06-20-2012 09:55 AM
Impressed with Sophos Antivirus for Android, I installed Free Mac Antivirus Home Edition of Sophos on my MBP.
Remarkably, I have come across an interesting issue:
My ADSL 2+ Huawei modem hangs because of the antivirus!!
Before someone says to check my network setup, let me clarify some things about me:
I am a full-time developer / reverse engineer and Red Hat Certified, so I have some networking knowledge behind this conclusion.
My network connection is as follows:
ISP --> Huawei ADSL 2+ MT841 Modem/Router (DHCP disabled & firewall disabled) --> ASUS N10+ (DD-WRT, DHCP enabled) --> iMac and MacBook
My setup:
1. Free Mac Antivirus Home Edition of Sophos installed on my MacBook.
2. My MacBook has OS X Lion 10.7.4 with the internal firewall and Little Snitch enabled.
3. The modem hangs 1-2 hrs after the MacBook boots with the antivirus running.
Troubleshooting followed:
I followed this troubleshooting methodology for two days before arriving at the conclusion.
1. Checked by removing the router between the modem and MBP and connecting directly to the modem - issue occurs in 1-2 hrs.
2. Disabled / enabled DHCP servers on modem and router alternately - issue not resolved.
3. Reset / restored default settings in modem - issue comes back in 1-2 hrs.
Temporary fix:
1. Modem restarted; the issue recurs after 1-2 hrs.
Permanent solution:
1. Uninstalled Free Mac Antivirus Home Edition - modem works perfectly.
1. My Huawei MT 841 modem has been working great for 7 years with no issues so far. But I could find a 2008 thread on the same modem having the same issue with Trend Micro Internet Security on Windows. That was an official bug in Trend Micro AV related to the global threat sense technology in it.
2. Free Mac Antivirus Home Edition of Sophos has a similar threat sense technology connecting to global servers; I wonder whether it causes my modem to hang.
Sophos products are great, no doubt about that. Free Mac Antivirus Home Edition of Sophos looked promising; it even detected a Windows virus in the Parallels Desktop VM. But I cannot continue using it unless the bug which causes my modem to hang gets resolved. It would be interesting to know how the antivirus could cause a modem across the router to hang.
Looking for answers from Sophos support. I have mailed them and will soon post their reply.
06-20-2012 10:06 AM
I got a reply from Sophos support that since Mac Antivirus Home Edition of Sophos is a free product, support is from this forum only.
06-20-2012 11:51 AM
Interesting... my guess would be that your modem does not like the DNS requests originating from the product -- it is likely designed in a "lightweight" manner and does not fully comply with the RFCs.
To test this theory out, go to Preferences -> Live Protection, and disable this. If the problem goes away, the issue is indeed DNS requests that while legitimate, are not standard domain lookup requests.
If this doesn't fix the problem, we're likely looking at the autoupdate mechanism querying the akamai servers. Can you check your console.app logs for syslog and Sophos, and see if the drop coincides with an attempted autoupdate?
06-20-2012 12:01 PM
Thanks for your insight.
I will post the logs this weekend, as I have to run the modem for the next two days (to compensate for the two days lost troubleshooting this!!).
Meanwhile, can you please elaborate some more on what kind of DNS requests arise out of the Live Protection feature of Sophos Mac Antivirus?
06-20-2012 01:14 PM
All lookups to the Sophos lookup server are done via DNS request, with the queries packed inside the request. You can run Wireshark on the line to view the specifics.
06-20-2012 07:39 PM
I was able to check the Sophos Anti-Virus logs before I uninstalled it. I was able to conclude that Live Protection was in fact the culprit, as Auto Update was successful while the modem was alive, and in fact I was even able to manually update the AV a few times.
I would like to know whether this issue has been found on any other modem so far, and whether Sophos would try to fix it in future updates by standardizing the DNS requests?
06-21-2012 09:49 AM
Thank you for checking! I haven't heard of this issue in any other modem so far, but I don't work for support -- I will flag this issue for them.
As for standardizing the DNS requests: as Live Protection is not doing a regular DNS lookup (it's not attempting to resolve domains, it's attempting to resolve whether a file is known to be malicious), it is not likely to be fixed. That said, I know some of our live protection channels are moving away from DNS as a transport mechanism, so endpoint lookups may eventually switch protocols too -- but not likely within the next year.
Actually, this may be something you can fix on your modem: the issue probably has to do with caching DNS requests and filling up the buffer used for this. Turning off DNS caching may be just what you need (it will also fix the problem for other activities that involve a large number of DNS requests). Definitely worth some tweaking if you have access, as this is more of a bug in the modem than a bug in the reference protocol itself -- it'll probably crop up again somewhere else eventually.
06-22-2012 02:59 AM
The DNS requests made from the product (for Live Protection) are standard and correct. The difference from most DNS requests is that they are big (often using the maximum legal size of a packet). Normal DNS lookups use a few dozen bytes, but ours will use many, many more bytes.
My guess is that your modem has a flaw when handling large DNS requests or responses. You should check with your modem manufacturer as this is a potential denial of service vulnerability that an attacker could use to remotely disable your modem.
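To make the two points above concrete (lookups packed inside the DNS request, and requests much larger than a normal lookup), here is an added illustration that is not code from any poster in this thread and not Sophos's own lookup format. It builds plain RFC 1035 queries, emulates a constructed "data inside the name" lookup, and parses a captured query to report how close it sits to the protocol's size limits, which is the check a practitioner would run over their own Wireshark capture before blaming the resolver in the modem. The payload, the `lookup.example.net` suffix and the record type are assumptions.

```python
import struct

# Limits from RFC 1035: 512-byte UDP messages (without EDNS), 63-byte labels, 255-byte names.
UDP_MAX_BYTES = 512
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire-format labels, enforcing RFC 1035 limits."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL_LEN:
            raise ValueError(f"label length {len(raw)} outside 1..{MAX_LABEL_LEN}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminator
    if len(out) > MAX_NAME_LEN:
        raise ValueError(f"encoded name is {len(out)} bytes, limit is {MAX_NAME_LEN}")
    return bytes(out)


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """Build a plain recursive DNS query: 12-byte header plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def pack_payload_as_query(payload: str, suffix: str) -> bytes:
    """Emulate a 'data inside the name' lookup by splitting payload into 63-char labels.

    Constructed illustration of the idea described in the thread, not Sophos's format.
    """
    labels = [payload[i:i + MAX_LABEL_LEN] for i in range(0, len(payload), MAX_LABEL_LEN)]
    return build_query(".".join(labels + [suffix]))


def decode_name(packet: bytes, offset: int):
    """Decode an uncompressed name at offset; return (name, offset just past it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def inspect_query(packet: bytes) -> dict:
    """Parse a one-question query and report the size properties a small resolver may mishandle."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txn, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError(f"expected one question, got {qdcount}")
    name, offset = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    labels = name.split(".")
    encoded_len = offset - 12
    return {
        "bytes": len(packet),
        "qname_len": len(name),
        "labels": len(labels),
        "longest_label": max(len(label) for label in labels),
        "qtype": qtype,
        "name_headroom": MAX_NAME_LEN - encoded_len,  # bytes left before the 255-byte cap
        "udp_headroom": UDP_MAX_BYTES - len(packet),  # bytes left before the 512-byte cap
    }


if __name__ == "__main__":
    normal = build_query("www.example.com")
    print("normal lookup:", inspect_query(normal))
    # Constructed sample: a 189-character payload spread across three full-size labels.
    big = pack_payload_as_query("a" * 189, "lookup.example.net")
    print("packed lookup:", inspect_query(big))
```

A normal `www.example.com` query is 33 bytes; the constructed packed lookup is 228 bytes with three 63-byte labels and only 43 bytes of name headroom left. Feeding `inspect_query` the UDP payload of a real captured query from your own line (`bytes.fromhex(...)` of the Wireshark packet bytes) tells you whether the traffic reaching the modem is standard but large, which is exactly the case the thread describes.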
06-22-2012 09:59 AM
Hi Andrew,
Thanks for your heads-up on the DNS caching. I dug up some info and found some interesting information.
1. Almost all modems/routers made by GlobespanVirata using the ATMos chip and ISOS software have/had DNS caching issues because of low memory, at least the ones made till 2005 (like my Huawei MT 841).
I had no option to disable DNS caching, so I disabled the whole DNS relay system and made my DD-WRT router (which has virtually unlimited cache) the local DNS server.
2. I have installed Sophos Free Mac Antivirus again now and there are absolutely no issues. So problem resolved!!
Hi Bob Cook,
Yes, the issue was definitely with my modem.
But I had been using it extensively for 7 years (most of the time 24/7, connecting multiple machines) and the issue arose only now. Might be because, like you said, Sophos uses DNS requests at the upper limit of the standard size and it pushed my modem to the maximum it could handle (I am in fact very glad of it!!).
The reason I am telling this is, my search told me there are a number of modems/routers out there with the same DNS caching issue. At least here in India these modems are distributed widely by a country-level ISP having a huge market share (you know the population). So every one of them who has a Mac and tries to use the free Sophos AV would face a similar issue to mine. I am 100% certain that their modem would hang, thereby resorting to uninstalling the Sophos AV.
Therefore I suggest including this as a known issue in the documentation, cautioning users to fix their modems before installing the AV, or better, running a small test to assess the DNS caching ability of the user's modem/router. Just a thought.
I am really impressed with the support you guys brought in this open forum; I appreciate it. I will use Sophos AV and surely recommend it to others.
07-08-2012 07:57 PM
My MacBook Pro has also been hanging occasionally since I installed the free Sophos, both at home and on the road -- so it's not related to any particular internet connection or cable modem. A few days ago it happened in the middle of a presentation (not good!) while on a wireless campus network. This evening it happened while on a wired hotel network. The common denominator in these hangs is Sophos updating (I guess, judging from its menu bar icon) and very little "free" system memory, but lots of "inactive" system memory. (Read the Mac OS X 10.7 definitions of those. As I understand it, the "inactive" memory is available to be reactivated by any process that needs it.)
After a few seconds of the "spinning pizza of death," the computer hangs completely, to the point where even the menu-bar clock stops ticking. I do a hard power-down and restart, and everything is fine again for awhile. But my scheduled 20-minute presentation has dragged into 30 minutes.
I never had this problem (or at least, exceedingly rarely) until after I installed Sophos, shortly after I installed OS X 10.7 "Mountain Lion." Maybe there's some compatibility issue there?
I'm not afraid to get my hands dirty with sysadmin stuff, but I don't see any obvious way to control anything about DNS caching. In the meantime, I guess I'm going to have to switch off the Sophos Auto Update and Live Protection.