Slashdot Mirror


Sophos Free A-V For Mac May Kill Time Machine Backups

kdawson writes "Herewith the tale of the instantaneous loss of 19 months of Time Machine backup data, with the possible involvement of a fresh install of Sophos's new free Mac A-V package. Sophos support has been contacted but has not responded as of this writing."

24 of 133 comments

  1. seems about right to me by waterwingz · · Score: 2, Interesting

    you sometimes get what you pay for.

    --
    . waterwingz
  2. Loss of data, backups disabled without warning? by Anonymous Coward · · Score: 3, Funny

    Sounds like a virus, you should install AV

  3. RTFA First by Caraig · · Score: 2, Informative

    After looking through the article, while the user seems to have erred in taking Sophos and Time Machine both at their word -- I need to re-read the part where he was talking about VMs, something there didn't sound right but I'm not sure what -- and been a little too quick with the OK button, it does strike me as odd that Sophos didn't drop some kind of error when it tried to write to the backup file.

    --
    "I am an Adept of Tantric VAX."
  4. How does Sophos do this? by MarchHare · · Score: 4, Interesting

    He tried to open a quarantined file, once with the 'cat' command
    and once with vi, as root, and both times Sophos warned him and
    prevented him from proceeding. Now, the code for the 'cat'
    command is quite simple, it basically just does a open(2)
    of the file and then issues a series of read(2). My question
    is: Does Sophos actually intercept the system calls in order
    to make sure no application opens an infected file? If so,
    wouldn't that introduce a HUGE performance penalty on the
    everything happening on the machine, since these system calls
    are so crucial?

    1. Re:How does Sophos do this? by 0123456 · · Score: 4, Funny

      If so, wouldn't that introduce a HUGE performance penalty on the everything happening on the machine, since these system calls are so crucial?

      Uh, it's anti-virus software: of course it introduces a huge performance penalty when accessing files. Otherwise, how would you know that it was doing anything?

    2. Re:How does Sophos do this? by bill_mcgonigle · · Score: 5, Funny

      Yes.

      Really, though, on a Mac, it should have a mode that makes it noop unless it's a Microsoft Office app running.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:How does Sophos do this? by goombah99 · · Score: 2, Interesting

      Mac extended attributes tell the OS when not to open a file. For example com.apple.quarantine gets tagged onto every file you download from the internet unless it's of a set of known safe file types. If you have OS 10.6 try typing ls -loe@ in your downloads folder. When you edit a file the Mac file system also tags it as changed so it knows it will need to back it up without having to go checksum compare every file like rsync checksums do. Thus it's perfectly possible that the virus software could intercept every file open.

      What I don't like about this is that when I compile code, every time I run it, a warning message gets written to the system log unless I also code sign it before I run it. I can see why this is really good for me and consumers in general, so I put up with it.

      Moreover, macs also check to see if any executable has a sandbox before it launches as well.

      so there are lots of hooks.

      --
      Some drink at the fountain of knowledge. Others just gargle.
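
The quarantine attribute goombah99 mentions stores a small string on each downloaded file; reading it back is how a defender audits what a download came from before deciding whether a file should have been allowed to open at all. The following is an added example, not code from the original thread: it parses the `flags;timestamp;agent;uuid` layout of `com.apple.quarantine` (flags and timestamp are hex), and reads the attribute through `os.getxattr` where the host supports it. The sample value is constructed; on Linux hosts `os.getxattr` rejects the `com.apple.*` namespace, so the reader treats any `OSError` as "no quarantine tag".

```python
import datetime
import os

QUARANTINE_ATTR = "com.apple.quarantine"

# Constructed sample value in the documented layout: flags;timestamp;agent;uuid
# (0x5c1a2b3c is a hex Unix timestamp from late 2018; the UUID is made up).
SAMPLE_VALUE = "0083;5c1a2b3c;Safari;0B7D1F2E-1111-2222-3333-444455556666"


def parse_quarantine(value):
    """Split a com.apple.quarantine string into its fields.

    flags and timestamp are hexadecimal; the UUID field may be absent on
    older tags, so only the first three fields are required.
    """
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = int(parts[1], 16)
    return {
        "flags": flags,
        "downloaded_at": datetime.datetime.fromtimestamp(
            stamp, datetime.timezone.utc
        ),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def read_quarantine(path):
    """Return the parsed tag for a path, or None when the file carries none.

    Hosts without xattr support, or whose kernel refuses the com.apple.*
    namespace (Linux does), simply report the file as untagged.
    """
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, QUARANTINE_ATTR)
    except OSError:
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


def audit_downloads(directory):
    """Map each regular file in a directory to its quarantine tag (or None).

    This is the scripted equivalent of eyeballing `ls -l@` in ~/Downloads:
    files whose tag names an unexpected agent deserve a second look.
    """
    report = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            report[name] = read_quarantine(full)
    return report


if __name__ == "__main__":
    tag = parse_quarantine(SAMPLE_VALUE)
    print(f"{tag['agent']} downloaded this on {tag['downloaded_at']:%Y-%m-%d}, flags=0x{tag['flags']:04x}")
    for name, t in audit_downloads(os.path.expanduser("~/Downloads")).items():
        print(name, "untagged" if t is None else t["agent"])
```

`audit_downloads` deliberately returns `None` rather than raising for untagged files, because on a Mac an untagged file in Downloads is itself the interesting case: it either bypassed the browser's tagging or had the attribute stripped.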
    4. Re:How does Sophos do this? by am+2k · · Score: 2, Insightful

      That's also why for quite some time my company policy has been at least two CPU cores per computer - one for the virus scanner and the OS/apps can have the rest.

      That doesn't make sense. When the scanner kicks in, the application is blocked on the open() call until the scanner is finished analyzing the file, so your second CPU does nothing, and vice versa.

  5. SOME GUY LOST SOME FILES by wampus · · Score: 2, Funny

    Not sure why, film at 11.

    1. Re:SOME GUY LOST SOME FILES by david_thornley · · Score: 2, Insightful

      It's the media effect. If we invade another country and accidentally kill a few tens of thousands of civilians, and suffer hundreds of casualties, it won't be presented as effectively as the death of the single journalist who got shot in all of this.

      Mess up a few hundred random computer dudes, and nobody may hear of it. Don't even in the slightest mess with a /. editor, or lots of people will know.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  6. Assuming this is true.... by 8127972 · · Score: 3, Insightful

    ... Then this is a serious hit to Sophos as they have a very good reputation. Having said that, AFAIK this is their first Mac app. So perhaps it needed more QA before release. Until more reports of this phenomenon appear, I'd reserve judgment. However it might be wise for Sophos to get out front of this issue before the spin gets out of control.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:Assuming this is true.... by osssmkatz · · Score: 3, Informative

      It isn't their first Mac app. They've been selling it to businesses before now, but businesses don't generally use Time Machine, and would never execute a deletion command using an antivirus on a backup archive while it was running. Not sure whether this is an OS bug, or a Sophos bug, or whether if he had allowed the command to finish, it would have worked fine. (Maybe it was just taking a long time.) --Sam

    2. Re:Assuming this is true.... by baddaybeav · · Score: 3, Insightful

      we've used the business side of it for over a year, major performance headaches... as to the time machine part, if my memory serves, time machine creates one large file (like tar, but a lot more advanced) it saw the "virus" in the one large file, didn't differentiate that and deleted what it saw as the "file containing the bad stuff" now that he's written data to the drive he's lost any good chance at recovery... I guess we'll need a time machine time machine soon.

    3. Re:Assuming this is true.... by zippthorne · · Score: 4, Informative

      No, it's separate files. You can browse it using finder or terminal.

      Unless you're backing up a filevault protected home directory. Then it handles it in just about the stupidest way possible: it saves the whole honking encrypted image as one big file.* And despite the fact that it doesn't decrypt the image, it still only works if you're logged in and the image is open.

      *If you're set up as sparse images, then you do a little better. But still, no incremental backups for you. If a file changes, you have to copy the *whole* thing, because good encryption won't make it obvious which bits of the file are different. Also, I'm not sure it can tell which files are, say, disk cache for the browser....

      --
      Can you be Even More Awesome?!
    4. Re:Assuming this is true.... by kdawson · · Score: 3, Informative

      FYI, I'm not using filevault, just individual files to be backed up... but TM uses sparsebundles in ways I don't begin to understand. One respondent via Twitter suggested that Sophos may have simply been in the process of deleting the entire sparsebundle -- i.e. the entire lot of backups -- when I killed its process. No idea if this is correct. I hope Sophos eventually provides some insight.

    5. Re:Assuming this is true.... by Rosyna · · Score: 3, Informative

      yes, one large file which is actually a sparse disk image.

      it's a sparse disk image bundle thingy. Which uses a bunch of 8MB files, not one file. from the hdiutil man page:

        By default, UDSP images grow one megabyte at a time.
        Introduced in 10.5, UDSB images use 8 MB band files
        which grow as they are written to.. -imagekey
        sparse-band-size=size can be used to specify the
        number of 512-byte sectors that will be added each
        time the image grows. Valid values for SPARSEBUNDLE
        range from 2048 to 262144 sectors (1 MB to 128 MB).

        The maximum size of a SPARSE image is 128 petabytes;
        the maximum for SPARSEBUNDLE is just under 8
        exabytes (2^63 - 512 bytes minus 1 byte). The
        amount of data that can be stored in either type of
        sparse image is additionally bounded by the filesystem
        in the image and by any partition map. compact
        can reclaim unused bands in sparse images backing
        HFS+ filesystems. resize will only change the virtual
        size of a sparse image. See also USING PERSISTENT
        SPARSE IMAGES below.
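
The man page excerpt above explains why a per-file scanner can wreck a bundle: the image is sliced into band files of a fixed size (8 MB by default, configurable via `sparse-band-size` in 512-byte sectors within the 2048..262144 range), and deleting any one band punches a hole through whatever filesystem structure happened to land there. The following is an added example, not code from the thread or from Apple: it validates a band size against the man page's limits, maps a byte offset in the image to the band file that holds it (band files live under `bands/` and are named by their zero-based index in lowercase hex), and checks a byte range against a bundle directory to list the bands that are absent. The bundle it builds under a temp directory is a constructed fixture with an `Info.plist` carrying a `band-size` key and empty band files, not output of `hdiutil`.

```python
import os
import plistlib
import tempfile

SECTOR_BYTES = 512
MIN_BAND_SECTORS = 2048        # 1 MB, lower bound from the hdiutil man page
MAX_BAND_SECTORS = 262144      # 128 MB, upper bound from the man page
DEFAULT_BAND_BYTES = 8 * 1024 * 1024  # the 8 MB default for UDSB images


def band_bytes_from_sectors(sparse_band_size):
    """Validate an -imagekey sparse-band-size value and convert it to bytes."""
    if not MIN_BAND_SECTORS <= sparse_band_size <= MAX_BAND_SECTORS:
        raise ValueError(
            f"sparse-band-size {sparse_band_size} outside "
            f"{MIN_BAND_SECTORS}..{MAX_BAND_SECTORS} sectors"
        )
    return sparse_band_size * SECTOR_BYTES


def band_for_offset(offset, band_bytes=DEFAULT_BAND_BYTES):
    """Return (band file name, offset inside that band) for an image byte offset."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    index, within = divmod(offset, band_bytes)
    return format(index, "x"), within


def bands_for_range(start, length, band_bytes=DEFAULT_BAND_BYTES):
    """All band file names that a contiguous byte range touches, in order."""
    if length <= 0:
        return []
    first = start // band_bytes
    last = (start + length - 1) // band_bytes
    return [format(i, "x") for i in range(first, last + 1)]


def write_constructed_bundle(path, band_bytes=DEFAULT_BAND_BYTES, bands=(0, 1, 2)):
    """Create a stand-in bundle: Info.plist plus empty band files (constructed fixture)."""
    os.makedirs(os.path.join(path, "bands"))
    with open(os.path.join(path, "Info.plist"), "wb") as fh:
        plistlib.dump({
            "band-size": band_bytes,
            "diskimage-bundle-type": "com.apple.diskimage.sparsebundle",
            "size": band_bytes * (max(bands) + 1),
        }, fh)
    for index in bands:
        open(os.path.join(path, "bands", format(index, "x")), "wb").close()


def read_band_size(path):
    """Read the band size the bundle declares in its Info.plist."""
    with open(os.path.join(path, "Info.plist"), "rb") as fh:
        return plistlib.load(fh)["band-size"]


def missing_bands(path, start, length):
    """Band files a byte range needs that are not present under bands/.

    Caveat: a sparse bundle legitimately omits bands that were never written,
    so an absent band is only evidence of damage for a range known to hold
    data (a band that was there before a scan and is gone afterwards, say).
    """
    band_bytes = read_band_size(path)
    present = set(os.listdir(os.path.join(path, "bands")))
    return [b for b in bands_for_range(start, length, band_bytes) if b not in present]


def demo():
    """Build a four-band fixture with band 2 removed and report the gap."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "demo.sparsebundle")
        write_constructed_bundle(bundle, bands=(0, 1, 3))
        return missing_bands(bundle, 0, 4 * DEFAULT_BAND_BYTES)


if __name__ == "__main__":
    print(band_for_offset(26 * DEFAULT_BAND_BYTES + 5))
    print("missing:", demo())
```

The mapping is the useful part for incident triage: given a band name an AV log says it quarantined, `band_for_offset` run in reverse (index times band size) tells you which region of the virtual disk lost its contents, and whether that region sits in the filesystem's metadata or in a single file's data.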

    6. Re:Assuming this is true.... by Anonymous Coward · · Score: 2, Interesting

      Have you double checked to make sure that you can't still see the backup history using the native Time Machine browser app? In my experience with TM failure, one symptom included a sudden change in the amount of free/used space reported - not unlike your experience - see below for more details.

      One of the reasons I switched to Mac was because I liked the Time Machine concept. I use a Seagate USB drive plugged into a Macbook Pro. A few weeks in, Time Machine reports that it is unable to complete a backup. Multiple days later, I was unable to a) fix the TM backups, b) fix the TM file system, c) backup my backup data - despite the fact that TM would still let me browse the data just fine. Somewhere in the sparsebundle there was a bad file, and this kept TM from completing further backups, or from letting me save the still browsable data in a way that would let me re-import it later. Apple support told me to format the drive and live with losing my backup history.

      End result: I haven't run a backup in 196 days, according to TM.

      Conclusion: Time Machine sucks. Apple support knows very little about sparsebundles.

    7. Re:Assuming this is true.... by Rosyna · · Score: 5, Informative

      One thing. Directly connected hard drives do not use sparse bundles if FileVault is not on.

    8. Re:Assuming this is true.... by uglyduckling · · Score: 3, Insightful

      Blame Sophos. Sparse bundles are a key feature of the Apple filing system and really, really useful. Sophos should know all about them. This would be akin to a Linux AV that could look inside .tar.gz files but would nuke the whole archive if one file inside was questionable, without making that absolutely clear to the user.

  7. Re:Sophos by Anonymous Coward · · Score: 2, Informative

    Norton is made by Symantec, they are not separate entities. Sophos is a leading provider? Never even heard of them.

  8. combo of bad apple, bad sophos, and stupid user. by GNUALMAFUERTE · · Score: 2, Informative

    The closest I've ever come to AV software has been running clamav on a Slackware machine acting as a mail server, but I do understand how they work. It doesn't look like it was the AV's fault.

    Well, it was in a way, AV software is a braindead solution to a problem that shouldn't exist. Use only properly signed software from trusted sources in a secure platform, that's a real solution.

    Anyway, this guy killed both Sophos and the Time Machine process in the middle of a backup, while they were both trying to access his backup disk.

    Backup disks should never be treated in that way, and you should actually never sync against your only copy of a backup. That is plain stupidity. Backups should be done in two stages:

    Active Data -> Backup server -> Offline backup.

    Connecting your only copy of your backup to where your precious data is means you have both copies of your information connected and mounted in a single computer. That's beyond stupid.

    Anyway, it seems like Apple's fault. I've used Rsync for ages. You can kill an rsync process, and recover from where you started, but I can see how cheaper backup alternatives might screw everything up if you killed them in the middle of an operation.

    I don't know how data is stored on TM's timecapsules, but it doesn't seem to be transactional or secure, based on the way this guy lost so much data in a split second.

    I guess my policy of staying away from anything proprietary, and using server-class, proven backup solutions in the proper way (data -> backup server -> offline storage), using fully transactional solutions, and always backing up to separate instances on the second stage (instead of replacing) is the only solution, as I've never lost a byte, while I keep hearing terrible stories of data loss, empty backups and massive filesystem corruption (yeah, mostly from windows/mac users).

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  9. I am actually not surprised by fluch · · Score: 3, Informative

    The Time Machine stores the backup files on an external hard drive in a specific way such that it can perform the backup task and the possible restore task effectively. In order for this to work no one should modify or delete any data stored in the backup location. This will most likely corrupt the backup.

    The author of the article told Sophos AV to delete files from within the Time Machine backup location ... well, of course one can expect that it messes things up.

  10. Re:Sophos by webmistressrachel · · Score: 2, Insightful

    If you're a government, educational institution, or a large corporation, you've definitely heard of them.

    If you're a troll on /. with no real experience working in IT, then of course you haven't heard of them.

    --
    This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
  11. Re:My Time Capsule instantaneously loses... by mug+funky · · Score: 2, Funny

    Trash your preferences!

    flash the P-ROM!

    buy more RAM!

    i can't help you! ...well, that's the usual order of responses i get from mac techies.