Help with Creating a Custom Scan to remove a Threat

I would appreciate help with a problem identified when I did a scan using the free Sophos Anti-Virus for iMac Home Edition that uses Mac OS X 10.5. The scan detected Mal/EncPk-LF threat and the action advised was to "clean up manually" by creating a custom scan, but I cannot figure out how to do that.
Herbert Marx (hjmarxmd@pol.net)

  • Go to the icon and right click on it and open Sophos AV. Then on the bottom left is some writing with "Custom Scans". Click on that and then on the + sign and then choose the location where the threat is, or folder.

    Give that a try, never had to do it before, but just had a play with it.  If I am wrong I am sure someone will put me right.

    Good luck.

    Rollers

  • Greetings ... 

    Does anyone have any experience removing a threat that has been backed up by Time Machine?

    Prior to installing Sophos, I must have picked up a virus and backed it up. The Sophos scan now has seen that and tells me that I need to remove it manually. However, trying to find it is next to impossible, especially since the Quarantine Manager does not give me the full path, AND it doesn't give me any idea of which backup file it is in. I am really frustrated.

    John

  • This is what worked for me, step by step:

    The 3 threats found after my first full scan on my Macbook were 

    users/myname/library/cache/java……

    which needed to be cleaned up manually.

    In the Quarantine Manager, click on the blue link file name of the threat to get its details.

    You need to note the path & file name.

    In my example I will use users/myname/library/cache/java……

    You will need to make a custom scan.

    1. In the window that's titled Scan Local Drives, click on the arrow next to Custom Scans.

    2. Click on the + sign. You will see a message "untitled - No items in scan, this scan has never been run".

    3. Double click on it and another window will open asking for a Scan Name (can fill in later). At the bottom of this window, click the + sign; this will open a Finder window called Open.

    4. Double click on the file called Users (another window opens).

    5. Double click on the home file with your name on it (another window opens).

    6. Double click on the Library folder (another window opens).

    7. Single click on the Caches folder and then click on the Open button, bottom right.

       You should now see the folder Caches with a tick next to it in the window described in step 3.

    8. Type in whatever name you want to call the custom scan. I called mine Caches.

    9. Under the title you've just typed are 3 buttons. Click on the Options button.

    10. Click on the drop-down menu where it says "log only" and choose "Delete threat", so it now says "When a threat is found: Delete threat".

        Click on the Done button.

    11. In the custom scans window from step 1 you should see a new custom scan called Caches (or whatever you named it). Click on the Play button next to the pencil button.

    12. A drop-down dialogue box asks you to Scan with privileges, Cancel or Scan All.

        Click on the Scan All button, type in your administrator password and click OK.

    13. The scan is performed. If you open Quarantine Manager, the threats should be gone.

    Cheers.

  • Much more detailed than my instructions, thanks Merril444. Let us know how you get on if you managed to clean up.

  • John, I am having a similar problem trying to remove a MAL/Phish-A file from my Time Machine backups. I installed and ran Sophos for Mac anti-virus for the first time yesterday and it detected 3 Trojans in my Library/Caches/Java on the local HD in addition to the MAL/Phish-A on Time Machine. All 4 indicated they needed to be cleaned manually, so I ran an initial custom scan just of the local hard drive to delete the 3 Trojans, which were successfully removed.

    I have not yet been successful in removing the MAL file however from Time Machine.  In my first attempt I ran a scan only on the most recent backup volume so I could filter down to the actual path of the Library/Mail/Sent folder.  Even though I had selected the Delete action in the Options dropdown the completed scan indicated that the file was detected but "Threat not deleted because cleanup is available". This is in spite of the fact that the Quarantine Manager indicated the file must be cleaned manually.

    After puzzling over this I ran the scan a second time this time selecting CLEAN from Options and an additional dropdown appeared asking what action I wanted if the clean failed...so I selected DELETE in the second option box.  This scan also failed to remove the MAL file but when checking the scan log it indicated "Failed to clean up threat"  "Issue deleting threat".

    So not knowing if the "issue" is because I was trying to selectively scan only the folder where the file resided in a single backup volume, I am now running a complete scan of my entire Time Machine drive (1.7 million files) and have selected both the CLEAN and then DELETE options. The scan has been running since 4am and has only 250,000 files to go, so I will let you know if it is successful in removing the MAL/Phish-A in all occurrences on the Time Machine. If it again finds an "issue deleting threat" I will have to appeal to SOPHOS support moderators here or anyone else who has successfully removed infected files from Time Machine.

    UPDATE:  My total Time Machine scan completed finally but was again unable to clean or delete the detected MAL file.  I then decided to try to use the "Move"  function and created a folder on the Time Machine drive specifically for infected files.  I ran a custom scan only of the folder containing the detected file and selected Clean and then Move options.  The scan failed to clean and reported an "issue moving threat".  So the file was not moved.

    I read up on how to delete files from Time Machine directly using only the Time Machine interface but even that would not work as expected. I could not pull up any context menu where I could select the option to "delete all backups"  of the selected offending file even though Apple Support indicated it should work.

    So after reading a few more posts here and making sure my Sophos was set for On Access Mode, I have decided for now to let the Mal file sit out on Time Machine and will just be careful never to recover that file. I did a fresh Time Machine backup of my clean Mac HD and verified that the offending file is no longer to be found in that copy. At this point my assessment is that Time Machine is not allowing SAV to remove any backup files. I do get the SAV Detection Alert screen every time I access the file in Time Machine, but unfortunately that is all that can be done at the moment to my knowledge.

  • Have you been able to locate the infected files in your Time Machine "Finder" window? Once you do this, you should be able to control/right click on the file and select "Delete All Backups of 'infectedfile.app'", then click OK when it warns you that you can't undo.

  • Thank you Merril444 for taking the time to write this brilliant piece of tech writing. I followed it word for word, was led correctly through every step of the process with no uncertainty or ambiguity in the text. A glowing example of really good instructional writing.

  • Thank you so very, very much for this fantastic step by step post Merril444!!! All threats on my Mac are now gone! And I am very happy! I am a computer moron and you made this easy for me. I didn't think that was possible. Thanks again!

  • Hi merril444,

    Your instructions were more straightforward and clear than those of Sophos employees. I've bookmarked this page on the likelihood I'll forget some of these details and have to refer back to them. THANKS!

    Cheers!

    Wayne

  • I cannot see how to add /private/tmp/ to a custom scan since Finder does not seem to see this file.

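Two of the problems raised in this thread (John's question of which Time Machine backup a detected file sits in, and the later poster's inability to clean a file that exists in several backup sets) come down to finding every copy of the file by the name shown in the Quarantine Manager. The script below is an added example written for this thread; it is not code from Sophos or from any poster. It assumes the standard Time Machine layout of Backups.backupdb/<machine>/<YYYY-MM-DD-HHMMSS>/<volume>/..., and it runs against a constructed stand-in tree with placeholder names, so no real backup drive is needed to try it.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): list every Time Machine
# snapshot that still holds a file whose name was noted from the Quarantine
# Manager, so you know which backup sets it has to be removed from.
# Assumption: standard Backups.backupdb layout,
#   <root>/<MachineName>/<YYYY-MM-DD-HHMMSS>/<VolumeName>/...
# Machine, volume and file names below are placeholders.

# find_in_backups ROOT FILENAME
#   Prints "<snapshot>TAB<full path>" for every copy of FILENAME under ROOT.
find_in_backups() {
    root=$1
    name=$2
    find "$root" -type f -name "$name" 2>/dev/null | while IFS= read -r path; do
        rel=${path#"$root"/}                        # MyMac/2011-05-01-120000/...
        snap=$(printf '%s\n' "$rel" | cut -d/ -f2)  # second component is the snapshot
        printf '%s\t%s\n' "$snap" "$path"
    done
}

# count_snapshots ROOT FILENAME
#   Number of distinct snapshots that contain FILENAME (0 if none).
count_snapshots() {
    find_in_backups "$1" "$2" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# build_sample_tree DIR
#   Constructed stand-in for a Time Machine volume: three snapshots, with the
#   suspect mail file present in the first two only. Prints the backupdb root.
build_sample_tree() {
    root=$1/Backups.backupdb
    for snap in 2011-05-01-120000 2011-05-02-120000 2011-05-03-120000; do
        mkdir -p "$root/MyMac/$snap/Macintosh HD/Users/john/Library/Mail/Sent"
    done
    for snap in 2011-05-01-120000 2011-05-02-120000; do
        : > "$root/MyMac/$snap/Macintosh HD/Users/john/Library/Mail/Sent/suspect.emlx"
    done
    printf '%s\n' "$root"
}

# Stand-alone run against the constructed tree. On a real Mac, pass the mounted
# volume instead, e.g.:
#   find_in_backups "/Volumes/Time Machine Backups/Backups.backupdb" suspect.emlx
demo() {
    work=$(mktemp -d)
    root=$(build_sample_tree "$work")
    find_in_backups "$root" suspect.emlx
    echo "snapshots holding the file: $(count_snapshots "$root" suspect.emlx)"
    rm -rf "$work"
}
demo
```

Run it as-is to see the constructed result (two snapshots listed), then point find_in_backups at the real Backups.backupdb directory with the file name from the Quarantine Manager. Terminal also lists directories that Finder hides, such as /private/tmp, so the same search works for the last question in the thread.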