
Sophos apparently has trouble dealing with "deleted" messages

For whatever reason, Sophos constantly lists a "MyDoom" virus in the Quarantine Manager -- even after running a scan.

Here is one excerpt from /Library/Logs/Sophos Anti-Virus.log:

com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'Mal/ZipMal-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156063/2/letter.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:                              Scan of local drives required to complete cleanup
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:03:45 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Notify.imapmbox/Attachments/156112/3.3.2.2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied

All of these entries are generated (one assumes) when Sophos first scans the incoming mail on launch of the Mail app.

I have my own IMAP server, as well as using procmail to sort incoming mail into various inboxes.

I have a high volume of mail, perhaps 100+ messages a day.

I happen to have the mail app flag junk mail.

If I read mail and delete messages, most of these detected items wind up being deleted without being read.

I routinely empty the trash multiple times during a reading session.

When I'm done (and the trash emptied) I run Scan Local Drives:

Scan name: "mail + java"
Scan items:
     Path: /Users/magill/Library/Mail enabled: yes
     Path: /Users/magill/Library/Caches/Java enabled: yes
Configuration:
     Scan inside archives and compressed files: Yes
     Automatically clean up threats: No
     Action on infected files: Delete

It invariably reports: 21524 items scanned, 0 threats detected, 0 issues

However, the Quarantine Manager still reports MyDoom as an entry. All of the other entries are cleared.

If I mouse over the Threat details section, I see an assortment of attachments, none of which still exist.

  • Here's another data point.

    I have 125 mailboxes for various mailing lists, with incoming mail sorted into them by procmail.

    Typically only 4 or 5 receive 10-15 messages a day while "incoming" receives probably around 100 a day.

    Primary mail server is a DEC Alpha running Tru64 Unix and an IMAP server.

    Additionally, my Gmail and .Mac mail accounts forward to this IMAP server but the Apple Mail app also queries them directly.

    All spam filtering is done on the iMac. (Except for whatever Gmail and .Mac do.)

    Doing some fairly systematic mail reading last evening.

    1- launch mail app. launch "activity window." 

    2- begin reading mail while waiting for misc messages to clear from activity.

    3- Sophos pops up with a quarantine Manager listing during reading.

    4- finish reading mail, having probably deleted 75% of messages (most marked by the mail app as "junk").

    6- empty mail trash

    5- again wait for activity to complete.

    6- quit mail

    7- Open quarantine manager -- note that there are 5 "W32/MyDoom-O" messages listed.

          Four are listed "Clean up manually." Each lists a single file in the "Threat Details Section"

          One is listed "Scan Local Drives." This one lists two files in the "Threat Details."

    8- Run "Custom Scan" -- "mail+java" -- as it scans, those listed as "Clean up Manually" are removed from the Quarantine Manager window.

    Scan name: "mail + java"
    Scan items:
         Path: /Users/magill/Library/Mail enabled: yes
         Path: /Users/magill/Library/Caches/Java enabled: yes
    Configuration:
         Scan inside archives and compressed files: Yes
         Automatically clean up threats: No
         Action on infected files: Delete
    Scan started at 2011-05-22 18:02:55 -0400
    2011-05-22 18:03:26 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Deleted Messages.imapmbox/Attachments/157283/2/message.zip/message.exe
                                 Deleted threat
    2011-05-22 18:03:26 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Deleted Messages.imapmbox/Attachments/157283/2/message.zip
                                 Deleted threat
    2011-05-22 18:03:43 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/157030/2/message.zip/message.exe
                                 Deleted threat
    2011-05-22 18:03:43 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/157030/2/message.zip
                                 Deleted threat
    Scan completed at 2011-05-22 18:05:14 -0400. 22151 items scanned, 4 threats detected, 0 issues

    =============

    9 - at this point only one item remains in the Quarantine Manager window -- the W32/MyDoom-O item, which lists two files in "Threat details."

    /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/157030/2/message.zip

    /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Deleted Messages.imapmbox/Attachments/157283/2/message.zip

    10- Re-run "mail+java" scan.

    11- no threats detected, but the Quarantine manager listing is unchanged.

    Scan name: "mail + java"
    Scan items:
    . . .
    Scan started at 2011-05-22 18:10:36 -0400
    . . .
    Scan completed at 2011-05-22 18:11:34 -0400. 22149 items scanned, 0 threats detected, 0 issues

    12 - 

    The file: magill@spacecat.mcgillsociety.org/Mail/Deleted Messages.imapmbox/Attachments/157283/2/message.zip

    does not exist -- but the folder "Attachments/157283/2/" does exist.

    157283/2:
    total 0
    0 drwxr-xr-x  2 magill  magill   68 May 22 18:03 .
    0 drwxr-xr-x  3 magill  magill  102 May 22 17:48 ..

    13- Same result for the attachment in the incoming box.

    14 - So I highlight and  "Clear from list".  .... until the next time.

    Note, the Forum software tagged my message as follows:

    "Your post has been changed because invalid HTML was found in the message body. The invalid HTML has been removed. Please review the message and submit the message when you are satisfied. "

    I did not have any HTML code in the message and see no obvious changes in my text.... who knows what just happened ... :(

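The reconciliation both posts do by hand (the on-access log excerpt in the first post, and the scan report plus the ls listing in this reply) can be scripted. The following is an added Python example, not Sophos code and not anything the poster ran: it parses threat lines in the format quoted in the thread, then checks whether each logged path (or, for a path inside an archive such as message.zip/message.exe, the archive itself) is still on disk. An entry whose file is gone but whose attachment folder survives empty is exactly the situation the ls listing shows, and is the kind of entry that only "Clear from list" will remove. The function names, the state labels and the throw-away directory tree built by demo() are this example's own assumptions; the sample log text is constructed from lines quoted in the thread.

```python
"""Parse Sophos Anti-Virus log threat lines and check which logged paths still exist.

Added example, not Sophos code. The log line format follows the lines quoted in
the thread; function names, state labels and the demo tree are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

# A threat line: optional "com.sophos.intercheck:" prefix (on-access log) or none
# (custom-scan report). The path may contain single spaces ("FedEx mail.zip");
# a trailing status such as "Deleted threat" is separated by two or more spaces.
THREAT_RE = re.compile(
    r"^(?:com\.sophos\.intercheck:\s*)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in (?P<path>.+?)"
    r"(?:\s{2,}(?P<status>\S.*?))?\s*$"
)
# Indented follow-up line ("Access to the file denied", "Deleted threat", ...).
CONT_RE = re.compile(r"^(?:com\.sophos\.intercheck:)?\s+(?P<status>\S.*?)\s*$")

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:                              Scan of local drives required to complete cleanup
2011-05-22 18:03:26 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Deleted Messages.imapmbox/Attachments/157283/2/message.zip/message.exe      Deleted threat
"""


@dataclass
class ThreatEvent:
    timestamp: str
    name: str
    path: str                        # as logged; may point inside an archive
    status: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    event: ThreatEvent
    on_disk: Optional[str]           # deepest existing prefix of the logged path
    state: str                       # "present", "stale" or "stale-empty-dir"


def parse_log(text: str) -> List[ThreatEvent]:
    """Turn log text into ThreatEvent records; indented lines attach to the previous event."""
    events: List[ThreatEvent] = []
    for line in text.splitlines():
        m = THREAT_RE.match(line)
        if m:
            ev = ThreatEvent(m["ts"], m["name"], m["path"])
            if m["status"]:
                ev.status.append(m["status"])
            events.append(ev)
            continue
        c = CONT_RE.match(line)
        if c and events:
            events[-1].status.append(c["status"])
    return events


def reconcile(events: List[ThreatEvent], root: str = "/") -> List[Verdict]:
    """Classify each event by what is left on disk under `root` (remapped for testing).

    present         -> the file (or the archive containing it) is still there
    stale-empty-dir -> file gone, but an empty attachment folder was left behind
    stale           -> nothing of the logged path remains below an existing folder
    """
    verdicts = []
    for ev in events:
        probe: Optional[str] = os.path.join(root, ev.path.lstrip("/"))
        # Walk up until some prefix of the logged path exists.
        while probe is not None and not os.path.exists(probe):
            parent = os.path.dirname(probe)
            probe = None if parent == probe else parent
        if probe is not None and os.path.isfile(probe):
            state = "present"
        elif probe is not None and os.path.isdir(probe) and not os.listdir(probe):
            state = "stale-empty-dir"
        else:
            state = "stale"
        verdicts.append(Verdict(ev, probe, state))
    return verdicts


def demo() -> dict:
    """Build a constructed tree mirroring the sample paths and reconcile against it.

    Returns {attachment number: state}."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail")
    # 156108: attachment still present -> still needs cleanup.
    d = os.path.join(base, "Incoming.imapmbox/Attachments/156108/2")
    os.makedirs(d)
    open(os.path.join(d, "FedEx mail.zip"), "wb").close()
    # 156047: Mail removed the whole attachment folder -> stale.
    # 157283: attachment removed, empty folder left behind (as in the ls listing).
    os.makedirs(os.path.join(base, "Deleted Messages.imapmbox/Attachments/157283/2"))
    verdicts = reconcile(parse_log(SAMPLE_LOG), root=root)
    return {v.event.path.split("/Attachments/")[1].split("/")[0]: v.state for v in verdicts}


if __name__ == "__main__":
    for number, state in demo().items():
        print(number, state)
```

Run against the real log (for example `reconcile(parse_log(open("/Library/Logs/Sophos Anti-Virus.log").read()))`), entries that come back "present" are the ones a rescan of the mail folder can still act on; "stale" and "stale-empty-dir" entries correspond to attachments Mail has already removed.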