
Threat detected but doesn't show in Quarantine Manager

Hi, SAV detected Troj Agent ANUC and displayed a message stating this. When I opened Quarantine Manager, however, there was no threat listed for me to clean up. (I have cleaned up other threats in the past, so I know in a general way how to do this.) I am afraid whatever this trojan is, it may be stopping the SAV from working properly to clean it. However, it looks like Troj Agent ANUC is a Windows virus, so I don't know how it could mess up my Mac SAV. My system info and version of SAV are pictured in the attachments, but basically Yosemite OS X 10.10.3, SAV 9.2.7. Any help appreciated greatly.

  • Similar behavior in 2018, macOS High Sierra. Another thread suggested this may be a false alarm from Zotero, which I use. By opening Preferences -> Logging -> View Log Contents, I was able to get the /Library/Logs/Sophos Anti-Virus.log file and confirm that it was alerting on Zotero:

    com.sophos.oas: 2018-10-11 12:40:22 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-11 12:42:41 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-11 12:42:58 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-11 15:39:02 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-11 15:39:04 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-12 12:40:39 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-12 13:40:38 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-12 14:40:58 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-12 14:48:10 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'
    com.sophos.oas: 2018-10-15 09:56:37 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/Charles.Twardy/Zotero/tmp/YR79APQD.zip'

    I suppose it's possible that Zotero has an infection, or that Mal/DrodZp-A is using Zotero tempfiles, but this seems more like a false alarm. I was able to find the unzipped folder in /Users/<username>/Zotero/storage/YR79APQD, and it has an HTML file and three JavaScript files. They *appear* to be related to a particular item in my bibliography.

    Possibly relevant: the new Safari update (OCT-2018) just tightened security on extensions, disabling the Zotero extension.
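The triage step described in the reply above (pull the on-access scanner lines out of Sophos Anti-Virus.log and check whether every alert points at the same file) can be done over the whole log rather than by eye. This is an added example, not code from the poster or from Sophos; it assumes the detection lines keep exactly the shape quoted above, and the sample log embedded in it is constructed with a placeholder username.

```python
import re
from collections import Counter
from datetime import datetime

# Shape of an on-access scanner detection line in /Library/Logs/Sophos Anti-Virus.log,
# taken from the lines quoted in the reply (assumption: all detection lines look like this).
LINE_RE = re.compile(
    r"^(?P<component>[\w.]+): "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<threat>[^']+)' detected in '(?P<path>[^']+)'$"
)

# Constructed sample log: three alerts on one Zotero temp file plus one unrelated line.
SAMPLE_LOG = """\
com.sophos.oas: 2018-10-11 12:40:22 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/example/Zotero/tmp/YR79APQD.zip'
com.sophos.oas: 2018-10-11 12:42:41 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/example/Zotero/tmp/YR79APQD.zip'
com.sophos.oas: 2018-10-12 14:48:10 -0400 Threat: 'Mal/DrodZp-A' detected in '/Users/example/Zotero/tmp/YR79APQD.zip'
com.sophos.oas: 2018-10-12 15:00:00 -0400 Scanner started
"""


def parse_detections(log_text):
    """Return (timestamp, threat, path) for every detection line; other lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S %z")
        found.append((ts, m.group("threat"), m.group("path")))
    return found


def summarize(detections):
    """Group alerts by (threat, path) with count and first/last time, most frequent first.

    A single path alerting repeatedly on the same temp file is the pattern the reply
    describes; many distinct paths would be the pattern worth escalating instead.
    """
    counts = Counter((threat, path) for _, threat, path in detections)
    summary = []
    for (threat, path), n in counts.most_common():
        times = sorted(ts for ts, t, p in detections if (t, p) == (threat, path))
        summary.append({"threat": threat, "path": path, "count": n,
                        "first": times[0], "last": times[-1]})
    return summary


if __name__ == "__main__":
    for row in summarize(parse_detections(SAMPLE_LOG)):
        print(f"{row['count']:3d}x {row['threat']}  {row['path']}  "
              f"({row['first']:%Y-%m-%d %H:%M} .. {row['last']:%Y-%m-%d %H:%M})")
```

To run it on the real file, read the log into a string and pass it to parse_detections in place of SAMPLE_LOG.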
