Disable Sophos v9.2.4 On-Access Scanner via Command Line

russeller
Contributor III

I'm trying to install Bootcamp on some Macs without going through Casper Imaging so I found that through WinClone you can create a PKG of the BootCamp captured partition and deploy that to existing Macs that'll resize the partition and install BootCamp on the Mac. This is great, except that our Sophos Anti-Virus On-Access Scanner is not allowing the install to finish without getting its grubby little fingers all over the files being copied to the new partition. So I wanted to find a clean way to stop the Scanner through a simple script without touching the GUI. Most Mac Anti-Virus programs I've encountered in the past simply let you unload their LaunchDaemons and the scanner will stay off until you reload the daemon or reboot the Mac. It appears in previous versions of Sophos this was also the case. In the version we have installed this is not the case from what I can tell. So I used fsevents when hitting the "Stop Scanning" button in the GUI and found Sophos was talking to the plist called /Library/Preferences/com.sophos.sav.plist. It appears that it changed a value of 'AutoLaunch' from 1 (on) to 0 (off). I then used the binary "opensnoop" in Terminal for the file /Library/Preferences/com.sophos.sav.plist and found that three processes touch that file when you enable and disable the OAS (On-Access Scanner) in the GUI. The three processes are 1) InterCheck 2) SophosAntiVirus and 3) SophosConfigD. I played with killing these processes but obviously they'd simply relaunch when they are killed and they appear to have no plist in any LaunchDaemon location (/Library or /System).

So long story longer...

My theory is when you hit "Stop Scanning" in the GUI it is writing the 0 (off) value to the com.sophos.sav plist, then it's restarting its services. When it sees AutoLaunch set to 0 it doesn't run the On-Access Scanner until you hit "Start Scanning". So I used "defaults write /Library/Preferences/com.sophos.sav AutoLaunch -int 0" and then I tried doing a "killall InterCheck". This will show in the GUI that the On-Access Scanner is off for about 5 seconds, then it goes green again.

Frustrated, I put away the scalpel and grabbed the sledgehammer: I wrote the AutoLaunch value to 0, THEN I moved the "/Library/Sophos Anti-Virus/InterCheck.app" application (which contains the InterCheck binary) to /tmp, THEN I did a killall InterCheck. Since Sophos wasn't able to find the InterCheck binary, the On-Access Scanner stayed off in the GUI. Not certain that the scanner was actually off, but the GUI said it was. When I moved InterCheck.app back to "/Library/Sophos Anti-Virus/" the GUI would almost immediately show the Scanner is back on.

Has anyone else been able to get the On-Access Scanner to turn off through a script or command? Can you share if possible? I'm going to continue testing my method but I'm really hoping there is an easier way available.

Thank you.

1 ACCEPTED SOLUTION

maser
New Contributor III

This is what I run:

To turn off:

defaults write /Library/Preferences/com.sophos.sav AutoLaunch -bool false; pkill InterCheck

To turn on:

defaults write /Library/Preferences/com.sophos.sav AutoLaunch -bool true; pkill InterCheck

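The accepted answer above gives the two one-liners; what a practitioner deploying them wants is a guarantee that the scanner comes back on even when the wrapped install fails or the script is interrupted, plus a check of the end state. The script below is an added example, not code from the thread or from Sophos. It assumes only what the posts state: the AutoLaunch boolean in /Library/Preferences/com.sophos.sav and the InterCheck process name. The installer command and package path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread or from Sophos): run a command
# with the Sophos On-Access Scanner (OAS) off, always re-enable it afterwards,
# and verify that the re-enable took.
# Assumptions taken from the thread: plist /Library/Preferences/com.sophos.sav,
# key AutoLaunch (bool), process InterCheck re-reads the key when restarted.

PLIST="/Library/Preferences/com.sophos.sav"   # defaults(1) appends .plist itself

# Write AutoLaunch and restart InterCheck so it picks up the new value.
# $1 is "true" (scanner on) or "false" (scanner off).
set_oas() {
    defaults write "$PLIST" AutoLaunch -bool "$1" || return 1
    pkill InterCheck || true    # no running process to kill is not an error
}

# Succeeds when the plist says the scanner should be running (AutoLaunch = 1).
oas_enabled() {
    [ "$(defaults read "$PLIST" AutoLaunch 2>/dev/null)" = "1" ]
}

# Run the given command with OAS off and turn OAS back on no matter how it ends.
# Returns the wrapped command's exit status, or 1 if OAS could not be restored.
with_oas_disabled() {
    set_oas false || return 1
    # Restore on script exit, Ctrl-C or termination while the command runs.
    trap 'set_oas true' EXIT
    trap 'set_oas true; exit 130' INT TERM
    "$@"
    rc=$?
    set_oas true
    trap - EXIT INT TERM
    if ! oas_enabled; then
        echo "warning: AutoLaunch still reports 0 after re-enabling OAS" >&2
        return 1
    fi
    return "$rc"
}

# Usage (placeholder command and package path):
#   sudo ./oas_wrap.sh installer -pkg /path/to/BootCamp.pkg -target /
if [ "$#" -gt 0 ]; then
    with_oas_disabled "$@"
    exit "$?"
fi
```

The wrapper keeps the scanner off only for the duration of the one command, which is a much smaller exposure window than a policy that disables it and re-enables it on a timer. Note that the final check only confirms what the plist says; whether scanning actually resumed is a functional question, and the EICAR test file mentioned later in the thread is the right way to answer it.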

4 REPLIES

russeller
Contributor III

If someone else has Sophos 9.2.x can you test this? I think I narrowed it down to simply:

#!/bin/sh

## Turn off OAS
## The install path contains a space, so it must be quoted or mv sees two arguments
mv "/Library/Sophos Anti-Virus/InterCheck.app" /tmp/
killall InterCheck

#####
## Install Software
#####

## Turn on OAS
mv /tmp/InterCheck.app "/Library/Sophos Anti-Virus/"

exit 0

I went to http://www.eicar.org/86-0-Intended-use.html to create a test malware text file and so far found that Sophos ignores it when it is off.


russeller
Contributor III

Thanks @maser, that was a rookie mistake on my part. I had written an integer to the value instead of a boolean true/false. Writing the value correctly to the plist did the trick.

chrisbju
New Contributor III

Anyone still doing this? Running 9.8.2 and would like to have a Self Service policy to automatically disable, and enable after 24 hours.