Scan Local Drive Question

When I installed Sophos, I thought it would be a good idea to scan the whole Mac once. That was days ago. It has barely moved. There are over 5 million items, of course, but still, this seems unreasonable. It is slow whether I do nothing or continue to work. I leave it on all night to let it run in peace, but it has not progressed far by morning. Is there any way to speed this up? 

Right away, it identified 3 threats. I removed them as instructed, but they still remain in the main window. Should I delete them?

I am using the latest Snow Leopard version on an iMac with 4 GB RAM. It is also slowing down everything else I do.

:1003153


  • Try doing an initial scan with archive scanning disabled; this should go very quickly.  After that, you may have some large archive files you want to exclude from the scan; for this, create a custom scan, and manually exclude the archives.

    If you then want to scan only those archives at a later date, you can do this with a second custom scan.

    This should speed up scanning of most of your files, leaving the large archives for a time when your computer is relatively unused.

    :1003165
  • Sorry, but I don't know how to disable "archive scanning" or even what you mean by "archive files." Are you referring to backup drives perhaps, e.g., Time Machine? In fact, I cannot get anything to work the way the instructions read. I deleted threats, but they are still there, for example.

    The scanning has in fact identified the same threats in Time Machine. Couldn't I just delete from TM rather than follow custom scan instructions?

    :1003169
  • Archives include .zip files, .dmg files, .jar files, .docx files, .tgz files, and many others.  Time Machine also often uses archive files (sparseImage bundles) to achieve its magic.

    For example, if you have a zip file that contains a bunch of files, a few of which are malicious, Sophos will identify the malicious contents, but will not delete the zip file, as it also has the potential to contain non-malicious files.

    As far as Time Machine goes, you are indeed probably better off going into Time Machine, right clicking the file in question, and selecting to remove all backups of the file.  As documented in other threads on here, the safest way to remove anything from Time Machine is always via the Time Machine interface.

    :1003173
  • There might be some .zip files and definitely .dmg files, but all .docx are converted, and I am not familiar with the others. But the question remains as to how I disable scanning from these files. I doubt there are that many out of the 5-6 million files that are being scanned. I have 4 backup drives, and maybe that is what is taking so long. Is it possible to set it up not to scan the external drives? Then I could just go into them and look for the same files and delete them as you suggest.

    :1003177
    1. Click the black shield icon in the menu bar and select "Open Preferences..."
    2. Untick the "Scan inside archives and compressed files" tickbox.
    3. There is no third step.  Close the window, and press the "play" button beside Scan Local Drives.

    To exclude external drives, just create a custom scan:

    1. Make sure the triangle in front of "Custom Scans" is pointing down
    2. Click the + button at the bottom of the screen
    3. Name your scan, and then drag the drives/folders you want to scan from a Finder window into the white rectangle
    4. Click Done
    5. Click the "play" button for your custom scan.

    If you want, you can click the pencil button beside the play button to further customize your scan prior to scanning.

    Remember: on-access scanning happens all the time; you don't need to repeatedly run manual scans (custom scans or "scan local drives") unless you've changed your settings to have different exceptions when doing on-access scanning and manual scans.

    :1003179
  • Thanks. In the first case, the preference for compressed files was already unchecked. So that was not the problem. In the second, I created the custom scan, and when I started it, I was down to only 1 million + files to scan rather than 5-6 million. So this will help a lot.

    However, I noticed that while 24 threats have been identified right under the progress bar, only 3 are actually listed under Custom Scans. Why is that? Have the others been automatically deleted?

    Really appreciate your help! But I guess I'm still in for another night of keeping the computer awake. I have been getting so many beach balls no matter what I'm doing, and I think it must be because of the continual scanning. I need to restart the computer badly. I don't suppose it would pick up the current scan where it left off, would it?

    :1003183
  • Regarding the 24 threats vs 3 threats: there are 24 unique detections in your files, and 3 threat names implicated.  This means that on average, you have 8 instances of each threat detected.

    Regarding resumed scans, I believe this is not the case; too many things can change in the filesystem between scans for this to be workable.

    If you're slowing down that much with archive scanning disabled, some more investigation might be a good idea; non-archive scans are usually quite fast, and quietly sit in the background allowing you to get your real work done.  I would guess that you have a file (likely a large PDF) that triggers a few detections and has many layers of analysis done on it before the file is determined to be clean/infected.  After you've cleaned up the threats, I'd be interested to see if performance is still as bad as you've reported.

    :1003187
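The two replies above (detections reported inside an archive while the container is left alone, and 24 detections across 3 threat names) can be reproduced with a toy scanner. This is an added illustration, not Sophos code or part of the original thread; the marker strings, threat names, file names and the nested "snapshot" layout are all constructed.

```python
import io
import zipfile
from collections import Counter

# Constructed byte markers standing in for signatures; the threat names are made up.
SIGNATURES = {
    b"CONSTRUCTED-MARKER-ONE": "Demo/Threat-A",
    b"CONSTRUCTED-MARKER-TWO": "Demo/Threat-B",
    b"CONSTRUCTED-MARKER-THREE": "Demo/Threat-C",
}

def make_zip(members):
    """Build a deflate-compressed zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def scan(data, path, scan_archives=True, depth=0, max_depth=4):
    """Return [(member_path, threat_name)]; containers are read, never modified."""
    hits = [(path, name) for sig, name in SIGNATURES.items() if sig in data]
    if scan_archives and depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    hits += scan(zf.read(info), f"{path}/{info.filename}",
                                 scan_archives, depth + 1, max_depth)
    return hits

def summarize(hits):
    """Detections are counted per file; each threat name is one key in the counter."""
    return len(hits), Counter(name for _, name in hits)

def build_sample():
    """Constructed sample: 8 snapshot archives, each with the same 3 flagged files."""
    pad = b"x" * 200
    snapshot = make_zip({
        "a.bin": b"CONSTRUCTED-MARKER-ONE" + pad,
        "b.bin": b"CONSTRUCTED-MARKER-TWO" + pad,
        "c.bin": b"CONSTRUCTED-MARKER-THREE" + pad,
        "notes.txt": b"clean file " + pad,
    })
    return make_zip({f"snapshot-{i}.zip": snapshot for i in range(8)})

if __name__ == "__main__":
    backup = build_sample()
    print(summarize(scan(backup, "backup.zip")))                       # archives opened
    print(summarize(scan(backup, "backup.zip", scan_archives=False)))  # archives skipped
```

With archive scanning off, the compressed members are never unpacked, so the same container yields no detections and far less work per file.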
  • OK, we're almost there. You've been amazing help. The scan of just my main HD is done, and it found no threats. Must mean my manual cleanup did work after all.  But the 8 instances of each threat would mean that I have 8 drives, wouldn't it? I don't. When I finally canceled that scan, it was up to 28, and I suppose it would have found more had I been able to let it complete.

    So what I have to do now is to find those 3 threats on every external drive and just manually delete them without using Sophos. Is that right? Then I just let it run in the background?

    :1003191
  • That sounds like a working plan to me... if one of the external drives is a Time Machine drive, you can just go into Time Machine, select the file, and remove all backups of that file (context menu).  My guess is that this is where the other copies will be found.

    :1003193
  • I can't drag anything into the white space.  My main drive is just called Macintosh HD, and when I drag it to the white space, it just returns to its original place on my desktop.

    :1005719