Whats up with Lion lately?

Launch the Console application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Console in the page that opens.

In the Console window, look under DIAGNOSTIC AND USAGE INFORMATION for crash or panic reports. Select the most recent report from each subcategory and post the contents — the text, please, not a screenshot. In the interest of privacy, I suggest that, before posting, you edit out the “Anonymous UUID,” a long string of letters, numbers, and dashes in the header of the report, if it’s present (it may not be.) Pleasedon’t post shutdownStall or hang logs — they're very long and not helpful.

Uninstall Sophos according to the developer's instructions, then reboot and test. Never install Sophos, or any commercial "anti-virus" software, again.

The vast majority of AV software cause more problems then they solve.

Running multiple AV software applications is bad. They can step on each other causing you grief.

I concur with Linc that you should uninstall Sophos.

ClamXav is OK.

Allan

Is there a problem with running anti-virus software?

Yes: the problem you have now.

Do you think they are ever going to figure out that the cure is worst then the illness?

Allan

For the AV stuff, see Reed's virus guide and Klaus1's virus guide

Sorry. I just got tired of seeing this same question so many times.

You are correct I had meant to type worse but was going to fast.

You might find some helpful information at this site,

http://www.reedcorner.net/guides/macvirus/

Allan

Mac OS X versions 10.6.7 and later have built-in detection of known Mac malware in downloaded files. The recognition database is automatically updated once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders. In most cases, there’s no benefit from any other automated protection against malware.

The most effective defense against malware is your own intelligence. All known malware on the Internet that affects a fully-updated installation of Mac OS X 10.6 or later takes the form of trojans, which can only work if the victim is duped into running them. If you're smarter than the malware attacker thinks you are, you won't be duped. That means, primarily, that you never install software from an untrustworthy source. How do you know a source is untrustworthy?

1. Any website that prompts you to install a “codec,” “plug-in,” or “certificate” that comes from that same site, or an unknown site, merely in order to use the site, is untrustworthy.
2. A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim.
3. “Cracked” versions of commercial software downloaded from a bittorrent are likely to be infected.
4. Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. No intermediary is acceptable.

Disable Java (not JavaScript) in your web browser(s). Few websites have Java content nowadays, so you won’t be missing much. This setting is mandatory in Mac OS X 10.5.8 or earlier, because Java in those versions has bugs that make it unsafe to use on the Internet. Those bugs will probably never be fixed, because those older operating systems are no longer being maintained by Apple. Migrate to a newer version of the Mac OS as soon as you can.

Follow these guidelines, and you’ll be as safe from malware as you can reasonably be.

Never install any commercial "anti-virus" products for the Mac, as they all do more harm than good. If you need to be able to detect Windows malware in your files, use the free software ClamXav — nothing else.

Linc Davis wrote:

The most effective defense against malware is your own intelligence. All known malware on the Internet that affects a fully-updated installation of Mac OS X 10.6 or later takes the form of trojans, which can only work if the victim is duped into running them. If you're smarter than the malware attacker thinks you are, you won't be duped.

That is a bit misleading. The latest Flashback variants take the form of "drive by" attacks that exploited a known vulnerability in Apple's version of Java. You did not have to install anything to get infected, just 'drive by' (visit) a maliciously crafted web page. Apple did patch the vulnerability eventually -- almost seven weeks after it was public knowledge & around a month after these variants of Flashback were in the wild, eventually infecting (according to some reports) as many as 650,000 Macs.

Had you been running Sophos or any of several other A-V products, your exposure to these variants would have been limited to at most about two days after they first appeared. In fact, the malware was designed to self-destruct if it detected certain A-V products, so if you ran one of these products, you would have no exposure at all.

The idea that all commercial A-V products do more harm than good is overly simplistic -- like any other kind of software, some are well designed & maintained, some are not. Personally, I have been running Sophos since November 2010 & have had not a single issue with it, even when beta testing new versions of Apple software.

I chose it over ClamXav in part because the latter is sometimes a bit slow to be updated (including for the 'drive-by' variants of Flashback). ClamXav also is somewhat limited in its "always on" capability: that feature (called Sentry) was introduced in the new 2.0 version (& still missing from the Mac Apple Store Version) & must be set up to scan specific folders to do anything. Sophos' "on access" scanner is not restricted to specific folders. There is also a potential issue with ClamXav if you try to scan the entire HD; for this reason its maker recommends that you not do that.

My feeling is that if you are going to use A-V software at all, it doesn't make much sense to use a product that doesn't include an "always on" scanner that detects malware as soon as it enters your system -- for a drive by type attack this limits you to a 'closing the gate after the horse has bolted' type of defense, so to speak. It also doesn't make much sense to me to use a product that isn't updated as quickly as possible with the latest "in the wild" malware definitions -- there isn't much point in using it otherwise.

