You can make a difference in the Apple Support Community!
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.
I want to see if I can get some help as to where to look for clues from an abnormal/unpredictable shut down. I have the sysdiagnose files but can you please point me to where I can look for clues? I need a bit of help on how to decipher the ample files. The sysdiagnose files are generated from an MBP 2015 - OSX Mojave 10.14.5
Thanks
Uninstalling non-Apple "anti-virus" junk is Step 1 in diagnosing a broken Mac. Often, it's the only step. Do that first.
Create a backup as a matter of course. To learn how to use Time Machine please read Back up your files with Time Machine on Mac. Actually, do that first (you should already be doing it).
---
Shutdown / reboot events are logged using codes that are not publicly documented. To find the previous shutdown codes use log:
clear; printf '\e[3J' && log show --predicate 'eventMessage contains "shutdown cause"' --last 192h --debug --info
Copy / paste the above into a Terminal window. The Terminal app is in your Mac's Utilities folder.
Negative shutdown codes are usually abnormal and usually indicate a hardware fault. The exceptions to "usually" are those that are associated with an anticipated event. Firmware updates are one example.
Sysdiagnose is overkill to find shutdown / reboot events. It generates over a hundred files.
See if you have a panic report. If you have more than 1, please post a couple as the differences can be very useful:
Look for the Kernel Panic reports at:
Finder -> Go -> Go to Folder -> /Library/Logs/DiagnosticReports
<http://support.apple.com/kb/ht2546>
<http://support.apple.com/en-us/HT200553>
The panic report should have ".panic" in the file name.
You can put the panic report in an "Additional Text" box when you Reply
com.netskope.client.nsIPFilterNKE 1
com.sophos.kext.oas 9.9.4
com.sophos.kext.sfm 9.9.4
com.sophos.nke.swi 9.9.4
com.Cycling74.driver.Soundflower 2
com.sophos.driver.devctrl 9.9.4
3rd party kernel extensions are the #1 cause of macOS panics. 3rd party anti-virus packages are at the top of that list, because they frequently do not use official kernel APIs, and just go roaming through internal kernel structures without taking the correct locks, or inserting code into kernel code paths to intercept some kernel operations. Then when the macOS kernel changes, these packages do not get what they expect and they are not doing what the kernel expects and often a panic happens.
You appear to have 2. Sophos and NetSkope
Many anti-virus packages are badly ported Windows packages that they are trying to shoehorn into macOS and do a poor job of it. Worse most of them do not actually find anything that actually affects Mac users.
If you want a package that has proven itself, then look at MalwareBytes. The Mac version was written by a long time forum contributor, and has earned the trust of the long time forum volunteers. Plus MalwareBytes actually finds and removes stuff that affects Mac users.
Finally, to date, there is no self propagating malware for the Mac. All of it requires the user to be tricked into installing it. Either they think they are downloading something legit (like Adobe Flash), but are really on a malware webpage. Or a download site wraps a freeware/shareware package in its own installer, that happens to do a side install of adware that the download site gets paid to distribute. Or the software author is being paid by an adware vendor to side-load adware with their product.
But in all cases the user had to actually intentionally install the software. So the only time you need to even run MalwareBytes is after you install something that did not come from the Apple App Store.
Helen2006 wrote:
an abnormal/unpredictable shut down.
MBP 2015 - OSX Mojave 10.14.5
And while we wait for the output from 192 hours of past logs...
was this an isolated event, or on going shutdown event?
If your Mac restarted because of a problem - Apple Support
Independent of your issue— your software is not up to date.
The stable release:
Combo update 10.1.4.6 https://support.apple.com/kb/DL2010?viewlocale=en_US&locale=en_US
Helen2006 wrote:
It's on-going shutdown events since last fall until now. User work from remote and so the response could be irregular like a week or two elapse, the mac shut down. Works get busy and so a month later, they notify that while drafting an email, the shut down happens again etc.
So you are trying to trouble shoot for third party remote Mac.
Kernel Panics are predominately caused by hardware faults or faulty third-party kernel extensions.
Your client can run this trusted utility http://etrecheck.com for conflicts or issues and share their report with you.
If your Mac restarted because of a problem - Apple Support
If you are not a system software debugger, then don't waste your time. Those files are intended for the engineers to use with special debuggers.
Provide more complete information surrounding the event. Has it happened more than once? What were you doing when it happened? What software was running? What third-party hardware is connected? Was there a power outage?
If this was a one time event, then don't worry over it. There could be any number of causes but if it happened once, then it isn't likely to signal any major hardware/software concern.
The shutdowns are random! The laptop was brought back to the Apple store to check for hardware malfunction and it was not. It was a new deployment for an end-user but it’s been reloaded with std office and design apps. There are 3rd parties software ie Anti-virus and monitor app. The user’s function requires the use of Wacom Tablet and that differential them from non-designer. I've opened up a few of the files in the crashes-and-spins folder and there is a lot of data that I have not looked thoroughly. The data seems to state what it is of the Mac and not pointing to any particular app that is causing the crash. If you can provide any insight into interpreting the data, I would appreciate it. What should I be looking for?
It's on-going shutdown events since last fall until now. User work from remote and so the response could be irregular like a week or two elapse, the mac shut down. Works get busy and so a month later, they notify that while drafting an email, the shut down happens again etc.
The latest shut down happened January 16th.
@John Galt - I tried to run the command but got an error. It was down straight from the user's desktop who have standard permission. I will try from Admin account and see if I can get the result tmr.
@ Leroydouglas - Thanks will update Mojave to 10.14.6. I ran the etrecheck on the affected Mac and the critical error it found was that it did not found the Time Machine on Mac.
[Edited by Moderator]
"Sophos" is present and affecting that Mac to an unknown degree. Have the user follow Step 1.
John Galt wrote:
Uninstalling non-Apple "anti-virus" junk is Step 1 in diagnosing a broken Mac. Often, it's the only step. Do that first.
Step 0 (creating a backup) is assumed.
Thanks, BobHarris, John Galt and all for your insight and contribution to my question. I really appreciate your expertise and your contribution to this community! With your help, it points me to where I need to focus on rather than fixated on something that is not a contributing factor to the problem.
Helen2006 wrote:
Can you shed light on why antivirus can't co-exist on the Mac platform? In Windows, ...
Stop right there.
macOS ≠ Windows
Can you shed light on why antivirus can't co-exist on the Mac platform? In Windows, I have seen that when certain folders are filtered out from being scan it works fine.
sysdiagnose files - where to look for clues for the unnormal shutdown
