Re : How to tell what threats Sophos Deleted

Hello, any help or knowledge is greatly appreciated.

I, being a newbie, unknowingly set the program to delete instead of log on my first scan. Apparently it found 1 threat which, after I scanned another 3 times, has apparently been deleted. Is there any way to find out what that file was?? I am afraid it may have deleted something that could cause instability. I am not having any problems at the moment, but I am getting paranoid and really want to find out what Sophos deleted.

Please help :smileyindifferent:

:1002141


  • Hello Thomas,

    Sophos always writes a log. From the scan menu select View scan log. Or open Console (for example with a spotlight search - command+spacebar, type console, hit return) and select the appropriate log in the left pane.

    Christian

    :1002143
  • Hey Christian :) Thanks for the quick reply. I found the large log and read it from top to bottom, and I simply don't see anything even implying "threat found" or "threat deleted", or anything of the sort. So odd, and I am a techie guy, I can usually spot these things. If my log wasn't so long I would post it. It was the very first scan I ever did with Sophos that showed 1 threat found; after that all other scans showed nothing, so it should be the first in the log, but I am seeing nothing. Sigh :smileyindifferent:

    :1002145
  • Hi,

    A new log is created for every "Scan Local Drives" you run, so what you want to look at is presumably the log of the very first scan that you ran? In which case navigate to /Users/<your account>/Library/Logs/Sophos Anti-Virus/Scans/Scan This Mac/ and open the oldest log file in there.

    I hope this helps.

    David

    :1002147
  • Hey :smileyhappy: Thank you, I didn't realize that. OK, soooooo I followed the file path you presented and it was certainly there. This is what I found:

    Scan name: "Scan Local Drives"
    Scan items:
    Configuration:
    Scan inside archives and compressed files: Yes
    Automatically clean up threats: No
    Action on infected files: Delete
    Scan started at 2011-02-21 22:01:06 -0500
    New volume detected at /
    2011-02-21 22:41:48 -0500 Threat: 'Troj/JavaDl-BH' detected in /Users/ThomasEstwick/Library/Caches/Java/cache/6.0/19/33adce13-2434ac61/direct/bear.class
                                 Deleted threat
    Scan completed at 2011-02-21 22:46:33 -0500.
    448167 items scanned, 1 threats detected, 0 issues

    It's deleted now, but is that a Mac trojan or a Windows trojan? And it's also a Java file or association of some sort. Odd.

    :1002155
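As an added example that is not part of this thread and not Sophos's own tooling: a small Python script that answers the question asked at the top of the thread by reading every scan log in the directory David gave above and pulling out each "Threat:" line together with the action recorded on the indented line beneath it (the "Deleted threat" line in the log Thomas pasted). The log format and the embedded sample are the ones quoted in this thread; the directory path, and the assumption that the action always follows the detection on an indented continuation line, are taken from these posts and are not verified against other Sophos versions.

```python
import os
import re

# Constructed sample: the first-scan log quoted earlier in this thread, embedded so the
# parser can run offline. Real logs are read from SCAN_LOG_DIR below.
SAMPLE_LOG = """Scan name: "Scan Local Drives"
Scan items:
Configuration:
Scan inside archives and compressed files: Yes
Automatically clean up threats: No
Action on infected files: Delete
Scan started at 2011-02-21 22:01:06 -0500
New volume detected at /
2011-02-21 22:41:48 -0500 Threat: 'Troj/JavaDl-BH' detected in /Users/ThomasEstwick/Library/Caches/Java/cache/6.0/19/33adce13-2434ac61/direct/bear.class
                             Deleted threat
Scan completed at 2011-02-21 22:46:33 -0500.
448167 items scanned, 1 threats detected, 0 issues
"""

# Assumed location (from David's reply in this thread); adjust if your version differs.
SCAN_LOG_DIR = os.path.expanduser("~/Library/Logs/Sophos Anti-Virus/Scans/Scan This Mac")

THREAT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in (?P<path>.+)$"
)
SUMMARY_RE = re.compile(
    r"^(?P<scanned>\d+) items scanned, (?P<threats>\d+) threats detected, (?P<issues>\d+) issues$"
)


def parse_scan_log(text):
    """Return the configured action, scan window, each detection with its recorded action, and the summary counts."""
    result = {"action_setting": None, "started": None, "completed": None,
              "detections": [], "summary": None}
    pending = None  # the last detection still waiting for its indented action line
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = THREAT_RE.match(line)
        if m:
            # Default covers log-only mode, where no action line follows the detection.
            pending = {"time": m.group("ts"), "name": m.group("name"),
                       "path": m.group("path"), "action": "no action recorded"}
            result["detections"].append(pending)
            continue
        if pending is not None and line[0].isspace():
            pending["action"] = line.strip()  # e.g. "Deleted threat"
            pending = None
            continue
        pending = None
        if line.startswith("Action on infected files:"):
            result["action_setting"] = line.split(":", 1)[1].strip()
        elif line.startswith("Scan started at "):
            result["started"] = line[len("Scan started at "):]
        elif line.startswith("Scan completed at "):
            result["completed"] = line[len("Scan completed at "):].rstrip(".")
        else:
            s = SUMMARY_RE.match(line)
            if s:
                result["summary"] = {k: int(v) for k, v in s.groupdict().items()}
    return result


def find_deleted_threats(log_dir=SCAN_LOG_DIR):
    """Walk every scan log in log_dir, oldest first, and collect detections whose recorded action deleted the file."""
    found = []
    if not os.path.isdir(log_dir):
        return found
    names = sorted(os.listdir(log_dir),
                   key=lambda n: os.path.getmtime(os.path.join(log_dir, n)))
    for name in names:
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            parsed = parse_scan_log(fh.read())
        for d in parsed["detections"]:
            if d["action"].lower().startswith("deleted"):
                found.append({"log": name, **d})
    return found


def describe(detections):
    """One line per detection, suitable for printing or pasting into a support thread."""
    return ["{time}  {name}  {path}  -> {action}".format(**d) for d in detections]


if __name__ == "__main__":
    print("Sample log:")
    print("\n".join(describe(parse_scan_log(SAMPLE_LOG)["detections"])))
    real = find_deleted_threats()
    print("\nDeleted by scans on this machine: %d" % len(real))
    print("\n".join(describe(real)))
```

The parser keeps detections whose action line is missing (for example when the scanner was set to log rather than delete) and marks them "no action recorded", so the output distinguishes "found and removed" from "found and left alone".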
  • Hey guys, I did some googling... and it seems that particular one was a Windows virus, maybe transferred over from my flash drive. But I scanned my flash drive and there's nothing there, so I am scanning my Seagate hard drive now. Can a Mac pick up a Windows trojan from just visiting the internet?

    thanks for your time and help in advance

    :1002157
  • Hello Thomas,

    You don't have to use an internet search to get (some) information on the threat. For outstanding alerts you get a link in Quarantine manager; if you find a threat in the logs, go to the Analyses page and enter the name there. Troj/JavaDl-BH is - as you've found out - a Windows Trojan in a Java class file. These things are most likely picked up by visiting a webpage. It was probably sitting there from a time before Sophos was installed, and it's safe to delete (a cache is just a cache).

    Please note that a detection does not necessarily mean infection - not even potential infection. So it's not uncommon to get a "cross-platform" or "cross-environment" detection (an example of the latter would be a Word macro virus).

    Christian

    :1002159
  • It's likely a windows-targeted malicious drive-by written in Java.  That path is to the JavaWebCache, where Java referenced by your web browser ends up.

    However, since it's in Java, it can likely download files to OS X as well -- but unless the malware authors were intending it for OS X, the malicious Java will end up downloading a useless Windows executable.

    So the final answer is: it's malicious, and what it does is download a payload... that is likely targeted at Windows right now, but could at any point in time contain OS X malware.

    If you google Troj/JavaDl-BH, the first result is the Sophos security analysis, which states: Affected operating systems: Windows.

    :1002161