
Indestructible virus Mal/Phish-A

Sophos detected a virus Mal/Phish-A is located in the file "containers" of a "Library". Sophos seems unable to Clean Up Threat. I am administrator of this machine, but the access of "containers" is forbidden for me. How could I get rid of this virus?

I use Mac OS X.9.3 on a MacBookPro.

  • I wrote the following to Sophos today: "Sophos is telling me I have a virus, and it lists the path below, so I click reveal in finder and NOTHING happens. I had another virus recently with the same issue, where you click reveal in finder and it doesn't open any finder windows for you. Since the "reveal in finder" feature doesn't work, I tried taking the right hand corner of this window (see attached screenshot) and dragging it out (in order to make the window bigger) so I could see the full path, but IT WON'T DRAG OUT, so I can't see the full path that way and your software refuses to "reveal in finder", and then I click Cleanup in Progress, and it NEVER completes the cleanup. It seems like your software doesn't work at all, please help!!!!!!!!!!!!!"

    They responded and told me to post to the forums. I'm there now, and I'm signed in and I can't even figure out how to start a new post. Someone PLEASE HELP! rachelkodner1@gmail.com

  • Hi Rachinc,

    I have had issues with the Quarantine Manager window as well. It is fixed and can't be re-sized, so long paths can't be viewed. I'm sure that on an earlier version of SAV the file path was clickable and would expand. It seems that this feature has been removed, accidentally or otherwise. It is crazy that finding a reported threat is so obtuse. Also, I have had Quarantine Manager hang up and not apparently do anything after clicking the Cleanup button. As for the Show In Finder, perhaps the threat HAS been cleaned up, which means the file has been deleted and can't be displayed (but the QM display has not been refreshed). Anyway, enough of speculation.

    If I knew whether the threat had been detected by the on-access scanner or the main GUI scan it would be easier to diagnose but I suspect you may not know?

    1) To check the on-access scanner logs

    Select "Open Preferences" from the Sophos shield icon menu at the right hand side of the menubar (top of screen)

    Click the Logging icon at the right hand side of the preferences window

    Then click the View Log Contents button.

    This will be mostly full of AutoUpdate reports and lists of ide files.

    Use the COMMAND/F shortcut to open the Find box, where you can enter "threat".

    If a threat was reported by on-access it will be shown in this log.  There may well be more than one entry.  Use the right arrow to navigate to the most recent which I guess may be the one you have listed in QM.

    Anyway it will show the full file path.

    The other option is that the threat was detected by a GUI scan.  In which case:

    2) To check the GUI scanner logs

    We can try some investigation using the Console app.

    Launch Console from Applications/Utilities.

    You should see a list of logs on the left-hand side. If not, select Show Log List from the View menu.

    In this log list use the reveal triangles to bury down: LOG FILES ---> ~/Library/Logs (N.B. ~/Library differs from /Library) ---> Sophos Anti-Virus ---> Scans

    Each type of scan has a name.  The main one "Scan this Mac" is called "Scan Local Drives" in the log list.

    There may be others if you have created any custom scans.

    Each scan name will have a list of all its logs beneath it. You probably need to check the most recent of these, and any threat will have the full path listed.

    Hope this helps somewhat.  I realise it's rather convoluted but the Quarantine Manager interface leaves something to be desired.

  • "perhaps the threat HAS been cleaned up". Nope, I go to Quarantine Manager and it's still there. 

    Every time that I run a scan now, I get an error saying something along the lines of the scan was not able to be completed. So now the scans don't work, the clean up process doesn't work, the reveal in finder doesn't work.

    NOTHING WORKS!!!!!!! AT ALL. WITH THIS SOFTWARE. doesn't really make me want to buy the paid version. And I just left Mac

    I used your trick with Command F to find the path of ONE of the threats (the "Mal/Phish-A" threat). I successfully deleted it just now. The file was InstantBooster.htm (in a folder called 2 which came from my Mail app) and there is a folder right underneath it called 3 and in it is a text file that mentions unsubscribing from www.advertise-bz.cn (whoever the hell that is), so it makes me wonder if Advertise-bz.cn is the culprit of that virus.

    Onto the next threat.... another Mal/Phish-A threat (even though there was only ONE Mal/Phish-A listed in the quarantine manager, not two)... this one is LinkDirectorySubmitter.htm.... and sure enough, a folder accompanying it....www.advertise-bz.cn

    Another one called FeedBlaster.htm

    and BlogBlaster.htm

    HitBooster.htm

    dataentryjob.htm

    cashcreation.htm

    I'm having to create a filter in gmail to send ALL messages from admin2@advertise-bz.cn and admin@advertise-bz.cn straight to the trash. I don't really like to use the Mail app... only gmail on my browser because I feel like the Mail app is too stupid to prevent these downloads from getting on your computer.

    Then I continue that Command F search in the log to get the threat, the Troj/PHPBdoor-T threat, and this is what the log shows me..... so does this threat still exist? It must if it's showing up in the list, but I can't find the file path....

    com.sophos.intercheck: 2014-06-21 19:58:56 -0500 Threat: 'Troj/PHPBdoor-T' detected in
    com.sophos.intercheck: Access to the file denied
    com.sophos.intercheck:
    com.sophos.intercheck: 2014-06-21 20:02:17 -0500 Threat: 'Troj/PHPBdoor-T' detected in
    com.sophos.intercheck: Access to the file denied
    com.sophos.intercheck:
    com.sophos.intercheck: 2014-06-21 20:07:51 -0500 Threat: 'Mal/Phish-A' detected in
    com.sophos.intercheck: Access to the file denied
    com.sophos.intercheck:
    com.sophos.intercheck: 2014-06-21 20:13:53 -0500 Threat: 'Mal/Phish-A' detected in
    com.sophos.intercheck: Access to the file denied

  • Now that Sophos has changed software for Mac it no longer shows quarantine and path. Very frustrating, as it directs you with a how-to button that takes you to the website for the Sophos advertising removal tool.... except the removal tool does not apply to Mac, only PC. What to do?
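The reply above walks through searching the on-access (com.sophos.intercheck) log for "threat" by hand, and a later post quotes the entries that search turns up, including the case where the scanner logs "Access to the file denied" in place of a path. The following script is an added example, not Sophos code and not anything posted in this thread: it reads a log of that shape, pairs each "Threat: ... detected in" line with the line that follows it, reports the most recent entry per detection name (the one most likely to match what Quarantine Manager shows), and lists detections for which no entry ever recorded a path, so you know the log alone cannot place them on disk. The sample log is constructed from the lines quoted in the thread; the assumption that the continuation line carries the file path when the scanner could read the file is mine, as is the placeholder path.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Added example, not Sophos code. Parses com.sophos.intercheck entries of the
# shape quoted in the thread. Assumption: when the scanner could read the file,
# the line after "detected in" carries its path; the thread only shows the
# "Access to the file denied" case.

PREFIX = "com.sophos.intercheck:"
DENIED = "Access to the file denied"
THREAT_RE = re.compile(
    r"^com\.sophos\.intercheck: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in\s*$"
)

# Constructed sample log; the path on the second Mal/Phish-A entry is a placeholder.
SAMPLE_LOG = """\
com.sophos.intercheck: 2014-06-21 19:58:56 -0500 Threat: 'Troj/PHPBdoor-T' detected in
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2014-06-21 20:07:51 -0500 Threat: 'Mal/Phish-A' detected in
com.sophos.intercheck: /Users/EXAMPLE_USER/EXAMPLE_MAIL_FOLDER/2/InstantBooster.htm
com.sophos.intercheck:
com.sophos.intercheck: 2014-06-21 20:13:53 -0500 Threat: 'Mal/Phish-A' detected in
com.sophos.intercheck: Access to the file denied
"""


@dataclass
class ThreatEvent:
    timestamp: str          # as written in the log, e.g. 2014-06-21 19:58:56 -0500
    threat: str             # detection name, e.g. Mal/Phish-A
    path: Optional[str]     # file path if the scanner reported one, else None
    access_denied: bool     # True when the scanner could not read the file

    def when(self) -> datetime:
        return datetime.strptime(self.timestamp, "%Y-%m-%d %H:%M:%S %z")


def parse_intercheck_log(text: str) -> List[ThreatEvent]:
    """Return one ThreatEvent per 'Threat: ... detected in' line, in log order."""
    lines = text.splitlines()
    events: List[ThreatEvent] = []
    for i, line in enumerate(lines):
        m = THREAT_RE.match(line)
        if not m:
            continue
        # The detail (path or denial) is on the following line, if there is one.
        detail = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if detail.startswith(PREFIX):
            detail = detail[len(PREFIX):].strip()
        denied = detail == DENIED
        path = detail if detail and not denied else None
        events.append(ThreatEvent(m.group("ts"), m.group("name"), path, denied))
    return events


def latest_per_threat(events: List[ThreatEvent]) -> Dict[str, ThreatEvent]:
    """Most recent entry for each detection name."""
    latest: Dict[str, ThreatEvent] = {}
    for ev in events:
        cur = latest.get(ev.threat)
        if cur is None or ev.when() > cur.when():
            latest[ev.threat] = ev
    return latest


def unlocatable(events: List[ThreatEvent]) -> List[str]:
    """Detection names for which no entry ever recorded a path."""
    located: Dict[str, bool] = {}
    for ev in events:
        located[ev.threat] = located.get(ev.threat, False) or ev.path is not None
    return sorted(name for name, ok in located.items() if not ok)


if __name__ == "__main__":
    evs = parse_intercheck_log(SAMPLE_LOG)
    for name, ev in latest_per_threat(evs).items():
        where = ev.path if ev.path else ("access denied" if ev.access_denied else "no path logged")
        print(f"{ev.timestamp}  {name}: {where}")
    print("no path in any entry:", unlocatable(evs))
```

To run it against the real log, replace SAMPLE_LOG with the text shown by View Log Contents (or the contents of the on-access log file) and keep the rest unchanged; an entry that only ever reports "Access to the file denied" is exactly the situation in the thread where the Quarantine Manager entry persists but the path cannot be recovered from the log.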