
Sophos is warning for a Trojan Horse that is no longer on my system

Hi, 

A couple of days ago, Sophos warned me of threats in my data. I was testing with an Outlook mail file of one of my friends. The Outlook database originated on a Windows machine and I tried to restore it in my OS X Outlook app. That process went OK, but the threat warning seemed valid. I told Sophos to clean up the threat and I also deleted the mail file from my Mac.
The problem now is that Sophos keeps on warning me about one of the threats, even though the file is no longer on my system…
I thought I may have missed something, but looking at the log seems to support my assumption that I did remove the file.
The warning is very persistent and pops up a few minutes after I close the Quarantine Manager. Instructing the Quarantine Manager to remove the file does not work, since the file is no longer there…
This is the warning from the log:
com.sophos.intercheck: 2015-10-22 21:43:48 +0200 Threat: 'Troj/JSDldr-BW' detected in 
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 
com.sophos.intercheck: 2015-10-22 21:44:55 +0200 Threat: 'Troj/JSDldr-BW' detected in 
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 
(The original message pointed to the directory where Outlook stores its content on Mac, but the current one has no directory reference.)
I am running OS X 10.11.1 (production version)
Sophos: Home Edition version 9.4.0
Threat detection engine: 3.61.0 Threat data: 5.20
I did a complete re-install of Sophos, but the issue remains…
Hope anybody can help me out!
Jack
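The intercheck lines Jack quotes show the shape of the problem: a threat name with no path after "detected in", followed by "Access to the file denied". Going through a long Console scan log by eye for such records is tedious, so here is a small parser for that line format. It is an added example, not code from the thread or from Sophos; the sample log is constructed for the demonstration (the first record's path is made up, the other two reproduce the path-less form quoted above), and the only status string it recognises is the one that appears in the thread.

```python
"""Parse Sophos Anti-Virus for Mac intercheck log lines and flag detections that
carry no file path or that the scanner could not reach (the 'ghost' alerts in this thread)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

PREFIX = "com.sophos.intercheck:"

# Line format follows the records quoted in the thread: timestamp with UTC offset,
# quoted threat name, then the path of the flagged file (which may be empty).
THREAT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in ?(?P<path>.*)$"
)


@dataclass
class Detection:
    timestamp: str
    threat: str
    path: str                                        # "" when the log carried no path
    status: List[str] = field(default_factory=list)  # continuation lines after the Threat: line

    @property
    def orphan(self) -> bool:
        """True when the alert names a threat but no file, or the scanner reports
        it cannot access the file it is alerting on."""
        return not self.path or any("Access to the file denied" in s for s in self.status)


def parse_scan_log(text: str) -> List[Detection]:
    """Group intercheck lines into Detection records; a blank intercheck line ends a record."""
    detections: List[Detection] = []
    current = None
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue                      # lines from other processes shown in Console
        body = raw[len(PREFIX):].strip()
        if not body:
            current = None                # separator line between records
            continue
        m = THREAT_RE.match(body)
        if m:
            current = Detection(m["ts"], m["name"], m["path"].strip())
            detections.append(current)
        elif current is not None:
            current.status.append(body)   # e.g. "Access to the file denied"
    return detections


def orphans(detections: List[Detection]) -> List[Detection]:
    """Detections worth investigating: alerts without a file the user can act on."""
    return [d for d in detections if d.orphan]


def count_by_threat(detections: List[Detection]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.threat] = counts.get(d.threat, 0) + 1
    return counts


# Constructed sample (not copied from any real machine). The first record's path is
# invented; the second and third reproduce the path-less form quoted in the thread.
SAMPLE_LOG = """\
com.sophos.intercheck: 2015-10-22 21:40:12 +0200 Threat: 'Troj/JSDldr-BW' detected in /Users/example/Documents/restored-mail/attachment.js
com.sophos.intercheck: 
com.sophos.intercheck: 2015-10-22 21:43:48 +0200 Threat: 'Troj/JSDldr-BW' detected in 
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 
com.sophos.intercheck: 2015-10-22 21:44:55 +0200 Threat: 'Troj/JSDldr-BW' detected in 
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 
"""

if __name__ == "__main__":
    found = parse_scan_log(SAMPLE_LOG)
    print(count_by_threat(found))
    for d in orphans(found):
        print(f"{d.timestamp}  {d.threat}  path={d.path!r}  status={d.status}")
```

On a real machine you would feed the function the text exported from Console instead of SAMPLE_LOG; a detection that has a path tells you which mail store or folder to look in, while the orphan records only tell you when the scanner fired, which is exactly the situation this thread is about.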


  • Hey Jack,

    Thanks for stopping by, and sorry to hear you're having trouble. I'd recommend you take a look at the following KB article:

    community.sophos.com/.../118117

    I know it's a pretty long article, but I think step 18 might be the answer to your problem - I'm guessing the file is being downloaded from your email server so that's why it keeps coming back. You need to figure out which email has the bad attachment, go to your inbox, and delete the offending file.

    Also, if you need to see where the file is located, you can check the scan log:

    - Click the Sophos menu bar Icon
    - Click on Open Scans... 
    - Alt-click the white space by "Scan this mac" and select View Scan Log...

    This will open the Scan Log in an application called Console. The scan log gives you detailed information about the most recent scans, such as start time, what was scanned, scan configuration, any threats that were detected, etc. You should also see any errors that may have been encountered by the scanner. 

    Hope that helps, but let me know if you have any other trouble.

    Cheers,
  • I have the same problem. I deleted a suspicious email from my Mail junk folder, without opening the .txt attachment. I then deleted the email from the trash folder. Sophos detected that Mail had saved copies of the attachment - as .doc files - in two folders in User/Library/Containers. It 'cleaned up' the files and they are definitely no longer in the folders that contained them. Nevertheless, Sophos keeps warning me it has detected the threat - Troj/DocDI-ALZ. It has just done that during its scheduled scan this morning. I have also cleared Mail's junk and trash folders and the suspicious email has not returned. The scan log is quite extensive and I am not sure where to look for the threat. Should I delete the folders that once contained the suspect files? Should I uninstall and reinstall Sophos? Any suggestions, Serra?
  • Serra,
    Could you advise me on the same/similar issue I'm running into with Home SAV?

    I've noted my issue here:
    community.sophos.com/.../15845

    I've most recently performed step #18 in the article you referenced, and the threat detection alert is still popping up:

    E-Mail attachments.
    If the file path presented includes /Library/Mail/V2/,

    From the Sophos Preferences window, temporarily disable on-access scanning.
    Open your Mail program, and delete the email with the malicious attachment whose name matches that in the file path. The most common emails have a subject line referring to an invoice, payment, or application.
    From the Sophos Preferences window, re-enable on-access scanning.


    Bear in mind that I had already opened up Mail and did not find an email or file with the name that matches that in the file path.

    Randy