
Sophos apparently has trouble dealing with "deleted" messages

For whatever reason, Sophos constantly lists a "MyDoom" virus in the Quarantine Manager -- even after running a scan.

Here is one excerpt from /Library/Logs/Sophos Anti-Virus.log:

com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip

com.sophos.intercheck:                              Access to the file denied

com.sophos.intercheck: 

com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'Mal/ZipMal-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156063/2/letter.zip

com.sophos.intercheck:                              Access to the file denied

com.sophos.intercheck: 

com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip

com.sophos.intercheck:                              Access to the file denied

com.sophos.intercheck:                              Scan of local drives required to complete cleanup

com.sophos.intercheck: 

com.sophos.intercheck: 2011-05-20 13:03:45 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Notify.imapmbox/Attachments/156112/3.3.2.2/FedEx mail.zip

com.sophos.intercheck:                              Access to the file denied  

All of these entries are generated (one assumes) when Sophos first scans the incoming mail on launch of the Mail app.

I have my own IMAP server, as well as using procmail to sort incoming mail into various inboxes.

I have a high volume of mail, perhaps 100+ messages a day.

I happen to have the mail app flag junk mail.

If I read mail and delete messages, most of these detected items wind up being deleted without being read.

I routinely empty the trash multiple times during a reading session.

When I'm done (and the trash emptied) I run Scan Local Drives:

Scan name: "mail + java"

Scan items:
    Path: /Users/magill/Library/Mail enabled: yes
    Path: /Users/magill/Library/Caches/Java enabled: yes

Configuration:
    Scan inside archives and compressed files: Yes
    Automatically clean up threats: No
    Action on infected files: Delete

It invariably reports: 21524 items scanned, 0 threats detected, 0 issues

However, the Quarantine Manager still reports MyDoom as an entry. All of the other entries are cleared.

If I mouse over the Threat details section, I see an assortment of attachments, none of which still exist.


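To check whether the Quarantine Manager entries refer to files that still exist, here is an added Python example (not from the post and not Sophos code) that parses the Sophos Anti-Virus.log format quoted above, attaches each indented follow-up line to its 'Threat:' line, and reports per threat name how many detected paths are gone from disk. The sample log text is constructed from the excerpt; point it at the real /Library/Logs/Sophos Anti-Virus.log to compare against the actual attachment files.

```python
import os
import re

# Constructed sample in the format of the Sophos Anti-Virus.log excerpt quoted in the post.
SAMPLE_LOG = """\
com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:                              Scan of local drives required to complete cleanup
"""

# A detection line carries a timestamp, the threat name and the full path
# (which may contain spaces, e.g. "FedEx mail.zip").
THREAT_RE = re.compile(
    r"^com\.sophos\.intercheck: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in (?P<path>.+)$"
)
# Follow-up status lines are indented under the prefix and have no timestamp.
NOTE_RE = re.compile(r"^com\.sophos\.intercheck:\s+(?P<note>\S.*)$")


def parse_detections(text):
    """One dict per 'Threat:' line; the indented status lines that follow it
    (e.g. 'Access to the file denied') are attached as that entry's notes."""
    detections = []
    for line in text.splitlines():
        m = THREAT_RE.match(line)
        if m:
            detections.append({**m.groupdict(), "notes": []})
            continue
        m = NOTE_RE.match(line)
        if m and detections:
            detections[-1]["notes"].append(m.group("note").strip())
    return detections


def stale_entries(detections, exists=os.path.exists):
    """Per threat name: paths the log names, how many no longer exist on disk,
    and whether the on-access scanner deferred cleanup to a local-drives scan.
    A name whose paths are all gone yet still listed in Quarantine Manager is stale."""
    report = {}
    for d in detections:
        r = report.setdefault(d["name"], {"paths": 0, "missing": 0, "cleanup_pending": False})
        r["paths"] += 1
        if not exists(d["path"]):
            r["missing"] += 1
        if any(n.startswith("Scan of local drives") for n in d["notes"]):
            r["cleanup_pending"] = True
    return report
```

The `exists` parameter defaults to a real filesystem check; pass your own callable to dry-run against a log copied from another machine.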
  • I just thought of something... some mailboxes tend to have an index file and a data file... when you delete a message, it deletes the index entry, but the data is still inside the data file.

    Since the index entry is gone, you can no longer "see" the malware in the mailsystem... but if you open the data file with a text editor, you'll find the actual email is still there.

    Since mailboxes of this sort contain more than one message, you often cannot "delete" the message without wiping out the entire data file.  If the file is still open for access from your mail app, it won't be deletable.

    However, Mail.app can still extract the attachments from this file, and those can be detected and deleted.

    SAV will detect many malicious files right through a base64 or MIME encoded wrapper inside a larger database.

    I wonder if some of this is what's going on here.... I haven't investigated recently how Apple is currently handling local indexes of IMAP folders.

    Of course, this might all be way off, and we're dealing with some Quarantine Manager logfile index management corruption here.
