How do you prevent a process from automatically restarting? (specifically, sophos antivirus)

macos mac

This means that there is another monitor process which relaunches it.

You can check out who is the parent process: select the process in activity monitor and use the Info button, or via terminal with ps -ax -O ppid if I recall correctly.

  • It might be another process by Sophos but with a stealth name, or maybe even your VPN software. In that case you can just kill'em all.

  • The other possibility is that the process is being kept alive by the launch daemon launchd. In this case you will find an entry (a plist XML file) for your antivirus in either ~/Library/LaunchAgents, /Library/LaunchAgents (likely) or /System/Library/LaunchAgents (I dearly hope not).

If the second is the case, you can either:

  • Edit the file, and change the KeepAlive parameter, either removing or changing it (you can do nifty things, see the docs for more).

  • Just ask launchd to do the stopping for you. Unfortunately you can't just tell to launchtl stop since the process would just respawn. You'll have to use
    sudo launchctl unload /path/to/the/plist file


I'd comment on Agos' post, but I'm too new to do that. So:

As far as I remember they should have a launch agent in /Library/LaunchAgents. I'd just ask you to do a ls /Library/LaunchAgents, ls /Library/LaunchDaemons and ls /System/Library/LaunchDaemons. Something will show up.

Also you could open /Applications and check Uninstall Sophos.app with Show Package Contents then check out the uninstall script.


man launchctl


launchctl list |grep -i 'sophos'

to unload a daemon permanently, but not uninstall it

launchctl unload -w /full/path/to/file.plist

To find out which launchd job is spawning things back, tail -f /var/log/system.log and sudo kill -9 <pid> the process you are interested in.

Suddenly, launchd will tell you exactly which job is responsible:

com.apple.launchd[1] (com.sophos.managementagent[83911]): Exited: Killed: 9

You can also try increasing the log level to precisely determine what's happening: launchctl log level debug

Bear in mind that some jobs will be run as root, so sudo launchctl list might show you some extra jobs running on your machine.

Related

OSX : Cancel the shutdown sequence
Is it possible to use an Apple Time Capsule just as a network attached backup drive and not a router?
How to remove "XXX is an application downloaded from the internet. are you sure you want to open it" at start up?
How can I use Atom as the default editor for "open"?
How to keep mute button available during call
Change font style for pdf's using Preview
How to remove Skype menu bar icon from macOS?
Is a screen protector worthwhile for an iPad?
How to force a captive portal page to pop up (Like a Starbucks or McDonald's WiFi landing page)?
How to get back the missing monitor option in Mountain Lion's menubar?
How to fix curl: (60) SSL certificate: Invalid certificate chain when using sudo
Choosing the default application does not stay as default after reboot