Sophos Free A-V For Mac May Kill Time Machine Backups

← Back to Stories (view on slashdot.org)

Sophos Free A-V For Mac May Kill Time Machine Backups

Posted by timothy on Tuesday November 9, 2010 @03:26PM from the mysteriouser-enough-already dept.

kdawson writes "Herewith the tale of the instantaneous loss of 19 months of Time Machine backup data, with the possible involvement of a fresh install of Sophos's new free Mac A-V package. Sophos support has been contacted but has not responded as of this writing."

5 of 133 comments (clear)

Min score:

Reason:

Sort:

How does Sophos do this? by MarchHare · 2010-11-09 15:44 · Score: 4, Interesting

He tried to open a quarantined file, once with the 'cat' command
and once with vi, as root, and both times Sophos warned him and
prevented him from proceeding. Now, the code for the 'cat'
command is quite simple, it basically just does a open(2)
of the file and then issues a series of read(2). My question
is: Does Sophos actually intercept the system calls in order
to make sure no application opens an infected file? If so,
wouldn't that introduce a HUGE performance penalty on the
everything happening on the machine, since these system calls
are so crucial?
1. Re:How does Sophos do this? by 0123456 · 2010-11-09 15:53 · Score: 4, Funny
  
  If so, wouldn't that introduce a HUGE performance penalty on the everything happening on the machine, since these system calls are so crucial?
  Uh, it's anti-virus software: of course it introduces a huge performance penalty when accessing files. Otherwise, how would you know that it was doing anything?
2. Re:How does Sophos do this? by bill_mcgonigle · 2010-11-09 16:02 · Score: 5, Funny
  
  Yes.
  Really, though, on a Mac, it should have a mode that makes it noop unless it's a Microsoft Office app running.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Re:Assuming this is true.... by zippthorne · 2010-11-09 16:35 · Score: 4, Informative

No, it's separate files. You can browse it using finder or terminal.
Unless you're backing up a filevault protected home directory. Then it handles it in just about the stupidest way possible: it saves the whole honking encrypted image as one big file.* And despite the fact that it doesn't decrypt the image, it still only works if you're logged in and the image is open.
*If you're set up as sparse images, then you do a little better. But still, no incremental backups for you. If a file changes, you have to copy the *whole* thing, because good encryption won't make it obvious which bits of the file are different. Also, I'm not sure it can tell which files are, say, disk cache for the browser....

--
Can you be Even More Awesome?!
Re:Assuming this is true.... by Rosyna · 2010-11-09 18:32 · Score: 5, Informative

One thing. directly connected hard drives do not use sparse bundles if FileVault is not on,.