How to see what files are being scanned by the on-access scanner on OS X

  • Article ID: 111978
  • Updated: 26 Aug 2014

This article explains how to see which files and paths are being scanned by the Sophos Anti-Virus for Mac OS X on-access scanner. This is done with a short bash script that runs dtrace.

Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Mac OS X

Operating systems
Mac OS X

What To Do

  1. Open Terminal
  2. Change directory to a location where you want to create and run the tracing script from (e.g., cd ~/Documents/ )
  3. Create the script file: type the following and press Enter:
    vi dtrace_ic.d
  4. Copy (cmd + c) and paste (cmd + v) the code below into the Terminal window:


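    #!/bin/bash

    # Find the on-access scanner process (InterCheck)
    ps_out=$(ps -Aco "pid command" | grep InterCheck)
    [ $? -eq 0 ] || { echo "InterCheck process is not running"; exit 1; }

    # $ps_out is left unquoted so leading spaces collapse and field 1 is the PID
    ic_pid=$(echo $ps_out | cut -d ' ' -f 1)

    echo "Tracing InterCheck; pid = $ic_pid"

    /usr/sbin/dtrace -n '

    #pragma D option quiet
    #pragma D option switchrate=10hz

    /* PLACEHOLDER: the probe description for this clause is not present on this page */
    {
        /* Only treat arg1 as a pointer to a path string when it is above 4096 */
        self->pathstr = arg1 > 4096 ? copyinstr(arg1) : "";
    }

    /* PLACEHOLDER: the probe description for this clause is not present on this page */
    / self->pathstr != "" /
    {
        printf("%s\n", self->pathstr);
    }
    '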

  5. Press Esc, then type :wq! and press Enter.
  6. The script file needs to be executable.  Type the following and press enter:
    chmod 755 dtrace_ic.d

  7. Run the script file as root: type the following and press Enter:
    sudo ./dtrace_ic.d

Information on what the on-access scanner is processing will be shown in the Terminal window, one path per line. When you want to end the logging, press Ctrl+C in Terminal.
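A long trace is easier to read once it is grouped by directory, for example when checking which locations generate the most on-access scanning. The script below is an added example and is not part of the Sophos article; the file name scan_trace.log and the function names summarize_scans and sample_trace are assumptions, and the sample lines are constructed.

```shell
#!/bin/bash
# Added example, not Sophos code. Assumes the trace was saved with:
#   sudo ./dtrace_ic.d | tee scan_trace.log   (scan_trace.log is an assumed name)

# summarize_scans FILE [DEPTH] [TOP]
# Prints "count<TAB>directory" for the TOP busiest directories, with each
# scanned path cut down to its first DEPTH directory components.
summarize_scans() {
    local file=$1 depth=${2:-3} top=${3:-10}
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 1; }
    # Only lines starting with "/" are scanned paths; this skips the
    # "Tracing InterCheck; pid = ..." banner and blank lines.
    awk -v depth="$depth" '
        /^\// {
            n = split($0, part, "/")     # part[1] is empty (leading slash)
            last = (n - 1 < depth + 1) ? n - 1 : depth + 1  # n-1 drops the file name
            dir = ""
            for (i = 2; i <= last; i++) dir = dir "/" part[i]
            count[(dir == "" ? "/" : dir)]++
        }
        END { for (d in count) printf "%d\t%s\n", count[d], d }
    ' "$file" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 | head -n "$top"
}

# Constructed sample of what the trace prints (not real captured output).
sample_trace() {
    cat <<'EOF'
Tracing InterCheck; pid = 123
/Users/alice/Library/Caches/com.example.app/cache.db
/Users/alice/Library/Caches/com.example.app/cache.db-wal
/Users/alice/Library/Mail/V2/inbox.mbox
/Users/alice/Documents/My Report.docx
/private/var/folders/ab/tmp123/T/build.o
/private/var/folders/ab/tmp456/T/build2.o
/private/var/folders/cd/tmp789/T/build3.o

/etc/hosts
EOF
}

# Demo run on the constructed sample: depth 3, top 5 directories.
tmp=$(mktemp) && sample_trace > "$tmp" && summarize_scans "$tmp" 3 5
rm -f "$tmp"
```

For a real trace, call summarize_scans scan_trace.log with the depth and number of rows you want.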

If you need more information or guidance, then please contact technical support.