Of course, any software product (including the OS itself) can be affected by issues like file corruption or conflicts with incompatible or out-of-date add-ons, & A-V software is no exception. Before deciding it is the cause of your problem, it is worth checking for file corruption with Disk Utility & reviewing your other software for potential problems.

A lot of good advice up there, though I fear some if it might be getting lost. In sum:

- don't use two AV programs on your system; they are likely to conflict.

- Sophos runs well for many people, but it's also a known cause of problems for others. ClamXAV, as far as I know, has never been reported on these forums as causing conflicts with either the OS or other s/w, and that's why most regulars here generally recommend it, if they have to recommend any AV s/w at all. Norton, Kaspersky and VirusBarrier and all others are best avoided.

- most experienced mac users don't feel the need for AV software because there simply are no known mac viruses. It's also logically impossible that if/when a mac virus appears, any AV s/w could defend against it. AV programs only scan for known viruses. They cannot protect you from what will come tomorrow.

- Regarding Flashback, it's worth pointing out that the vulnerability in Java that flashback exploits is an old one. Flashback wouldn't install on any system that used certain s/w which already plugged the vulnerability with its own Java packages. Indeed, if you had MS Word, Flashback wouldn't install for the same reason it wouldn't install if you had Sophos.

If you've removed Sophos and still have the problems, report back.

softwater wrote:

It's also logically impossible that if/when a mac virus appears, any AV s/w could defend against it. AV programs only scan for known viruses. They cannot protect you from what will come tomorrow.

That isn't entirely correct. Most A-V products rely primarily on recognizing certain characteristic code patterns in malware to detect it. Because the majority of "new" malware is created with the help of crime kits like Weyland-Yutani or Blackhole, some code segments are often the same as in older stuff. The big problem for A-V companies is finding the code segments unique only to the malware (to prevent false positives).

There are different ways to do this. The simplest & most reliable is to define a unique set of one or more code patterns ("virus definitions") for each variant of some malware as it is discovered in the wild & apply a simple "AND" logic: unless the software includes every code pattern in that specific set, it isn't considered that variant & raises no flags.

This is basically the approach taken in Apple's "XProtect" built-in A-V protection. (You can see the binary code patterns in the XProtect.plist as "Matches" entries.)

This approach does indeed require an update for each new variant. (In the XProtect.plist, you can see this as several different entries for the same basic type of malware like MacDefender or Flashback.A.)

However, more complex detection algorithms are possible. For instance, the A-V software can compare code segments from many different sets & if there are enough matches among them (even if not all are from the same set), the algorithm flags the software as malware, or at least suspicious enough to perform other tests to determine if it is. For instance, it might look for suspicious references to system files in the code.

Obviously, this isn't as foolproof as using an update for each new variant & is much harder to implement. However, it is a viable technique & if done well is capable of detecting at least some "new" malware without requiring an update specifically for it or generating false positives that would make it unreliable.

For obvious reasons, A-V companies don't publish the details of the detection algorithms they use so about the only way we can judge them is by what they detect & when. Sophos scores pretty well in this respect, certainly a lot better than XProtect (which is limited to download packages anyway) & at least in my experience better than ClamXav.

Ultimately, the choice to use any third-party A-V software or not is a personal one, & opinions obviously differ widely about that. However, it is worth considering that even Apple suggests doing so, for instance in http://support.apple.com/kb/PH4251 (for Lion users), in http://docs.info.apple.com/article.html?path=Mac/10.6/en/11389.html (for Snow Leopard users), & in various Security Configuration Guides.

R C-R wrote:

I chose it over ClamXav in part because the latter is sometimes a bit slow to be updated (including for the 'drive-by' variants of Flashback).

That has certainly been true in the past, but at some point during the MacDefender outbreak it improved a great deal. I have documented a few examples of variants which were updated in the clamav database before either Sophos or Apple. Part of the explanation seems to be a broader willingness to share samples via services like VirusTotal and a willingness for the signature coders at clamav to take on OS X signature writing with the same priority they have previously reserved for Windows malware.

ClamXav also is somewhat limited in its "always on" capability: that feature (called Sentry) was introduced in the new 2.0 version (& still missing from the Mac Apple Store Version) & must be set up to scan specific folders to do anything.

Not that it matters, but Sentry came along way before v2 and has been part of ClamXav from the time I first started using it. I don't see it ever being included in the AppStore version as long as Apple rules remain as strict as they are, in fact I suspect the Sandbox requirement has made that even more difficult. The fact that you must set it up is considered to be a feature by the author who insisted that ClamXav do nothing that wasn't specifically requested by the user. Makes things more difficult in the beginning, but at least you know everything it's doing which is not true of other A-V software.

There is also a potential issue with ClamXav if you try to scan the entire HD; for this reason its maker recommends that you not do that.

True, but it's been fixed for most users and for others there is a work-around.