly admits that he clicked delete himself on the popup and thus caused the problem in the first place. If it had been a critical set of Windows backups, the same thing would have happened, or even the System Restore folders.
Then, I realise it's an article by kdawson who I have deliberately blocked because all their submissions have glaring errors and omissions or are nothing more than rumour, but they've handed it off to another person to post on the site. I BLOCKED kdawson for a reason. Don't start slipping their posts around that block which you enable me to use yourselves.
***Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.***
Uh, Yeah. ... Of Course.
Now that you have solved that problem for us, what are you going to tackle next? World Peace? Finding economists who understand economics? Keeping sociopaths out of political office?
You do understand that the trusted sources solution is utterly impractical once you allow access outside of a closed, rigidly controlled, local network, right?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
of computer users don't care about macs
who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
kdawson complains about having lost nineteen months of 'mac life' but what was there to lose? These were backups. They weren't the only location of the files in question, and if there were files stored only in Time Machine, are you also one of those people that keep important files in the trash can?
I'm not saying there isn't a problem if Sophos deleted the backups, just that it isn't that big a deal.
A latent existence
I don't run active antivirus at all, the trick is never to touch the internet explorer browser. Another tip is don't download a bunch of pirated program and run them without scanning them first. I suggest malwarebytes.
I also keep a copy of combofix on a usb drive just in case.
who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
Please never refer to yourself as an editor. Ever.
If you ignore ACs because they are anonymous - you're an idiot.
The guy sounds like a complete douche and fanboi - drooling on about it being Unix, and having root, and having the 'cat' command. You bent over for Steve Jobs buddy, and now you're finding Macs are just computers too. Sorry for the loss of your innocence.
I want to delete my account but Slashdot doesn't allow it.
IMHO a backup of something important should be done with the simplest method possible. Put it on a medium (optical, HD, ...) and put the medium in a cupboard to never touch anymore. Why trust a program of which you don't know exactly what it does and that can be influenced by other programs as turns out now?
It's not their first Mac app - we've been running Sophos AV (corporate, non-free) for over 3 years. It supports Windows, Mac OS, and Linux. -ted
Not true. I use Free Software. I was a Slackware user for ages (version 3 through 12, then I switched to Ubuntu). I trust the community. I've never gotten malware into my machine. Security bugs? Sure. They were all promptly fixed.
So, don't say that something that has been a reality for 20 years isn't possible, you sound stupid.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Come on dude.
Use a modern, secure operating system. Use only free software that has been reviewed by the community. Peer-reviewing works, you know?
I only use Free Software. We review everything that goes in those repositories. It's simple, and it works.
Don't use privative software, don't download from untrustworthy sources. Easy.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
If you're using Time Machine and you think it'll keep files you've deleted from your original drive around forever, you're mistaken. Time Machine focuses on staying current; if you run out of space on your Time Machine volume, it starts deleting old backups to make room for the new ones. It assumes that since you deleted it, you don't want it anymore. It'll keep it around for a while as a side effect of how it works and as a convenience, but it's not the priority.
It also defeats the whole purpose of backing up: redundancy.
* If something isn't in two or more places, it's not backed up.
* If something is irreplaceable and it's not backed up, you're an idiot.
* If you're an idiot and you lose data, too bad so sad.
Also, don't ever accidentally subject yourself to zero-day exploits in your browser, which means never browse any valid website compromised by malware pushers without the knowledge or consent of the website owner.
In other words, connect your computer only to a fantasy Internet powered by the carbon-offsetting power of unicorn farts and good wishes.
Yes, the world is out to get you. Not you personally, of course; you're not that interesting. Just you as part of the entire gamut of possible malware victims. The same way that a cluster bomb doesn't care if it kills you, but insisting you're cluster-bomb-proof is still naive and silly.
Welcome to the Panopticon. Used to be a prison, now it's your home.
The virus scanner asked him whether to delete the files, he clicked "yes" and that's it? So what should the program have done?
My browser runs as a non-privileged user on a secure Unix system. The process itself doesn't have write permission on any executable file, not even itself.
That user is != to my actual user, so it won't even get to my docs or other information. It'll only affect my browser, which can write nowhere but its own home directory. If something like that happened, restarting my browser and killing any process it might have spawned would be enough.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
There are options to exclude files/directories from the real-time and full scan. The smart move would be to exclude Time Machine backups from the virus scanning. This is something that should have been included as an option in the virus scanner, just like most Windows virus scanners usually exclude the Windows System Restore (shadow copy) directories.
Gates et al just got confused about the Unix approach, where everything is a file, and thought it would be helpful to go even further and make everything an executable. "Helping", just like Clippy used to "help".
Cheers,
I presume you also do this with your torrent client, IM client, email client, etc? As well as having Adobe Reader under its own account?
I tried doing this for a while... having a separate user for each process that accessed the internet, and for each one that was a major exploit target. However, it became too much of a pain, as there was no process integration, and tossing stuff into the shared bin to transfer files between parts of the filesystem proved to be too annoying -- so I went back to a single userland and an AV solution, which has been much less annoying in the long run.
Dude, what are you running, windows?
I use GNU/Linux. I don't need an AV solution. Process intercommunication is solved by standard means, namely Dbus. Only my browser runs in a different account.
I don't use Adobe Reader, I use Evince. PDF is not an exploit vector on my platform.
Your problem is crappy software, get rid of it.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
I've added a comment from Sophos's Graham Cluley to the end of the blog post. He/they have been quite responsive, especially given that the free A-V product comes without official support. Apparently I am the only one ever to have reported such a problem with Time Machine.