
DELETING A THREAT MANUALLY - FINDING THE THREAT

Whenever I do a full scan, Sophos finds the same two threats which need to be manually removed.  The trouble is I can't find the location folder of these threats as whenever I search for the filename on my mac they just can't be found.

Does anyone know of a way I can find the path to where these threats are located so I can manually remove them?  

Thanks

Colette



  • I found that I actually had to go into Time Machine, find one instance of the infected file, right click on the file, and then select: delete all backups. That deleted all of the files of the same name in Time Machine. I was not able to find those files searching in Finder and when I found them manually, I was not able to delete them. The work had to be done within Time Machine.

  • I just wanted to say, you shouldn't depend on Spotlight to try and find files. I can never find anything I need through Finder. Not sure why it's even there. I've always had to search manually.

  • I just installed Sophos last night.

    My experience in my first 24 hours with Sophos has not been particularly encouraging.

    It installed easily enough, but that's where the positive experience ended.

    Sophos never completed the "scan local drives,"  (1 million out of 3 million files) but that is a different issue.

    (And yes, I was able to continue to do things while it was apparently running.)

    That scan, or the mail intercept, did come up with 4 files in the Quarantine Manager. All four are marked "Clean up manually."

    Being new to Sophos, I tried to follow the Quarantine Manager's instructions, so I clicked on the triangle "Threat details."

    Three of the four files are in "Backups.backupdb" which resides on a "real volume".

    The fourth file, however, shows only "/.../" for the volume name, as well as what is probably a bogus filename, but since I can't find it, I can't tell.

         /Volumes/…/2/mail.zip [mail.zip/mail.txt                                                                        .exe]


    Then it tells me "Please click the threat name above for manual cleanup instructions." 

    I click the link and I'm taken to a web site and page giving instructions for every operating system EXCEPT the Mac OSX.

    And those instructions are not easily found themselves. The page itself looks like a typical "phishing" web page advertising anti-virus software. "Download a free security scan. Find threats your anti-virus missed".... duh... Sophos was the anti-virus, and now you want me to download something else ... yeah, right.  ... and I happen to be an old VMS Sys Admin, so THAT reference was interesting.

    At any rate...


    Agile wrote:

    The complete path to the threat can be found in the scan log.


    In fact the scan log (Preferences/Logging).... /Library/Logs/Sophos Anti-Virus.log - clicking "view log" does not contain these "successful" problems found... only lots of ".ide" file listings. AND several files which were never listed in the quarantine and which apparently no longer exist...

    so, I'm kind of at a loss as to how to "clean up manually" these files. 

    The issue of sophos being able to deal with Time-Machine backups, I'll let ride at the moment, since it appears that others have commented on it extensively.

    I decided to try Sophos because of the review it received in MacTech Magazine (January 2011), but it appears that whoever wrote that article was not really a Mac person at all. As this piece of software, while superficially "Mac-like" is like so much other software .... simply Windows software that now runs on OSX because it's an Intel box. 

  • Thank you for sharing your first time experiences with the product.  We DO listen to your feedback.

    While finding the infected file path can sometimes be a bit confusing in the current version, there's extensive discussion on here about which Sophos log does what (and also in the help found under the Help menu).  However, I always find the easiest way is to open up Console.app and navigate to FILES > ~/Library/Logs > Sophos Anti-Virus > Scans

    This area has a complete log of all scans. The logfile you were looking at is the one found at /Library/Logs/Sophos Anti-Virus.log, and has to do with updates, installs, configurations, etc. -- everything EXCEPT scans.

    While this only answers one of your issues, I hope it at least helps you clean up the files you've detected.

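The scan logs Agile points at are plain text, so the search can be scripted rather than scrolled through in Console.app. The script below is an added example for this thread; it is not Sophos code and not from any poster. It pulls every file path out of a scan log and sorts the detections into copies that live inside a Time Machine store (the Backups.backupdb directory Finder cannot delete from) and copies on a live volume. The log-line shapes it matches ("Threat: '<name>' at: <path>", "Issue: ... at: <path>", "Corrupt file: <path>") are an assumption modelled on the fragments quoted in this thread, not a documented format, and the sample log embedded in it is constructed: compare with a real file under ~/Library/Logs/Sophos Anti-Virus/Scans and adjust the patterns in scan_log_paths if they differ.

```shell
#!/bin/sh
# Added example for this thread; not Sophos code and not from any poster.
# Reads a Sophos Anti-Virus scan log, extracts the file paths, and sorts
# Threat entries into copies inside a Time Machine store (Backups.backupdb,
# which Finder cannot delete) and copies on a live volume.
#
# ASSUMPTION: the line shapes matched below are modelled on fragments quoted
# in the thread, not on a documented format. Check a real log first.

TM_DIR="Backups.backupdb"   # name of the Time Machine store on every backup disk

# Print one "KIND<TAB>PATH" line per log entry that names a file.
# Everything after the first " at: " (or after "Corrupt file: ") is the path,
# so paths containing spaces ("Macintosh HD", "Old Mail") survive intact.
scan_log_paths() {
    awk '
        match($0, / (Threat|Issue): /) && index($0, " at: ") {
            kind = substr($0, RSTART + 1, RLENGTH - 3)   # "Threat" or "Issue"
            printf "%s\t%s\n", kind, substr($0, index($0, " at: ") + 5)
            next
        }
        match($0, / Corrupt file: /) {
            printf "Corrupt\t%s\n", substr($0, RSTART + RLENGTH)
        }' "$1"
}

# "timemachine" if the path is inside a Backups.backupdb store, else "live".
classify_path() {
    case "$1" in
        */"$TM_DIR"/*) echo timemachine ;;
        *)             echo live ;;
    esac
}

# Print "CLASS<TAB>PATH" for every Threat entry in the log.
report_threats() {
    scan_log_paths "$1" | while IFS="$(printf '\t')" read -r kind path; do
        [ "$kind" = "Threat" ] || continue
        printf '%s\t%s\n' "$(classify_path "$path")" "$path"
    done
}

# Count Threat entries of one class ("timemachine" or "live") in the log.
count_class() {
    report_threats "$1" | awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed sample log for a stand-alone run (not a real Sophos log).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2011-01-20 02:13:41 Scan started: Local drives
2011-01-20 02:14:07 Threat: 'Example/Test-A' at: /Volumes/Backup/Backups.backupdb/Mac/2011-01-12-010203/Macintosh HD/Users/user/Downloads/mail.zip
2011-01-20 02:14:07 Threat: 'Example/Test-A' at: /Users/user/Downloads/mail.zip
2011-01-20 02:14:30 Threat: 'Example/Test-B' at: /Users/user/Old Mail/attach.zip
2011-01-20 02:15:02 Issue: engine found an unrecognised file format at: /Volumes/Backup/Backups.backupdb/Mac/2011-01-12-010203/Macintosh HD/Users/user/Desktop/old.dmg
2011-01-20 02:15:03 Corrupt file: /Users/user/Archive/old.Z
2011-01-20 02:20:00 Scan finished
EOF

# Against a real log: report_threats "$HOME/Library/Logs/Sophos Anti-Virus/Scans/<file>"
report_threats "$SAMPLE_LOG"
```

Paths reported as "live" can be removed with rm or in Finder. Paths reported as "timemachine" have to go through Time Machine itself, as lynne describes above (enter Time Machine, find one copy, "Delete All Backups of ..."); on Mac OS X 10.7 and later the same thing can be done from a shell with `tmutil delete`, which does not exist on the 10.6 systems several posters here are running. The scan log, not the Quarantine Manager, is where the full path appears: the "/Volumes/…/" shown in the quarantine window is a truncated display, as Agile says. One more thing about the bracketed name in whmagill's fourth entry, "mail.txt<spaces>.exe": that is the member inside mail.zip, and the run of spaces is part of the filename, a common way of pushing the real ".exe" extension out of view in a file listing.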

  • Agile wrote:

    ...  there's extensive discussion on here about which Sophos log does what (and also in the help found under the Help menu).  However, I always find the easiest way is to open up Console.app and navigate to FILES > ~/Library/Logs > Sophos Anti-Virus > Scans


    1- I hate this BBS system you are using... (or whatever you want to call Lithium) it has to have the most non-intuitive interface -- i.e. unlike the rest of such software on the web that I use  :(

    2- Thanks for the pointer! As far as I can tell, this log file you mention is completely undocumented. (Or if it is... that documentation is seriously hidden.) The only log "documented," is the System level log found in the Preferences/logging panel. 

    3- This log's location  is completely illogical. Why on earth would a program which runs as root store its output under some arbitrary user id... especially when it is at the same time maintaining a system level log.

    4- Now that I've looked at this scan log, I see why you don't tell people that it exists.... you'd have to explain all the messages found in the log, such as: 

    Corrupt file: ... (most seem to be .zip files, but also a couple of zhtml, rar, Z formats)

    Interestingly, I know what all these files are and in most cases haven't touched them for ages, implying that A) they might really be corrupt or B) they are from "ancient" versions of compression programs.

    Issue: engine found an unrecognised file format at: ... (all seem to be .dmg files)... and actually the same file with multiple iterations in "Backups.backupdb"

    The log does show that the threat files are all also in the infamous "Backups.backupdb" ... i.e. on the Time Machine backup disk.

  • I also had to go into Time Machine to delete a Trojan. Custom scans didn't work.


  • lynne wrote:

    I found that I actually had to go into Time Machine, find one instance of the infected file, right click on the file, and then select: delete all backups. That deleted all of the files of the same name in Time Machine. I was not able to find those files searching in Finder and when I found them manually, I was not able to delete them. The work had to be done within Time Machine.


    That is to be expected with Time Machine.

    The contents of Time Machine are not "normally" visible to the Finder.... only via the Time Machine interface.

    Because of the structure of Time Machine (it is basically a database, not a file system as such), the Finder is "prohibited" from working with those files. 


  • whmagill wrote:
    4- Now that I've looked at this scan log, I see why you don't tell people that it exists.... you'd have to explain all the messages found in the log, such as: 

    Corrupt file: ... (most seem to be .zip files, but also a couple of zhtml, rar, Z formats)

    Interestingly, I know what all these files are and in most cases haven't touched them for ages, implying that A) they might really be corrupt or B) they are from "ancient" versions of compression programs.


    Exploring the corrupt files has been interesting.  Several of them are ".doc" files ... from ancient versions of Word (probably circa 1997).

    Word:Mac 2008 could read and convert (i.e. suck the text out of them, but not format them); however, there were also several which Word:Mac 2008 could not read at all. 

    I can read the documents via emacs and they are clearly MSWord documents, but not knowing Word formats, I don't know what versions.

    Now to tackle the zip files.

  • Thanks for your updates!  I'd definitely be interested in hearing about any files that are identified as corrupted that aren't... if you feel comfortable sending them to us, I can send you the link to the submission form; just make sure you indicate it's reported as corrupt and isn't.

  • Not being a technician at all, I've tried to find the threat located by Sophos, Troj/JavaBz-, but I just cannot get to it. I am working on Mac OS X 10.6.6. Do I have to get into Time Machine? How? 

    /Susanne
