Virus: Troj/ObfJS-BK

I received this virus in an email attachment without warning. It came in via a standard account user. My back-up software was denied access to copy it. This is how it was discovered without any warning from Sophos. I know this is a Windows virus and doesn't affect the Mac, but still I should receive an alert that Sophos quarantined it.

:1006257


This thread was automatically locked due to age.
  • I had a Sophos notice this AM that this same virus had been found and placed in quarantine.

    When I opened the quarantine folder, the virus was listed. But it disappeared within 5 seconds! All by itself.

    The log shows that the virus was indeed found.

    Sophos tech support would not comment on this, but referred me to this forum.

    A second complete scan failed to detect this virus.

    :1006265
  • Hello Tom,

    One reason for an item to disappear is that the threat is no longer found by QM when you open it. This can happen when the threat is detected in a cache or temporary location and later deleted by the application which stored it. Deletes are not blocked or intercepted, so QM isn't notified of this, but it checks for the existence of the files when it is opened and prunes the list (i.e. removes the items which it is safe to assume are no longer there).

    Another possible reason (but it doesn't apply in your case) is that the detection triggers a more complex cleanup routine which takes some time to complete. From detection to cleanup completion the item will appear in QM.

    BTW: it is not a quarantine folder, what's displayed when you open Quarantine Manager is the list of detected and presumably still existing threats.

    Christian

     

    :1006269
  • Hello Wayne,

    If the attachment is not "read back" after it has been written to disk, it is not scanned. I assume it was SAV which denied access, but when it did so you did not receive a desktop alert? Was this a scheduled backup, and under which account does the software run?

    Christian

    :1006271
  • Christian is spot-on; any detection that begins Troj/ObfJS is referring to detected malicious obfuscated JavaScript found in a web page (most likely in your browser cache). As such, when the cache is purged, the file will no longer exist on your computer -- until you next load/refresh the page containing the malicious script.

    Some email-based malware will also contain links to obfuscated JavaScript.

    :1006281