Threats in a Time Machine Backup

I have a friend who has 100s of threats stored in his Time Machine backups.

Each of them says 'Remove threat manually'

Is there a way to just delete these threats instead of manually deleting the files?

I don't want him to accidentally restore these files.

:1001485


This thread was automatically locked due to age.
  • If he's running Sophos in on-access mode, he won't be able to restore the files -- the action will be blocked.

    For now, the only way to remove them is from inside Time Machine -- do not try removing them with any other tool.

    To remove files from within Time Machine:

    1. Enter Time Machine
    2. If you know where the file is located, navigate to it.  If you don't, do a search for it.  Make sure that "This Mac" and "File Name" are selected as search criteria.
    3. Right/Control-click on the file and select Delete All Backups

    All copies of the file will now be deleted.

    If he has 100s of detections, it might be that one file is infected and is being detected in each backup snapshot.  Also, if the detected files are cache files (for example, the Java webcache), get him to exclude his cache directories from TM backup -- they aren't needed after all.

    :1001487
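The reply above suggests that hundreds of detections may be one infected file repeated in every snapshot, and that cache directories should be excluded from backup. The following is an added example, not part of the original thread or any Sophos tool: it collapses a list of detected paths to the unique files behind them. The backup path layout, the `/Library/Caches/` pattern and the sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Time Machine layout on the backup disk:
#   /Volumes/<disk>/Backups.backupdb/<machine>/<YYYY-MM-DD-HHMMSS>/<volume>/<path>
SNAPSHOT_RE = re.compile(
    r"^/Volumes/[^/]+/Backups\.backupdb/[^/]+/"
    r"(?P<snapshot>\d{4}-\d{2}-\d{2}-\d{6})/[^/]+(?P<path>/.*)$"
)
# Assumed cache location (the Java webcache lives under it); adjust as needed.
CACHE_RE = re.compile(r"/Library/Caches/")

# Constructed sample of detection paths, one per line.
SAMPLE = """\
/Volumes/TM Disk/Backups.backupdb/Friends-iMac/2012-03-01-101500/Macintosh HD/Users/friend/Library/Caches/Java/cache/6.0/12/cached-applet.jar
/Volumes/TM Disk/Backups.backupdb/Friends-iMac/2012-03-02-101500/Macintosh HD/Users/friend/Library/Caches/Java/cache/6.0/12/cached-applet.jar
/Volumes/TM Disk/Backups.backupdb/Friends-iMac/2012-03-03-101500/Macintosh HD/Users/friend/Library/Caches/Java/cache/6.0/12/cached-applet.jar
/Volumes/TM Disk/Backups.backupdb/Friends-iMac/2012-03-02-101500/Macintosh HD/Users/friend/Downloads/invoice.zip
/Users/friend/Downloads/invoice.zip
"""


def group_detections(paths):
    """Map each original file path to the sorted snapshots it was detected in.

    Paths that are not inside a backup snapshot are returned separately."""
    grouped, unparsed = defaultdict(set), []
    for raw in paths:
        line = raw.strip()
        m = SNAPSHOT_RE.match(line)
        if m:
            grouped[m.group("path")].add(m.group("snapshot"))
        elif line:
            unparsed.append(line)
    return {p: sorted(s) for p, s in grouped.items()}, unparsed


def cache_dirs_to_exclude(grouped):
    """Return the cache directories that contain detected files."""
    found = (CACHE_RE.search(p) for p in grouped)
    return sorted({m.string[: m.end()].rstrip("/") for m in found if m})


if __name__ == "__main__":
    files, live = group_detections(SAMPLE.splitlines())
    for path, snaps in sorted(files.items()):
        print(f"{len(snaps):3d} snapshot(s)  {path}")
    print("not in a backup:", live)
    print("candidate backup exclusions:", cache_dirs_to_exclude(files))
```

Each unique path in the output is one file to find and remove inside Time Machine as described in the steps above.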
  • DO NOT REMOVE THE THREATS WITH SOPHOS QUARANTINE MANAGER WHILE A TIME MACHINE BACKUP IS RUNNING

    I corrupted my whole Time Machine sparsebundle this way... :( :( :( :(

    :1001533
  • What a relief! Finally got rid of those files. Thanks so much.

    :1001853
  • There is a fly in the ointment. Mail.app places attachments in a folder in the Library folder of the user's home directory (/Users/<username>/Library/Mail/....). 10.7 does not normally allow a user to see her/his Library for some reason, though holding down the Option key while pulling down the Finder's "Go" menu will include an option for the Library.

    The gotcha is that this trick does not work within Time Machine, so to navigate to a malware-ridden file in a Time Machine backup, navigate in Finder to the current directory containing the malware, then launch Time Machine, which will by default place you at the same folder. Then you can right-click on the bad file name and proceed as above.

    :1005443