How to see what files are being scanned by the on-access scanner on OS X

  • Article ID: 111978
  • Updated: 30 May 2014

This article explains how to see which files and paths the Sophos Anti-Virus for Mac OS X on-access scanner (the InterCheck process) is scanning. It uses a short bash script that attaches dtrace to the running InterCheck process and prints each path as the scanner logs it.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Mac OS X

Operating systems
Mac OS X

What To Do

  1. Open Terminal.
  2. Change directory to the location where you want to create and run the tracing script (e.g., cd ~/Documents/ ).
  3. Create the script file by typing the following and pressing enter:
    vi dtrace_ic.d
  4. Copy the code below to the clipboard:

    #!/bin/bash
    # Trace the Sophos InterCheck on-access scanner with dtrace and print the
    # path of every file it logs for scanning. Must be run as root.

    # Find the InterCheck process (ps -c prints the command name only).
    ps_out=$(ps -Aco "pid command" | grep InterCheck)
    [ $? -eq 0 ] || { echo "InterCheck process is not running"; exit 1; }

    # Take the PID from the first matching line; awk ignores ps's padding.
    ic_pid=$(echo "$ps_out" | head -n 1 | awk '{print $1}')

    echo "Tracing InterCheck; pid = $ic_pid"

    /usr/sbin/dtrace -n '

    #pragma D option quiet
    #pragma D option switchrate=10hz

    /* On entry to ic_log_debug, arg1 points at the path string in the
       InterCheck address space. Copy it out unless it is a null or
       otherwise implausibly small pointer value. */
    pid'$ic_pid'::ic_log_debug:entry
    {
        self->pathstr = arg1 > 4096 ? copyinstr(arg1) : "";
    }

    /* On return, print the path captured on entry, then release the
       thread-local variable so it does not accumulate across calls. */
    pid'$ic_pid'::ic_log_debug:return
    / self->pathstr != "" /
    {
        printf("%s\n", self->pathstr);
        self->pathstr = 0;
    }

    '
  5. In vi, press i to enter insert mode, paste with command + v, then press Esc, type :wq! and press enter to save the file and exit.
  6. The script file needs to be executable. Type the following and press enter:
    chmod 755 dtrace_ic.d
  7. dtrace requires root privileges, so run the script with sudo by typing the following and pressing enter:
    sudo ./dtrace_ic.d

Each path the on-access scanner processes is printed in the Terminal window as InterCheck logs it. When you want to stop tracing, press Ctrl+C in Terminal. Note that on OS X 10.11 (El Capitan) and later, System Integrity Protection can prevent dtrace from attaching to protected processes; if the probes fail to enable, that is the most likely cause.
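The raw trace output is one path per line, which quickly becomes unreadable on a busy system. The following script is an added example (not part of the Sophos article or the dtrace_ic.d script above) that post-processes a saved trace to show which directories generate the most scan events and which files are scanned repeatedly, the two things you usually want to know before tuning exclusions. It assumes the trace was captured with `sudo ./dtrace_ic.d | tee ic_paths.log`; the sample_paths function contains constructed sample lines, not real captured data.

```shell
#!/bin/bash
# Added example, not from the Sophos article: summarize the path list that
# dtrace_ic.d prints (one path per line) so that scan hot spots stand out.
# Typical use:   sudo ./dtrace_ic.d | tee ic_paths.log
#                top_dirs 10 < ic_paths.log
#                repeated_files < ic_paths.log

# Count scan events per directory, most active first.
# Reads paths on stdin; prints "<count> <directory>", $1 lines (default 10).
# The first sed strips the last path component; the second maps a bare
# root-level file ("/x" -> "") back to "/".
top_dirs() {
    sed -e 's#/[^/]*$##' -e 's#^$#/#' \
      | sort | uniq -c | sort -rn | head -n "${1:-10}" | sed 's/^ *//'
}

# List files that were scanned more than once, most often first.
# Reads paths on stdin; prints "<count> <path>". awk tests only the count
# field and prints the whole line, so paths containing spaces survive.
repeated_files() {
    sort | uniq -c | sort -rn | sed 's/^ *//' | awk '$1 > 1'
}

# Constructed sample of what dtrace_ic.d prints (assumption: not real data).
sample_paths() {
    cat <<'EOF'
/Users/demo/Library/Caches/com.example.app/Cache.db
/Users/demo/Library/Caches/com.example.app/Cache.db
/Users/demo/Library/Caches/com.example.app/Cache.db
/Users/demo/Library/Caches/com.example.app/Cache.db-wal
/Users/demo/Documents/report.docx
/Users/demo/Documents/report.docx
/Users/demo/Documents/notes.txt
/Applications/Safari.app/Contents/MacOS/Safari
/tmp/build/out.o
EOF
}

# Run with --demo to see the summaries for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "Top directories:";   sample_paths | top_dirs 3
    echo "Repeated files:";    sample_paths | repeated_files
fi
```

On the sample data the cache directory shows 4 events and Cache.db alone accounts for 3 of them; on a real trace the same view tells you whether a single application's cache or build directory is dominating the scanner's work, which is exactly the evidence you want before adding an on-access exclusion.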

If you need more information or guidance, then please contact technical support.
