Sophos Free A-V For Mac May Kill Time Machine Backups
kdawson writes "Herewith the tale of the instantaneous loss of 19 months of Time Machine backup data, with the possible involvement of a fresh install of Sophos's new free Mac A-V package. Sophos support has been contacted but has not responded as of this writing."
You sometimes get what you pay for.
. waterwingz
As he apparently did. Perhaps it wasn't clear enough, but it's not like it just randomly did it.
Also, backups are backups. He can just create new ones.
With a little sophostry installed from Sophos, backups are a thing of the past. You will now never lose a file either due to virus, trojan, or simple human error. Want to revert to how your essay looked 12 hours ago? You no longer need to! Sophos magically takes care of all errors and mistakes for you ahead of time, freeing you up to work effortlessly and error-free on your gorgeous Mac without the constant file churning that Time Machine used.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Sounds like a virus, you should install AV
Compared to Norton, Symantec, and the other system-strangling solutions available for virus detection, Sophos is definitely the leading provider. When I was at college (10 years ago), their software scanned everything coming in and going out, and yet hardly slowed the systems down at all (yes, if you had a local machine Admin account you could end the process and prove this!)
I would be surprised if this turned out to be true.
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
After looking through the article, while the user seems to have erred in taking Sophos and Time Machine both at their word -- I need to re-read the part he was talking about VMs, something there didn't sound right but I'm not sure what -- and been a little too quick with the OK button, it does strike me as odd that Sophos didn't drop some kind of error when it tried to write to the backup file.
"I am an Adept of Tantric VAX."
He tried to open a quarantined file, once with the 'cat' command and once with vi, as root, and both times Sophos warned him and prevented him from proceeding. Now, the code for the 'cat' command is quite simple, it basically just does an open(2) of the file and then issues a series of read(2). My question is: Does Sophos actually intercept the system calls in order to make sure no application opens an infected file? If so, wouldn't that introduce a HUGE performance penalty on everything happening on the machine, since these system calls are so crucial?
Not sure why, film at 11.
... Then this is a serious hit to Sophos as they have a very good reputation. Having said that, AFAIK this is their first Mac app. So perhaps it needed more QA before release. Until more reports of this phenomenon appear, I'd reserve judgment. However it might be wise for Sophos to get out front of this issue before the spin gets out of control.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
...data all the time. I thought this was a feature. Even my non-techie wife knows what a "corrupt sparsebundle" is....
The closest I've ever come to AV software has been running clamav on a Slackware machine acting as a mail server, but I do understand how they work. It doesn't look like it was the AV's fault.
Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.
Anyway, this guy killed both Sophos and the Time Machine process in the middle of a backup, while they were both trying to access his backup disk.
Backup disks should never be treated in that way, and you should actually never sync against your only copy of a backup. That is plain stupidity. Backups should be done in two stages:
Active Data -> Backup server -> Offline backup.
Connecting your only copy of your backup to where your precious data is means you have both copies of your information connected and mounted in a single computer. That's beyond stupid.
Anyway, it seems like Apple's fault. I've used Rsync for ages. You can kill an rsync process, and recover from where you started, but I can see how cheaper backup alternatives might screw everything up if you killed them in the middle of an operation.
I don't know how data is stored on TM's timecapsules, but it doesn't seem to be transactional or secure, based on the way this guy lost so much data in a split second.
I guess my policy of staying away from anything proprietary, and using server-class, proven backup solutions in the proper way (data -> backup server -> offline storage), using fully transactional solutions, and always backing up to separate instances on the second stage (instead of replacing) is the only solution, as I've never lost a byte, while I keep hearing terrible stories of data loss, empty backups and massive filesystem corruption (yeah, mostly from windows/mac users).
WTF am I doing replying to an AC at 5 A.M on a Friday night?
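The "separate instances instead of replacing" scheme the commenter describes can be made transactional in the sense they mean. As an added example (not code from the post, from Time Machine, or from rsync), this Python function writes each backup into its own directory, hard-links unchanged files to the previous snapshot the way rsync's --link-dest does, and publishes the result with an atomic rename, so a run killed mid-copy leaves every earlier snapshot untouched. The names snapshot, _unchanged, the "latest" symlink and the ".partial" suffix are this example's own conventions.

```python
"""Snapshot backup: every run produces a separately named copy and publishes
it only with an atomic rename, so an interrupted run can never damage an
earlier snapshot. Unchanged files are hard-linked to the previous snapshot
(the same space-saving idea rsync's --link-dest implements)."""
import os
import shutil
import time
from pathlib import Path


def _unchanged(src: Path, prev: Path) -> bool:
    """Quick check: same size and whole-second mtime as the previous snapshot.
    Like rsync's default check, it misses a same-size edit within one second."""
    if not prev.is_file():
        return False
    a, b = src.stat(), prev.stat()
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)


def snapshot(source: str, repo: str, stamp: str = "") -> str:
    """Copy `source` to repo/<stamp>; return the new snapshot's path."""
    src, rep = Path(source), Path(repo)
    rep.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    final, partial = rep / stamp, rep / (stamp + ".partial")
    latest = rep / "latest"
    prev = latest.resolve() if latest.is_symlink() else None
    # A leftover .partial from a killed run is garbage: discard it, never promote it.
    if partial.exists():
        shutil.rmtree(partial)
    for path in src.rglob("*"):
        rel = path.relative_to(src)
        dest = partial / rel
        if path.is_dir():
            dest.mkdir(parents=True, exist_ok=True)
            continue
        dest.parent.mkdir(parents=True, exist_ok=True)
        if prev is not None and _unchanged(path, prev / rel):
            os.link(prev / rel, dest)   # share the blocks with the old snapshot
        else:
            shutil.copy2(path, dest)    # copy2 keeps mtime for the next quick check
    os.rename(partial, final)           # publish all-or-nothing
    tmp_link = rep / "latest.tmp"
    if tmp_link.is_symlink():
        tmp_link.unlink()
    os.symlink(stamp, tmp_link)
    os.replace(tmp_link, latest)        # swap the "latest" pointer atomically too
    return str(final)
```

Pruning old snapshots is then a separate, explicit step (delete a directory), so no single interrupted run can touch more than the copy it was writing.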
Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.
So.. You are never allowed to download something and try it out, unless it's from a trusted source. Exactly how are normal people supposed to get their programs into said trusted sources? Should we perhaps have an "app store" for all software, putting a few large entities in control of what is acceptable or not?
I also enjoy your naive belief that viruses can only spread by downloading and running infected code. This is not 1989. Compromised web pages, exploiting holes in browsers and browser add-ons, infected non-executable files exploiting holes in applications, and autonomous worms exploiting holes in networked applications and operating systems, are by far the biggest infection vector, for all platforms.
You probably consider running OpenBSD with the minimum number of activated services, pf configured for maximum security, and an external firewall between your system and the internet a good and acceptable solution for everyone, but most people would disagree.
Your solution is not a solution, any more than building customized computers that can only run a specific set of pre-installed and custom made software would be a solution.
It is possible to go without AV software and still have a very low risk of infection, even on Windows, if you are careful. But the problem it is there to solve is a real one.
It's a daemon that copies files that have changed in the last hour to a second hard drive. It's useful for casual development work, and the GUI client is intuitive. I've also used it to recover files after they've been overwritten by buggy programs. It's also come in handy for certain games -- if the autosaved game file from today is less interesting than the autosaved game file from yesterday, or two weeks ago, I can recover the older files.
Yes, you can get the same effect by running VMS, or Git, or adhering to a regular backup schedule, but this makes it easy. All you have to do is make sure that your backup hard drive is connected, and turned on.
if there are no viruses on OSX, why use an antivirus program? don't we have to wait for OSX to be compromised first?
Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
Time Machine stores the backup files on an external hard drive in a specific way such that it can perform the backup task and the possible restore task effectively. In order for this to work no one should modify or delete any data stored in the backup location. This will most likely corrupt the backup.
The author of the article told Sophos AV to delete files from within the Time Machine backup location ... well, of course one can expect that it messes things up.
***Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.***
Uh, Yeah. ... Of Course.
Now that you have solved that problem for us, what are you going to tackle next? World Peace? Finding economists who understand economics? Keeping sociopaths out of political office?
You do understand that the trusted sources solution is utterly impractical once you allow access outside of a closed, rigidly controlled, local network, right?
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
kdawson complains about having lost nineteen months of 'mac life' but what was there to lose? These were backups. They weren't the only location of the files in question, and if there were files stored only in Time Machine, are you also one of those people that keep important files in the trash can?
I'm not saying there isn't a problem if Sophos deleted the backups, just that it isn't that big a deal.
A latent existence
I don't run active antivirus at all, the trick is never to touch the Internet Explorer browser. Another tip is don't download a bunch of pirated programs and run them without scanning them first. I suggest malwarebytes.
I also keep a copy of combofix on a usb drive just in case.
who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
Yes, but I was actually illustrating that Sophos has a very long history of writing quality bug-free software for mission-critical environments, like Governments, Educational Institutions, and large corporations.
The chances of their software not functioning as intended and screwing up systems or backups are far smaller than their lesser counterparts, Symantec et al, and the whole article smells of Troll Fat.
Please never refer to yourself as an editor. Ever.
If you ignore ACs because they are anonymous - you're an idiot.
IMHO a backup of something important should be done with the simplest method possible. Put it on a medium (optical, HD, ...) and put the medium in a cupboard to never touch anymore. Why trust a program of which you don't know exactly what it does and that can be influenced by other programs, as it turns out now?
It's not their first Mac app - we've been running Sophos AV (corporate, non-free) for over 3 years. It supports Windows, Mac OS, and Linux. -ted
Not true. I use Free Software. I was a Slackware user for ages (version 3 through 12, then I switched to Ubuntu). I trust the community. I've never gotten malware into my machine. Security bugs? Sure. They were all promptly fixed.
So, don't say that something that has been a reality for 20 years isn't possible, you sound stupid.
Come on dude.
Use a modern, secure operating system. Use only free software that has been reviewed by the community. Peer-reviewing works, you know?
I only use Free Software. We review everything that goes in those repositories. It's simple, and it works.
Don't use privative software, don't download from untrustworthy sources. Easy.
If you're using Time Machine and you think it'll keep files you've deleted from your original drive around forever, you're mistaken. Time Machine focuses on staying current; if you run out of space on your Time Machine volume, it starts deleting old backups to make room for the new ones. It assumes that since you deleted it, you don't want it anymore. It'll keep it around for a while as a side effect of how it works and as a convenience, but it's not the priority.
It also defeats the whole purpose of backing up: redundancy.
* If something isn't in two or more places, it's not backed up.
* If something is irreplaceable and it's not backed up, you're an idiot.
* If you're an idiot and you lose data, too bad so sad.
Also, don't ever accidentally subject yourself to zero-day exploits in your browser, which means never browse any valid website compromised by malware pushers without the knowledge or consent of the website owner.
In other words, connect your computer only to a fantasy Internet powered by the carbon-offsetting power of unicorn farts and good wishes.
Yes, the world is out to get you. Not you personally, of course; you're not that interesting. Just you as part of the entire gamut of possible malware victims. The same way that a cluster bomb doesn't care if it kills you, but insisting you're cluster-bomb-proof is still naive and silly.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Well, zero-day attacks cannot be detected.
And the only thing the AV will do is to scan for Windoze viruses, and Mac before it got the X in OS X.
So it's more or less completely useless, except for helping the poor mass of sheep that should never be allowed to use a computer because of their stupidity.
The virus scanner asked him whether to delete the files, he clicked "yes" and that's it? So what should the program have done?
My browser runs as a non-privileged user on a secure Unix system. The process itself doesn't have write permission on any executable file, not even itself.
That user is != to my actual user, so it won't even get to my docs or other information. It'll only affect my browser, which can write nowhere but its own home directory. If something like that happened, restarting my browser and killing any process it might have spawned would be enough.
I presume you also do this with your torrent client, IM client, email client, etc? As well as having Adobe Reader under its own account?
I tried doing this for a while... having a separate user for each process that accessed the internet, and for each one that was a major exploit target. However, it became too much of a pain, as there was no process integration, and tossing stuff into the shared bin to transfer files between parts of the filesystem proved to be too annoying -- so I went back to a single userland and an AV solution, which has been much less annoying in the long run.
Dude, what are you running, windows?
I use GNU/Linux. I don't need an AV solution. Process intercommunication is solved by standard means, namely D-Bus. Only my browser runs in a different account.
I don't use Adobe Reader, I use Evince. PDF is not an exploit vector on my platform.
Your problem is crappy software, get rid of it.
I've added a comment from Sophos's Graham Cluley to the end of the blog post. He/they have been quite responsive, especially given that the free A-V product comes without official support. Apparently I am the only one ever to have reported such a problem with Time Machine.