
Virus through/from email

Hi there

I am new here and I am looking for some advice as I am not sure what to do next.

We had 3 Macs in our house, all with the free version of Sophos. Two of them got a virus/hacked? from emails that were in the spam folder.

We are in the process of having them factory reset.

What do I need to do to stop this happening again?

Thanks



  • Does your email account use the IMAP protocol? (There are two kinds of email accounts, POP and IMAP, the latter being the norm today since it allows email to sync between devices, such as computers, phones, and tablets, with the greatest ease.) If so, Mail.app and the server will do their utmost to stay in sync: whenever something is deleted from Mail.app without it being told that this deletion is on purpose, then, it will fetch a fresh copy of the missing information as soon as it realises it is missing.

    Sophos Anti-Virus works very well to delete regular threats, such as files on your hard drive, but sync makes email trickier. This can make it look like the virus is "coming back" from the dead. It is, in a way, but this is not indicative of a compromise, simply of Mail.app doing the job it is designed to do. Luckily, the solution is quite simple.

    If your email account offers a "webmail" interface, quit Mail.app and access the webmail in your browser. From there, locate your SPAM folder and, without opening the infected email, move it to the Trash. Then, empty the Trash, and log out of your webmail. When you re-launch Mail.app, it should notice that the email is gone and delete its local copy in a matter of seconds. If Sophos wakes up in the meantime, while Mail.app launches, ask it to "ignore" the threat temporarily so that Mail can perform its work unimpaired.

    Alternatively, simply open Mail.app and — again, without opening the email — delete it then empty the Trash. Ignore warnings from Sophos while you delete the message — doing so will cause Mail to access it on your hard drive, which may raise alarms from Sophos.

    In both cases, after having emptied the Trash — whether through Mail.app or webmail — use the Mailbox ▸ Synchronise menu in Mail.app as a way to force Mail and the server to sync up the deletion. (This is normally not needed, but it can hurry up the process just a little.)

    This is all there is to it. It may be that Sophos takes a little while to notice the disappearance of the threat. In this case, open Sophos, then open Quarantine Manager and authenticate by clicking on the lock icon at the bottom of the window. This should cause it to refresh the list of threats, and the email should disappear from there.

    At some point, Windows machines could be infected by simply receiving and parsing certain infected emails. At the moment, to the best of my knowledge, this is not true of OS X. It may happen in future — until Apple fixes it — but, right now, you have comparatively little to fear of an email you have not opened, especially if Mail.app is properly configured not to load remote content.

    Boot.efi does mean something to me. It lives in /System/Library/CoreServices and it is an essential System file without which your Mac would be unable to boot. I would advise not touching it as there is no valid reason to move or edit that file.

    Scanning your drives with Sophos is a sound policy. Once again, if you were on Windows, I would advise further caution, as there are a great many viruses that can "jump" from a drive to a machine — although, of course, the whole point of Sophos's on-access scanner is to protect you from these threats. At this moment, however, I am not aware of any such threats on OS X, at least in actual circulation. Connecting the drive and performing a full scan in Sophos should be a good policy. Do note that, if these drives are backup drives, it will be normal for your infected email to have been copied there: this would not be a cause for concern and the backup of the infected file can simply be deleted.

    Sophos Anti-Virus on OS X has plenty of room to improve but I am afraid it might be the least clunky of the available options, which is why it is so popular. There are quite a few versions of Sophos Anti-Virus, but I believe they all more or less use the same scanning engine, and provide different features geared towards the needs of different customers — such as the enterprise, or schools, etc. Using the free Sophos Anti-Virus should not entail any performance penalty. 

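The answer above rests on one fact about IMAP: the server copy is authoritative, so a message only stays gone if it is removed on the server, which is what the webmail or Mail.app "delete, then empty the Trash" steps achieve. The script below is an added example written for this thread; it is not code from the original poster, from Sophos, or from Apple. It performs the same server-side deletion over the IMAP protocol using Python's standard `imaplib`: it locates the message by its Message-ID header in the spam folder, flags it `\Deleted`, and expunges it, without ever fetching the body. The folder name `Junk`, the Message-ID values and the small `FakeIMAP` class are constructed assumptions so the logic can be exercised offline.

```python
"""Server-side deletion of a suspicious message over IMAP (added example).

Why server-side: with IMAP the client mirrors the server, so a copy deleted
only locally is re-fetched on the next sync. Flagging the message \\Deleted and
issuing EXPUNGE on the server is what makes the deletion stick.
"""
import imaplib
import ssl


def delete_message_server_side(imap, folder, message_id):
    """Flag and expunge every message in `folder` whose Message-ID matches.

    `imap` is any object with imaplib.IMAP4-style select/search/store/
    expunge/close methods. Returns the number of messages removed.
    The body is never fetched; SEARCH on a header field is enough.
    """
    typ, _ = imap.select(folder)
    if typ != "OK":
        raise RuntimeError(f"cannot select folder {folder!r}")
    # IMAP quoted string: the angle brackets in a Message-ID must be quoted.
    typ, data = imap.search(None, "HEADER", "Message-ID", f'"{message_id}"')
    if typ != "OK":
        raise RuntimeError("SEARCH failed")
    nums = data[0].split()          # e.g. [b"3", b"7"]
    for num in nums:
        imap.store(num, "+FLAGS", "\\Deleted")
    # Until EXPUNGE runs the server still advertises the message and a
    # syncing client would keep (or restore) its local copy.
    if nums:
        imap.expunge()
    imap.close()
    return len(nums)


def delete_from_real_server(host, user, password, folder, message_id):
    """Connect over TLS and delete; for a live account, not run offline."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, ssl_context=ctx) as imap:
        imap.login(user, password)
        return delete_message_server_side(imap, folder, message_id)


class FakeIMAP:
    """Minimal offline stand-in for imaplib.IMAP4 (constructed test double).

    Return shapes mirror imaplib, e.g. ("OK", [b"1 2"]).
    folders: {name: {seq_num: {"Message-ID": str, "flags": set()}}}
    """

    def __init__(self, folders):
        self.folders = folders
        self.selected = None

    def select(self, folder):
        if folder not in self.folders:
            return ("NO", [b"no such mailbox"])
        self.selected = folder
        return ("OK", [str(len(self.folders[folder])).encode()])

    def search(self, charset, *criteria):
        # Only the HEADER Message-ID form used above is modelled.
        assert criteria[0] == "HEADER" and criteria[1] == "Message-ID"
        wanted = criteria[2].strip('"')
        hits = [str(n) for n, m in self.folders[self.selected].items()
                if m["Message-ID"] == wanted]
        return ("OK", [" ".join(hits).encode()])

    def store(self, num, command, flags):
        msg = self.folders[self.selected][int(num)]
        if command == "+FLAGS":
            msg["flags"].add(flags)
        return ("OK", [b""])

    def expunge(self):
        box = self.folders[self.selected]
        gone = [n for n, m in box.items() if "\\Deleted" in m["flags"]]
        for n in gone:
            del box[n]
        return ("OK", [str(n).encode() for n in gone])

    def close(self):
        self.selected = None
        return ("OK", [b""])


def demo():
    """Constructed mailbox: one spam message in Junk, one legitimate in INBOX."""
    mailbox = FakeIMAP({
        "Junk": {1: {"Message-ID": "<spam-0001@example.invalid>", "flags": set()}},
        "INBOX": {1: {"Message-ID": "<ok-0001@example.invalid>", "flags": set()}},
    })
    removed = delete_message_server_side(mailbox, "Junk", "<spam-0001@example.invalid>")
    return removed, sorted(mailbox.folders["Junk"]), sorted(mailbox.folders["INBOX"])


if __name__ == "__main__":
    print(demo())   # (1, [], [1]): Junk emptied, INBOX untouched
```

After the server-side expunge, a client such as Mail.app sees the message missing on its next sync and drops its local copy, which is the same end state the webmail procedure in the answer reaches by hand. Matching on Message-ID rather than on sequence number avoids deleting the wrong message if the folder changes between listing and deletion.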