Non believer

On iMac running Lion (current version)

I am getting strange lists of files to be deleted from Quarantine Manager (V 8.0.4C)

Jun 11...

Threat: Mal/Phish-A

Path and Filename: /Library/Sophos Anti-Virus/com.sophos.sxl.plist,
    /Users/rjm/Library/Keychains/login.keychain,
    /Applications/MacFamilyTree.app/Contents/Resources/RippleShading.tiff
---
Did not clean up threat. Today Jun 13 got same threat but file was an email attachment. More normal.
I am also getting the same thing on a MacBook Pro running Sophos Ver 7 and Ver 8
Filename: ,
   /Library/Keychains/System.keychain,
   /usr/lib/dyld
I do NOT want to delete these files...
Any idea what is going on???
  • Do NOT delete these files, as this is definitely not a legitimate detection; Mal/Phish-A should not fire on those sorts of files (should not even be referenced for those sorts of files).  In normal operation, Mal/Phish-A should only fire on email attachments or documents similar to email attachments (and some web pages).

    This sounds like a memory or disk corruption issue.  Does the problem go away after you reboot your computer?

    I'd definitely take this opportunity to run Disk Utility and repair file permissions and verify your drive as well.

  • Have rebooted iMac and same thing happening...

    On MacBook Pro booted from Lion Recovery partition and ran (Repair Disk & Repair permissions) x 2

    - Ran supplied removal tool on Ver 7 and installed Ver 8.04

    - problem persists.

    Anything else I can try?

  • Can you submit some of those files via the web submission interface, indicating an FP?  Don't submit the keychain, unless you know there's nothing too private in there.  This seems like a very strange situation.

  • Thanks; items received and being looked into.

  • OK.

    Here is a new wrinkle.

    On the iMac Sophos has now dreamed up some original locations for the files...

    Threat: Mal/Phish-A

    Date: 2012-06-18 3:34 PM and 2012-06-18 5:27 PM

    Path and Filename:

    /Users/rjm/Library/Mail/V2/IMAP-Morton.Robert@imap.gmail.com/[Gmail].mbox/Spam.mbox/C87B5462-3786-4D77-95C2-19203B87A72D/Data/5/8/2/Attachments/285161/2/Application.htm,

    /Users/rjm/Library/Mail/V2/IMAP-Morton.Robert@imap.gmail.com/[Gmail].mbox/Spam.mbox/C87B5462-3786-4D77-95C2-19203B87A72D/Data/6/8/2/Attachments/286906/2/Application.htm,

    /Users/rjm/Library/Mail/V2/IMAP-Morton.Robert@imap.gmail.com/[Gmail].mbox/Spam.mbox/C87B5462-3786-4D77-95C2-19203B87A72D/Data/8/7/2/Attachments/278642/2/Application.htm  

    Original Locations:

    /Library/Preferences/com.sophos.sav.plist,

    /private/var/db/launchd.db/com.apple.launchd/overrides.plist,

    /private/var/db/ntp.drift,

    /System/Library/Framworks/CoreServices.fra…work/Versions/A/Support/SFLSharedPrefsTool,

    /usr/lib/system/libremovefile.dylib,

    /usr/share/icu/icudt46l.dat

  • The new locations are correct for that detection.  The other locations were incorrect (as far as detection itself goes) as the detections could never actually fire on those other files (we've examined the files in-depth and have not been able to trigger the detection on a setup similar to yours, even after messing around with the data a bit).  Are you sure the old paths were still there after a reboot?

  • All the files I checked whether listed under "Path and Filename" or "Original Locations" actually existed.

    Those that were mail attachments in spam folders I located by cutting from the Quarantine Manager window and pasting into a Finder "Go to Folder" window (removing the filename). I deleted these files manually and Sophos no longer reported on them. These are files and locations that I would suspect to carry viruses.

    My Sophos preferences are set to "Log only" for "Scan Local Drives" and "Deny access" for "On-access Scanning". The last time I did a local drive scan was after I started to notice filenames listed as threats I would not wish to delete. That was under Ver 7, so I updated to Ver 8.0.4C and ran a local drive scan 2012-06-07 8:00 AM.

    On-access Scanning resumed and so did the anomalies. (Our conversation started at that time)

    According to your Technical Guide - Original Locations: If the threat has been moved during scanning or partially removed, this element is displayed. All the original files that comprise the threat are listed.

    I find it improbable that a list of spam attachments would originate in various system libraries.

    I got an email back from the sample files I sent. In case you don't get to see these it reads…

    -----

    Hello,

    Thank you for submitting a sample to our Sophos Labs; after investigation they have stated the submitted xml files are from our system, this wouldn't have fired the IDs indicated.

    Please submit samples of actual detections made on your machine after a system scan.

    Please advise, if no response is received within 3 days this case will be automatically closed.

    Regards, 

    Sophos Technical Support

    -----

    To be in charge of the bleeding obvious for a moment, I think that has been my point… An "ntp.drift" file or "com.sophos.sav.plist" file is unlikely to be harbouring a virus and should not be showing up in Quarantine Manager. I'm happy the lab was able to confirm it.

    If I read the next line correctly they would like me to run a local drive scan and submit threat samples…

    I ran a Disk Utility Volume Repair & Repair Preferences on the iMac today - no volume errors.

    I will run a Sophos drive scan tonight and let you know what happens. I'll submit samples of threats detected...

  • Thanks!  If/when you submit again, if you note that this is an ongoing product issue and the files are known to not actually be malicious although flagged as so, hopefully that will prevent any mis-filing.  I had already attached a note to your submission, but I guess it got missed by the person sending the eventual reply.  Reference to item number 266729-3 might help.

  • Good Morning Andrew.

    The scan ran until 3:04 AM

    Sophos reported one threat in three separate spam mail attachments. The same ones I did not clean up last night.

    Threat: Mal/Phish-A

    Date:  2012-06-20 3:04 AM

    Path and Filename: 

    /Users/rjm/Library/Containers/com.agilebits.onepassword-osx/Data/Library/Mail/V2/IMAP-Morton.Robert@imap.gmail.com/[Gmail].mbox/Spam.mbox/C87B5462-3786-4D77-95C2-19203B87A72D/Data/5/8/2/Attachments/285161/2/Application.htm,

    /Users/rjm/Library/Containers/com.agilebits.onepassword-osx/Data/Library/Mail/V2/IMAP-Morton.Robert@imap.gmail.com/[Gmail].mbox/Spam.mbox/C87B5462-3786-4D77-95C2-19203B87A72D/Data/6/8/2/Attachments/286906/2/Application.htm,

    /Users/rjm/Library/Containers/com.agilebits.onepassword-osx/Data/Library/Mail/V2/IMAP-Morton.Robert@imap.gmail.com/[Gmail].mbox/Spam.mbox/C87B5462-3786-4D77-95C2-19203B87A72D/Data/8/7/2/Attachments/278642/2/Application.htm

    The only odd bit is that it found them via an alias of the "/HD/Users/rjm/Library/Mail" directory found in another application's directory tree???

    I suspect that these files do indeed contain viruses. Should I still ship them to you?

    I would normally restart the system, fire up mail and wait for "On-access Scanning" to find another threat... 

    but I think I will wait for your reply in case you want me to do something more esoteric...

  • These look like legitimate phish detections in your IMAP cache -- they'll likely show up linked to any app that uses your mail.app mail connections.

    Since it's all just links to the same cache, the easiest method of removing the files (even easier than using Sophos) is to just delete the actual emails via your email client (or web interface).  There's nothing in them that is malicious to your computer itself; they contain a link to malicious data or fake web pages stored on a malicious webserver.

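The duplicate hits discussed in the last two posts (the same three attachments reached both through ~/Library/Mail and through another app's container directory) are what you get when a scanner reports a file through every link that reaches it. The script below is an added example, not code from the thread or from Sophos: it parses the pasted "Path and Filename:" list format shown above, resolves each entry to its canonical path so alias and original collapse into one group, and flags entries that do not exist. The directory tree and the symlink standing in for the container alias are constructed in a temporary directory.

```python
"""Group Quarantine Manager path listings by the file they really point at."""
import os
import shutil
import tempfile
from collections import defaultdict


def parse_listing(text):
    """Split a pasted 'Path and Filename:' block into individual paths.
    The block is one comma-separated list whose continuation lines are indented."""
    body = text.split("Path and Filename:", 1)[-1]
    return [p.strip() for p in body.split(",") if p.strip()]


def canonicalize(paths):
    """Map each symlink-resolved path to the listed entries that reach it,
    and collect listed entries that do not exist on disk at all."""
    groups, missing = defaultdict(list), []
    for p in paths:
        if os.path.lexists(p):
            groups[os.path.realpath(p)].append(p)
        else:
            missing.append(p)
    return dict(groups), missing


def build_sample_tree(root):
    """Constructed fixture (hypothetical layout): a real Mail cache plus an
    app-container symlink to it, like the alias the thread describes."""
    mail = os.path.join(root, "Users/rjm/Library/Mail")
    attachment = os.path.join(mail, "V2/Spam.mbox/Attachments/1/Application.htm")
    os.makedirs(os.path.dirname(attachment))
    with open(attachment, "w") as fh:
        fh.write("<html>constructed sample, not real phishing content</html>")
    container = os.path.join(root, "Users/rjm/Library/Containers/example.app/Data/Library")
    os.makedirs(container)
    os.symlink(mail, os.path.join(container, "Mail"))  # the "alias"
    via_alias = os.path.join(container, "Mail/V2/Spam.mbox/Attachments/1/Application.htm")
    bogus = os.path.join(root, "usr/lib/dyld")  # listed but absent under root
    return "Path and Filename: %s,\n    %s,\n    %s" % (via_alias, attachment, bogus)


def demo():
    """Build the fixture, analyse its listing, clean up, return the result."""
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        return canonicalize(parse_listing(build_sample_tree(root)))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    groups, missing = demo()
    for real, listed in groups.items():
        print("%d listing(s) -> %s" % (len(listed), real))
    print("missing:", missing)
```

One canonical file with two listed entries means one email to delete, not two detections; a path in `missing` is a listing that points at nothing and is worth a closer look rather than a deletion.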