11-05-2010 11:41 PM
I installed the SAV for Mac today.
After installation, I made a local drive scan, and It found 4 threats.
I deleted the infected files.
After a while, I got alert from SAV that it denied access to the files, which had been deleted but still in my TimeMachine backup.
Although everything seems alright now, SAV interfered TimeMachine's operation.
Will this corrupt my TimeMachine backup?
Solved! Go to Solution.
11-07-2010 07:00 AM - edited 11-12-2010 01:22 PM
Backups made by Time Machine are read-only — so a backup of a threat should remain, in that backup, until that backup is eventually purged by Time Machine (when the volume used for backup lacks free space).
If you prefer your on-access scanner to automatically disinfect or remove threats — and if a threat is in an area that's read-only — I'd expect Sophos Anti-Virus to:
11-10-2010 01:04 PM
Looking at a mixed topic nearby, http://openforum.sophos.com/t5/Sophos-Anti-Virus-f
@ st181234 (opening poster):
would you mind if we shift disucssion of Time Machine with Sophos Anti-Virus Home Edition from that topic, to this one?
11-12-2010 10:57 AM
At separating out discussion of Time Machine environments (was: My review of SAV Mac HE & 4 issues):
… My TM disk resides on a network server …
… Time Machine backup … sparsebundle is a complex combination of data and metadata …
… Selectively deleting old backups from TM is not the expected failure mode of how such a program would corrupt your backup. You would much more likely see what the good doctor saw in his blog post -- a complete loss of ALL your TM.
Time Machine will prune your backup. SAV doesn't have the intelligence to do such.
All true to the best of my knowledge, but I can think of at least three different Time Machine destination/target environments — one of which does not involve a .sparsebundle — and an obscure bug (not yet reported in the Home Edition area) that causes a volume unrelated to TM to be unexpectedly ejected — so I think it'll be prudent to separate the SAV versus TM puzzles into a separate topic.
11-12-2010 11:03 AM - edited 11-12-2010 11:03 AM
at least three different Time Machine destination/target environments — one of which does not involve a .sparsebundle
11-12-2010 03:10 PM
I've added my TM volume to the SAV exclusion list -- there's no need to take a chance, and based on the nature of the content, no need to be scanning the volume anyways. Anything in there shouldn't be deleted by an outside program, and any malware therein will be caught should you try to restore it to a protected volume.
Is there a way that SAV could check if a volume is used for TM, and if so, automatically add it to the exclusion list?
11-14-2010 05:21 AM
I've added my TM volume to the SAV exclusion list …
All: be aware that an exclusion for On-access Scanning is
not effective for Scan Local Drives.
Pending the results of investigations by Sophos:
if your Time Machine backs up to a local volume — and if you Scan Local Drives —
I should recommend setting the preference for that predefined scan to
√ Log only (nothing more):
11-11-2010 05:24 PM
Thank you Sophos, you have now corrupted my effing Time Machine backup.....
7 months of backups ALL GONE..... ALL CORRUPTED - the Sparsebundle has been corrupted....
11-12-2010 08:08 AM - edited 11-12-2010 09:15 AM
Anecdotal hints of bad interactions between SAV and TM are floating around. I documented mine (loss of 19 months of TM backup data) pretty extensively at http://recoveringphysicist.com/17 and reached out to Graham Cluley for any comments, then updated the blog post with his observations. Bottom line: Sophos believes they are playing nicely with TM and could not be the cause of data loss there. But in my experience TM is quite fragile -- great when it works but easy to mess up. (I wrote about another mysterious TM failure at http://recoveringphysicist.com/15/ .)
[Note added 2010-11-12, 16:15 Z] Word from Sophos that they are still investigating my data loss and may have something to post soon on the forum.
11-12-2010 01:28 PM
The latest is that Sophos is still investigating the issue reported by a small number of users on this forum about Time Machine backups being deleted whilst running Sophos Anti-Virus for Mac Home Edition.
As a precautionary measure, while our investigation continues, we would recommend that, if you detect malware in your Time Machine backup,you do not tell Sophos to clean it up.
From a protection point of view, you are still safe. Sophos Anti-Virus for Mac Home Edition continues to protect you (through its on-access scanner), checking any file you access for malware, including files restored from backup.
As our investigations continue we will provide further updates.