Mal/Phish-A recurring on Mac - Help on permanent removal

Does one know how to permanently remove recurring Mal/Phish-A on Mac? (Detected by Sophos on Mac OS X 10.6.8 when the Mac Mail app 4.5-1084 is launched, provided AirPort is ON.)

Accessing same Zimbra mail account through the web browser does not trigger an attack.

Launching Mail app with AirPort OFF does not trigger an attack.

Recurring attack when launching Mail app with AirPort ON.

Removing the Mail app and reinstalling is useless.

Removing the Mail app + All related folders in the Mail Library is useless.

Changing master password after removing Mail app + Library is useless.

Scanning the disk through and through is useless.

All of this done without reconnecting to external Time Machine disk, in order to avoid any contamination from past backups.

Running out of ideas. Suspecting remorphing, or source malware having promoted itself to some regular status and cannot be detected anymore. 

Please restrain yourself if you do not have a solid opinion: facts and verified info are welcome.

  • Is Mail.app accessing Zimbra mail via IMAP?

    What is the path to the Mal/Phish-A detection when it triggers?

    From the fact that your network connection needs to be enabled to get the detection, I would guess that you are using IMAP instead of POP3, and that Mail.app is caching a known phish mail from your mail server.

    The easiest way to stop this from triggering is to delete the offending phish email from the web interface prior to connecting to it with Mail.app. Alternately, once you know what file is causing the detection by looking at the path in the quarantine manager, turn off on-access scanning and open that file in TextEdit to see which email it is -- then re-enable on-access scanning and delete that email from the server.

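The identification step in the reply above (find the quarantined file, work out which message it is, then delete that message on the server) can be done without reading the whole message in TextEdit. The script below is an added example, not code from the thread or from Sophos: it parses a Mail.app `.emlx` file (Mail's per-message cache format: a first line holding the byte length of the RFC 822 message, the message itself, then an XML plist of Mail's flags) and reports the sender, subject, Message-ID and any URLs in the body, which is what you need to locate and delete the same message through the Zimbra web interface. The sample message is constructed for the example; the file path and the `example.net` addresses are placeholders. Reading the quarantined file is still a file access, so on-access scanning will block it until paused, exactly as the reply says.

```python
import re
import sys
from email import policy
from email.parser import BytesParser

# Constructed sample .emlx content (not a real phish; example.net is a reserved domain).
SAMPLE_MESSAGE = (
    b"From: \"Account Team\" <noreply@example.net>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Verify your mailbox\r\n"
    b"Message-ID: <constructed-0001@example.net>\r\n"
    b"Date: Mon, 01 Aug 2011 09:00:00 +0000\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please confirm at https://accounts.example.net/verify within 24 hours.\r\n"
)
SAMPLE_PLIST = (
    b"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    b"<plist version=\"1.0\"><dict><key>flags</key><integer>0</integer></dict></plist>\n"
)
# emlx layout: "<byte count>\n" + message bytes + plist
SAMPLE_EMLX = str(len(SAMPLE_MESSAGE)).encode() + b"\n" + SAMPLE_MESSAGE + SAMPLE_PLIST

URL_RE = re.compile(rb"https?://[^\s<>\"']+")


def split_emlx(data):
    """Return (message_bytes, plist_bytes) from raw .emlx content.

    The first line is the decimal length of the RFC 822 message that follows;
    whatever comes after that many bytes is Mail.app's flags plist.
    """
    newline = data.index(b"\n")
    length = int(data[:newline].strip())
    start = newline + 1
    return data[start:start + length], data[start + length:]


def describe_emlx(data):
    """Summarise the message inside an .emlx blob without rendering it."""
    msg_bytes, _plist = split_emlx(data)
    msg = BytesParser(policy=policy.default).parsebytes(msg_bytes)
    sender = msg["From"]
    # Collect URLs from the raw bytes so encoded or multipart bodies are still covered.
    urls = []
    for match in URL_RE.findall(msg_bytes):
        url = match.decode("ascii", errors="replace")
        if url not in urls:
            urls.append(url)
    return {
        "sender": sender.addresses[0].addr_spec if sender and sender.addresses else None,
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        "message_id": str(msg["Message-ID"]).strip() if msg["Message-ID"] else None,
        "urls": urls,
    }


def describe_emlx_file(path):
    """Read an .emlx file from disk (e.g. the path shown in the quarantine manager)."""
    with open(path, "rb") as fh:
        return describe_emlx(fh.read())


if __name__ == "__main__":
    # Usage: python describe_emlx.py ~/Library/Mail/<placeholder>/Messages/1234.emlx
    # With no argument the constructed sample is summarised instead.
    summary = describe_emlx_file(sys.argv[1]) if len(sys.argv) > 1 else describe_emlx(SAMPLE_EMLX)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the Message-ID and subject in hand, delete the message from the server through the web interface and then let Mail.app resynchronise; deleting only the cached `.emlx` file does nothing, because IMAP will simply download the message again the next time the network is up, which is the recurrence described in the question.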