How to Disable Sophos AV On-access Scanning

computer-virusMost Mac users have not even seen a virus in many years. But it could happen. I’ve been trying out Sophos AV for Mac (Free) for some time now in both Mac OS X 10.6 Snow Leopard & Mac OS X 10.8 Mtn Lion. It seems to run OK, without causing noticeable problems. One of the important features of Sophos AV is that it does not need to waste time scanning the whole hard drive over & over. No, it just scans every file that you open or run. This seems like a great idea as it prevents you from running a virus accidentally. SophosAV_For_Mac_icon

It seemed like a great idea until I noticed that my twice weekly SuperDuper boot drive clone had been failing to complete for months. (!) The logs revealed that SD was unable to copy certain files – apparently it was losing access to the hard disk, so it halted. More interesting, these files it was losing access to were almost all located in the email spam folder. Some poking around and I figured out that Sophos AV locks access to virus infected files. Meaning that SuperDuper was being prevented from copying the files, tricking SD into assuming there was something wrong with the whole disk. AH HA!

The cure, obviously is to disable Sophos AV before running a back up. But the best, most reliable backups are the ones that run themselves on schedule. Humans can be so unreliable at backing up, even the good humans.

SuperDuper_iconHappily SuperDuper can run a script before starting a backup, and Sophos AV is AppleScriptable. A perfect match! … Or so you might think. I have to admit I haven’t had a need to become proficient with AppleScript.  Instead I got comfortable with QuicKeys which very sadly met its demise a few years ago. Poking around in Sophos with the AppleScript Editor showed some useful script commands, but no examples of how to use them. I asked for syntax help over at the Sophos Free Forum, but did not find resolution there. I did find other seekers looking for the answer to my question, all unresolved, and some dating back many years.

So I found another way. I used a Macro app: Keyboard Maestro. It’s really awesome.
See attached screen photo (below) of my Keyboard Maestro script that will disable Sophos AV for Mac On-access Scanning. This script is triggered by launching the backup app, or by a keystroke, or by running an AppleScript to call KM & tell it which script to run. I would use AppleScript for this except that Sophos for Mac has so little popular support that apparently nobody at Sophos nor the whole internet knows how to send it basic AppleScript commands not even “Stop On-access Scanning”. If you search the Sophos Forums you’ll see a few similar requests, left unresolved.
KeyboardMaestro_IconAnyway, I’ve found a number of uses for Keyboard Maestro, so even though it is not free, it is well worth the small price they charge for it. And there is a vibrant KM support community. Fun & powerful, but most importantly, able to resolve the problem.

I made a second, similar KM script to re-enable On-access Scanning which the backup app can activate when it is finished backing up. The only differece is the Start or Stop button, which I needed to identify by graphic appearance. Because of the non-standard way it was programmed, it is not identifiable by button label.

Because this is automated, you’ll need to save an admin username & pw in the script in cleartext. That needs to be your call, balancing your need for security against being able to run both Anti Virus and run a backup that doesn’t lose access to the disk due to AV locking files. Anyway, this is going to work for me, and I wanted to let you all know one way  how to disable Sophos Anti Virus for Mac via script. And how to re-enable it again.
Dave Nathanson
Mac Medix


Click pictures to view larger

Keyboard_Maestro_Script_to_disable_Sophos_Mac_On-access_Scanning  SophosAV On-accessScanning Preferences  SuperDuper_Advanced

2 thoughts on “How to Disable Sophos AV On-access Scanning

  1. Thank you for this. After a series of failed backups, I was ready to dump Sophos (Product Motto: “If You Had Windows, This Would Be a Threat!”), tired of its incessant warnings about things that would be threats on Windows or if I was a computer security naïf, and doubly tired of having to intervene after failed backups, I found your page.

    I’m a huge fan of Keyboard Maestro, and you helped me use features I’d never even considered.

    For example, rather than a timed pause (who knows how long it’ll take for the authentication dialog to appear or to authenticate?), I used a “Pause Until Conditions Met” > “All of the following are true:” > “The screen:” > “contains” and used an image of the giant lock with the Sophos logo to trigger typing the password.

    Similarly, I used screen image matching to wait to re-lock Sophos until the “Start Scanning” button appears, confirming that it’s been stopped.

  2. I found this post when I was looking for a way to disable the on-access scanner for an automated install of a piece of software. It appears Sophos wanted to make it more difficult than being able to simply unload a launch daemon. I used the binary “opensnoop” in terminal for the file /Library/Preferences/com.sophos.sav.plist and found that three process touch that file when you enable and disable the OAS (On-Access Scanner). The three processes are 1) InterCheck 2) SophosAntiVirus and 3) SophosConfigD. I played with killing these processes but obviously they’d simply relaunch when they are killed. I also found that there is a value in the com.sophos.sav plist that is changed when you hit the “Stop Scanning” button. It’s the “AutoLaunch” integer which changes from 1 to 0. So long story longer. My theory is when you hit “Stop Scanning” in the GUI it is writing the 0 (off) value to the com.sophos.sav plist then its restarting its services. When it sees AutoLaunch set to 0 it doesn’t run the OAS until you hit “Start Scanning”. So I used “defaults write /Library/Preferences/com.sophos.sav AutoLaunch -int 0” and then I tried doing a “killall InterCheck”. This will show in the GUI that the OAS is off for about 5 seconds then it goes green again. Frustrated, wrote the AutoLaunch value to 0, THEN i moved the /Library/Sophos\ Anti-Virus/ application (Which contains the InterCheck binary) to /tmp THEN I did a killall InterCheck. Since Sophos wasn’t able to find the InterCheck binary it the OAS stayed off. Then I ran my install, then simply moved the back to /Library/Sophos\ Anti-Virus/ and it immediately turned its services back on. I hope that helps someone, or maybe they can post here how they actually got it to work a little more gracefully than that.

Leave a Reply

Your email address will not be published. Required fields are marked *