
Does "Move threat to Folder" -- not actually work?

So, my On-Access Scanning preferences (with Sophos 8.0.10) are set to:

When a threat is found:  Deny access and move threat

Move threat to folder:  <various folder locations tested>

If I download eicar.com from:  

http://www.eicar.org/85-0-Download.html

The file is downloaded. Sophos flags this in the Quarantine Manager.

But the file is still in its default download location (and I've tried various locations as well...)

Am I missing what *should* be happening with the "move threat" option with malware downloaded with a web browser? Or is this something that is not actually working?



  • Hello maser,

    indeed it is neither moved nor is there any indication that a move is attempted (one should get an error if it fails). To make sure I've tried the same on Windows - and there it does move. That's IMO definitely not how it's supposed to work (despite the fact that, according to the help, you should use this setting only when advised by support).

    Christian

  • So is this something you can toss back up to Engineering so they can take a look at it?

  • Hi maser,

    The "move on threat detected" feature does work, except for situations where the threat has a cleanup action associated with it (e.g. could be cleaned up, if you've configured the product that way). This is the reason you won't see "move" working as you predicted for all possible threats.

    Eicar is a threat which has a cleanup action associated with it, so if you were using that to test then it's probably the right answer.

    This isn't very intuitive and it's something we'll be revising at some point in the future. BTW if you did an on-demand scan of the same threat with the same configuration, the log will give an explanation (even if it's not intuitive). Unfortunately the on-access scanner is too silent about it.

    The product is expecting most people want threats to be covered by a cleanup action, which is typically preferable anyway as it will secure the system against further infection.

    I'm interested to hear more about your use case for the "move" action. We've actually been discussing whether we want to remove it from the product in a future version.

  • Actually, I don't know if we have a use case for the move action -- other than there were instances where we might want to keep malware for future examination/testing.  

    I think the case (when we originally set this up) was more along those lines -- just shunt the file out of the way for now and have the local system administrator come look at what it was to see if they need to do a deep-dive cleanup of whatever the malware was.

    It may not be something that the average user would want to have the option to do.

  • Hello Bob,

    The "move on threat detected" feature does work, except for situations where the threat has a cleanup action associated with it [...] We've actually been discussing whether we want to remove it from the product in a future version

    does this apply specifically to HE, Sophos for Mac in general or across all platforms?

    Christian

  • Hello Bob

    I have exactly the same problem.

    I just want Sophos to deal with any 'threats' automatically, as they arrive. They are always .exe files, usually in a zip archive or similar, telling me my Nigerian airline ticket is waiting at Paypal for me to UPS as soon as I send my bank details. Or some such nonsense.

    No matter how I set Sophos preferences, any threat sends up the warning window and I have to go to Quarantine Manager to clean it up, even if I don't want the blinking thing in the first place. 

    You are probably experiencing a recent big increase in spam, trojans and the like and I am getting heartily tired of dealing with these so-called threats.

    Any advice please?

    Mark

  • Hi Christian,

    I'm interested to hear about use cases for "move on threat detected" for any of the Mac product editions. This could apply to any platform, but my interest is specifically for the Mac platform.

  • Hi Mark,

    Sounds like what you want is the action "Cleanup when threat is found" and if cleanup is unsuccessful you want "Delete threat". This should cover your needs.

    You say that you still need to visit the QM to clean things up. Can you tell me a little about the threats "stuck" in the QM? e.g. what is the threat name, where on your disk is it located, etc. A screen shot of your QM window might be super useful. Sounds like you might have some threats which aren't getting cleaned or deleted automatically, and that just isn't right.


  • bobcook wrote:

    Hi Mark,

    Sounds like what you want is the action "Cleanup when threat is found" and if cleanup is unsuccessful you want "Delete threat". This should cover your needs.

    You say that you still need to visit the QM to clean things up. Can you tell me a little about the threats "stuck" in the QM? e.g. what is the threat name, where on your disk is it located, etc. A screen shot of your QM window might be super useful. Sounds like you might have some threats which aren't getting cleaned or deleted automatically, and that just isn't right.


    Hi Bob

    I have never been able to get Sophos to clean up threats automatically. I was getting so annoyed with being pestered with requests to clean up Windows threats that I moved to ClamX for a while. If I don't respond to clean the threats almost immediately, they end up being copied into Time Machine.

    Here is my latest log file showing two threats, both well known and both needed doing by hand:

    com.sophos.autoupdate: Info: Checked primary server at 08:15 on 20 Feburary 2013
    com.sophos.autoupdate: Sophos Anti-Virus was updated
    com.sophos.autoupdate:
    com.sophos.intercheck: 2013-02-20 08:15:34 +0000 Threat: 'Mal/Phish-A' detected in /Volumes/Internal 1/Users/mark/Library/Mail/V2/IMAP-tennent-mark@imap.aquiss.net/INBOX.mbox/0DDC4176-56B5-4BC5-9783-EC171F69BC1F/Data/1/2/2/Attachments/221174/2/Tax.Refund.Confidential.Message.htm
    com.sophos.intercheck: Cleaned up threat
    com.sophos.intercheck:
    com.sophos.intercheck: 2013-02-20 08:18:28 +0000 Threat: 'Mal/Phish-A' detected in /Volumes/Internal 1/Users/mark/Library/Mail/V2/Mailboxes/Junk (Aquiss IMAP).mbox/0DDC4176-56B5-4BC5-9783-EC171F69BC1F/Data/1/2/2/Attachments/221188/2/Tax.Refund.Confidential.Message.htm
    com.sophos.intercheck: Cleaned up threat

    Tried to attach screen dump but link not working.

    Mark

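Bob notes above that the on-access scanner is too silent when it neither cleans nor moves a threat. As an added example (not code from this thread or from Sophos), here is a small Python parser for the com.sophos.intercheck log format Mark posted: it pairs each detection with the outcome line that follows it and lists detections that were logged with no outcome at all. The sample log, its paths and the EICAR entry are constructed, and treating "no further intercheck line before the blank separator" as "no action logged" is an assumption about the format.

```python
import re

# Constructed log excerpt in the format Mark posted above; the paths and the
# second (EICAR) entry, which has no outcome line, are made up for this example.
SAMPLE_LOG = """\
com.sophos.autoupdate: Info: Checked primary server at 08:15 on 20 February 2013
com.sophos.autoupdate: Sophos Anti-Virus was updated
com.sophos.autoupdate:
com.sophos.intercheck: 2013-02-20 08:15:34 +0000 Threat: 'Mal/Phish-A' detected in /Users/example/Mail/Attachments/Tax.Refund.htm
com.sophos.intercheck: Cleaned up threat
com.sophos.intercheck:
com.sophos.intercheck: 2013-02-20 09:02:11 +0000 Threat: 'EICAR-AV-Test' detected in /Users/example/Downloads/eicar.com
com.sophos.intercheck:
"""

PREFIX = "com.sophos.intercheck:"
DETECT_RE = re.compile(
    r"^com\.sophos\.intercheck: "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in (?P<path>.+)$"
)


def parse_intercheck(log_text):
    """One dict per detection: timestamp, threat name, path and the outcome
    line that followed it (e.g. 'Cleaned up threat'), or None when the scanner
    logged nothing further before the blank separator line (assumed format)."""
    events = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DETECT_RE.match(line)
        if m:
            current = {"ts": m["ts"], "name": m["name"], "path": m["path"], "outcome": None}
            events.append(current)
            continue
        if current is not None and line.startswith(PREFIX):
            rest = line[len(PREFIX):].strip()
            if rest:  # first non-empty intercheck line after a detection is its outcome
                current["outcome"] = rest
            current = None  # an outcome or the blank separator closes the record
    return events


def unresolved(events):
    """Detections with no logged outcome: the candidates for a manual look in
    the Quarantine Manager or for a directory check of the 'move to' folder."""
    return [e for e in events if e["outcome"] is None]


if __name__ == "__main__":
    for e in unresolved(parse_intercheck(SAMPLE_LOG)):
        print(f"{e['ts']}  {e['name']}  no action logged for {e['path']}")
```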