I was backing up my mac onto my external hard drive via time machine when I received a quarantine manager notice that I had JS/Agent-AZOD malware on my mac which needs to be removed manually, and the 'cleanup' icon is greyed out. I note the file path is /Volumes/Macintosh HD 1/Backups.backupdb/Edwin's Macbook Pro/2018-08-23...rome/Default/Extensions/.
I have Sophos Home Edition 9.6.8, Threat detection engine: 3.73.0 Threat data: 5.54
I also note that this link (https://support.home.sophos.com/hc/en-us/articles/360000555626-Manual-malware-cleanup-on-a-Mac-computer) states that in order to delete the malware I will have to go into the time machine archive. I cannot find the above path in my finder window, which leads me to believe that the malware is on my external hard drive (on which my time machine data is stored). I ran a full system scan and it did not return anything, which reinforces my prior conclusion.
I would like to get rid of this malware, however I am reluctant to put the hard drive back into my computer now that I think that the malware is on it.
I would be grateful for any suggestions as to what I could do to resolve this.
You can find the complete file path of the detected file in the log file - /Library/Logs/Sophos Anti-virus
But to remove the detected file, you need to follow the instructions as suggested in the Article that you shared.
You may also try via the terminal using the command: rm /Volumes/Macintosh\ HD\ 1/Backups.backupdb/Edwin's\ Macbook\ Pro/2018-08-23...rome/Default/Extensions/
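The reply above says where to read the full path (the Sophos log) and how to act on it from the terminal. The question the thread keeps circling back to is whether that path points at the external backup drive or at the live system. The script below is an added example, not part of this thread and not Sophos's own tooling: it pulls `/Volumes/...` paths out of a log file and decomposes a Time Machine path into its backup volume, backup snapshot id, and the equivalent path on the running Mac, so you can check each location directly. It assumes the standard Time Machine layout `/Volumes/<backup volume>/Backups.backupdb/<machine>/<YYYY-MM-DD-HHMMSS>/<source volume>/<original path>`; the log line format used in the usage is constructed for the example, not Sophos's real format, so only the quoted path is parsed.

```shell
#!/bin/sh
# Added example: locate a detected file from the path Sophos reports.
# Assumed Time Machine layout:
#   /Volumes/<backup volume>/Backups.backupdb/<machine>/<YYYY-MM-DD-HHMMSS>/<source volume>/<original path>

# Pull every quoted /Volumes/... path out of a log file (constructed format:
# the path is expected to sit inside double quotes).
detection_paths_from_log() {
  grep -o '/Volumes/[^"]*' "$1"
}

# Split a Time Machine backup path into its parts.
# Sets TM_VOLUME, TM_MACHINE, TM_BACKUP and TM_LIVE; returns 1 if the path is
# not inside a Backups.backupdb tree.
tm_parse() {
  case "$1" in
    /Volumes/*/Backups.backupdb/*/*/*/*) ;;
    *) return 1 ;;
  esac
  rest="${1#/Volumes/}"
  TM_VOLUME="${rest%%/Backups.backupdb/*}"   # external drive holding the backup
  rest="${rest#*/Backups.backupdb/}"
  TM_MACHINE="${rest%%/*}"; rest="${rest#*/}" # machine name folder
  TM_BACKUP="${rest%%/*}";  rest="${rest#*/}" # snapshot id, e.g. 2018-08-23-230035
  rest="${rest#*/}"                            # drop the source volume ("Macintosh HD")
  TM_LIVE="/$rest"                             # where the same file would be on the live system
  return 0
}

tm_volume()    { tm_parse "$1" && printf '%s\n' "$TM_VOLUME"; }
tm_backup_id() { tm_parse "$1" && printf '%s\n' "$TM_BACKUP"; }
tm_live_path() { tm_parse "$1" && printf '%s\n' "$TM_LIVE"; }

# Human-readable summary: is the backup drive mounted right now, and does the
# live system hold a copy of the same file?
report() {
  if ! tm_parse "$1"; then
    echo "not a Time Machine backup path: $1"
    return 0
  fi
  echo "backup volume : $TM_VOLUME"
  echo "snapshot      : $TM_BACKUP"
  if [ -d "/Volumes/$TM_VOLUME" ]; then
    echo "drive mounted : yes"
    [ -e "$1" ] && echo "backup copy   : present" || echo "backup copy   : not found"
  else
    echo "drive mounted : no (detection refers to the external drive)"
  fi
  [ -e "$TM_LIVE" ] && echo "live copy     : present at $TM_LIVE" \
                    || echo "live copy     : none at $TM_LIVE"
}

# Usage: sh locate.sh /Library/Logs/Sophos\ Anti-virus/<logfile>
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  detection_paths_from_log "$1" | while IFS= read -r p; do report "$p"; done
fi
```

If `drive mounted` is `no` and `live copy` is `none`, the detection refers only to the copy on the backup drive, which is what the poster suspected. For a file inside `Backups.backupdb`, removing it from the Time Machine browser ("Delete All Backups of ...") is the supported route; a plain `rm` inside the backup tree fights the hard-link structure Time Machine uses and can leave the snapshot inconsistent.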
In reply to Gowtham Mani:
Many thanks for your reply.
I have found the full file path of the detected file.
Am I correct in assuming therefore that the malware is on the external hard drive, and that in order to manually remove it I will have to plug it back in? Just seeking confirmation.
EDIT: The full file path is '/Volumes/Macintosh HD 1/Backups.backupdb/.... MacBook Pro/2018-08-23-230035/Macintosh HD/Users/.../Library/Application Support/Google/Chrome/Default/Extensions/aiimdkdngfcipjohbjenkahhlhccpdbc/31.2.2_0/js/jquery.js'
I had a look for it with and without the hard drive plugged in and I could not find it. Under 'Users' there is no Library folder (which appears to have gone up a level under 'Macintosh HD',) and under 'Library' > 'Application Support' there is no 'Google' folder through which I could presumably find the detected file.
I would be grateful for some advice on this.
EDIT 2: I tried searching for the 'Volumes' folder using Finder, but it takes me through a never-ending loop between 'Volumes' and 'Macintosh HD.' I'm wondering if this is an indication of the detected file's presence on my computer. Please see the attached photo (finder window.tiff).
I have since found what I think is the file (see attached photograph) in Time Machine, and I proceeded to delete it. However, after attempting to do so, I can no longer see the backup folder with it in (dated 2018-08-23-230035) in Finder, nor can I access that time frame in Time Machine. I still think it is on my computer / hard drive as I can find the file in finder (As per the attached photograph).
Your assistance would be appreciated. (Attachment: file.tiff)
In reply to ED1234:
Did you manage to delete the specific file that was detected or the entire instance of the particular backup?
I believe I managed to delete all backups of the detected file, given the fact that I can no longer find it when I search for it inside and outside of Time Machine. However, I cannot access the Time Machine backups for the date and time indicated in the file's path (on the hard drive through Finder and in Time Machine - whenever I go to the relevant date the folder title changes to 'Waiting: [Day] [Date] [Month] [Year] [Time]'), so I admit I may somehow have gotten rid of the entire backup folder for that date - despite the fact that I was very careful not to do this.
Glad that you managed to remove the detected file and I sincerely hope you have the backup from other dates.
Many thanks for your help.