Help with Creating a Custom Scan to remove a Threat

I would appreciate help with a problem identified when I did a
scan using the free Sophos Anti-Virus for iMac Home Edition that
uses Mac OS X 10.5. The scan detected a Mal/EncPk-LF threat and
the action advised was to "clean up manually" by creating a
custom scan, but I cannot figure out how to do that.
Herbert Marx (hjmarxmd@pol.net)

  • John, I am having a similar problem trying to remove a MAL/Phish-A file from my Time Machine backups. I installed and ran Sophos for Mac anti-virus for the first time yesterday and it detected 3 Trojans in my Library/Caches/Java on the local HD in addition to the MAL/Phish-A on Time Machine. All 4 indicated they needed to be cleaned manually, so I ran an initial custom scan just of the local hard drive to delete the 3 Trojans, which were successfully removed.

    I have not yet been successful in removing the MAL file from Time Machine, however. In my first attempt I ran a scan only on the most recent backup volume so I could filter down to the actual path of the Library/Mail/Sent folder. Even though I had selected the Delete action in the Options dropdown, the completed scan indicated that the file was detected but "Threat not deleted because cleanup is available". This is in spite of the fact that the Quarantine Manager indicated the file must be cleaned manually.

    After puzzling over this I ran the scan a second time, this time selecting CLEAN from Options, and an additional dropdown appeared asking what action I wanted if the clean failed, so I selected DELETE in the second option box. This scan also failed to remove the MAL file, but when checking the scan log it indicated "Failed to clean up threat" "Issue deleting threat".

    So, not knowing if the "issue" is because I was trying to selectively scan only the folder where the file resided in a single backup volume, I am now running a complete scan of my entire Time Machine drive (1.7 million files) and have selected both the CLEAN and then DELETE options. The scan has been running since 4am and has only 250,000 files to go, so I will let you know if it is successful in removing the MAL/Phish-A in all occurrences on the Time Machine. If it again finds an "issue deleting threat" I will have to appeal to SOPHOS support moderators here or anyone else who has successfully removed infected files from Time Machine.

    UPDATE: My total Time Machine scan completed finally but was again unable to clean or delete the detected MAL file. I then decided to try to use the "Move" function and created a folder on the Time Machine drive specifically for infected files. I ran a custom scan only of the folder containing the detected file and selected Clean and then Move options. The scan failed to clean and reported an "issue moving threat". So the file was not moved.

    I read up on how to delete files from Time Machine directly using only the Time Machine interface, but even that would not work as expected. I could not pull up any context menu where I could select the option to "delete all backups" of the selected offending file, even though Apple Support indicated it should work.

    So after reading a few more posts here and making sure my Sophos was set for On Access Mode, I have decided for now to let the Mal file sit out on Time Machine and will just be careful never to recover that file. I did a fresh Time Machine backup of my clean Mac HD and verified that the offending file is no longer to be found in that copy. At this point my assessment is that Time Machine is not allowing SAV to remove any backup files. I do get the SAV Detection Alert screen every time I access the file in Time Machine, but unfortunately that is all that can be done at the moment to my knowledge.
