Virus through/from email

Hi there

I am new here and I am looking for some advice as I am not sure what to do next.

We had 3 Macs in our house, all had the free version of Sophos. Two of them got a virus/hacked? from emails that were in the spam folder.

We are in the process of having them factory reset.

What do I need to do to stop this happening again?

Thanks

  • Hello there,

    As a general rule, it is quite common for email addresses to receive infected messages. Most email providers run checks on the server-side to detect and discard these messages before they reach your machine, but this is by definition imperfect. There is, therefore, no way to completely stop receiving virus-infected emails, although you can, of course, sign up for email service with a provider who takes filtering seriously. That ought to help a very good deal.

    Do note that receiving an alert from Sophos Anti-Virus stating that one of the emails in your SPAM folder is infected does not mean that your machine has been hacked. Unless a vulnerability were discovered on OS X v. 10.10.4 that allowed it to be hacked by simply downloading an infected email, you would need to display, open or otherwise run ("execute") the infected file to run into trouble.

    Do note, also, that Sophos will often warn you about "generic" phishing threats. These are designed to steal your personal info if you open the message, but they may not necessarily "hack" your machine: there is a whole gamut of nastiness out there.

    The best course of action is to delete the email without opening it and to empty the trash in Mail. To be safe, you may want to configure Mail so that 1. it does not load remote content in messages and 2. the content of messages is not displayed in the main Mail window, but rather in a separate window. This will ensure that messages that are downloaded are not displayed by accident.

    Resetting your Macs to their factory state is indeed a good course of action if your computers were really infected. However, unless you actually opened the messages that Sophos said were dangerous you have little, if anything, to fear, and can continue to use the machine. (Opening the message in itself, when the loading of remote content is disabled, is rather unlikely to cause issue, too. It's really the attachment that should be left alone in the very vast majority of cases.)

    Of course, always apply all the security updates available for your Macs and all the applications they run. All of the above assumes you are up-to-date on your patches, and Sophos Anti-Virus cannot protect you if your machine is not up-to-date. Simply keeping up with patches is the very best thing you can do to protect yourself.

    By the way, please do not entrust your machines to random "computer people" or "rent-a-geek" services. When in doubt, your best course of action is to reach out to Apple at an Apple Store. Some "rent-a-geek" operators are very good indeed, others less so, and it is difficult to tell from afar. Apple geniuses are not perfect, but have no incentive to sell you on unneeded procedures.

    I hope this helps!

  • Thank you for your response.

    We never opened the emails, just deleted them via Sophos. However, the same email (in the spam folder of Mac Mail) came back once it was deleted, over and over again. Now I believe deleting them was the trigger. This type of thing happened to my husband's machine and then to mine.

    Does "boot.efi" mean anything to you?

    The email was from a gmail account.

    We will soon have machines that are clean. This leaves us with a few storage drives that have data on them, and we're not sure what to do with those.

    Do I just plug them in and run Sophos on them? That will take days for Sophos to scan even one of them.

    Is there a faster, more powerful version of Sophos?

    Does your email account use the IMAP protocol? (There are two kinds of email accounts, POP and IMAP, the latter being the norm today since it allows email to sync between devices, such as computers, phones, and tablets, with the greatest ease.) If so, Mail.app and the server will do their utmost to stay in sync: whenever something is deleted from Mail.app without it being told that this deletion is on purpose, it will fetch a fresh copy of the missing information as soon as it realises it is missing.

    Sophos Anti-Virus works very well to delete regular threats, such as files on your hard drive, but sync makes email trickier. This can make it look like the virus is "coming back" from the dead. It is, in a way, but this is not indicative of a compromise, simply of Mail.app doing the job it is designed to do. Luckily, the solution is quite simple.

    If your email account offers a "webmail" interface, quit Mail.app and access the webmail in your browser. From there, locate your SPAM folder and, without opening the infected email, move it to the Trash. Then, empty the Trash, and log out of your webmail. When you re-launch Mail.app, it should notice that the email is gone and delete its local copy in a matter of seconds. If Sophos wakes up in the meantime, while Mail.app launches, ask it to "ignore" the threat temporarily so that Mail can perform its work unimpaired.

    Alternatively, simply open Mail.app and — again, without opening the email — delete it, then empty the Trash. Ignore warnings from Sophos while you delete the message — doing so will cause Mail to access it on your hard drive, which may raise alarms from Sophos.

    In both cases, after having emptied the Trash — whether through Mail.app or webmail — use the Mailbox ▸ Synchronise menu in Mail.app as a way to force Mail and the server to sync up the deletion. (This is normally not needed, but it can hurry up the process just a little.)

    This is all there is to it. It may be that Sophos takes a little while to notice the disappearance of the threat. In this case, open Sophos, then open Quarantine Manager and authenticate by clicking on the lock icon at the bottom of the window. This should cause it to refresh the list of threats, and the email should disappear from there.

    At some point, Windows machines could be infected by simply receiving and parsing certain infected emails. At the moment, to the best of my knowledge, this is not true of OS X. It may happen in future — until Apple fixes it — but, right now, you have comparatively little to fear of an email you have not opened, especially if Mail.app is properly configured not to load remote content.

    Boot.efi does mean something to me. It lives in /System/Library/CoreServices and it is an essential System file without which your Mac would be unable to boot. I would advise not touching it as there is no valid reason to move or edit that file.

    Scanning your drives with Sophos is a sound policy. Once again, if you were on Windows, I would advise further caution, as there are a great many viruses that can "jump" from a drive to a machine — although, of course, the whole point of Sophos's on-access scanner is to protect you from these threats. At this moment, however, I am not aware of any such threats on OS X, at least in actual circulation. Connecting the drive and performing a full scan in Sophos should be a good policy. Do note that, if these drives are backup drives, it will be normal for your infected email to have been copied there: this would not be a cause for concern and the backup of the infected file can simply be deleted.

    Sophos Anti-Virus on OS X has plenty of room to improve but I am afraid it might be the least clunky of the available options, which is why it is so popular. There are quite a few versions of Sophos Anti-Virus, but I believe they all more or less use the same scanning engine, and provide different features geared towards the needs of different customers — such as the enterprise, or schools, etc. Using the free Sophos Anti-Virus should not entail any performance penalty.

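The server-side deletion described in the answer above, scripted as an added example that is not from this thread, from Sophos or from Apple: it flags and expunges every spam-folder message from one sender over IMAP without ever fetching a body, so the client has nothing left to re-sync. The FakeImap class and its three constructed messages are assumptions so the script runs offline; a logged-in imaplib.IMAP4_SSL connection can be passed in its place.

```python
import imaplib  # a real, logged-in imaplib.IMAP4_SSL can replace FakeImap below

def purge_spam_from_sender(conn, sender, spam_folder="Spam"):
    """Server-side delete of every message from `sender` in `spam_folder`.
    Only SELECT, SEARCH, STORE and EXPUNGE are issued (no FETCH), so no body
    is downloaded or rendered locally. Returns the number of messages expunged.
    """
    typ, _ = conn.select(spam_folder)
    if typ != "OK":
        raise RuntimeError(f"cannot select folder {spam_folder!r}")
    typ, data = conn.search(None, "FROM", f'"{sender}"')
    if typ != "OK":
        raise RuntimeError("SEARCH failed")
    ids = [i.decode() for i in data[0].split()]
    for msg_id in ids:
        conn.store(msg_id, "+FLAGS", r"(\Deleted)")  # flag only, never FETCH
    if ids:
        conn.expunge()  # server drops them; Mail.app then syncs the deletion
    conn.close()
    return len(ids)

class FakeImap:
    """Constructed in-memory stand-in for imaplib so the example runs offline."""
    def __init__(self, messages):
        self.messages = dict(messages)  # message number -> sender address
        self.deleted = set()
    def select(self, folder):
        return ("OK", [str(len(self.messages)).encode()])
    def search(self, charset, *criteria):
        wanted = criteria[-1].strip('"')
        hits = [n for n, s in self.messages.items() if s == wanted]
        return ("OK", [b" ".join(str(n).encode() for n in hits)])
    def store(self, msg_id, op, flags):
        self.deleted.add(int(msg_id))
        return ("OK", [])
    def expunge(self):
        for n in self.deleted:
            self.messages.pop(n, None)
        return ("OK", [])
    def close(self):
        return ("OK", [])

def demo():
    """Three constructed spam entries; two come from the unwanted sender."""
    box = FakeImap({1: "junk@example.com", 2: "friend@example.com", 3: "junk@example.com"})
    removed = purge_spam_from_sender(box, "junk@example.com")
    return removed, box.messages  # -> (2, {2: 'friend@example.com'})
```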
  • That's a great answer, francois!
