The Quarantine Manager

In the past I have had problems with virus software moving vital files, like whole mailboxes, to the Quarantine Manager and messing up some of my mail clients. Will Sophos Anti-Virus for Mac Home Edition do this, or does it have better ways to deal with files?

I use ClamXAV at the moment; it scans without moving the files and lets me decide how to deal with them in situ.

Can someone point out how the Quarantine Manager works, and are there any pitfalls?

  • By default, the Sophos Quarantine Manager leaves files in place.  There is an option to move files that you can enable when needed, but most of the time this is not needed.

    Instead, the Quarantine Manager keeps track of where the files are, and locks them for reading by other processes, similar to how ClamXAV works.

    Some of the pitfalls to the Quarantine Manager include difficulties disinfecting a file that is in an archive; if you have a java jar file in an email attachment in your spam mailbox folder, and this is archived to Time Machine, the easiest way to clean it up is to navigate to the file in Time Machine, delete all backups, and then delete the original from your mail application.

    Since the Quarantine Manager is real-time, if a file is being purged and then re-loaded into your cache (for example, if a malicious web page is being cached and purged), you will see the detection disappear from the quarantine and then later re-appear, as the file disappears and reappears on your filesystem.  Other than web, java, and email caches, this does not tend to happen; so if you're seeing vanishing detections, they are likely associated with one of these activities.

  • Andrew, if I may ask a question about Time Machine and deleting files. I have Mac 10.6.8 and Sophos finds the Mal/Phish-A file in my Time Machine. It tells me I have to deal with it manually. I have navigated to the one file backup date and backup number and deleted the entire backup. Then I secure empty trash.

    When I run Sophos again, it will find it in another, different date backup in Time Machine. So far it has found, and I have deleted, the entire date backup edition of 12/13, 12/14, 1/7/12, and now it found the same file again in 12/18/11. Always the same file, same way to get to it, just a different day.

    Can't Sophos find all the files so I can delete the 8 backup sets and be done with this virus?

    Do I need to basically erase, format, and re-set up my Time Machine?

    My investigations find that this virus affects Windows systems. Does this really matter?

    Thanks for your advice

    Brickman75

  • Sophos treads lightly when handling files within a Time Machine backup, because if Apple changes anything, our messing with the archives could result in the entire backup being destroyed.

    When you say you delete the entire backup, do you mean you right clicked and selected "Delete All Backups of <infected file>"?  This should automatically delete the backups from other dates as well.

    However, if the file is still in your mailbox, it will get backed up again.

    Phish-A really affects everyone, as it just means that there is an attachment that forges itself as content from a legitimate banking site.  However, it only really affects people who fall for the phish and send their information to the phisher.

  • /Volumes/Time Machine Drive/Backups.backupdb/SteveMacbookPro/2011-12-18-092352/Macintosh HD/Users/Steve/Library/Mail/IMAP-mycondoinparadise@imap.gmail.com/[Gmail]/All Mail.imapmbox/Attachments/27752/2/Application Form.htm

    Here is today's location. What I have done 3 previous times is navigate to (in this example) 2011-12-18-092352.  I select this entire date and everything under it is automatically included, so I ultimately am getting to the end file Application.htm, which is the infected file. Time Machine will not allow me to delete anything but the entire backup session. If you attempt to delete just the .HTM file, or even everything after 27752, Time Machine says you cannot delete it as it is part of a backup set.

    I don't see anywhere to right click and select "Delete all backups of <infected file>". Can you walk me through that process?

    Steve

  • Please don't attempt to delete files on your Time Machine volume.  This volume is managed by Time Machine, and just like Sophos won't let you delete things from it randomly, neither will the OS.  Apple provides one recommended interface to this data, and that is the Time Machine interface, available from the Time Machine menu bar icon and from the Time Machine preferences panel.

    Instead, navigate to "Macintosh HD/Users/Steve/Library/Mail/IMAP-mycondoinparadise@imap.gmail.com/[Gmail]/All Mail.imapmbox/Attachments/" within the Finder, enter Time Machine (using the menu bar or preferences interface), then navigate to the subfolder "27752/2/".

    Then, right click Application Form.htm and select "Delete all backups".

  • Andrew, I can make it all the way to "within the Finder, enter Time Machine". So I right click the Time Machine icon at the top right of my screen (next to the Bluetooth icon) and enter Time Machine. The Finder window drops and the Time Machine portal opens with the same Finder screen with all the attachment folders running down the page. I scroll down and 27750 is there and next comes 27753. 51 & 52 are not there. Am I doing what you said correctly?

  • Yes... you'll now have to go back to a date in Time Machine where those two folders exist.  Then enter them and right click to delete ALL backups of the file.

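The two replies above boil down to one question: which Time Machine snapshots still contain a copy of the flagged attachment, so that "Delete all backups" can be run from a date where the folder exists. The script below is an added example, not code from Sophos or from anyone in this thread; it only reads the on-disk layout shown in Steve's path (`Backups.backupdb/<Machine>/<YYYY-MM-DD-HHMMSS>/<Volume>/...`) and reports the snapshots that hold the file, leaving removal to the Time Machine interface as Andrew advises. The demo tree under `mktemp -d` is constructed here to stand in for the real backup drive.

```shell
#!/bin/sh
# Read-only enumeration of Time Machine snapshots that still hold a given
# file.  Layout assumed (matches the path quoted in the thread):
#   <backupdb>/<Machine>/<YYYY-MM-DD-HHMMSS>/<Volume>/<path inside volume>
# Nothing here deletes anything: removal stays with the Time Machine UI.

# find_backup_copies BACKUPDB MACHINE RELPATH
#   Prints one snapshot name per line for every snapshot containing RELPATH
#   (RELPATH is relative to the snapshot root and may contain spaces).
find_backup_copies() {
    backupdb=$1; machine=$2; relpath=$3
    for snap in "$backupdb/$machine"/*; do
        [ -L "$snap" ] && continue          # "Latest" is a symlink alias; skip it
        [ -d "$snap" ] || continue
        [ -e "$snap/$relpath" ] && basename "$snap"
    done
    return 0
}

# count_backup_copies: same arguments, prints how many snapshots hold the file
count_backup_copies() {
    find_backup_copies "$@" | wc -l | tr -d ' '
}

# --- constructed demo tree (stands in for "/Volumes/Time Machine Drive") ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
db="$demo/Backups.backupdb"
rel='Macintosh HD/Users/Steve/Library/Mail/All Mail.imapmbox/Attachments/27752/2/Application Form.htm'
# four snapshots taken while the attachment was still in the mailbox
for d in 2011-12-13-101500 2011-12-14-101500 2011-12-18-092352 2012-01-07-101500; do
    mkdir -p "$db/SteveMacbookPro/$d/$(dirname "$rel")"
    printf '<html>constructed sample, not a real phish</html>\n' > "$db/SteveMacbookPro/$d/$rel"
done
# one snapshot taken after the attachment was removed from the mailbox
mkdir -p "$db/SteveMacbookPro/2012-01-10-101500/Macintosh HD/Users/Steve"
ln -s "$db/SteveMacbookPro/2012-01-10-101500" "$db/SteveMacbookPro/Latest"

echo "Snapshots still holding the file:"
find_backup_copies "$db" SteveMacbookPro "$rel"
```

Run against a real drive by replacing `$db` with the mounted `Backups.backupdb` folder and `SteveMacbookPro` with the machine folder inside it; the snapshot names printed are the dates to enter in Time Machine.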
  • Andrew,

    Thank you. You're the bomb. It appears to have cleaned out all the suspect files as you said. I have run the complete authorized scan 2 times and it found nothing each time, whereas it would find the virus in a different location each time. Thank you again.  Steve

  • Thanks a million for your help! I had the same problem. I have searched for two 'invisible' folders in Finder for 2 weeks. With Time Machine I found them...


    Agile wrote:

    Yes... you'll now have to go back to a date in Time Machine where those two folders exist.  Then enter them and right click to delete ALL backups of the file.


  • Too early...

    The scan stops after a few seconds and does not move on. What must I do?

    I have already removed and reinstalled the antivirus. It immediately told me about one threat, but does not show one any more.

    Please can anybody help me? I do not feel safe... Many thanks in advance!
