Sophos apparently has trouble dealing with "deleted" messages

For whatever reason, Sophos constantly lists a "MyDoom" virus in the Quarantine Manager -- even after running a scan.

Here is one excerpt from /Library/Logs/Sophos Anti-Virus.log:

com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip

com.sophos.intercheck:                              Access to the file denied

com.sophos.intercheck: 

com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'Mal/ZipMal-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156063/2/letter.zip

com.sophos.intercheck:                              Access to the file denied

com.sophos.intercheck: 

com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip

com.sophos.intercheck:                              Access to the file denied

com.sophos.intercheck:                              Scan of local drives required to complete cleanup

com.sophos.intercheck: 

com.sophos.intercheck: 2011-05-20 13:03:45 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Notify.imapmbox/Attachments/156112/3.3.2.2/FedEx mail.zip

com.sophos.intercheck:                              Access to the file denied  

All of these entries are generated (one assumes) when Sophos first scans the incoming mail on launch of the Mail app.

I have my own IMAP server, as well as using procmail to sort incoming mail into various inboxes.

I have a high volume of mail, perhaps 100+ messages a day.

I happen to have the mail app flag junk mail.

If I read mail and delete messages, most of these detected items wind up being deleted without being read.

I routinely empty the trash multiple times during a reading session.

When I'm done (and the trash emptied) I run Scan Local Drives:

Scan name: "mail + java"

Scan items:
     Path: /Users/magill/Library/Mail enabled: yes
     Path: /Users/magill/Library/Caches/Java enabled: yes

Configuration:
    Scan inside archives and compressed files: Yes
    Automatically clean up threats: No
    Action on infected files: Delete

It invariably reports: 21524 items scanned, 0 threats detected, 0 issues

However, the Quarantine Manager still reports MyDoom as an entry. All of the other entries are cleared.

If I mouse over the Threat details section, I see an assortment of attachments, none of which still exist.

  • Added another "twist."

    After yesterday's update, I then did a "rebuild" on the inbox and deleted boxes.

    Prior to that, yes there was quite a bit of "crud" in both of them, especially "deleted" -- old messages which in fact were not there, but did exist on disk (visible via terminal and "ls -als").

    The rebuild clears the directory and then re-downloads and re-indexes the messages. ... all of the "crud" was gone. Went from about 75 entries visible in "deleted" (after the "trash" had been emptied) to the current deleted messages, i.e. zero.

    One thing which I noticed in "today's" launch of mail.app ... The Quarantine Manager has multiple My/Doom messages "clean up manually," all for single files, but seems to always have one My/Doom entry "scan local drives" which contains multiple files (in the Threat Details section).

    Also...

    The Quarantine Manager has 10 entries -- all stamped 4:05PM. However, the "/Library/logs/Sophos Anti-Virus.log" file only shows 8 entries, half of which are stamped 16:05 and half 16:36.

    --------<start log>-------

    com.sophos.intercheck: 2011-05-23 16:05:11 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck: 

    com.sophos.intercheck: 2011-05-23 16:05:11 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158495/2/tedbf.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck: 

    com.sophos.intercheck: 2011-05-23 16:05:11 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158503/2/text.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck: 

    com.sophos.intercheck: 2011-05-23 16:05:11 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158514/2/message.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck: 

    com.sophos.intercheck: 2011-05-23 16:36:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck: 

    com.sophos.intercheck: 2011-05-23 16:36:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158495/2/tedbf.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck: 

    com.sophos.intercheck: 2011-05-23 16:36:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158503/2/text.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck:

    com.sophos.intercheck: 2011-05-23 16:36:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158514/2/message.zip

    com.sophos.intercheck:                              Access to the file denied

    com.sophos.intercheck:                              Scan of local drives required to complete cleanup

    com.sophos.intercheck: 

    com.sophos.autoupdate: Info:Checked primary server at 16:49 on 23 May 2011

    com.sophos.autoupdate: Sophos Anti-Virus is up to date

    ----------<end log> ----------

    What is interesting (besides the fact that the two groups of 4 are the same files) is that they are the same files showing in the Quarantine Manager window under the single "My/Doom - scan local drives" entry.

    Apparently, the reason that "access is denied" is ...

    ----------<cut here> ----------

    ls -ale@ 158514/*

    total 32

    drwxr-xr-x  3 magill  magill    102 May 23 16:05 .

    drwxr-xr-x  3 magill  magill    102 May 23 16:05 ..

    -rw-r--r--@ 1 magill  magill  29104 May 23 16:05 message.zip

                com.apple.quarantine   70 

    ----------<cut here> ----------

    xattr -l

    158490/2/document.zip: com.apple.quarantine: 0000;4dd9d4cc;Mail;BA111E79-7B99-471C-BCCB-08925E0D6F14|com.apple.mail
    158495/2/tedbf.zip: com.apple.quarantine: 0000;4dd9f184;Mail;8F51489E-044C-4B24-8C43-61642C4DC7AA|com.apple.mail
    158503/2/text.zip: com.apple.quarantine: 0000;4dda21ed;Mail;58BAEC14-158A-47AD-8B9B-5BDA2BD9A166|com.apple.mail
    158514/2/message.zip: com.apple.quarantine: 0000;4dda3ccb;Mail;D47EFB9B-27C9-40B1-B0ED-6AC487D645FA|com.apple.mail

    ----------<cut here> ----------

    At any rate, only those 4 files show up in the log, not the "clean up manually" files.

    Then when I run the scan it cleans them all up, but doesn't delete that last entry from the Quarantine Manager. (All 9 entries are gone. Only the last entry, containing the multiple entries (apparently the same files listed individually), remains.)

    ----------<cut here> ----------

    Scan name: "mail + java"

    Scan items:

         Path: /Users/magill/Library/Mail enabled: yes

         Path: /Users/magill/Library/Caches/Java enabled: yes

    Configuration:

        Scan inside archives and compressed files: Yes

        Automatically clean up threats: No

        Action on infected files: Delete
    Scan started at 2011-05-23 17:59:03 -0400
    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip/DOCUMENT.COM

                                 Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip

                                 Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158495/2/tedbf.zip/tedbf.htm                                      .com

                                 Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158495/2/tedbf.zip 

                                Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158503/2/text.zip/text.scr

                                 Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158503/2/text.zip

                                 Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158514/2/message.zip/message.zip/MESSAGE.SCR

                                 Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158514/2/message.zip/message.zip

                                 Deleted threat

    2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/158514/2/message.zip

                                 Deleted threat
    Scan completed at 2011-05-23 18:01:08 -0400.

    21171 items scanned, 9 threats detected, 0 issues

    ----------<cut here> ----------

    Let me know if there is anything else I can send you.
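The on-access (intercheck) and on-demand scan log formats quoted in this thread, reconciled by a small Python script added here as an example (not the poster's or Sophos's code; the sample log and its /Users/example paths are constructed). It parses the 'Threat:' lines from Sophos Anti-Virus.log, folds archive members and repeated on-access detections back to the one file Mail.app stored on disk, and marks entries whose file the scan already deleted as stale, which is the situation the Quarantine Manager keeps listing.

```python
import os
import re

# Constructed sample in the shape of /Library/Logs/Sophos Anti-Virus.log (paths made up).
SAMPLE_LOG = """\
com.sophos.intercheck: 2011-05-23 16:05:11 -0400 Threat: 'W32/MyDoom-O' detected in /Users/example/Library/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:                              Scan of local drives required to complete cleanup
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-23 16:36:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/example/Library/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip
com.sophos.intercheck: 2011-05-23 16:36:59 -0400 Threat: 'Mal/ZipMal-B' detected in /Users/example/Library/Mail/Incoming.imapmbox/Attachments/158063/2/letter.zip
com.sophos.intercheck:                              Access to the file denied
Scan started at 2011-05-23 17:59:03 -0400
2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/example/Library/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip/DOCUMENT.COM
                                 Deleted threat
2011-05-23 17:59:44 -0400 Threat: 'W32/MyDoom-O' detected in /Users/example/Library/Mail/Incoming.imapmbox/Attachments/158490/2/document.zip
                                 Deleted threat
"""

# A 'Threat:' line, with or without the intercheck daemon prefix.
THREAT_RE = re.compile(
    r"^(?:com\.sophos\.intercheck:\s*)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in (?P<path>.+?)\s*$")
# An indented follow-up status line ("Access to the file denied", "Deleted threat", ...).
STATUS_RE = re.compile(r"^(?:com\.sophos\.intercheck:)?\s+(?P<status>\S.*?)\s*$")


def parse_log(text):
    """Return one dict per 'Threat:' line, carrying the status lines that follow it."""
    events = []
    for line in text.splitlines():
        m = THREAT_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "name": m["name"], "path": m["path"], "status": []})
        elif events and (s := STATUS_RE.match(line)):
            events[-1]["status"].append(s["status"])
    return events


def archive_root(path):
    """Map an archive-member path (x.zip/INNER.COM) to the outermost .zip stored on disk."""
    parts = path.split("/")
    for i, part in enumerate(parts):
        if part.lower().endswith(".zip"):
            return "/".join(parts[:i + 1])
    return path


def reconcile(events, exists=os.path.exists):
    """Group events by on-disk file; 'hits' counts every log line naming it (re-detections
    and archive members inflate it), 'stale' marks a deleted file that is now gone."""
    report = {}
    for ev in events:
        key = archive_root(ev["path"])
        entry = report.setdefault(key, {"name": ev["name"], "hits": 0, "needs_scan": False, "deleted": False})
        entry["hits"] += 1
        entry["needs_scan"] |= any(s.startswith("Scan of local drives") for s in ev["status"])
        entry["deleted"] |= any(s.startswith("Deleted threat") for s in ev["status"])
    for key, entry in report.items():
        entry["present"] = exists(key)  # default os.path.exists; injectable for offline runs
        entry["stale"] = entry["deleted"] and not entry["present"]
    return report


if __name__ == "__main__":
    for path, e in reconcile(parse_log(SAMPLE_LOG), exists=lambda p: False).items():
        print(f"{e['name']:<13} hits={e['hits']} deleted={e['deleted']} stale={e['stale']} {path}")
```

On a real machine, feed it the actual log with `reconcile(parse_log(open("/Library/Logs/Sophos Anti-Virus.log").read()))` and leave the default `exists`.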
