Possible Bug?

I originally posted this on the main Sophos forums and was chastised and told to post it here. I was directed to do this by a forum moderator, so please do not criticise me for cross-posting.

I have noticed an odd situation. I am using the free Mac edition on Lion. Sophos keeps reporting infection in a couple of files in my Time Machine backup. But it does not report infection of the same files on the primary drive where the primary/original copies of those files reside. It simply doesn't make sense that the primary/original copy of a file could be free of infection and the backup copy made from that primary/original file could be infected. Rationally, one of these things is wrong: Rationally, either they are both infected or neither are infected. Not sure which is the case, but it certainly shakes my faith in Sophos AntiVirus.

Update: Since my initial posting on the main forums, I've noticed one additional apparent anomaly in this matter. Among the multiple references to "Original Locations" for each infected file are some "Original Locations" which seem to make no sense. For example, a reported infected Windows .DLL file includes an identification of originally being a .WMA file, and a reported infected Windows .EXE file includes an identification of originally being a .RM file. Ignoring the fact that these "original location" references are nonsensical, even if we were to accept for the moment that these file name/format transformations did somehow occur, there is still the fact that these referenced "original" files do not report as being infected. As I say, all this certainly shakes my faith in Sophos AntiVirus.

As I mention in the thread on the main forums, my posting was and is in reference to a possible bug and to (hopefully) bring the matter to the attention of the Sophos folks so that if it is a bug it can be addressed. This is not principally a request for support or assistance to solve/explain my dilemma, although such will be gladly accepted.

  • Since there has been some concern expressed about some of the files referenced in my comments/report (the suggestion was made that I had downloaded a video that was really a malicious program), allow me to dispel that with another example. This is an uploaded copy of the "source" file, a photo of my granddaughters taken by my wife (okay, 1-1/2 of my granddaughters):

    Now, first notice that Sophos reports this file as being clean:

    Now, let's look at the QM, in this first screen shot, observe that the file name in question is the same but the "infected" file is in the Time Machine archive (and although I was unable to show it, by hovering over the truncated path information, I confirmed that this is the correct backup file for the above indicated "source" file, not a different version of the same source file):

    Now, for more detail regarding the file path for the "infected" copy in the TM, let's look at this screen shot. You will notice that this screenshot clearly indicates that this is from the TM archive which is currently being created (".InProgress"). Further, note the times: The QM report was last night after I went to bed, the direct scan of the source file was this morning just after I got up. This is about as close to a direct, real-time comparison as I could get under the circumstances:

    Now, does anyone have any further doubts about the fact that Sophos is alerting on back-up files in TM that it is not alerting on with the source file? Now, will someone now please take my report seriously and stop trying to shift the blame to the "user" (who often just happens to know a bit more than you seem to want to give them credit for knowing)? Again, I have to go back to my statement that one of these things is wrong: Rationally, either they are both infected or neither are infected: Sophos is failing in a major way, by either giving totally bogus false positives or by totally missing infected files.
