troj/bredo-ajr

Yesterday Sophos identified the troj/bredo-ajr threat. It has been cleaning it up for almost 24 hours. Is this normal? Should I let it continue?

This morning a second threat, troj/invo-zip, was identified. Sophos is working on that as well. Thanks for your help!



This thread was automatically locked due to age.
  • In Quarantine Manager does it give a path to the location of the file detected?  You'll have to open QM, click the padlock, select the item in the top panel and expand the lower panel.

    If the path is too long to be fully displayed in QM then have a look in the logs via Console.  The post below explains how to access the logs in more detail.

    http://openforum.sophos.com/t5/Mac-tools-help/Where-are-the-logs-for-SAV-for-Mac/td-p/16091


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • ...to add: the most common reasons for the Quarantine Manager (QM) to have a problem cleaning up an item are:

    - the item is located in your mailbox

    - the item is located in a Time Machine backup

    - the item is located in the web browser's cache (and may no longer exist on disk)

    - the item is no longer located on disk

    Hence knowing where the item is, is the first thing to find out.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
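As an added illustration (not part of the original thread and not Sophos tooling), the shell functions below sort a path copied from Quarantine Manager or the logs into the cases listed in the reply above and report whether the file still exists on disk. The function names and path patterns are assumptions based on default macOS locations for Mail, Time Machine and the Safari, Chrome and Firefox caches; the sample paths are constructed.

```shell
#!/bin/sh
# Map a detection path to one of the locations named in the thread.
# Time Machine is tested first because a backup of a mailbox contains
# both ".../Backups.backupdb/..." and ".../Library/Mail/..." in its path.
classify_location() {
    case "$1" in
        "")                   echo "unknown" ;;   # blank "original location"
        */Backups.backupdb/*) echo "time-machine" ;;
        */Library/Mail/*)     echo "mailbox" ;;
        */Library/Caches/com.apple.Safari/*|*/Library/Caches/Google/Chrome/*|*/Library/Caches/Firefox/*)
                              echo "browser-cache" ;;
        *)                    echo "other" ;;
    esac
}

# Print "<location> <present|missing>" for one path.
# "missing" covers the case where the item no longer exists on disk,
# which is one reason cleanup can keep failing.
triage_detection() {
    loc=$(classify_location "$1")
    if [ -n "$1" ] && [ -e "$1" ]; then
        state="present"
    else
        state="missing"
    fi
    echo "$loc $state"
}

# Constructed sample paths (not taken from the thread).
for p in \
    "/Users/example/Library/Mail/V2/Mailboxes/Junk.mbox/1.emlx" \
    "/Volumes/Backup/Backups.backupdb/mac/Latest/Users/example/Library/Mail/V2/1.emlx" \
    "/Users/example/Library/Caches/com.apple.Safari/cached-file" \
    "/Users/example/Desktop/sample.exe"
do
    printf '%s -> %s\n' "$p" "$(triage_detection "$p")"
done
```
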

  • The threats were evidently in my email:

    Screen Shot 2014-05-28 at 1.54.17 PM.png

    Screen Shot 2014-05-28 at 1.54.34 PM.png

    I regularly delete the contents of my "Junk" folder in Mail. Is that why the "original location" is blank?

    Thanks for your help.

  • I moved a Windows .exe file from a folder on my Desktop to the Desktop itself and got this...

    2014-05-29_09-51-57.png

    Hence the 'original path' shows where the file was coming from as the on-access detected it.  The 'Path and Filename' shows where I was moving it to.

    With detections involving emails there should be (generally) no problem deleting the file but if the mail app is syncing with a webmail account the files can keep coming back.  If cleanup is failing it could be that the item no longer exists (the 'Reveal in Finder' button may help here).

    I'd suggest logging into your email account via a browser, deleting the contents of the spam/junk folders.  Ensure you check for spam folders other than the main ones as Gmail, for example, has a 'Bin', 'Junk email', '[IMAP]Archived', and '[IMAP]SPAM' and the mails can be spread around.

    Once that's done I'd clear the quarantine manager list (not cleanup) and re-scan to see what comes back.


     - - - - - - - - - - - -

    Communities Moderator, SOPHOS
