Let me set the scene: You’re happily running a scan with Sophos Anti-Virus for Mac 9…
…and before the scan completes you see a warning in the Scans window that says Issues detected…
The questions now are: What are these issues detected? How do I fix them? Why does the scan report Issues detected and then also No threats found? Surely the only issues should be that the scan found threats right?
Access y ou r Sophos Home Dashboard Click the computer where you need to disable the real-time protection. Go to the Protection tab General tab. Switch on or off the toggle under Real-Time Protection. Set the Sophos Web Intelligence Serviceto manual and stop it. To see if this change worked. Uninstall Sophos. If none of the previous measures work and you are able to uninstall Sophos you may need to do so in order to run Connect. To see if this change worked.
Spoiler: These issues are nothing to worry about.
The ‘issues’ are caused by the scanner finding encrypted and/or corrupt files and simply not being able to access them.
On your Mac there will be a number of encrypted files and the scanner is not able to access them because they are…encrypted. Protected. Locked. It should not be able to access them otherwise what’s the point of the file being encrypted? If SAV can break in whenever it wants and have a peek then so can other programs and the encryption is pointless.
Your Mac is also going to have a few ‘corrupt’ files. Well…they may not be exactly corrupt. The structure of the file – or more precisely the file header – is not recognizable to Sophos Antivirus.
When any application (like SAV) ‘reads in’ a file it expects certain information, in a certain order. Usually there is a header, where global information about the particular file is kept.
If this information is not what SAV expects then the file is deemed corrupt. In actuality the file is most likely a system file or a file called only by a particular program that knows how to access or use it – nothing other than that program may be able to work with the file.
So shouldn’t you worry that Sophos didn’t scan these files? They could be malicious right? You don’t need to worry. Yes SAV didn’t scan the file, however the file itself cannot run on its own and hence cannot cause a problem to your computer.
I did say that the file could be called by another program, so maybe that program is malware? Maybe but if it’s able to run (execute on Mac OS X) then it has to properly present itself to the operating system and hence it cannot appear as a ‘corrupt’ file and therefore SAV would properly scan that program.
So the takeaway from this is: You’re absolutely fine. Don’t worry.
I want to see these corrupt and encrypted files
A reasonable request. Open Console from Spotlight…
From the left-hand menu select the Sophos log for the type of scan you ran.
In the screenshot below the ‘Issues detected’ was reported during a ‘Scan this Mac’ scan and hence is under the Scans > Scan Local Drives section. If you run a custom scan the log would be listed under ‘Scan’ > theNameYouGaveTheScan.
Recreate the problem with sweep
You can recreate the behavior with the command line version of Sophos Antivirus (sweep). Open Terminal…
Sophos Software
…and then type in the command below and press enter.
sweep /Library/Caches/
Tip: If you don’t see any errors try another folder like /Library/ (without the Caches/ bit) for example.
The program will quickly run a scan on the Caches folder and you will see something like this in the scan summary in the Terminal window…
5628 files swept in 25 seconds.
4 errors were encountered.
No viruses were discovered.
Ending Sophos Anti-Virus.
The ‘X errors were encountered’ is the same thing as the Issues detected message that is reported in the graphical frontend of SAV – sweep doesn’t report anything to the frontend so Terminal is the only place you’ll see issues for this scan.
Above the scan summary you will be able to see the actual files that caused the errors. It will be different messages for different computers but you may see Could not open messages etc.
Again: Don’t lose any sleep over these messages.
Apple has released a new security mechanism called Secure Kernel Extension Loading (SKEL) in MacOS 10.13. This affects all applications/software using non-Apple kernel extensions and users are required to manually add the affected applications/software into the trusted list before the applications/software can be used. This allows the kernel extensions to load and is required for Sophos Anti-Virus to function properly. Users of MacOS 10.13 are required to do the following steps for newly installed Sophos Anti-Virus:
1. After installing Sophos Anti-virus, go to “Security & Privacy” under Apple System Preferences.
Sophos Antivirus Download Free
2. At the bottom of the window, you will see “System software from developer “Sophos” was blocked from loading”. Click “Allow”.
Once authorized, all future Sophos kernel extensions are allowed, even after uninstallation. This step is not required again on a reinstallation. Kernel extensions already installed during an upgrade from MacOS 10.12 are automatically authorized.
For details, please refer to
Advisory: Apple MacOS 10.13 High Sierra Support:https://community.sophos.com/kb/en-us/127413#Sophos