
TROJ/DOCDL-RF keeps coming back - help needed!

On my Mac (Yosemite and Sophos 9.2.7) I keep getting the Sophos virus alert for 'troj/docdl-rf'. When I open the quarantine manager the threat gets cleaned up and everything seems fine, but it keeps returning. A little while later (hours) I get the same alert again.

I tried clicking 'show in finder' but it does not work; also, the path is not shown.

If I disconnect completely from the network the alert stops. However, on my network there are no servers, just the printer, TimeCapsule (that I have excluded from scans completely to try to find the cause), and two workstations, on and off.

Does anyone have an idea how to solve this problem, because it is driving me mad.

Leon 

:1021253


This thread was automatically locked due to age.
  • Hey leon,

    • Run the scan that detects the threat
    • Click the Sophos shield tray icon and select Open Scans...
    • Alt-click the white space next to the Scan Now button on the scan you just ran and select View Scan Log
    • This will open Console.app, and will hopefully show you the path of where the threat is being detected. Feel free to post a screen shot or copy / paste of the output in your reply.  It should look something like this:

    You can also take a look at this article, which gives you details on all the different ways you can remove stubborn malware from your Mac. In your case, I would pay close attention to step #18. 

    :1021261
  • Thank you for your reply!

    The problem is that when I run a normal scan it shows no threats. The virus alert I get is from Sophos running in the background. Then when I open the quarantine manager there is no path with the listing. And when I select it, it disappears as if it was cleaned. I am attaching some of the screen images here.

    Thank you so much for your time!

    Leon

    :1021264
  • Hey leon

    Can you try disconnecting the Time Capsule and see if the issue goes away? My guess is that's where the issue is.

    If that doesn't work, some other things you can try are:

    - check on access log (it'll most likely be blank but may be worth checking)
    - clear web browser cache
    - set 'On access' to move threat on detection so it can't hide (Open Sophos preferences, authenticate, click on "On Access." Don't forget to set the "Move threat to folder" destination)

       

    :1021283
  • Thank you, I will try that.

    What if indeed Time Capsule was/is the problem? Would there be a virus in there? How could I clean that?

    I have unmounted Time Capsule and will let you know tomorrow. I really appreciate your help.

    Leon 

    :1021286
  • Hey Leon,

    Take a look at this KB article. It's really detailed, but it should walk you through what you need to do.

    Basically, you'll want to set up a custom scan for your time machine, find the location of the threat, and then go into the time machine and remove it.

    :1021311
  • Hi again,

    I think I have solved it! I used a scanner to scan the TimeCapsule files and indeed it was located on that disc. I managed to remove it and I hope that I can keep it clean now.

    Thank you very much for your help and patience!

    Leon

    :1021312
  • Woohoo! So glad you were able to get things fixed again. 

    Now you are officially a Sophos Expert.


    :1021315