Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sophos Free A-V For Mac May Kill Time Machine Backups

Posted by timothy on from the mysteriouser-enough-already dept.

kdawson writes "Herewith the tale of the instantaneous loss of 19 months of Time Machine backup data, with the possible involvement of a fresh install of Sophos's new free Mac A-V package. Sophos support has been contacted but has not responded as of this writing."

13 of 133 comments (clear)

  1. Loss of data, backups disabled without warning? by Anonymous Coward · · Score: 3, Funny

    Sounds like a virus, you should install AV

  2. How does Sophos do this? by MarchHare · · Score: 4, Interesting

    He tried to open a quarantined file, once with the 'cat' command
    and once with vi, as root, and both times Sophos warned him and
    prevented him from proceeding. Now, the code for the 'cat'
    command is quite simple, it basically just does a open(2)
    of the file and then issues a series of read(2). My question
    is: Does Sophos actually intercept the system calls in order
    to make sure no application opens an infected file? If so,
    wouldn't that introduce a HUGE performance penalty on the
    everything happening on the machine, since these system calls
    are so crucial?

    1. Re:How does Sophos do this? by 0123456 · · Score: 4, Funny

      If so, wouldn't that introduce a HUGE performance penalty on the everything happening on the machine, since these system calls are so crucial?

      Uh, it's anti-virus software: of course it introduces a huge performance penalty when accessing files. Otherwise, how would you know that it was doing anything?

    2. Re:How does Sophos do this? by bill_mcgonigle · · Score: 5, Funny

      Yes.

      Really, though, on a Mac, it should have a mode that makes it noop unless it's a Microsoft Office app running.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Assuming this is true.... by 8127972 · · Score: 3, Insightful

    ... Then this is a serious hit to Sophos as they have a very good reputation. Having said that, AFAIK this is their first Mac app. So perhaps it needed more QA before release. Until more reports of this phenomenon appear, I'd reserve judgment. However it might be wise for Sophos to get out front of this issue before the spin gets out of control.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:Assuming this is true.... by osssmkatz · · Score: 3, Informative

      It isn't their first Mac app. They've been selling it to businesses before now, but businesses don't generally use Time machine, and would never execute a deletion command using an antivirus on a backup archive while it was running. Not sure whether this is an OS bug, or a sophos bug, or whether if he had allowed the command to finish, it would have worked fine. (Maybe it was just taking a long time.) --Sam

    2. Re:Assuming this is true.... by baddaybeav · · Score: 3, Insightful

      we've used the business side of it for over a year, major performance headaches... as to the time machine part, if my memory serves, time machine creates one large file (like tar, but a lot more advanced) it saw the "virus" in the one large file, didn't differentiate that and deleted what it saw as the "file containing the bad stuff" now that he's written data to the drive he's lost any good chance at recovery... I guess we'll need a time machine time machine soon.

    3. Re:Assuming this is true.... by zippthorne · · Score: 4, Informative

      No, it's separate files. You can browse it using finder or terminal.

      Unless you're backing up a filevault protected home directory. Then it handles it in just about the stupidest way possible: it saves the whole honking encrypted image as one big file.* And despite the fact that it doesn't decrypt the image, it still only works if you're logged in and the image is open.

      *If you're set up as sparse images, then you do a little better. But still, no incremental backups for you. If a file changes, you have to copy the *whole* thing, because good encryption won't make it obvious which bits of the file are different. Also, I'm not sure it can tell which files are, say, disk cache for the browser....

      --
      Can you be Even More Awesome?!
    4. Re:Assuming this is true.... by kdawson · · Score: 3, Informative

      FYI, I'm not using filevault, just individual files to be backed up... but TM uses sparsebundles in ways I don't begin to understand. One respondent via Twitter suggested that Sophos may have simply been in the process of deleting the entire sparsebundle -- i.e. the entire lot of backups -- when I killed its process. No idea if this is correct. I hope Sophos eventually provides some insight.

    5. Re:Assuming this is true.... by Rosyna · · Score: 3, Informative

      yes, one large file which is actually a sparse disk image.

      it's a sparse disk image bundle thingy. Which uses a bunch of 8MB files, not one file. from the hdiutil man page:

        By default, UDSP images grow one megabyte at a time.
                                                          Introduced in 10.5, UDSB images use 8 MB band files
                                                          which grow as they are written to.. -imagekey
                                                          sparse-band-size=size can be used to specify the
                                                          number of 512-byte sectors that will be added each
                                                          time the image grows. Valid values for SPARSEBUNDLE
                                                          range from 2048 to 262144 sectors (1 MB to 128 MB).

                                                          The maximum size of a SPARSE image is 128 petabytes;
                                                          the maximum for SPARSEBUNDLE is just under 8
                                                          exabytes (2^63 - 512 bytes minus 1 byte). The
                                                          amount of data that can be stored in either type of
                                                          sparse image is additionally bounded by the filesys-
                                                          tem in the image and by any partition map. compact
                                                          can reclaim unused bands in sparse images backing
                                                          HFS+ filesystems. resize will only change the vir-
                                                          tual size of a sparse image. See also USING PERSIS-
                                                          TENT SPARSE IMAGES below.

    6. Re:Assuming this is true.... by Rosyna · · Score: 5, Informative

      One thing. directly connected hard drives do not use sparse bundles if FileVault is not on,.

    7. Re:Assuming this is true.... by uglyduckling · · Score: 3, Insightful

      Blame Sophos. Sparse bundles are a key feature of the Apple filing system and really, really useful. Sophos should know all about them. This would be akin to a Linux AV that could look inside .tar.gz files but would nuke the whole archive if one file inside was questionable, without making that absoluely clear to the user.

  4. I am actually not surprised by fluch · · Score: 3, Informative

    The time machine stores the back up files on an external hard drive in a specific way such that can perform the backup task and the possible restore task effectively. In order to this to work noone should modify or delete any data stored in the backup location. This will most likely corrupt the backup.

    The author of the article told Sophos AV to delete files from within the time machnien backup location ... well, of course one can expect that it messes things up.