transient warnings

Hello, sometimes when working on the computer I see a popup message which says that Sophos has detected a threat and puts up a window where I can open quarantine manager. When I click on that the error message disappears and there is no trace any more of the error/warning. This makes me suspect that there is some sort of rootkit running that detects that the antivirus has detected it and then eliminates all trace. Is this possible? How to know, or do a ground-up re-test?

Another clue, maybe. Although properly installed (as far as I know), the Sophos Scans window says that the Scan Local Disks has "never been run" though I have run it many times, and the Scan / shows last scanned on 5 May even though I have run it many times since....


  • You should check the real time scanner log for any detections. Click on the Sophos shield in the menu bar, select 'Open Preferences' and then click the 'Logging' tab. Then click 'View Log Contents'...

    [Screenshot: Screen_Shot_2013-10-02_at_19.30.06.png]

    This opens Console and selects the correct log in the right-hand panel.  Scroll back up the log file and see if there are detections mentioned.

    If you cannot see anything so far you could carry on working and watch out for the problem to appear again.  Then make a note of what was open (applications), what you were doing and what the computer may have been doing/accessing/trying to do at the time.  Then check the real time scanner log again for recent activity.

    If you believe the software isn't working right you could uninstall and reinstall it (is this version 8 or 9?), but it's probably not a great idea to uninstall until you can work out what the detection name is.  If it is a Mac Trojan then you want to keep protection enabled.  If the detection is W32/... or Troj/... then it's a file that can only affect a Windows operating system.

    If you need to post back include an extract of the log file - it'll help.

  • Thanks - I had already done the uninstall/reinstall step before you replied.

    A subsequent scan identified Mal/FBlack-l as per the screenshot below.  This time I was quick enough to catch it and clean it up.

    The "issues" seem to relate to "Corrupt" files which I have now removed (all but one which refers to a file in one of Aperture libraries....so I want to be careful with that).

    Am now re-doing the scan....

    [Screenshot: Fblack.jpg]

  • Glad to hear it.

    I see from the screenshot Time Machine is backing up while a full hard drive scan is running. You may want to pause the backup while the scan runs - just an option so the computer runs a bit faster.

    You may also want to configure the custom scan and exclude the /Volumes/Time Machine folder. Not too much point scanning it as the files are locked away. Plus the scan will go faster and you won't get detections from files inside the backups (TM will eventually overwrite the backups containing the malware when the space is filled).

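The first reply suggests scrolling back through the real time scanner log for detections and reading the detection name prefix (W32/ or Troj/ meaning a Windows-only file). As an added example, not from the thread or from Sophos, here is a small POSIX shell triage of that idea; the log line layout and the Troj/EXAMPLE-A name are constructed placeholders, since the real log format is not shown in the thread.

```shell
#!/bin/sh
# Added example (not Sophos's own tooling). Pulls detection names out of
# scanner log lines and flags the Windows-only prefixes named in the thread.

# classify_detection NAME -> "windows-only" for W32/ or Troj/ names (per the
# reply above), "review" for anything else (e.g. Mal/FBlack-l from the thread)
classify_detection() {
  case "$1" in
    W32/*|Troj/*) echo "windows-only" ;;
    *)            echo "review" ;;
  esac
}

# extract_detections: reads log text on stdin, prints "name<TAB>verdict" per
# line that contains "detected <name>". The "detected" wording is an
# assumption about the log, not taken from the thread.
extract_detections() {
  sed -n 's/.*detected \([^ ]*\).*/\1/p' | while read -r name; do
    printf '%s\t%s\n' "$name" "$(classify_detection "$name")"
  done
}

# sample_log: CONSTRUCTED log lines for offline use; paths and the
# Troj/EXAMPLE-A name are placeholders, Mal/FBlack-l is the thread's detection
sample_log() {
  cat <<'EOF'
2013-10-02 19:30:06 Scan started
2013-10-02 19:31:12 Threat detected Troj/EXAMPLE-A in /Users/me/Downloads/setup.exe
2013-10-02 19:32:40 Threat detected Mal/FBlack-l in /Users/me/Pictures/old.jpg
2013-10-02 19:33:01 Scan finished
EOF
}

# Usage: sample_log | extract_detections
```

Replace `sample_log` with `cat` of the log file opened from the Logging tab to run it over real output.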