
Detected Threat disappears

OS X Yosemite 10.10.2

Detected Threat Mal/RtfExe-A: Indicated by Sophos every 10 minutes on the desktop; after clicking on "Quarantine Manager" it appears listed there. But on clicking for further measures, the indication of the threat always disappears.

What's wrong here?



  • Has not happened in a while, but that is way too complex Bob!

  • I have seen this "behavior" twice today on a new "Scan This Mac" on a MacBookPro with a freshly installed Sophos Anti-Virus today.

    The MacBookPro is running Mavericks 10.9.5 with all updates current.

    In one case the malware was Mal/CryptBox-A. In this case, clicking on the "Reveal in Finder" button did not show any "Path and filename" nor any information at all. The only additional information was that it said "Action Available: Restart Required". After restart, opening the Quarantine Manager showed the malware, but after unlocking and clicking on "Reveal in Finder", the file disappeared from the Quarantine Manager. There is nothing in the logs about the file.

    This happened a second time after the scan found another file. I did not catch the name. I clicked on "Reveal in Finder" and the malware referenced disappeared from the Quarantine Manager.

    It is easy to believe that perhaps an inexperienced user clicked on "Clean Up Threat" or "Clear From List". This is most definitely not the case. There is either a bug in the Quarantine Manager or perhaps the malware is detecting Sophos and disappearing? Is that possible?

    Today's experience is not the first time I have seen this behavior (things disappearing from the Quarantine Manager), but today it is pretty clear that I carefully watched and the description that people are giving is correct.


  • terryjfundak wrote:

    Today's experience is not the first time I have seen this behavior (things disappearing from the Quarantine Manager), but today it is pretty clear that I carefully watched and the description that people are giving is correct.


    Yep that is consistent with other people's reports. The Quarantine Manager re-scans every time you take an action, and what is happening is that the re-scan operation thinks the file is clean, or the file is no longer present (the QM would believe the file had been deleted).

    Do you use a Time Machine backup drive? We have been investigating some interesting behavior with these backups when doing an on-demand scan.


    ---

    Bob Cook (bob.cook@sophos.com) Director, Software Development

  • Thank you for your reply.

    Yes, TimeMachine is in use and yes, the hourly mount/dismount of the TimeMachine volume, and even the temporary TimeMachine volume that is kept local, can and will have the malware. Perhaps that is what is causing the issue. I had wondered if it was only TimeMachine and had pretty much concluded that, while it does contain an additional copy of the malware-triggering file, I was not sure it was the only cause.

    I turned off TimeMachine for the last test and the malware was found on the local (staged or temporary) TimeMachine repo. I have not yet attempted to delete this repo or turn off TimeMachine local activity.

    From a design perspective, it is very disconcerting to experience malware that "hides itself" as soon as you try to remove or expose it with the Sophos Mac Anti-Virus product. It fosters mistrust of the software, and I believe it should be fixed. The fix is to store the location of the malware at the point it is discovered (the full path) and not to have it "disappear" when a person clicks on the reference to see what it is all about. Second best would be to log the full discovery of the malware, with the full information at the time it is found, in a way that is clear to at least an experienced user.

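The design point raised in the thread (capture the full path and file details at detection time, and keep that record even when a later re-scan finds the file clean or gone) can be illustrated with a small quarantine bookkeeping model. This is an added example written for this page, not Sophos code and not a description of how Sophos Anti-Virus for Mac works internally; the record fields, the status labels and the toy re-scan are assumptions, and the sample file it flags is harmless constructed bytes.

```python
"""Illustrative quarantine bookkeeping: keep the detection record (path, hash,
detection name, time) even when a later re-scan reports the file clean or gone.
Added example, not Sophos code; field names and statuses are hypothetical."""
from __future__ import annotations

import hashlib
import os
import tempfile
import time
from dataclasses import dataclass, field


@dataclass
class QuarantineRecord:
    threat_name: str
    path: str              # full path captured at detection time
    sha256: str            # content hash at detection time ("" if unreadable)
    detected_at: float
    status: str = "detected"
    history: list = field(default_factory=list)  # audit trail of every step


def record_detection(threat_name: str, path: str) -> QuarantineRecord:
    """Capture everything known the moment the scanner flags the file."""
    digest = ""
    try:
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
    except OSError:
        pass  # e.g. a backup volume that was unmounted again before we read it
    rec = QuarantineRecord(threat_name, path, digest, time.time())
    rec.history.append(("detected", path, digest))
    return rec


def reconcile(rec: QuarantineRecord, rescan_verdict: str) -> QuarantineRecord:
    """Apply a re-scan result without discarding the original evidence.

    rescan_verdict is one of 'infected', 'clean' or 'missing' (hypothetical
    labels). The record is never dropped; its status and history change.
    """
    if rescan_verdict == "infected":
        rec.status = "confirmed"
    elif rescan_verdict == "clean":
        # a clean verdict on re-scan is worth investigating, not forgetting
        rec.status = "clean_on_rescan"
    elif rescan_verdict == "missing":
        rec.status = "missing_on_rescan"
    else:
        raise ValueError(f"unknown verdict {rescan_verdict!r}")
    rec.history.append(("rescan", rescan_verdict, rec.status))
    return rec


def rescan(rec: QuarantineRecord) -> str:
    """Toy re-scan: report the file missing, or compare its current hash with
    the detection-time hash (same content -> still 'infected', else 'clean')."""
    if not os.path.exists(rec.path):
        return "missing"
    with open(rec.path, "rb") as f:
        current = hashlib.sha256(f.read()).hexdigest()
    return "infected" if current == rec.sha256 else "clean"


def demo() -> QuarantineRecord:
    """Constructed scenario: a file is flagged, then vanishes (as a transient
    backup copy would) before the user clicks through to inspect it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sample.rtf")  # constructed, harmless bytes
    with open(path, "wb") as f:
        f.write(b"{\\rtf1 constructed sample, not malware}")
    rec = record_detection("Example/Test-A", path)
    os.remove(path)                       # simulates the disappearing file
    return reconcile(rec, rescan(rec))


if __name__ == "__main__":
    r = demo()
    print(r.status, r.path, r.sha256[:12], r.history)
```

The point of the model is that the re-scan verdict updates a status on a record that already holds the path and hash, so a file that is gone by the time the user clicks still leaves a traceable entry and an audit trail, rather than vanishing from the list with nothing in the logs.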