Sophos for Mac - files stuck in Quarantine - cannot be cleaned

I have some files in Quarantine that I cannot get rid of. These threats are located in my Time Machine backups. I have set the Time Machine backups to be excluded from my custom scan so I am not sure how they are even being scanned. Perhaps the on-access scan is triggered during Time Machine backups; I don't know.

In any case, these threats cannot be gotten rid of for the following reasons:

1. Clicking "clean file" results in the cleaning process hanging indefinitely, until I force-quit Sophos. As stated, I think this might be because Time Machine blocks the removal of the file.

2. Manual cleaning would be fine, but the display in Quarantine either does not show a file location at all, or shows an email file in the Time Machine backup, which cannot be removed directly; due to the structure of the backup, it is very hard if not impossible to figure out where it is in the email system, which if known could be removed through the Time Machine interface.

3. In addition, there is one file marked "Clean manually", but there is no given location. And the instructions to set up a custom scan thus are pretty useless.

I am thinking that Sophos has to figure out a better way of dealing with Time Machine backups of emails.

Oh yeah, and Sophos is now popping up periodically to warn me about these files that cannot be removed. Which is getting old fast.

:1006933


  • Do you have on-access scanning enabled?

    If so, accessing the file on the Time Machine volume will cause it to be detected, unless you have the Time Machine volume disabled for on-access scans.

    The "clean file" hang is definitely an issue, as the Quarantine Manager should not even provide you with an option to clean files on the Time Machine volume.

    There's another thread on here that has some good tips regarding backing up to Time Machine (try excluding your mail and browser cache folders) and tweaking your on-access scans to speed up scanning and protect against issues like this.

    For your current situation, the first step is to exclude your Time Machine volume from on-access scans, and then remove the detections from the Quarantine Manager. This should prevent them from coming back.

    :1006953
  • Thanks for your response.

    I had intended to omit Time Machine entirely from scanning as well as certain other exclusions that make good sense. However, I only entered the exclusions for the on-demand scan; later I found the on-access exclusions and added them there. I was expecting this to prevent the files from continuing to be found.

    However, I was surprised to see that every time Time Machine ran a backup, the files were reported even though you would think they should be excluded.

    What is worse, I have taken the trouble to examine carefully each reported file. The majority of them are clean. I uploaded to VirusTotal and Jotti and all scanners say they are clean. I even put them in a temporary folder on my desktop and had Sophos on my machine scan them; it also says they are clean. So then I uploaded all to Sophos, and they say they are clean. Twice now the Sophos team has suggested that I am sending the wrong files. I sincerely believe that I have been sufficiently careful to send the files being reported.

    All I know is that Quarantine Manager continues to accumulate additional files in Time Machine backups that are clean. (It did however find some actual infections -- old email from a Windows platform).

    I would hope these issues can be corrected, as Sophos fares well against other products I have evaluated (which tend to be buggy/unstable).

    Possibly coincidentally, I discovered I was having other Time Machine issues, which were resolved by rebooting the Time Capsule. I had to uninstall Sophos during the troubleshooting of Time Machine because it appeared that it might be interfering. At this point I am uncertain as to the best course, but I think I will wait before reinstalling Sophos until Time Machine has worked well through a few cycles.

    :1006967
  • Thank you for the extra information.  I added a bit of extra information to your internal ticket earlier today, indicating that it appeared detections were firing on clean files.  Knowing that this was on a Time Capsule is definitely useful information.

    My guess is that if you have on-access scanning disabled for your Time Machine volume and have cleared your quarantine list (which uninstalling should have done),  the problem should now be gone.  However, I'd really like to be able to reliably replicate this issue for the product team (and have not been able to do so so far -- the other person who has reported this to me had it auto-fix during a version update [due to the update process I think, not the new version] and is no longer able to replicate the problem).

    :1006973
  • I will endeavor to provide complete info when I have it.

    For the record, I have already provided such detailed info directly to the Sophos team on ticket #3221557. In that ticket there was an attached SDU file which gave a lot of info, and probably included the path of the detections. In addition, I provided screenshots of the Quarantine Manager showing the infections. If it would help, I could provide that info again.

    :1006977
  • No, the ticket number is enough; we can look that up.  We'll only need more info if you ever see this issue come up in the future.

    :1006979
  • Thanks. I am truly impressed with your responsiveness, via this Free Talk site, sample submission page,  and via email. Bodes well for you.

    :1006983