Frequent Visitor
st181234
Posts: 2
Registered: 11-05-2010
0
Accepted Solution

SAV and TimeMachine

I installed the SAV for Mac today.

After installation, I made a local drive scan, and it found 4 threats.

I deleted the infected files.

After a while, I got an alert from SAV that it denied access to the files, which had been deleted but were still in my TimeMachine backup.

Although everything seems alright now, SAV interfered with TimeMachine's operation.

Will this corrupt my TimeMachine backup?

 

Super Advisor
grahamperrin
Posts: 169
Registered: 11-02-2010
0

threats backed up by Time Machine

[ Edited ]

Backups made by Time Machine are read-only — so a backup of a threat should remain, in that backup, until that backup is eventually purged by Time Machine (when the volume used for backup lacks free space). 

 

If you prefer your on-access scanner to automatically disinfect or remove threats — and if a threat is in an area that's read-only — I'd expect Sophos Anti-Virus to:

 

  1. fall back gracefully to simple quarantine listing of the threat; and 
  2. play nicely with other processes. 

CORRECTION

 
Backups made by Time Machine appear read-only to the end-user …
Super Advisor
grahamperrin
Posts: 169
Registered: 11-02-2010
0

SAV with Time Machine: crossing topics

Looking at a mixed topic nearby, http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/My-review-of-SAV-Mac-HE-amp-4-issues/t...


@ st181234 (opening poster):

would you mind if we shift discussion of Time Machine with Sophos Anti-Virus Home Edition from that topic, to this one?

Super Advisor
grahamperrin
Posts: 169
Registered: 11-02-2010
0

Re: SAV with Time Machine: crossing topics

At separating out discussion of Time Machine environments (was: My review of SAV Mac HE & 4 issues): 

 


grahamperrin wrote:

 


Alphaman wrote:

 

  • … My TM disk resides on a network server …
  •  

    … Time Machine backup … sparsebundle is a complex combination of data and metadata …

     

    … Selectively deleting old backups from TM is not the expected failure mode of how such a program would corrupt your backup.  You would much more likely see what the good doctor saw in his blog post -- a complete loss of ALL your TM.

     

    Time Machine will prune your backup.  SAV doesn't have the intelligence to do such.


     

    All true to the best of my knowledge, but I can think of at least three different Time Machine destination/target environments — one of which does not involve a .sparsebundle — and an obscure bug (not yet reported in the Home Edition area) that causes a volume unrelated to TM to be unexpectedly ejected — so I think it'll be prudent to separate the SAV versus TM puzzles into a separate topic. 

    Super Advisor
    grahamperrin
    Posts: 169
    Registered: 11-02-2010
    0

    SAV with Time Machine: Time Machine destination/target environments

    [ Edited ]

     


    grahamperrin wrote:
    at least three different Time Machine destination/target environments — one of which does not involve a .sparsebundle

    1. local volume, connected via e.g. FireWire or USB, and backing up without hacks
    2. Time Capsule
    3. Mac OS X Server, not involving a .sparsebundle
    4. … other Apple-supported environments?
    5. … other environments involving hacks?

     

    Occasional Visitor
    Alphaman
    Posts: 5
    Registered: 11-02-2010
    0

    Re: SAV with Time Machine: crossing topics

    I've added my TM volume to the SAV exclusion list -- there's no need to take a chance, and based on the nature of the content, no need to be scanning the volume anyways.  Anything in there shouldn't be deleted by an outside program, and any malware therein will be caught should you try to restore it to a protected volume.

     

    Is there a way that SAV could check if a volume is used for TM, and if so, automatically add it to the exclusion list?
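The check asked about in the post above, sketched as an added example (not part of the thread and not Sophos code): it classifies mounted volumes by the Time Machine markers at their root so they can be reviewed for an exclusion list. The function names are hypothetical, and the `Backups.backupdb` folder marker for directly attached destinations is an assumption not stated in the thread; the `.sparsebundle` case is the one the thread mentions.

```shell
#!/bin/sh
# Classify a mounted volume by the Time Machine markers at its root.
# Assumptions (not from the thread): a directly attached destination keeps
# its backups in a top-level "Backups.backupdb" folder; a network
# destination holds one or more "*.sparsebundle" disk images.
tm_volume_kind() {
    vol=$1
    if [ -d "$vol/Backups.backupdb" ]; then
        echo local
        return 0
    fi
    for bundle in "$vol"/*.sparsebundle; do
        # An unmatched glob stays literal, so confirm the bundle exists.
        if [ -d "$bundle" ]; then
            echo sparsebundle
            return 0
        fi
    done
    echo none
}

# Print "kind<TAB>path" for every volume under a root (default /Volumes)
# that looks like a Time Machine destination. Names with spaces are safe.
list_tm_volumes() {
    root=${1:-/Volumes}
    for vol in "$root"/*; do
        [ -d "$vol" ] || continue
        kind=$(tm_volume_kind "$vol")
        [ "$kind" = none ] || printf '%s\t%s\n' "$kind" "$vol"
    done
}

# Stand-alone use: list candidates under the given root, or /Volumes.
list_tm_volumes "${1:-/Volumes}"
```

It only lists candidates for review; as noted later in the thread, an exclusion for On-access Scanning is not effective for Scan Local Drives.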

    Super Advisor
    grahamperrin
    Posts: 169
    Registered: 11-02-2010
    0

    (SAV with Time Machine) exclusions do **not** apply to 'Scan Local Drives'

     


    Alphaman wrote:

     

    I've added my TM volume to the SAV exclusion list …


     

    All: be aware that an exclusion for On-access Scanning is not effective for Scan Local Drives.

    Pending the results of investigations by Sophos: if your Time Machine backs up to a local volume — and if you Scan Local Drives — I should recommend setting the preference for that predefined scan to Log only (nothing more):

     

    screen shot

    Occasional Advisor
    virus12321
    Posts: 7
    Registered: 11-03-2010
    0

    Re: SAV and TimeMachine

    Thank you Sophos, you have now corrupted my effing Time Machine backup.....

     

    7 months of backups ALL GONE..... ALL CORRUPTED - the Sparsebundle has been corrupted....

     

    Just great....

    -----------------------------------------------------------------------------------------------------------------------
    MacBook Pro 15" mid-2010 (stock i7-620M build). Mac OS X Snow Leopard 10.6.5.
    Frequent Visitor
    kdawson
    Posts: 2
    Registered: 11-12-2010
    0

    Re: SAV and TimeMachine

    [ Edited ]

    Anecdotal hints of bad interactions between SAV and TM are floating around. I documented mine (loss of 19 months of TM backup data) pretty extensively at http://recoveringphysicist.com/17 and reached out to Graham Cluley for any comments, then updated the blog post with his observations. Bottom line: Sophos believes they are playing nicely with TM and could not be the cause of data loss there. But in my experience TM is quite fragile -- great when it works but easy to mess up. (I wrote about another mysterious TM failure at http://recoveringphysicist.com/15/ .)

     

    [Note added 2010-11-12, 16:15 Z] Word from Sophos that they are still investigating my data loss and may have something to post soon on the forum.

    Employee
    Graham-Cluley
    Posts: 3
    Registered: 11-12-2010

    Re: SAV and TimeMachine

    Hi folks

     

    The latest is that Sophos is still investigating the issue reported by a small number of users on this forum about Time Machine backups being deleted whilst running Sophos Anti-Virus for Mac Home Edition.

     

    As a precautionary measure, while our investigation continues, we would recommend that, if you detect malware in your Time Machine backup, you do not tell Sophos to clean it up.

     

    From a protection point of view, you are still safe. Sophos Anti-Virus for Mac Home Edition continues to protect you (through its on-access scanner), checking any file you access for malware, including files restored from backup.

     

    As our investigations continue we will provide further updates.

     

    Thanks.

    --
    Graham Cluley, Senior technology consultant, Sophos
    http://nakedsecurity.sophos.com