Slashdot Mirror


Sophos Free A-V For Mac May Kill Time Machine Backups

kdawson writes "Herewith the tale of the instantaneous loss of 19 months of Time Machine backup data, with the possible involvement of a fresh install of Sophos's new free Mac A-V package. Sophos support has been contacted but has not responded as of this writing."

5 of 133 comments

  1. seems about right to me by waterwingz · · Score: 2, Interesting

    You sometimes get what you pay for.

    --
    . waterwingz
  2. How does Sophos do this? by MarchHare · · Score: 4, Interesting

    He tried to open a quarantined file, once with the 'cat' command
    and once with vi, as root, and both times Sophos warned him and
    prevented him from proceeding. Now, the code for the 'cat'
    command is quite simple, it basically just does an open(2)
    of the file and then issues a series of read(2) calls. My question
    is: Does Sophos actually intercept the system calls in order
    to make sure no application opens an infected file? If so,
    wouldn't that introduce a HUGE performance penalty on
    everything happening on the machine, since these system calls
    are so crucial?

    1. Re:How does Sophos do this? by goombah99 · · Score: 2, Interesting

      Mac extended attributes tell the OS when not to open a file. For example, com.apple.quarantine gets tagged onto every file you download from the internet unless it's of a set of known safe file types. If you have OS 10.6, try typing ls -loe@ in your downloads folder. When you edit a file, the Mac file system also tags it as changed so it knows it will need to back it up without having to go checksum compare every file like rsync checksums do. Thus it's perfectly possible that the virus software could intercept every file open.

      What I don't like about this is that when I compile code, every time I run it, a warning message gets written to the system log unless I also code sign it before I run it. I can see why this is really good for me and consumers in general, so I put up with it.

      Moreover, Macs also check to see if any executable has a sandbox before it launches as well.

      So there are lots of hooks.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  3. Re:Assuming this is true.... by Anonymous Coward · · Score: 2, Interesting

    Have you double checked to make sure that you can't still see the backup history using the native Time Machine browser app? In my experience with TM failure, one symptom included a sudden change in the amount of free/used space reported - not unlike your experience - see below for more details.

    One of the reasons I switched to Mac was because I liked the Time Machine concept. I use a Seagate USB drive plugged into a MacBook Pro. A few weeks in, Time Machine reports that it is unable to complete a backup. Multiple days later, I was unable to a) fix the TM backups, b) fix the TM file system, c) back up my backup data - despite the fact that TM would still let me browse the data just fine. Somewhere in the sparsebundle there was a bad file, and this kept TM from completing further backups, or from letting me save the still browsable data in a way that would let me re-import it later. Apple support told me to format the drive and live with losing my backup history.

    End result: I haven't run a backup in 196 days, according to TM.

    Conclusion: Time Machine sucks. Apple support knows very little about sparsebundles.

  4. Lost what, exactly? by lga · · Score: 1, Interesting

    kdawson complains about having lost nineteen months of 'mac life' but what was there to lose? These were backups. They weren't the only location of the files in question, and if there were files stored only in Time Machine, are you also one of those people that keep important files in the trash can?

    I'm not saying there isn't a problem if Sophos deleted the backups, just that it isn't that big a deal.