First report of 178 Virus Threats in Sophos Free for Mac

I just switched from MacScan to Sophos free for Macs at the suggestion of my Mac user group. In 20 minutes today it gave a warning of nearly 50 virus threats. It asked me to run a scan, which I did, and it then reported 178 threats total. However, when I now open Quarantine, it shows nothing! When I spot-checked the reports that all said "clean up manually" they all said they were only for Windows OS. I thought I downloaded the Mac virus protection! Sophos would not clean up the four reports that merely said "Clean Up" - I tried over and over.

All the instructions seem to be for Windows, not Mac. It says to delete the viruses where they reside. How do I find out WHERE they reside? Sophos also said the one sample file I emailed them was not malicious and I should "authorize it." What the heck does that mean? Also said something about HIPS - have no idea what that is. Sophos support won't answer anything since this is the free version. They said to work with my IT dept.  -  I am a one-man business. Why do they distribute virus protection for Windows but call it for Macs? Is there any way to identify only Mac malware and viruses? I followed the "How to remove..." instructions explicitly; Restart never appeared, and cleaned-up threats were never deleted from the list as it says they are.

My website was just hacked recently for the second time so naturally I'm extremely concerned about these reports.

NEXT DAY: Am I going to get any response whatever? The Sophos tech support merely sends boilerplate refusals to help in any way - they won't even answer why the supposed virus security software for Macs seems to be only for WINDOWS!  What in the world am I to do with the 178 Virus Threats I got, which now have disappeared from the Quarantine?  I'm afraid to send out any vital emails.  If I agree to pay some $ can I actually get professional answers to my questions? And approximately How Much??


  • JohnHenry wrote:

    I just switched from MacScan to Sophos free for Macs at the suggestion of my Mac user group. In 20 minutes today it gave a warning of nearly 50 virus threats. It asked me to run a scan, which I did, and it then reported 178 threats total. However, when I now open Quarantine, it shows nothing! When I spot-checked the reports that all said "clean up manually" they all said they were only for Windows OS. I thought I downloaded the Mac virus protection! Sophos would not clean up the four reports that merely said "Clean Up" - I tried over and over.

    All the instructions seem to be for Windows, not Mac. It says to delete the viruses where they reside. How do I find out WHERE they reside? Sophos also said the one sample file I emailed them was not malicious and I should "authorize it." What the heck does that mean? Also said something about HIPS - have no idea what that is. Sophos support won't answer anything since this is the free version. They said to work with my IT dept.  -  I am a one-man business. Why do they distribute virus protection for Windows but call it for Macs? Is there any way to identify only Mac malware and viruses? I followed the "How to remove..." instructions explicitly; Restart never appeared, and cleaned-up threats were never deleted from the list as it says they are.

    My website was just hacked recently for the second time so naturally I'm extremely concerned about these reports.

    NEXT DAY: Am I going to get any response whatever? The Sophos tech support merely sends boilerplate refusals to help in any way - they won't even answer why the supposed virus security software for Macs seems to be only for WINDOWS!  What in the world am I to do with the 178 Virus Threats I got, which now have disappeared from the Quarantine?  I'm afraid to send out any vital emails.  If I agree to pay some $ can I actually get professional answers to my questions? And approximately How Much??


    Hi JohnHenry,

    Thank you for trying out Sophos Free Mac Home AV.   Did you read the documentation regarding the product prior to downloading it?

    This product is a free service from Sophos provided solely for home use to Mac OS X users that uses the exact same detection engine used in our Enterprise product line; it does not come with support, other than what you find in this forum.  Searching this forum will find answers to all of the questions you have asked in your post, and most of the answers are also found in the Help (Open Sophos Anti-Virus, click the Help menu, and select Sophos Anti-Virus help).

    The Quarantine interface is quite intelligent, and will only display items that still exist on your system.  Since you had a large number of quarantined files that indicated they were Windows only, I would suspect that the files detected were likely in your Java cache folder or your web cache folder -- both of which get purged by the OS on a regular basis.  This means that after the OS deleted the files from your system, they also vanished from Quarantine.  You can look in the scan log (Scan > View Scan Log, or open Console.app and navigate to Files > ~/Library/Logs > Sophos Anti-Virus > Scans) to see what was actually logged.

