
Detected threat/issue disappears from Quarantine Manager

This has been going on for four days now and is honestly really annoying.

On Monday, I had an email malware threat detected. When I tried to clean it up out of Quarantine Manager, Sophos froze, crashed and restarted. The threat alert popped up again and I was able to clean it up.

However, almost every hour since this initial threat warning, I have received a popup message alerting me to the same threat. When entering Quarantine Manager, it disappears without warning of cleanup or anything. (Generally before I can even unlock Quarantine Manager, but sometimes right after.) I have checked other threads and cleaned the cache from my browser. I've had all programs closed. I've restarted. And I still get the warning with the same results.

I also saw there was a possibility of it being detected from my Time Capsule backup and so I excluded that from the live search. Still I get a warning about every hour.

Additionally, it's worth noting that since the initial threat and subsequent cleanup, I have run two entire system scans and both times there have been "issues detected." These seem to be completely benign and/or nonexistent files, though.



  • Thanks for the logs.  The last scan doesn't show a detection.  An older scan, back in February, shows two threats; they are both .zip attachments of emails in the junk folder, which are in turn contained in a Time Machine backup...

    2014-02-18 01:48:29 -0500 Threat: 'Troj/Mdrop-FIT' detected in /Volumes/LaCie Tara-1/Backups.backupdb/Rod's iMac 24/2013-10-21-003723/Macintosh HD/Users/rodneyad/Library/Containers/com.ambrosiasw.snapz-pro-x/Data/Library/Mail/V2/Mailboxes/Junk (AOL - Rod).mbox/EABDE91F-7A48-4656-A2B0-39DD5CC35870/Data/6/1/5/Attachments/516540/2/payment slip.zip
                                 Failed to clean up threat
    2014-02-18 01:48:39 -0500 Threat: 'Troj/Mdrop-FSS' detected in /Volumes/LaCie Tara-1/Backups.backupdb/Rod's iMac 24/2014-01-30-042518/Macintosh HD/Users/rodneyad/Library/Containers/com.ambrosiasw.snapz-pro-x/Data/Library/Mail/V2/Mailboxes/Junk (AOL - Rod).mbox/EABDE91F-7A48-4656-A2B0-39DD5CC35870/Data/8/9/5/Attachments/598215/2/report.creditcard7800.zip

     ...and hence clean-up is expected to fail: the complex and encrypted Time Machine backup can be read by Sophos Anti-Virus, but SAV cannot then get inside it to delete the attachment, and this is by design.  If you ever feel the need to dig out and delete a threat in a Time Machine backup you should do it manually.  However, I'd suggest that excluding the backups from scanning is better (as shown in the YouTube video https://www.youtube.com/watch?v=j3SUJFozC2Q), as the backup will be overwritten as space fills up on the drive, and the on-access scanner will detect and block the threat if it is restored.

    The logs gathered (based on the previously posted video) don't include the on-access scan log, and perhaps that is how the threat is being detected.  I'd recommend searching that log for the threat (Troj/MSIL-AVK) and seeing if you can ascertain the location.  Note: the on-access log (which also includes updating information) is not under ~/Library/Logs, but rather /Library/Logs.  Example:

    [screenshot attachment: 2014-11-25_21-14-26.png]


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
