Scanning a Mac with Sophos Antivirus 9

With my last post, about keeping SAV up to date, out of the way, I'm free to talk about scanning with SAV 9. Make sure you are up to date before scanning your computer.

There are pretty much four ways of scanning your computer:

  1. Selecting ‘Scan This Mac’ from the Sophos shield in the menu bar or from the ‘Scans’ window
  2. Setting up a custom scan so you can control what is scanned and what it does with the things it finds
  3. Right-clicking on a particular file or folder and selecting ‘Scan with Sophos Anti-Virus’
  4. Using the command line scanner (a program called sweep) and really tuning what happens

Summary

Scan This Mac
  Good: Scans the whole drive and all local drives; set up for you out of the box; one click is all it takes.
  Bad: No automatic clean-up option; lack of control; can take a long (long) time depending on the size of the drive and the number of files.

Custom scan
  Good: Can configure clean-up options; selecting only the folders of interest and turning off the scanning of compressed files shortens scan time.
  Bad: Only the selected folders are scanned, so you may have missed something.

Right-click scan
  Good: Simple to perform; if you prefer to keep real-time scanning off, this option lets you scan a particular file just before you open it.
  Bad: With on-access scanning on, a right-click scan before opening is not required and hence the option is redundant; you have to remember to do it before clicking a file.

sweep
  Good: Extremely powerful; does everything the graphical front end does and a heck of a lot more.
  Bad: Requires knowledge of the Mac's Terminal application; the semi-complex syntax is off-putting to beginners.

In the sections below I discuss each one in more detail.

Scan This Mac

This is the simplest and easiest option to go for when you want to scan your computer; however, it may not be the best.  The ease of the one-click scan comes at a price: how long the scan takes to complete, and the computer's performance during that long scan.

When you scan your computer (by whatever method you choose) fewer of the computer's resources are available to everything else.  With this option the entire hard drive(s) and all local drives are scanned, so you're going to experience that reduced performance for longer.

This doesn’t mean you shouldn’t use this option, however take on board that this scan is designed to give you maximum protection.  It’s a damn good way to be sure your system is clean, but don’t expect your computer to behave normally (in terms of performance) while it’s running – leaving the computer alone to finish the scan is better than having a load of applications open and complaining the computer is dog slow.

The scan also doesn’t have automatic clean-up enabled.  This means that anything it finds will not be deleted immediately, but you will be able to use the Quarantine Manager to review a list of detections after the scan has finished and clean them up at that point – in some ways that’s actually a better way of doing it so you know what was there.

The main reasons for this scan taking so long are because (a) the entire main hard drive is scanned for all files (b) it scans all other local drives (connected USB and FireWire) and (c) the scan also checks all compressed files (like zip files, etc.).  All this adds up to a lengthy scan time.

Run a ‘Scan This Mac’ scan

From the Sophos shield in the menu bar select ‘Scan This Mac’

[Screenshot: scanthismac_shieldmenu]

Alternatively you can select ‘Open Scans’ from the same menu shown above and in the ‘Scans’ window click ‘Scan now’.

[Screenshot: scanthismac_never_run]

The program will calculate the files it needs to scan.

[Screenshot: scanthismac_calculating]

At the end of the scan, if anything is found you can click the ‘Quarantine Manager’ button to review and clean up the malware.

[Screenshot: scanthismac_complete]

If the scan takes a long time or you need to troubleshoot, it’s handy to know where the log of the scan is.  To access the log open Console (type ‘console’ into Spotlight) and expand ‘~/Library/Logs/’ > ‘Scans’ > ‘Scan Local Drives’.  Then select the most recent log file based on date and time.

In the screen grab below I have included in the highlighting that the scan name is ‘Scan Local Drives’ and that all local drives are included.

[Screenshot: scanthismac_logfile]

Custom scan

I’ve previously posted about this.  To save repeating myself see: Creating a custom scan with Sophos AV for Mac.

What I will add now is that using a custom scan means the time of a scan can be dramatically reduced as you control the drives and folders on those drives that are scanned.  Plus you can uncheck ‘Scan inside archives and compressed files’ on the ‘Options’ tab.

If you find the ‘Scan This Mac’ option takes forever (or maybe never completes) then stop using it and break the hard drive down into more manageable chunks. I recommend starting with just your Users folder for one scan (as that’s where most malware will be) and only adding system folders as and when required.

Using ‘Scan with Sophos Anti-Virus’

This is a handy option if you’re unsure where a particular file came from, or think it may be malware.  Simply right-click on a file and select the option Scan with Sophos Anti-Virus.

[Screenshot: scanwithsav]

Once the scan has completed the Finder Item Scan window will report whether it found something or not.

[Screenshot: scanwithsav_completed]

Click the View Log button and Console opens showing further details of the scan called Finder Item Scan.

[Screenshot: scanwithsav_log]

In summary, the right-click option is handy, but if you have real-time scanning (aka on-access scanning) running, so that every file is checked by SAV before it is run, then doing a right-click scan is redundant.  However it’s there and it does add some peace of mind.

The power of sweep

Some Mac users are immediately going to shy away from anything Terminal related – thinking that it’s too hard.  Honestly it’s not.  Get your geek on and play with sweep!

If ‘Scan This Mac’ takes too long, or a custom scan just isn’t customizable enough for you then sweep is the answer to your prayers.

The first step is to open Terminal from Spotlight.

[Screenshot: sweep_openingterminal]

To run the sweep program simply type sweep and you’ll see the program start, list all the signature files, blurt out the usage options and then shut down, with no scan.  This is because sweep requires options (aka parameters) to run so that it knows what you want it to do.

I’ve listed the full usage options at the end of this post, however below are a few examples you may find handy and will definitely get you started.

I want to… / Run the command (all on one line)…

  scan my Downloads folder (don’t take any action)
      sweep ~/Downloads

  scan my home folder (called ‘diz’) and save a handy log to the desktop (but don’t take any action)
      sweep /Users/diz > ~/Desktop/savscan.txt

  scan my home folder (called ‘diz’) and see what files are being scanned (handy if ‘Scan This Mac’ hangs), but don’t take any action
      sweep /Users/diz/ -dn 2> ~/Desktop/manualscan.txt

  scan my Downloads and take action to disinfect all malware files
      sweep -di ~/Downloads

  scan my Downloads and take action to delete all malware files
      sweep -remove ~/Downloads

  scan the entire main drive, disinfect what is found and log it
      sudo sweep -di / > ~/Desktop/scanHD.txt

Note: Typing ‘~/Desktop’ is the same as typing ‘/Users/diz/Desktop’ (where ‘diz’ is your username); ‘~’ means the logged-on user’s home folder.  If you prefer you can type out the full path, but ~ is quicker (i.e. cd ~ gets you straight to your home folder in Terminal).  If you get lost in Terminal type pwd to display the folder path you are currently in; it stands for print working directory.  Changing folders in Terminal is done with cd (change directory), so you can do cd /Users/diz/Downloads to go to your Downloads folder or cd .. to move up a level to the parent folder.

Full sweep usage options

  Usage: sweep [options] <path1> <path2>... <pathN> [include/exclude options]

  where <path1>, <path2>... <pathN> may refer to files, directories or
  filesystems.

  Note: With the exception of the -include and -exclude options, it does not
  matter where on the command line you specify an option: you can specify it
  before, in the middle of, or after, a list of paths. Regardless of where it
  appears, it is applied to all the paths on the command line. However, the
  -exclude and -include options control whether the paths after them are
  scanned, and therefore the position of these options does matter. If you
  specify options which have opposing effects to each other (for example,
  -archive followed by -narchive), then the latest one on the line takes effect
  (in this example, -narchive would take effect).
The following options may be prefixed with 'n' to invert their meaning
(for example, '-nsc' is the inverse of '-sc'). [*] indicates the option
is the default:

  -sc         [*] : Scan dynamically compressed executables
  -f          [ ] : Full scan
  -extensive  [ ] : Scan complete contents of files
  -di         [ ] : Disinfect infected items
  -s          [*] : Run silently (do not list files swept)
  -c          [*] : Ask for confirmation before disinfection/deletion
  -b          [*] : Sound bell on virus detection
  -all        [*] : Scan all files
  -rec        [*] : Do recursive scan
  -remove     [ ] : Remove infected objects
  -dn         [ ] : Display file names as they are scanned
  -ss         [ ] : Don't display anything except on error or virus
  -eec        [ ] : Use extended error codes
  -ext=extension,..     : Specify additional extensions to SWEEP
  -p=<file>       : Write to logfile <file>

  -idedir=<directory>   : Read IDEs from alternative directory
  -exclude        : Exclude the following objects from scanning
  -include        : Include the following objects in scanning
                    (use after -exclude)
  -v              : Display complete version information
  -vv             : Display complete version information and details on
                    extensions and archive types supported
  -h              : Display this help and exit

The following options are related to archives and other special file types:

  -zip        [ ] : Scan inside ZIP archives
  -gzip       [ ] : Scan inside GZIP compressed files
  -arj        [ ] : Scan inside ARJ archives
  -cmz        [ ] : Scan inside Unix-compressed files
  -tar        [ ] : Scan inside TAR archives
  -rar        [ ] : Scan inside RAR archives
  -archive    [ ] : All of the above
  -cab        [ ] : Scan inside Microsoft Cabinet files
  -loopback   [ ] : Scan inside loopback-type files
  -mime       [ ] : Scan files encoded in MIME format
  -oe         [ ] : Scan Microsoft Outlook Express mailbox files
                    (requires -mime)
  -tnef       [ ] : Scan inside TNEF files
  -pua        [ ] : Scan for adware/PUAs
  -suspicious [ ] : Scan for suspicious files

The following options may be prefixed with 'no-' to invert their meaning
(for example, '--no-reset-atime' is the inverse of '--reset-atime'.  [*]
indicates the option is the default:

  --reset-atime          [*] : Reset file access time after scanning
  --stop-scan            [*] : Abort scanning of files such as 'zip bombs'
                               which require excessive amounts of time,
                               disk space or memory to scan
  --ignore-could-not-open[ ] : If a file cannot be opened, don't treat it as
                               an error

The following options are Unix-specific, and may be prefixed with 'no-'
to invert their meaning (for example, '--no-follow-symlinks' is the
inverse of '--follow-symlinks'). [*] indicates the option is the default:

  --follow-symlinks      [*] : Scan the object pointed to by symbolic links
  --stay-on-filesystem   [ ] : Attempt not to leave the starting filesystem
                               (i.e. do not traverse mount points)
  --stay-on-machine      [*] : Attempt not to leave the starting machine
                               (i.e. do not traverse remote mount points)
  --skip-special         [*] : Do not scan 'special' objects (/dev, /proc,
                               /devices etc.)
  --backtrack-protection [*] : Prevent repetition of work ('backtracking')
                               due to symbolic links
  --preserve-backtrack   [*] : Preserve the backtracking information for
                               the duration of this run
  --examine-x-bit        [ ] : Check files with an execute bit set
  --show-file-details    [ ] : Show file ownership and permissions when
                               displaying filenames
  --quarantine           [ ] : (Simple form of --quarantine option)
                               If file is infected with virus, attempt to
                               change file owner to user running Sophos
                               Anti-Virus, and permissions to
                                 -r-------- (0400)

  --quarantine:<uid=nnn>,<user=user>,
               <gid=nnn>,<group=group>,<mode=ppp>
                         [ ] : (Detailed form of --quarantine option)
                               If file is infected with virus, attempt to
                               change file ownership, group ownership, and
                               permissions to those specified as
                               uid/user, gid/group, and mode.

  -move=<quarantine directory>
                         [ ] : Move infected files to a quarantine directory
  -rename                [ ] : Append filename extension 'infected' to names of
                               infected files (unless they already have this
                               extension).
  --args-file=<file>         : Read command line arguments (both options and
                               directory/filenames) from file, taking
                               arguments from the command line again when
                               the end of the file is reached. A value of -
                               for <file> specifies taking input from stdin.
                               A small number of command line options may
                               not be used within an args file, namely:-
                               -eec, -neec, -p=, -s, -ns, -dn, -ndn.
                               These can only be specified from the command
                               line.

The following options are specific to Linux and FreeBSD only.

  -mbr        [ ] : Scan master boot records on all (physical) hard disks
  -bs=X,...   [ ] : Scan boot sector of each drive listed
  -bs         [ ] : Scan boot sectors on all (logical) drives
  -cdr=X,...  [ ] : Scan boot sector in bootable image of each CD drive listed

You need to have superuser rights in order to scan boot sectors.
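As an added example (not from the original post or from Sophos), the script below assembles a report-only home-folder sweep command in the spirit of the examples table above, applying two rules from the usage text: the options -eec/-neec, -p=, -s/-ns and -dn/-ndn cannot go inside an --args-file, and -exclude only affects the paths that come after it. It assumes sweep is on your PATH (override with SWEEP) and uses illustrative paths; it prints the command rather than running it.

```shell
#!/bin/sh
# Added example, not part of the original post: build a sweep command line for a
# report-only scan of one user's home folder, shortened as the post suggests
# (no archives, stay on the starting filesystem), with most options kept in an
# --args-file. Assumptions: sweep is on PATH (override with SWEEP); the paths
# are illustrative. Nothing here runs sweep; the command is only printed.

SWEEP="${SWEEP:-sweep}"
SWEEP_ARGS_FILE="${SWEEP_ARGS_FILE:-${TMPDIR:-/tmp}/sweep-args.txt}"

# Options that sweep's usage text says may only be given on the command line.
is_cmdline_only() {
    case "$1" in
        -eec|-neec|-p=*|-s|-ns|-dn|-ndn) return 0 ;;
        *) return 1 ;;
    esac
}

# write_args_file OPTION... : store every args-file-safe option, one per line,
# in $SWEEP_ARGS_FILE and print the command-line-only ones for the caller.
write_args_file() {
    : > "$SWEEP_ARGS_FILE"
    keep=""
    for opt in "$@"; do
        if is_cmdline_only "$opt"; then
            keep="$keep $opt"
        else
            printf '%s\n' "$opt" >> "$SWEEP_ARGS_FILE"
        fi
    done
    printf '%s' "${keep# }"
}

# build_sweep_cmd HOME_DIR LOGFILE : print the full command. The scan path is
# placed before -exclude so only the Caches folder after it is skipped; putting
# -exclude in the args file would exclude HOME_DIR itself, because sweep reads
# the rest of the command line (HOME_DIR included) only after the file ends.
build_sweep_cmd() {
    home_dir="$1"; logfile="$2"
    cmdline_opts=$(write_args_file -narchive --stay-on-filesystem -ss -eec "-p=$logfile")
    printf '%s --args-file=%s %s %s -exclude %s/Library/Caches\n' \
        "$SWEEP" "$SWEEP_ARGS_FILE" "$cmdline_opts" "$home_dir" "$home_dir"
}

build_sweep_cmd "${HOME:-/Users/diz}" "${HOME:-/Users/diz}/Desktop/savscan.txt"
```

Because -eec is on the command line, the printed command can be checked with extended error codes after it finishes; the log goes to the -p= file rather than the Console logs the GUI scans use.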
