On iMac running Lion (current version)
I am getting strange lists of files to be deleted from Quarantine Manager (V 8.0.4C)
Jun 11...
Threat: Mal/Phish-A
Funny you should mention that…
All the legitimate files that Sophos identified were from one particular Gmail account.
I just went on a hunt to find them… and when I found one of them in the Spam folder it had this box…
Why is this message in Spam? It's similar to messages that were detected by our spam filters.
I guess similar means that it did not think it should remove the virus.
…and here comes the Catch-22
Sophos finds it and deletes it. Since it is from an IMAP mail account that keeps it for 30 days, it will keep syncing… OK this is a different issue and not yours. I don't even want to think about why 1Password creates alias files to my Mail directory?
I did however move a couple of these files (Application.htm) and Sophos found them and correctly identified their new locations and their original locations.
This all leads back to my original reason for posting, why was Sophos pointing at "/usr/lib/dyld" ?
> Original Locations:
> /Library/Preferences/com.sophos.sav.plist,
> /private/var/db/launchd.db/com.apple.launchd/overrides.plist,
> /private/var/db/ntp.drift,
> /System/Library/Framworks/CoreServices.fra…work/Versions/A/Support/SFLSharedPrefsTool,
> /usr/lib/system/libremovefile.dylib,
> /usr/share/icu/icudt46l.dat
Do you still have those paths in the Quarantine Manager? I thought the paths had already been replaced with the correct locations?
The response to why they originally flagged those locations is "Possibly memory corruption, which is fixed by a reboot." The problem here is that the issue has not been reproducible to date and we've seen such a small number of incidents that we haven't been able to isolate the variables.
If you're still seeing them in the Quarantine Manager, if you forcibly remove them from the quarantine manager and re-scan, the detections should either go away or show the proper location.
The one thing I *have* noticed from all occurrences of this issue is that the files flagged as malicious are the ones that would have been most recently accessed at the time the detection was flagged.
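The reply above gives the practitioner two things to test before trusting a detection that lands on a system file: was the flagged file simply the most recently accessed one at detection time, and does it change between the first scan and the re-scan after a reboot? The following script is an added example, not Sophos code and not from the original thread. It records size, mtime, atime and SHA-256 for each quarantine entry, flags entries whose last access falls inside a window before the detection time, and diffs two runs. The 15-minute window, the threat/path/time tuple layout and the temp-file stand-ins used in `demo()` (in place of paths like /usr/lib/dyld) are all assumptions.

```python
"""Triage helper for quarantine entries that point at system files.

Added example, not Sophos code. Usage: build a list of
(threat_name, path, detection_datetime) tuples from the Quarantine Manager,
call triage() when the detection appears, reboot and re-scan as advised,
call triage() again, and feed both results to diff_snapshots(). An unchanged
hash plus a detection that disappears points at a stale entry; a changed
hash on a system file is a real change worth investigating.
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta

# Assumption: "recently accessed" means within 15 minutes before detection.
ACCESS_WINDOW = timedelta(minutes=15)


def sha256_of(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(path):
    """Metadata a later run can be compared against, or None if the path is gone.

    stat() runs before the hash read on purpose: reading the file may bump
    its atime, which would hide the access pattern we want to record.
    """
    if not os.path.exists(path):
        return None
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime),
        "atime": datetime.fromtimestamp(st.st_atime),
        "sha256": sha256_of(path),
    }


def accessed_before_detection(snap, detected_at, window=ACCESS_WINDOW):
    """True when the last access falls inside `window` before the detection time."""
    if snap is None:
        return False
    return detected_at - window <= snap["atime"] <= detected_at


def triage(entries, window=ACCESS_WINDOW):
    """entries: list of (threat_name, path, detection datetime). One dict per entry."""
    results = []
    for threat, path, detected_at in entries:
        snap = snapshot(path)
        results.append({
            "threat": threat,
            "path": path,
            "exists": snap is not None,
            "sha256": snap["sha256"] if snap else None,
            "recently_accessed": accessed_before_detection(snap, detected_at, window),
        })
    return results


def diff_snapshots(before, after):
    """Paths whose hash changed, or which disappeared, between two triage runs."""
    after_by_path = {r["path"]: r for r in after}
    changed = []
    for r in before:
        a = after_by_path.get(r["path"])
        if a is None or a["sha256"] != r["sha256"]:
            changed.append(r["path"])
    return changed


def demo():
    """Constructed sample: two stand-in files in a temp dir, not real system files."""
    d = tempfile.mkdtemp()
    recent = os.path.join(d, "recently_read.plist")
    old = os.path.join(d, "untouched.dat")
    for p in (recent, old):
        with open(p, "wb") as f:
            f.write(b"constructed sample content for " + os.path.basename(p).encode())
    now = time.time()
    os.utime(recent, (now - 60, now - 60))      # read one minute before detection
    os.utime(old, (now - 86400, now - 86400))   # last touched a day earlier
    detected = datetime.fromtimestamp(now)
    entries = [("Mal/EncPk-ACR", recent, detected), ("Troj/BredoZp-S", old, detected)]
    first = triage(entries)
    second = triage(entries)   # stands in for the re-scan after reboot; disk unchanged
    return first, second, diff_snapshots(first, second)


if __name__ == "__main__":
    for row in demo()[0]:
        print(row["threat"], row["path"], "recently_accessed=%s" % row["recently_accessed"])
```

Keep the first run's output somewhere the scanner will not quarantine (a USB stick or a paste into the support case) so the comparison survives the cleanup the reply recommends.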
Ah the joys of time delayed conversations...
I too thought the system files listed might be some remnant of some kind. So…
on the iMac I killed the Application.htm files manually and cleared any remaining "bogus" items from the quarantine manager list. Also, deleted the original files back at source (Gmail).
on the MacBook Pro I did a complete new scan of the hard drive. Rebooted and cleaned the two Application.htm files found in Mail… Now we wait for On-access Scanning to find a new threat.
a day later… here is what I found on the MacBook Pro
Threat: Mal/Phish-A
Date: 2012-06-21 12:32 PM
Path and Filename:
,
/Library/Preferences/com.sophos.sav.plist
Threat: Troj/BredoZp-S
Date: 2012-06-21 12:30 PM
Path and Filename:
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
I have submitted these two files with Reference to 266729-3
2012-06-22 20:23
I have not touched the threats on the MacBook, and when Sophos found the same threats on another pass, the number of "infected" files increased.
Threat: Mal/EncPk-ACR
Date: 2012-06-21 4:38 PM and 2012-06-22 5:10 PM
Path and Filename:
/.Spotlight-V100/Store-V2/FE8F6CB9-1C20-44DA-98FC-0C2D86A22EFD/reverseStore.updates,
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist,
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/English.lproj/NetworkInterface.strings,
/Users/rjm/Library/Cookies/Cookies.binarycookies,
/usr/lib/dyld
Threat: Mal/Phish-A
Date: 2012-06-21 12:32 PM and 2012-06-22 5:26 PM
Path and Filename:
,
/Library/Preferences/com.sophos.sav.plist,
/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist,
/private/var/log/DiagnosticMessages/2012.06.22.asl,
/Users/elm/Library/PubSub/Feeds/67985d021933e1acca0a511092b9b134fd71a89e.xml
Threat: Troj/BredoZp-S
Date: 2012-06-21 12:30 PM and 2012-06-22 5:24 PM
Path and Filename:
/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist,
/Library/Preferences/SystemConfiguration/preferences.plist,
/private/var/log/asl/2012.06.22.U0.G80.asl,
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/Resources/English.lproj/NetworkInterface.strings,
/Users/npm/Library/Preferences/com.apple.PubSubAgent.plist,
/Library/Keychains/System.keychain
Any ideas?