
DELETING A THREAT MANUALLY - FINDING THE THREAT

Whenever I do a full scan, Sophos finds the same two threats which need to be manually removed.  The trouble is I can't find the location folder of these threats as whenever I search for the filename on my Mac they just can't be found.

Does anyone know of a way I can find the path to where these threats are located so I can manually remove them?  

Thanks

Colette

:1001219


This thread was automatically locked due to age.
  • Andrew - thanks for replying. Yes, that's what I don't understand, that .null folder isn't anywhere on Time Machine or Finder. The same path is in the console log.

    I tried to cd to this .null folder in the console, but couldn't find it either. I'm not an advanced user anyhow and don't really want to go executing console commands when I don't really know what I'm doing.

    :1006141
  • Another new user here, impressed by Sophos' ability to find threats, but disheartened by its inability to do anything about them.

    I've read everything posted in this forum and I'm pretty sure I understand it all, but I'm still having little luck removing the threats.

    You say to select the path of the infected file in the Quarantine Manager. All of my 21 threats are listed first as Path and Filename (those can be selected), but they are all Time Machine backup files which must be cleaned manually. Many of them (though not all) are also listed as Original Locations, but those cannot be selected. Ideally, I should be able to select the full path (which can't be seen -- it's too long for the fixed-size window), Search for the file and delete it (with the option to delete its backup, too). But that's impossible since I can't select the file path or even read all of it.

    I've also tried the Custom Scan route. Sophos said it found 3 threats that way, but displayed only 2 of them in the Quarantine Manager. It did let me clean those 2 up. I then ran the same Custom Scan again. Sophos said it found 5 threats this time, but displayed none of them. That does not inspire confidence.

    Looks like all of the threats are Windows threats and were found in email attachment files (that have never been opened and will never be opened), so it's not like I'm overly worried about them. But if Sophos can't help getting rid of them, I'm not confident it can block or get rid of other future threats either.

    :1006147
  • We currently have a policy not to clean up inside backup archives, as this could damage the integrity of the backup.

    You will find that if you click on the path listed, you are actually able to see the entire path, as well as select it and copy/paste to somewhere else.  The path is also available in the scan log.

    The issue with finding threats and then not displaying them is usually down to finding threats in temporary files that are gone by the time the QM is opened.  Since they no longer exist, it doesn't display them.

    :1006153

  • Agile wrote:

    You will find that if you click on the path listed, you are actually able to see the entire path, as well as select it and copy/paste to somewhere else.  The path is also available in the scan log.


    I can't see the entire path, no matter what I do. I have figured out that I can select the entire path and copy/paste it into a text editor where the full path will be visible, but there is no way to display the full path in Sophos. And pulling up the Scan Log opens Console and displays what seems to be non-stop gibberish that extends into infinity (only a slight exaggeration) -- hard to make heads or tails out of it.

    Since I can't/shouldn't try to remove threats from my Time Machine backup, I've excluded that disk from Sophos. I've also deleted all those threats from the Quarantine Manager. And, lastly, since they were all contained in email attachments, I have removed all suspect files from my Library/Mail folder so the threats should now exist only in my backup. And, since they aren't files I would ever restore intentionally or open under any circumstances, there is no harm in just leaving them there.

    :1006189
  • OK managed to find a solution to this for anyone else struggling to manually delete the .null files.

    Apparently these .null files are another variant of the Flashback virus and the files are hidden as Finder/Time Machine thinks they're system files and hides them by default.

    All you need to do is switch on "show hidden files" in Finder, which is detailed here:

    http://www.macworld.com/article/1051830/showallfinder.html

    I was then able to browse to the .null file in Time Machine, click on it then go actions->delete from all backups.

    Rerunning a full scan now just to make sure, but looks like it's sorted.

    :1006235
  • At step 7 there is no + sign in the box to click on.

    :1009832
  • When I click on the blue threat I get a page that says Safari cannot connect to the server.

    :1009838
  • I followed your instructions, found the thread, did three custom scans and the virus is still there.

    :1009842
  • Good job finding your way through the instructions -- those instructions were for SAV 7, and so are not completely accurate for SAV 8.

    The most up-to-date instructions can be found at http://www.sophos.com/en-us/support/knowledgebase/112129.aspx which is linked from the product.  I do have some more instructions that will soon be added to that Knowledge Base article for situations where cleanup still fails.

    However, most of those instructions come directly from this thread.

    What is the path to the files that you're having problems cleaning?  What is the threat name?

    :1009844