How to remove malware from a Mac OS X computer

  • Article ID: 118117
  • Updated: 18 Aug 2016
  • Available in: English | Español | Italiano | 日本語 | Français | Deutsch

Overview

When malware is detected on your Mac computer you will see a "Threat detected" alert.

When alerted to the presence of malware, you should open the Quarantine Manager (the part of Sophos Anti-Virus that lists what was detected) and remove the malware.

See the accompanying video on how to clean up an infection on Mac OS X.

For Home Edition (free) users:

  • If you are using the free Home Edition of Sophos Anti-Virus, the instructions below also apply, but you may also want to read the related post on the Sophos Community forum.
  • The Home Edition has its own documentation, as there are some differences between versions of Sophos Anti-Virus for Mac OS X.
  • If you receive a "Clean up failed" message, search or post a message on the Sophos Community.
  • A video on creating the different types of scans also accompanies this article.


Applies to the following Sophos products and versions
Sophos Anti-Virus for Mac OS X v9.x,
Sophos Anti-Virus for Mac Home Edition v9.x

How to remove malware from a Mac OS X computer

Important: If malware is detected on your computer and Sophos Anti-Virus informs you that it must be cleaned up manually, you must create a custom scan targeting the detected path. (Full details are given in the relevant section below.)

  1. Do one of the following:
    • Click on the “Open Quarantine Manager…” button, as shown in the Threat detected window above,
      OR
    • Select the Sophos (Shield) menu item, and from the drop-down click on “Open Quarantine Manager…”



  2. If your computer is currently in the “locked” state:
    1. Click the lock icon in the bottom left of the quarantine window
       

    2. When prompted enter the username and password of an administrator account for your computer. If you only have one account, this is the administrator account to use.
        

  3. In Quarantine Manager, click the 'Action Available' column heading. This sorts the list of threats according to the action available.
      

  4. Select all the threats for which the action available is listed as 'Clean up'.

  5. Click the 'Clean Up Threat' button at the bottom right-hand side. Any threats that are cleaned up are cleared from the list.

  6. Click the 'Action Available' column heading again. This will again sort the list of threats.

  7. If there are any threats for which the action available is listed as 'Restart', restart your Mac to complete the cleanup.

  8. Click the 'Action Available' column heading again. This will again sort the list of threats.

  9. If there are any threats for which the action available is listed as 'Scan local drives', from the Sophos (Shield) menu drop-down, select 'Scan local drives', then in the Scans window, click the 'Scan now' button.
      

  10. Click the Action Available column heading again. This will again sort the list of threats.

  11. If there are any threats for which the action available is 'Clean up', go back to step 4. If not, continue with step 12.

  12. If there are any threats for which the action available is 'Clean up manually', this indicates that you must create a custom scan.
    Before continuing with the next step, watch the video How to create a custom scan to see a video demonstration on what you will need to do.
  13. For each item labeled 'Clean up manually', select the item in Quarantine Manager and make a note of the Path and Filename:


  14. In the Manual Cleanup window (that is, the custom scan), add the path you noted in the previous step.


    Note the following:
    • If you cannot find a file or folder in the path indicated, ensure the navigation dialog window is selected (click a folder in the window), and then press command-shift-. (that’s ⌘-⇧-period). All hidden files and folders will now be visible.


    • If a folder in the path which you need to navigate has a 'Do not enter' red circle on it, select that folder and click 'Open'. Otherwise, navigate to the folder containing the item detected and click the 'Open' button.

  15. In the Options tab, select 'Delete threat' from the drop down menu.


  16. Click Done.

  17. Click 'Scan Now' to run the scan.

  18. If any threats still exist as 'Clean up manually' after performing the custom scan with the Delete option, the files are probably on a backup volume or inside an archive. Sophos does not delete these, because they probably contain a lot of other data you want to keep along with the detected file.

    Some common locations for such files are:

    • E-Mail attachments.
      If the file path presented includes /Library/Mail/V2/,
      1. From the Sophos Preferences window, temporarily disable on-access scanning.
      2. Open your Mail program, and delete the email with the malicious attachment whose name matches that in the file path. The most common emails have a subject line referring to an invoice, payment, or application.
      3. From the Sophos Preferences window, re-enable on-access scanning.

    • Java Web Cache.
      If the file path contains /Library/Caches/Java,
      1. From the Sophos Preferences window, temporarily disable on-access scanning.
      2. Go to the Finder, hold down the Option key, and from the Go menu select Library.
      3. If the Library option does not exist, select Home and then click on the Library folder.
      4. Open the Caches folder and move the Java folder inside it to the Trash.
      5. Empty the trash.
      6. From the Sophos Preferences window, re-enable on-access scanning.

    • Time Machine Archive.
      If the file path contains /Backups.backupdb/,
      1. Make a note of the complete file path. E.g., /Volumes/<Time Machine Volume Name>/Backups.backupdb/<Computer Name>/YYYY-MM-DD-NNNNNN/<User Name>/Library/Caches/Java/cache/6.0/8/123456-123456
      2. From the Sophos Preferences window, temporarily disable on-access scanning.
      3. In the Finder, navigate as close to this location as you can, starting from the <user name> portion. When the next level down no longer exists (or when you've found the file indicated), select 'Enter Time Machine' from the Time Machine menu item (a clock face with an arrow around the outside).
      4. Navigate to the date and time indicated by YYYY-MM-DD in the file path, and then follow the path to the detected file within Time Machine.
      5. Control or right-click the file, and select 'Delete All Backups of <detected filename>'.
      6. Click OK.
      7. From the Sophos Preferences window, re-enable on-access scanning.

    • Bootcamp.
      If the file path contains /Volumes/BOOTCAMP/,
      1. Make a note of the full path(s) where the threat is detected.
      2. Reboot the Mac into Windows.
      3. Using Windows Explorer browse to the location of the threat and delete manually. Alternatively, if you have Sophos Anti-Virus installed on the Windows operating system, you can run a full scan and cleanup from the Quarantine Manager locally in Windows.
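The path you note from Quarantine Manager in step 13 decides which of the procedures above applies, and for a Time Machine hit it also tells you which snapshot to open. The following shell script is an added example, not part of the Sophos article or product: it classifies a detected path using the markers the article gives (/Backups.backupdb/, /Volumes/BOOTCAMP/, /Library/Mail/V2/, /Library/Caches/Java), extracts the snapshot date from a Time Machine path, lists the dot-prefixed folders that Finder hides (the reason for Command-Shift-Period in step 14), and confirms the path still exists before you build the custom scan. The function names and the sample paths are assumptions; the sample paths are constructed, not taken from real detections.

```shell
#!/bin/sh
# Added helper, not part of the Sophos article: triage a path copied from
# Quarantine Manager. Function names and sample paths below are assumptions.

# Print which cleanup procedure applies to a detected path.
# Time Machine is tested first because a backup of ~/Library/Caches/Java
# would otherwise be misclassified as a live Java cache.
classify_threat_path() {
    case "$1" in
        */Backups.backupdb/*)    echo "time-machine" ;;  # delete via Time Machine UI
        /Volumes/BOOTCAMP/*)     echo "bootcamp" ;;      # delete from Windows
        */Library/Mail/V2/*)     echo "mail" ;;          # delete the e-mail in Mail
        */Library/Caches/Java/*) echo "java-cache" ;;    # trash the Java cache folder
        *)                       echo "custom-scan" ;;   # custom scan with 'Delete threat'
    esac
}

# For a Time Machine path, print the YYYY-MM-DD part of the snapshot folder
# (/Backups.backupdb/<Computer Name>/YYYY-MM-DD-NNNNNN/...).
tm_snapshot_date() {
    printf '%s\n' "$1" |
        sed -n 's#.*/Backups\.backupdb/[^/]*/\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\)-[0-9]*/.*#\1#p'
}

# List path components Finder hides (names beginning with a dot); if any
# appear, use Command-Shift-Period in the navigation dialog to reach them.
hidden_components() {
    printf '%s\n' "$1" | tr '/' '\n' | grep '^\.' || true
}

# Confirm the noted path exists; ls -la also shows dotfiles Finder omits.
verify_threat_path() {
    if [ -e "$1" ]; then
        ls -la "$1"
        return 0
    fi
    echo "not found: $1 (hidden folder, archive, or unmounted backup volume?)" >&2
    return 1
}

# Constructed sample paths covering each case the article describes.
for p in \
    '/Users/alice/Library/Mail/V2/IMAP-alice@example.com/INBOX.mbox/Attachments/invoice.zip' \
    '/Users/alice/Library/Caches/Java/cache/6.0/8/123456-123456' \
    '/Volumes/Backup Disk/Backups.backupdb/Alice MacBook/2016-08-18-123456/alice/Library/Caches/Java/cache/6.0/8/123456-123456' \
    '/Volumes/BOOTCAMP/Users/alice/Downloads/setup.exe' \
    '/Users/alice/.Trash/dropped.dmg'
do
    kind=$(classify_threat_path "$p")
    printf '%-12s %s\n' "$kind" "$p"
    if [ "$kind" = "time-machine" ]; then
        printf '  open snapshot dated: %s\n' "$(tm_snapshot_date "$p")"
    fi
    hidden_components "$p" | sed 's/^/  hidden component: /'
done
```

Run it as `sh triage.sh` after pasting your own paths into the loop; feed each "custom-scan" result into the Manual Cleanup window as in step 14, and use the printed snapshot date for the Time Machine procedure in step 18.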

Related information

  • Sophos Anti-Virus for Mac OS X
  • Mac keyboard shortcuts
  • Community forum: Removing Malware from a Mac OS X
  • Sophos Anti-Virus: Create and run a full system scan
  • How to remove malware threats, adware, or Potentially Unwanted Applications

© 1997 - 2016 Sophos Ltd. All rights reserved.