Possible Bug?

I originally posted this on the main Sophos forums and was chastised and told to post it here. I was directed to do this by a forum moderator, so please do not criticise me for cross-posting.

I have noticed an odd situation. I am using the free Mac edition on Lion. Sophos keeps reporting infection in a couple of files in my Time Machine backup. But it does not report infection of the same files on the primary drive where the primary/original copies of those files reside. It simply doesn't make sense that the primary/original copy of a file could be free of infection and the backup copy made from that primary/original file could be infected. Rationally, one of these things is wrong: either they are both infected or neither is infected. Not sure which is the case, but it certainly shakes my faith in Sophos AntiVirus.

Update: Since my initial posting on the main forums, I've noticed one additional apparent anomaly in this matter. Among the multiple references to "Original Locations" for each infected file are some "Original Locations" which seem to make no sense. For example, a reported infected Windows .DLL file includes an identification of originally being a .WMA file, and a reported infected Windows .EXE file includes an identification of originally being a .RM file. Ignoring the fact that these "original location" references are nonsensical, even if we were to accept for the moment that these file name/format transformations did somehow occur, there is still the fact that these referenced "original" files do not report as being infected. As I say, all this certainly shakes my faith in Sophos AntiVirus.

As I mention in the thread on the main forums, my posting was and is in reference to a possible bug and to (hopefully) bring the matter to the attention of the Sophos folks so that if it is a bug it can be addressed. This is not principally a request for support or assistance to solve/explain my dilemma, although such will be gladly accepted.



  • RBaldry wrote:

    With regard to your comment about 'original locations', it's interesting that the files you mentioned originally appeared to be media files. I was recently asked by a neighbour to help them secure their Mac and ran the Home Edition product on it. It reported a whole load of Windows malware in files whose names suggested they were MP3s, WMAs or other media files. They had all been downloaded from media sharing services or sites like Limewire. Looking at the files more closely, it was clear they were Windows executables, but they had been placed on media sharing sites to try and trick Windows users into running them.


    While I am aware of this trick, I can attest that this is not the case here. First, the actual files on which Sophos hit were an .exe and a .dll file (the second being part of OpenOffice for Windows). Second, it was not the files on which Sophos hit which were media files; the files identified as media files were reported in QM as the source files. Third, I viewed the reported files in my Time Machine structure and they were in fact showing as the .exe and .dll which Sophos reported. So, unless Time Machine changed the names of those files, then your example is not applicable here.


    Regarding the Time Machine issue, is it possible that the original files have been disinfected and the old copies are still there in an old backup, or are the infected items in very recent backups? If you've changed the original file, wouldn't Time Machine still keep a copy of the original as well as a copy of the new (clean) version - after all, that's what it's supposed to do in the case of legitimate changes to files such as editing documents, modifying photos, etc.

    [Response edited for clarification: 11:59 PDT] Is it possible that the original files have been disinfected and the old copies are still there in an old backup? I suppose it is possible, but I have not seen anything from Sophos to indicate that this was the case (edit: that is, nothing to indicate that the source files had been infected and had been cleaned, thus creating the situation you describe). Plus, the TM files are recent, in some cases [apparently] as they are being written to the TM archive. But again, it is the TM file that is triggering and not the source file. I am confused, however, by the fact that QM generally references multiple source files for the TM infected file.


    ...wouldn't Time Machine still keep a copy of the original as well as a copy of the new (clean) version - after all, that's what it's supposed to do in the case of legitimate changes to files such as editing documents, modifying photos, etc.

    Yes, TM would access, read, compare then copy the files the first time after they were changed, but after that, TM (as I understand it) only compares the current version of a file to the last backed up version of the file. If the infected version is multiple back-ups in the past, why would Sophos be reading those files if I am not accessing them and if TM is no longer accessing them as part of its comparison process?

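Added example, not part of this thread or of the Sophos product: a small Python triage for the two questions the replies above turn on, whether the live file and its Time Machine copy are really the same bytes (if they are, the two scan verdicts cannot both be right; if not, the backup holds a different version), and whether a file carrying a media extension is actually a Windows executable, the trick RBaldry describes. The paths and the PE-like sample bytes are constructed for the demo and stand in for the user's real files.

```python
import hashlib
import os
import struct
import tempfile

MEDIA_EXTS = {".mp3", ".wma", ".rm"}  # media types the thread mentions

def sha256_file(path: str) -> str:
    """Hash in chunks so large backup files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def is_windows_pe(path: str) -> bool:
    """True when the content is a Windows PE image (MZ stub + PE signature), whatever the name."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(struct.unpack_from("<I", head, 0x3C)[0])  # e_lfanew: offset of the PE header
        return f.read(4) == b"PE\0\0"

def triage(original: str, backup: str) -> dict:
    """Identical hashes mean the two scan verdicts cannot both be right;
    differing hashes mean Time Machine holds a different version of the file."""
    ext = os.path.splitext(original)[1].lower()
    original_is_pe = is_windows_pe(original)
    return {
        "identical": sha256_file(original) == sha256_file(backup),
        "original_is_pe": original_is_pe,
        "backup_is_pe": is_windows_pe(backup),
        "disguised_executable": ext in MEDIA_EXTS and original_is_pe,
    }

def _fake_pe() -> bytes:
    """Constructed sample: an MZ header whose e_lfanew points at 'PE\\0\\0' (not a real binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 16

def demo() -> dict:
    """Constructed case: a '.wma' that is really PE, plus a backup copy that differs by one byte."""
    with tempfile.TemporaryDirectory() as d:
        live, tm = os.path.join(d, "song.wma"), os.path.join(d, "song.wma.tmcopy")
        with open(live, "wb") as f:
            f.write(_fake_pe())
        with open(tm, "wb") as f:
            f.write(_fake_pe() + b"\x90")  # older version retained by the backup
        return triage(live, tm)
```

Run `triage()` on the real path pair from the quarantine report: an `identical` result with only one side detected points at the scanner, while a differing hash means the backup genuinely holds an older version.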