
Troj/Zbot-GEW in system.log?

Earlier this evening, Sophos updated itself on my Mac (10.8.4 but now 10.8.5). When it reloaded, the on access scanning didn't come back so I took the opportunity to reboot and install 10.8.5.

When the computer came back up, a short while later I noticed a Sophos popup with a virus in quarantine - it disappeared quicker than I could read it, but on consulting the logs I saw this:

com.sophos.intercheck: 2013-09-19 23:36:16 +0100 Threat: 'Troj/Zbot-GEW' detected in /private/var/log/system.log
com.sophos.intercheck:                              Access to the file denied

I manually ran a scan against the system.log file and it came back clean - how can Sophos detect what looks to be a windows virus, in the OSX system.log file?

As a precaution, I am running a full scan - during the running of this, Sophos again put something in quarantine and then removed it almost immediately, checking the logs again I see this:

com.sophos.intercheck: 2013-09-20 02:13:07 +0100 Threat: 'Troj/Zbot-GEW' detected in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/hu.lproj/InfoPlist.strings
com.sophos.intercheck:                              Access to the file denied

Running sweep again on this file, it came back clean?

Is this something I should be concerned about? Help!

Thanks,


Grant

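The popup vanished before it could be read, but the two-line intercheck records quoted above carry everything needed to triage the events from the log. The following is an added example (not the poster's, and not Sophos' own tooling) that pairs each 'Threat:' line with its action line and summarises hits per threat name; it assumes only the record format visible in the post, and the third sample record without a path is a constructed guess at how the "unknown location" case mentioned later in the thread might be logged.

```python
import re
from datetime import datetime
from typing import List

# Constructed sample: the two records quoted in the post plus one record with
# no location (assumed rendering of the "didn't know the location" case).
SAMPLE_LOG = """\
com.sophos.intercheck: 2013-09-19 23:36:16 +0100 Threat: 'Troj/Zbot-GEW' detected in /private/var/log/system.log
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 2013-09-20 02:13:07 +0100 Threat: 'Troj/Zbot-GEW' detected in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/hu.lproj/InfoPlist.strings
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 2013-10-02 21:05:44 +0100 Threat: 'Troj/Zbot-GEW' detected
com.sophos.intercheck:                              Access to the file denied
""".splitlines()

# Timestamp, quoted threat name, optional "in <path>" tail (path absent when
# the scanner could not resolve what triggered the detection).
THREAT_RE = re.compile(
    r"^com\.sophos\.intercheck:\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"
    r"\s+Threat: '(?P<name>[^']+)' detected(?: in (?P<path>\S.*))?$")
ACTION_RE = re.compile(r"^com\.sophos\.intercheck:\s+(?P<action>\S.*)$")

def parse_intercheck(lines: List[str]) -> List[dict]:
    """Pair each 'Threat:' line with the indented action line that follows it."""
    events = []
    for line in lines:
        m = THREAT_RE.match(line)
        if m:
            events.append({"when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z"),
                           "threat": m["name"], "path": m["path"], "action": None})
            continue
        m = ACTION_RE.match(line)
        if m and events and events[-1]["action"] is None:
            events[-1]["action"] = m["action"]
    return events

def triage(events: List[dict]) -> dict:
    """Per threat name: hit count, distinct paths, hits with no location, and
    hits on OS-owned paths (candidates to re-scan manually before treating
    the detection as a real infection rather than a false positive)."""
    summary = {}
    for e in events:
        rec = summary.setdefault(e["threat"], {"hits": 0, "paths": set(),
                                               "no_location": 0, "os_paths": 0})
        rec["hits"] += 1
        if e["path"] is None:
            rec["no_location"] += 1
        else:
            rec["paths"].add(e["path"])
            if e["path"].startswith(("/System/", "/private/var/log/")):
                rec["os_paths"] += 1
    return summary

if __name__ == "__main__":
    for name, rec in triage(parse_intercheck(SAMPLE_LOG)).items():
        print(name, rec)
```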


  • On subsequent scans, the files show as clean.

    I upgraded to Sophos 9 to see if that would solve it - I hadn't had the issue reoccur since, until tonight, when I switched 'Scan inside archives and compressed files' on - shortly after doing that I got another popup for Troj/Zbot-GEW - this time though, in the logs and in the Sophos UI, it didn't seem to know the location of what had triggered it!

    This made me remember, that when I had the issues before, it was also shortly after turning 'Scan inside archives and compressed files' to on so perhaps this setting is causing Zbot-GEW to be falsely detected in OSX....

    I've turned that setting off for now and will monitor.

    Thanks,


    Grant
