DELETING A THREAT MANUALLY - FINDING THE THREAT

Whenever I do a full scan, Sophos finds the same two threats which need to be manually removed. The trouble is I can't find the location folder of these threats, as whenever I search for the filename on my Mac they just can't be found.

Does anyone know of a way I can find the path to where these threats are located so I can manually remove them?  

Thanks

Colette

:1001219


  • SOOO....

    Since I am in a similar boat....let me try and clarify what I did and present my results to make sure that I am not missing something!!

    I downloaded the MAC home edition for my Macbook Pro - installed - no issues - ran my first scan and discovered 15 threats - the Quarantine Manager indicated that they all had to be 'cleaned manually' - 'clean up threat' was not an option.  I used this forum and the instructions to create a custom scan - all the threats were confined to the Users folder - JAVA cache. I included the Users folder in my custom scan and 17 (?!) threats were now discovered - again, all in the JAVA cache.  BUT, I was still not given the option to 'clean up threat'.  I re-read the instructions here: http://www.sophos.com/support/knowledgebase/article/112129.html   and it was indicated to open the Options tab in the custom scan and choose 'delete threat' - then run the scan.  Again - it discovered 17 threats -  but this time Quarantine Manager had no selections to choose since I chose 'delete threat'. 

    NOW, has this removed these threats from my machine? Or am I required to track them down individually? When the Quarantine Manager of a custom scan does not give you the option to 'clean up threat', is simply choosing to delete it sufficient?  AND, since I don't know where these threats originated, will SOPHOS initially stop them in the future?

    Thanks!!

    :1002663
  • I just went through the same frustration, but got it fixed. Sophos should list a file name with the threat. I had to go to my Java cache and each folder to find the file, I then just deleted it. That got rid of the threat. Hope this helps.

    :1002665
  • Hello TEL,

    "is simply choosing to delete it sufficient"

    Simply put, cleanup is (can be) two (different) things: 1) removing malicious code or instructions from an infected file and 2) reverting or at least "nullifying" potential side effects and/or modifications. If a file is malicious in its entirety, then deletion is the only way to "clean it up" anyway. Also, it's not always feasible to remove a malicious item from an archive.

    There's no need to deal with threats individually if a scan encompasses all of them. If you've first scanned without the delete option, setting this option and rerunning the scan will delete the threats.

    "will SOPHOS initially stop them"

    It might not prevent downloading them, but as soon as they are accessed (i.e. about to be "used") the on-access scanner will detect and block them (or clean up/delete them if it is configured to do so).

    HTH

    Christian 

    :1002671
  • Sounds good!

    I'll give it a few days/weeks, run some scans and see what turns up.

    Thanks

    :1002683
  • If you're running the software with on-access enabled and the default settings, you should never have to "run" another scan for anything but manual cleanup, as it will detect malicious files when they're opened for access. If you're excluding archives or certain directories from your on-access scans, you'll probably want to do a full scan every once in a while, however.

    :1002685
  • I have 8 items of listed threats that have to be removed manually, and the Sophos page should simply include a path or way to help automatically delete them by simply selecting the file. I am not a computer whiz and I have no idea how to do an advanced scan including the 8 threats to delete them. Once they are in the quarantine box I would gladly pay for a way to select them and have Sophos manually delete them.

    I say name a reasonable price and I'll pay

    :1004361
  • Thank you for the feedback :)

    While you are waiting for this feature, try the following:

    When in the quarantine manager with the detected malware selected, click the triangle to the left of Threat Details.

    Next to Path and Filename is the complete path to the malware. You can select the file path (not the actual filename at the end), copy (command-c), go to the Finder, select Go->Go To Folder... (command-shift-g) and paste the path. Then press Return, and a Finder window displaying the item should pop up.

    Alternatively, try an advanced scan.  You don't need to be a computer whiz:

    1. go to the main Sophos Anti-Virus window (the one that says Scan Local Drives at the top),
    2. click the triangle next to Custom Scans,
    3. click the + at the bottom, name your scan,
    4. click the + at the bottom of the new window, click Open,
    5. click the Options tab
    6. change "Log only" to "Clean up threat" (or "Delete threat" if you know it's a stand-alone file, and not part of an archive you don't want deleted),
    7. click Done and
    8. click the Play button for the new scan you created.  

    Except for certain situations where removing the file could harm something else on your computer, this should delete the malware.

    :1004365
  • Sophos is telling me that I have the trojan OSX/Flashplr-D on my computer (I gather that this one has hit an awful lot of Mac users in the past few days, so maybe someone out there has some specific knowledge).

    After scanning my home drive, the quarantine window tells me I need to clean up manually.

    I've followed the instructions to create a custom scan and set it to delete. Home drive now seems clean. However...

    Re-running a scan on all local drives (just to make sure it was all gone) it seems the trojan is still there on my backup drive. The quarantine window tells me that OSX/Flashplr-D is still there and gives me several locations on my Time Machine backup drive:

    /Volumes/FreeAgent GoFlex Drive/Backups.backupdb/<name>'s Computer (2)/2012-03-28-075956/Hard Disk/Users/<name>/.null

    Checking the custom scan log, it says at the end "Threat not deleted because cleanup is available"

    Not sure what this means. Can someone tell me, please?

    I have tried to browse to this location in Finder and Time Machine in order to delete the trojan manually, but can't find the path/file specified by quarantine (I gather a few of you have been this far).

    I'm now at a loss. How do I go further with manually removing this trojan from my backup drive? Any help will be much appreciated.

    Thanks.

    :1006121
  • That's a strange path for OSX/Flashplyr-D -- the ".null" seems suspect.

    If you open the scan log in Console.app, does it provide a better path?

    :1006125
  • I found that I actually had to enter Time Machine and search for the virus/worm, then delete it. It was not possible to do it by searching the folder within Finder. It was a while ago and I can't remember all the details, but try that.

    :1006127