Sophos apparently has trouble dealing with "deleted" messages

For whatever reason, Sophos constantly lists a "MyDoom" virus in the Quarantine Manager -- even after running a scan.

Here is one excerpt from /Library/Logs/Sophos Anti-Virus.log:

com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'Mal/ZipMal-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156063/2/letter.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck: 
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:                              Scan of local drives required to complete cleanup
com.sophos.intercheck: 
com.sophos.intercheck: 2011-05-20 13:03:45 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Notify.imapmbox/Attachments/156112/3.3.2.2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied

All of these entries are generated (one assumes) when Sophos first scans the incoming mail on launch of the Mail app.

I have my own IMAP server, as well as using procmail to sort incoming mail into various inboxes.

I have a high volume of mail, perhaps 100+ messages a day.

I happen to have the mail app flag junk mail.

If I read mail and delete messages, most of these detected items wind up being deleted without being read.

I routinely empty the trash multiple times during a reading session.

When I'm done (and the trash emptied) I run Scan Local Drives:

Scan name: "mail + java"
Scan items: Path: /Users/magill/Library/Mail enabled: yes
            Path: /Users/magill/Library/Caches/Java enabled: yes
Configuration: Scan inside archives and compressed files: Yes
               Automatically clean up threats: No
               Action on infected files: Delete

It invariably reports: 21524 items scanned, 0 threats detected, 0 issues

However, the Quarantine Manager still reports: MyDoom as an entry. All of the other entries are cleared.

If I mouse over the Threat details section, I see an assortment of attachments, none of which still exist.

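As an added example (not from the original post and not Sophos code), the following Python script parses log lines in the format quoted above, groups detections by threat name, records the cleanup notes that follow each detection, and then checks whether each flagged attachment still exists on disk. That is the reconciliation the poster is doing by hand: a threat whose every detected file is gone is what one would expect Quarantine Manager to drop after a clean run. The sample log is constructed from the lines quoted in the post; the `exists` hook is an assumption so the check can be run without those files present.

```python
import os
import re
from collections import defaultdict

# Constructed sample, built from the log lines quoted in the post above.
SAMPLE_LOG = "\n".join([
    "com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in "
    "/Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip",
    "com.sophos.intercheck:                              Access to the file denied",
    "com.sophos.intercheck: ",
    "com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'Mal/ZipMal-B' detected in "
    "/Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156063/2/letter.zip",
    "com.sophos.intercheck:                              Access to the file denied",
    "com.sophos.intercheck: ",
    "com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in "
    "/Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip",
    "com.sophos.intercheck:                              Access to the file denied",
    "com.sophos.intercheck:                              Scan of local drives required to complete cleanup",
    "com.sophos.intercheck: ",
    "com.sophos.intercheck: 2011-05-20 13:03:45 -0400 Threat: 'Mal/BredoZp-B' detected in "
    "/Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Notify.imapmbox/Attachments/156112/3.3.2.2/FedEx mail.zip",
    "com.sophos.intercheck:                              Access to the file denied  ",
])

# A detection line: prefix, timestamp with UTC offset, threat name in quotes, then the path
# (which may contain spaces, so it runs to end of line minus trailing whitespace).
DETECT_RE = re.compile(
    r"^com\.sophos\.intercheck:\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})"
    r"\s+Threat: '(?P<threat>[^']+)' detected in (?P<path>.+?)\s*$"
)
# A continuation line: prefix, padding, then a status note. The bare separator line
# "com.sophos.intercheck: " has no non-space text after the prefix and is skipped.
NOTE_RE = re.compile(r"^com\.sophos\.intercheck:\s+(?P<note>\S.*?)\s*$")


def parse_log(text):
    """Return detections in log order as dicts {ts, threat, path, notes}."""
    entries = []
    for line in text.splitlines():
        m = DETECT_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "threat": m["threat"],
                            "path": m["path"], "notes": []})
            continue
        m = NOTE_RE.match(line)
        if m and entries:  # attach the note to the preceding detection
            entries[-1]["notes"].append(m["note"])
    return entries


def reconcile(entries, exists=os.path.exists):
    """Group detections by threat and split paths into still-present vs. missing.

    `exists` is an assumed hook (defaults to os.path.exists) so the check can be run
    against a fake file system. `needs_scan` records the 'Scan of local drives
    required to complete cleanup' note seen on the MyDoom entry in the post.
    """
    report = defaultdict(lambda: {"present": [], "missing": [], "needs_scan": False})
    for e in entries:
        bucket = report[e["threat"]]
        (bucket["present"] if exists(e["path"]) else bucket["missing"]).append(e["path"])
        if any("Scan of local drives required" in n for n in e["notes"]):
            bucket["needs_scan"] = True
    return dict(report)


def stale_threats(report):
    """Threats for which every detected file is gone from disk: the entries a user
    would expect a quarantine list to clear after a clean full scan."""
    return sorted(t for t, b in report.items() if b["missing"] and not b["present"])


if __name__ == "__main__":
    rep = reconcile(parse_log(SAMPLE_LOG))
    for threat, b in sorted(rep.items()):
        print(f"{threat}: {len(b['present'])} present, {len(b['missing'])} missing, "
              f"full scan required: {b['needs_scan']}")
    print("stale entries:", stale_threats(rep))
```

Run against the real /Library/Logs/Sophos Anti-Virus.log, any threat that appears in `stale_threats` but is still listed in Quarantine Manager is a record of a file that no longer exists, which is exactly the MyDoom case described above; the `needs_scan` flag marks the detections for which the log itself said a local-drive scan was required to finish cleanup.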

  • sublime323 wrote:
    I am having the exact same problem with Sophos' Quarantine Manager somehow remembering deleted files. In my case, it is Troj/Iframe-DV. The actual file associated with the virus will disappear, and then re-appear. And I will have clean scans for an hour or so, then Quarantine Manager pops up again with the same file. I've done countless Custom Scans. I've manually deleted the file. I've turned off Constant Scanning and Sophos, and then deleted the file. I've cleared all caches, and cookies, searched and scanned various libraries. Yet this file always returns. Any advice for resolving this once and for all? It is very frustrating.

    This sounds like a slightly different issue; Troj/iFrame-DV detects malicious iFrames on web pages. Most likely you had a web page refresh and re-add the malicious file to your web cache. The only way to resolve it once and for all is to avoid visiting the website with the hidden iFrame (via your web browser, or possibly via an app you're using that grabs content via HTTP).

    The IMAP issue is a bit trickier as he's got both a server and a client running, and has multiple processes managing the same files.
