How to restore access to a threat file so I can delete it?

Hi,

Sophos has detected threats, placed them in quarantine, and then they disappeared. After checking preferences I realized that it wasn't getting rid of them, but just restricting my access to them. This seems like the opposite of what you would want to do, as this ensures the file stays on your computer.

In any case, I have changed the preferences, but want to delete the most recent threat. It is in the /private/tmp folder, which I was able to view, and every 10-15 seconds I see the file name for a fraction of a second and then it disappears, which I imagine is being controlled by Sophos.

I would like to delete this file! My changing the preferences does not seem to be retroactive...and I still can't access this malware file.

Any help with this would be greatly appreciated, as this is going to BUG me like crazy. I want to get that stuff off my Mac.


This thread was automatically locked due to age.
  • If something disappears from quarantine with "delete files" disabled, that just means something else has deleted it.

    I'd suggest switching the setting to "quarantine and move" as then you'll still have the file if you need it.

    The behaviour you're describing sounds more like some other process is repeatedly attempting to write the file to your tmp folder, and Sophos is deleting it as it arrives.  As such, you'll want to figure out what process is writing this file to the temp folder; the command-line tool lsof should work for this (or Sloth.app, which is a front-end for this that you can download).

    Deleting by default is generally a bad idea, as if there's a false positive, you've lost the file for good.  Instead, Sophos prevents access to the file, essentially making it unusable, but leaves it in-place for an actual person to handle (either through the quarantine manager, where you can delete it, or by disabling on-access scanning, removing from quarantine, and then doing what you want with it).
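
One way to run the lsof check suggested in the reply above, as an added example that is not part of the original thread: because the file only exists for a fraction of a second, lsof is polled in a loop and its `-F` field output is parsed. The function names, the sample data and the file name you pass in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: poll lsof to see which process has a short-lived file open.
# owners_of, watch_writer and sample_lsof_fields are hypothetical names.

# Constructed sample of `lsof -F pcn` output (one field per line:
# p = PID, c = command name, f = file descriptor, n = file name).
sample_lsof_fields() {
    printf '%s\n' p412 cexampled f7 n/private/tmp/constructed.bin \
                  p977 cmdworker f12 n/private/tmp/other.tmp
}

# Read `lsof -F pcn` output on stdin, print "PID COMMAND PATH" for $1 only.
owners_of() {
    awk -v target="$1" '
        /^p/ { pid = substr($0, 2); cmd = "?" }   # new process set
        /^c/ { cmd = substr($0, 2) }              # its command name
        /^n/ { if (substr($0, 2) == target) print pid, cmd, target }
    '
}

# Poll for $1 about ten times a second for $2 rounds (default 600).
# lsof only reports a process while it still holds the file open, so a
# writer that closes the file very quickly can be missed between polls.
watch_writer() {
    target=$1 rounds=${2:-600} last="" i=0
    while [ "$i" -lt "$rounds" ]; do
        hit=$(lsof -F pcn -- "$target" 2>/dev/null | owners_of "$target")
        if [ -n "$hit" ] && [ "$hit" != "$last" ]; then
            printf '%s %s\n' "$(date '+%H:%M:%S')" "$hit"
            last=$hit
        fi
        sleep 0.1    # fractional sleep works on macOS, but is not strict POSIX
        i=$((i + 1))
    done
}

# Run as: sudo sh this-script.sh /private/tmp/FILENAME
# (sudo lets lsof see processes owned by other users)
[ "$#" -eq 0 ] || watch_writer "$@"
```

Use the `/private/tmp/...` form of the path rather than `/tmp/...`, since `/tmp` is a symlink on macOS and lsof reports the resolved name.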
