Hello, this is a message for Andrew. I'm sorry I don't know a better way to contact you.
I have had Sophos AV Mac installed for as long as I have had my MacBook, which is on 10.6.8. Recently I made the mistake of clicking on a phony Facebook email that said something like "So-and-so has commented on your photo -- click here". When I did so, it momentarily took the browser to an *.ru address (don't remember it exactly), but nothing showed up.
I scanned the system folder and applications folder with Sophos but turned up nothing.
When I looked through this forum ("FreeTalk"), I found some advice you gave to someone, some time ago, on a similar subject (below). When I related this information to my brother (who can be somewhat irascible), he had a rather scathing reply (also below).
I apologize in advance for the caustic nature of my brother's reply. But I was hoping for your insight into what might be done in the present circumstances. As far as I can tell, my computer is working normally.
Thank you very much,
Don
----- your reply to Peter in 2011 ------
> Re: Newbie question: Any need to boot from CD for a "clean" scan?
> 06-17-2011 10:06 AM
>
> Peter, thank you; this is a set of extremely good questions.
>
> Because Macs use EFI instead of a BIOS and Master Boot Record, all
> those boot sector viruses will not work on a Mac. So far, there
> have been no EFI-style infectors written, likely due to the security
> architecture designed into the EFI framework itself.
>
> There are also no currently known rootkits in the wild, so the
> standard initial scan procedure is just to perform a full system
> scan. Once the professional malware authors get to understand the
> intricacies of the HFS+ partitioning system, we may see more linux-
> style rootkits show up, but not right now.
>
> Because of the way the operating system and filesystem work, Sophos
> is unlikely to be unable to access a file due to its being "in use"
> -- the malware would have to be loaded by the kernel before Sophos
> in order to block it from looking at files, as Sophos uses the same
> filesystem events that are used by the filesystem manager itself.
> In essence, Sophos gets to look at the files before other processes
> start. If your machine is compromised enough that malicious
> software has loaded something prior to this point, your best bet is
> to scrub the entire system, preserving only your own user folder,
> and start again from scratch.
>
> If you do want to step outside of your normal operating environment,
> keep an emergency hard disk around -- it could be another Mac that
> you can connect via Firewire, a USB disk, or even a large USB key.
> Install the OS on it, and install SAV on that. You'll need a
> volume that's at least 8GB (so no CD boots).
>
> Alternatively, if you have another Mac, use a firewire cable to
> connect the two and mount the suspicious Mac as an external volume
> and scan the volume.
>
> So in summary, you don't need a "BootCD" at this time, and due to
> the architecture of the OS and hardware, many of the reasons for
> needing this on Windows don't exist on OS X... but most of the Unix/
> Linux dangers also exist on OS X, so it is wise to keep a backup
> known-clean boot drive around somewhere that you can install SAV
> onto if needed. An 8GB USB key would do the job perfectly, although
> it couldn't be locked.
> -
> Andrew
> Threat Researcher
> SophosLabs
------ my brother's comments -------
First, the guy asking is asking the wrong question. The reason for
scanning from a read-only source (CD/DVD/etc) is to avoid malware that
might have altered the OS, not just the boot sector.
The answer cleverly (or naively) avoids that issue and perpetuates the
hackneyed notion that Macs are somehow immune from what is called
"permission elevation" (gaining admin privileges). The use of the
term "rootkit" appears to be an attempt to baffle with b*hit, since
rootkits are often installed after an exploit; they aren't the exploit
itself.
Even in 2011, it was almost laughable to suggest there aren't
vulnerabilities in MacOS that could allow malware to alter the OS, or
even to alter Sophos software's ability to find vulnerabilities.
Having a computer's OS scan itself when you suspect trouble is the
equivalent of asking an insane person if they are sane. The suggested
work-around (creating a whole other system on a flash drive) is a
dangerous and burdensome kluge. And not only is a USB key unlocked in
this approach, it's pitifully slow. Hardly a "perfect" solution. But
MacOS doesn't boot from a locked drive very well, so their suggested
kluge may be the best alternative, unless some other vendor provides a
bootable read-only source for scanning a Mac. With a read-write
system, the act of booting the hopefully pristine second system
endangers it. If the system is taken off all networks and Firewire
target mode is used, at least the chances of an infection are much
lower.
A quick look didn't turn up any bootable Mac scanning tools, so it
appears that MacOS is either too complex or vendors don't think there
is a market for a real offline scanner. I have three kinds of
scanners for my Windows and Linux systems. All boot with a light and
fast Linux OS, and all were free.