    On the page where you went to view the removal instructions, you will find Windows instructions at the top of the page, and Mac instructions at the bottom of the page.  Please follow the instructions in the Mac section.

    If you emailed a sample to Sophos, you were sending it in to Enterprise Support, which would automatically pass it on to SophosLabs.  Since the Labs only handle Enterprise submissions except by specific request (where we ask a user to send us a sample), the handling of the submission and the response assume you are using the enterprise product.

    Sophos Free Mac Home AV is not for business use; we do have a small business solution that comes with support.

    In the Enterprise product, the IT manager has an Enterprise Console that allows them to remotely control the installations on each end point (PC) and set policies.  From this console interface, the manager can authorise a file that fires suspicious heuristics (using HIPS, a behavioural detection system, which is why this was mentioned in the response).

    All website-based documentation lists the Windows steps first, and the Mac (and other platform) steps second, as most of our customers use Windows.  They are all listed on the same page (notice the headings... 1. Using Enterprise Console, 2. Windows 2000+ with Sophos AV 9.x, 3. Windows 95/98, 4. Mac OS X computers, 5. NetWare....).  You want the instructions for OS X, not the ones for the other platforms.

    So, to summarize:

    • Please read the documentation, and search these forums for your answers as a first step to finding your answers.  Post a question here if you do not find the answer you need in the documentation provided nor on this forum.
    • This free product is not supported by Enterprise support.
    • This free product is not for business use; even a home business.
    • This free product includes enterprise-level detection for all malicious files, no matter what system they target.  It detects malicious scripts injected into web pages, Windows malware, OS X malware, classic MacOS malware, and even Apple ][ malware and DOS malware.  As all of this can end up being dropped on your computer, even if it can't actually harm your computer, we alert you as to its presence, and prevent it from even attempting to execute.

    If you are a single user running a home business, Sophos Free Mac Home AV is not for you, and likely our small business product is not your best choice either.  You would be better served by one of the other commercial offerings out there; About.com has a good summary.

    I hope this answers your questions and concerns.

  • Thank you for allaying most of my fears, I think you can understand why this was rather frustrating. I didn't know about the Mac Home Help doc. - I have downloaded it and am studying it. I did study everything else on the site before downloading the app. It's interesting you said the Free Mac Anti-Virus is not for my home business, since on your web site the first sentence is "...offers business-grade protection free for home use."  Also on the about.com site.

    I don't sell anything, I publish a review web magazine. I have Qualys covering the web site security. 

    I did explicitly follow the exact Mac Section in the instructions; they didn't work.

    I will continue to search in the Help doc and FAQ for answers to what it means that I should "authorize" non-malicious files.  I also hope to learn what Enterprise support would cost me since you didn't tell me, though it probably is over my head technically. 

  • Thanks for the well thought-out response.  I'll attempt to answer your unresolved concerns in reverse order.

    Enterprise support is for Enterprise products only; it is not available for our Home product.  Descriptions and trial access to our Enterprise products are available here: http://www.sophos.com/en-us/products/buy-now.aspx .  Make sure to try the trials before committing money to the product, as many of the components are Microsoft Windows product-centric.

    The Help I was referring to is in the application itself, in the Help menu.  As I mentioned, "authorize" is a term applied to the Sophos Enterprise Console, which is not available with the Home product.

    A search on this forum will probably help you with any Quarantine and cleaning issues much more than reading the admittedly terse cleanup instructions on the website, as it contains detailed responses to many situations people have encountered who didn't find the instructions on the website helpful.

    The sentence regarding business-grade protection is saying that you get the same protection as a business user, but for free, if you're using it for personal home use only.  It does not say that the product is a business product.  This could be misleading, as the protection mentioned is the actual data protection, not the support contract or other integrated security protection of the enterprise product.  What it is generalizing is that the actual protection engine in the product is identical to what you'll find in the Enterprise product, and is fed the same protection data from SophosLabs.  SophosLabs employs people to (among other things) look at Enterprise customer submissions and hand analyze them; the results of this analysis are rolled into the detection updates which the Home users benefit from.

    And lastly, I can definitely understand why this was a frustrating experience.  I'm confident that this discussion thread will be used by the company to improve future customer experience.
