Detected threat/issue disappears from Quarantine Manager

This has been going on for four days now and is honestly really annoying.

On Monday, I had an email malware threat detected. When I tried to clean it up out of Quarantine Manager, Sophos froze, crashed and restarted. The threat alert popped up again and I was able to clean it up.

However, almost every hour since this initial threat warning, I have received a popup message alerting me to the same threat. When entering Quarantine Manager, it disappears without warning of cleanup or anything. (Generally before I can even unlock Quarantine Manager, but sometimes right after.) I have checked other threads and cleaned the cache from my browser. I've had all programs closed. I've restarted. And I still get the warning with the same results.

I also saw there was a possibility of it being detected from my Time Capsule backup and so I excluded that from the live search. Still I get a warning about every hour.

Additionally, it's worth noting that since the initial threat and subsequent cleanup, I have run two entire system scans and both times there have been "issues detected." These seem to be completely benign and/or nonexistent files, though.

  • To understand what's being detected can you email the scan logs through to sophossupport@icloud.com?  How to gather the logs is shown below.

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • I am having similar issues with a threat identified as Troj/MSIL-AVK. When I highlight that threat in the Quarantine Manager, click the unlock button and log it, the QM window clears and the threat has apparently disappeared.

    It seems to happen about every hour and has been happening for several days now. I have updated Sophos and even deleted and then reinstalled. A complete system scan reveals "issues detected" but does not provide any list of files to clean up.

    I have created a scans.zip file as described by your 10-30-2014 11:24 am comment. I've attached that to this comment.

    [attachment: Scans.zip]
  • Thanks for the logs.  The last scan doesn't show a detection.  An older scan, back in February, shows two threats; they are both .zip attachments of emails in the junk folder, which are then contained in a Time Machine backup...

    2014-02-18 01:48:29 -0500 Threat: 'Troj/Mdrop-FIT' detected in /Volumes/LaCie Tara-1/Backups.backupdb/Rod's iMac 24/2013-10-21-003723/Macintosh HD/Users/rodneyad/Library/Containers/com.ambrosiasw.snapz-pro-x/Data/Library/Mail/V2/Mailboxes/Junk (AOL - Rod).mbox/EABDE91F-7A48-4656-A2B0-39DD5CC35870/Data/6/1/5/Attachments/516540/2/payment slip.zip
                                 Failed to clean up threat
    2014-02-18 01:48:39 -0500 Threat: 'Troj/Mdrop-FSS' detected in /Volumes/LaCie Tara-1/Backups.backupdb/Rod's iMac 24/2014-01-30-042518/Macintosh HD/Users/rodneyad/Library/Containers/com.ambrosiasw.snapz-pro-x/Data/Library/Mail/V2/Mailboxes/Junk (AOL - Rod).mbox/EABDE91F-7A48-4656-A2B0-39DD5CC35870/Data/8/9/5/Attachments/598215/2/report.creditcard7800.zip

     ...and hence cleanup is expected to fail - the complex and encrypted Time Machine backup can be read by Sophos Anti-Virus, but SAV cannot then get inside it to delete the attachment, and this is by design.  If you ever feel the need to dig out and delete a threat in a Time Machine backup you should do it manually.  However, I'd suggest excluding the backups from scanning is better (as shown in the YouTube video https://www.youtube.com/watch?v=j3SUJFozC2Q), as the backup will be overwritten as space fills up on the drive, and the on-access scanner will detect and block the threat if it is restored.

    The logs gathered - based on the previously posted video - don't include the on-access scan log, and perhaps that is how the threat is being detected.  I'd recommend searching that log for the threat (Troj/MSIL-AVK) and seeing if you can ascertain the location.  Note: The on-access log (which also includes updating information) is not under ~/Library/Logs, but rather /Library/Logs.  Example:

    [screenshot attached: 2014-11-25_21-14-26.png]

     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
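The log search the moderator describes, as an added shell example that is not part of the original thread: it pulls every detection of a given threat name out of a log written in the format shown in the scan-log excerpt above, and flags paths that sit inside a Time Machine backup (Backups.backupdb), where cleanup is expected to fail and a scan exclusion is the fix. The sample log lines are constructed, and the real on-access log path under /Library/Logs is assumed and must be substituted.

```shell
#!/bin/sh
# Constructed sample log, written in the same line format as the scan-log
# excerpt posted above. Replace with the real on-access log under
# /Library/Logs (assumed path, check your installation).
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
2014-02-18 01:48:29 -0500 Threat: 'Troj/Mdrop-FIT' detected in /Volumes/LaCie/Backups.backupdb/Mac/2013-10-21-003723/Macintosh HD/Users/u/Mail/payment slip.zip
                                 Failed to clean up threat
2014-02-18 01:49:10 -0500 Threat: 'Troj/MSIL-AVK' detected in /Users/u/Downloads/invoice.exe
2014-02-18 02:00:00 -0500 Updated to version 9.2.4
EOF

# find_threat LOG NAME: print the path of every detection of NAME.
# Fixed-string grep so '/' and '-' in the threat name are not treated as regex;
# the continuation line "Failed to clean up threat" never matches.
find_threat() {
  grep -F "Threat: '$2' detected in " "$1" | sed 's/.*detected in //'
}

# classify_path PATH: "backup" if inside a Time Machine backup, else "live".
# A "backup" hit is the case the moderator explains: SAV can read the backup
# but cannot delete inside it, so exclude the backup volume from scanning.
classify_path() {
  case "$1" in
    */Backups.backupdb/*) echo backup ;;
    *) echo live ;;
  esac
}

# report LOG NAME: one tab-separated line per detection: class, then path.
report() {
  find_threat "$1" "$2" | while IFS= read -r p; do
    printf '%s\t%s\n' "$(classify_path "$p")" "$p"
  done
}

report "$SAMPLE_LOG" 'Troj/MSIL-AVK'
report "$SAMPLE_LOG" 'Troj/Mdrop-FIT'
```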

  • I have the same issue but with a different trojan. I don't get regular warnings, only when I start the Mac. Other than that, the experience is just the same - open Quarantine Manager (takes longer than I'd expect), there's a line with the threat and the Cleanup button is enabled, but before I can get anywhere near clicking it the threat line vanishes. The really annoying thing is that the on-access log (thanks for that suggestion) doesn't identify the file containing the threat. Screen shot attached.

    It's a Windows threat and I have a Mac, so I'm more irritated than worried. How can I stop these alerts if I don't know where the infected file(s) are?

    OSX 10.10.2, SAV Home Ed v 9.2.4
