
Sophos apparently has trouble dealing with "deleted" messages

For whatever reason, Sophos constantly lists a "MyDoom" virus in the Quarantine Manager -- even after running a scan.

Here is one excerpt from /Library/Logs/Sophos Anti-Virus.log:

com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156108/2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'Mal/ZipMal-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156063/2/letter.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Incoming.imapmbox/Attachments/156047/2/mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:                              Scan of local drives required to complete cleanup
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:03:45 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/magill/Library/Mail/IMAP-magill@spacecat.mcgillsociety.org/Mail/Notify.imapmbox/Attachments/156112/3.3.2.2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied

All of these entries are generated (one assumes) when Sophos first scans the incoming mail on launch of the Mail app.

I have my own IMAP server, as well as using procmail to sort incoming mail into various inboxes.

I have a high volume of mail, perhaps 100+ messages a day.

I happen to have the mail app flag junk mail.

If I read mail and delete messages, most of these detected items wind up being deleted without being read.

I routinely empty the trash multiple times during a reading session.

When I'm done (and the trash emptied) I run Scan Local Drives:

Scan name: "mail + java"
Scan items:    Path: /Users/magill/Library/Mail  enabled: yes
               Path: /Users/magill/Library/Caches/Java  enabled: yes
Configuration: Scan inside archives and compressed files: Yes
               Automatically clean up threats: No
               Action on infected files: Delete

It invariably reports: 21524 items scanned, 0 threats detected, 0 issues

However, the Quarantine Manager still reports MyDoom as an entry. All of the other entries are cleared.

If I mouse over the Threat details section, I see an assortment of attachments, none of which still exist.

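To see which of the logged detections refer to files that no longer exist (the situation described in the post, where the mail attachments were deleted but Quarantine Manager still lists the threat), here is a small added parser for lines in the format of the /Library/Logs/Sophos Anti-Virus.log excerpt above. It is example code written for this page, not Sophos's own tooling; the sample log lines and paths are constructed, and the `exists` callback is injectable so the check can be run without the real files.

```python
import os
import re
from collections import namedtuple

Detection = namedtuple("Detection", "time threat path notes")

# A detection line: timestamp, quoted threat name, then the path (which may contain spaces).
_THREAT_RE = re.compile(
    r"^com\.sophos\.intercheck: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '([^']+)' detected in (.+?)\s*$"
)
# Continuation lines carry no timestamp, only an indented note about the previous detection.
_NOTE_RE = re.compile(r"^com\.sophos\.intercheck:\s+(\S.*?)\s*$")

CLEANUP_NOTE = "Scan of local drives required to complete cleanup"

# Constructed sample in the same layout as the log excerpt in the post (paths are made up).
SAMPLE_LOG = """\
com.sophos.intercheck: 2011-05-20 13:02:54 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/example/Library/Mail/Incoming.imapmbox/Attachments/1/2/FedEx mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2011-05-20 13:02:59 -0400 Threat: 'W32/MyDoom-O' detected in /Users/example/Library/Mail/Incoming.imapmbox/Attachments/3/2/mail.zip
com.sophos.intercheck:                              Access to the file denied
com.sophos.intercheck:                              Scan of local drives required to complete cleanup
"""


def parse_detections(log_text):
    """Group each 'Threat:' line with the indented note lines that follow it."""
    detections = []
    for line in log_text.splitlines():
        m = _THREAT_RE.match(line)
        if m:
            detections.append(Detection(m.group(1), m.group(2), m.group(3), []))
            continue
        m = _NOTE_RE.match(line)
        if m and detections:
            detections[-1].notes.append(m.group(1))
    return detections


def stale_detections(detections, exists=os.path.exists):
    """Detections whose file is gone: candidates for a lingering Quarantine Manager entry."""
    return [d for d in detections if not exists(d.path)]


def needs_local_scan(detections):
    """Threat names for which intercheck asked for a local-drive scan to finish cleanup."""
    return sorted({d.threat for d in detections if CLEANUP_NOTE in d.notes})
```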


  • To Agile- re: web cache and my Troj/iFrame-DV virus: I clear my web cache every single time I close my web browsers. And at least once every few days through an external program. And I had cleared my web cache NUMEROUS times during this problem. Yet Sophos ALWAYS found the file once again, after I deleted it, and it came back. Also- the infected file that Sophos was detecting was actually an .emlx file, in my Mac mail in-box. I'm not certain that it isn't a related issue. For me, FINALLY, I was able to clear it (at least for 1 day- a record thus far!), by setting Sophos to move the infected file to a folder, and then, per one of the help articles here, setting my Spotlight preferences to exclude that folder. I turned off the Sophos scanning. Then I used an external app to securely delete and overwrite the infected file. After a re-start, everything has been okay but it SURE has not been easy. Lots of trial and error, and throwing the proverbial kitchen sink out to try to get rid of this.