Sophos on Mac: Infinite Loop Brings Machine to a Crawl

A late-2012 Mac Mini had been behaving oddly for a while, with disk space on the 250GB SSD often nearing capacity. By the time I got my hands on it, the SSD had died. Once replaced and restored (slowly) from Time Machine, the system seemed very slow.

Using Activity Monitor, I discovered that Sophos was by far the biggest disk hog. (The machine runs Sophos Home Edition version 9.6.1.) Checking Sophos about 11:15am, I saw that the 6:05am scan was still running. It had scanned 14 million files and detected over 62,000 errors. Plus the log indicated repetitive detections in /Users/Shared/Infected, which is where it copies infected files to. You can actually see the same file name over and over, with numbers at the end to make the names unique. It looks like it was copying files there, then re-detecting them, then copying them again, almost ad infinitum (though the log indicates that it did not move threats already in the destination).


I aborted the Sophos scan. From a Terminal window, I located /Users/Shared/Infected in Finder. The Info box reported 1.7 million (!) files consuming 27GB of disk space. Deleting the files from Finder was taking too long. I killed Finder, opened a Terminal window, and deleted them from the command line:

sudo find /Users/Shared/Infected -mindepth 1 -maxdepth 1 -delete   # path is passed to find because "sudo cd" cannot change the shell's directory

I also went into Sophos and added exclusions on /Users/Shared/Infected to the scheduled scan and the On-Access Preferences. For good measure, I excluded the external Time Machine volume as well. Finally, I went into Time Machine and excluded the same folder—no point in backing up virus files, especially if there are over a million of them.

It seems strange to me that Sophos did not exclude its own virus vault. Maybe this setting was lost at some point. Hopefully the new exclusions will allow the system to function more normally again.
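To check whether a quarantine folder is filling up with repeat copies of the same content, as described above, the following added example (not part of the original post and not Sophos tooling) counts the files and groups them by checksum. The function names are hypothetical, and it assumes the copies are byte-identical and sit directly inside the folder.

```shell
#!/bin/sh
# Added example: size up a quarantine folder and spot the same content
# stored under many different names. Function names are hypothetical.

# Number of regular files directly inside the folder. Counting NUL
# terminators keeps the total right even for names containing newlines.
quarantine_count() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -print0 |
        tr -dc '\000' | wc -c | tr -d ' '
}

# Print "copies checksum bytes" for every content that occurs more than
# once, most-copied first. cksum (POSIX) is a fast CRC: good enough to
# group accidental copies, but it is not a cryptographic hash.
quarantine_dupes() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -exec cksum {} + |
        awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { n[$1 " " $2]++ }
             END { for (k in n) if (n[k] > 1) print n[k], k }' |
        sort -rn
}

# Files that are surplus copies: for each duplicated content, copies - 1.
quarantine_surplus() {
    quarantine_dupes "$1" | awk '{ s += $1 - 1 } END { print s + 0 }'
}

# Human-readable summary plus the five most-copied contents.
quarantine_report() {
    total=$(quarantine_count "$1")
    surplus=$(quarantine_surplus "$1")
    echo "$1: $total files, $surplus are repeat copies of content already present"
    quarantine_dupes "$1" | head -n 5
}
```

Running `quarantine_report /Users/Shared/Infected` before deleting anything shows how much of the folder is repeated content; checksumming every file takes a while on a folder with millions of entries.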
