
Automatically Deleted Malware?

Recently, Sophos detected a few Mal-A Phishing (I can't remember the exact name) viruses. I unlocked by entering my account's password to get rid of the viruses. Right after I entered my password, the entry disappeared. I could no longer trace and delete it manually. So, I was wondering... is it possible that Sophos automatically deleted the phishing virus after I authenticated as the administrator?

Thank you so much for your help and guidance.

:1002883


This thread was automatically locked due to age.
  • The detection would have been on an email message... if you deleted the spam message, the detection would go away.  If you check the detection logs and it points to your mail folder to a file that no longer exists, that's your answer :)

    :1002899
  • Hi,

    Thanks for the prompt reply. Where can I find the detection log?

    :1002905

  • arricalee wrote:

    Hi,

    Thanks for the prompt reply. Where can I find the detection log?


    After doing a manual scan, you can select View Scan Log (command-shift-L) from the Scan menu; if you want to view all the logs, the easiest way to do so is press command-spacebar, type in console, hit return, and navigate to FILES > ~/Library/Logs > Sophos Anti-Virus > Scans.  This will list a separate "folder" for each scan you've created, with a single log entry inside for each time it was run.

    :1002915
  • Thanks. I found the file; it's in the private/temp/... folder. But I have no idea why the file keeps appearing and disappearing. After a quick check I found out that the file is not accessible. How can I get rid of it?

    :1002919
  • If it's in the temp folder, that means it is a temporary file created by some other program, likely a mail program -- are you using IMAP via Mail.app?

    The reason it keeps vanishing and coming back is that the program loading the file is just caching it temporarily.

    If you want to dig under the hood, you could try opening Terminal.app and typing lsof when the file exists -- this command will list all open files, and tell you what application has the file open.  This will give you a clue as to where to look to find the root of the issue.

    :1002925
  • Thank you so much. I did as you said, but the path came out to be quicklook and I am not even sure what quicklook is.

    quicklook 1621 arricalee  cwd      DIR       14,2       204     24965

    Is it dangerous if I just leave it there, or do I need to get rid of it? But how? Since it is hidden and only appears sometimes, I can't find it.

    I appreciate your help and guidance.

    :1002927
  • Quicklook is the engine that lets you preview files in the Finder, Mail, and many other apps by pressing the space bar.  If you don't have the document open via Quicklook (which I presume you don't), then it is likely that the file is being indexed by the process to create a preview.

    :1002933
  • So is it safe to leave it there?

    :1002935
  • Yes, as it's a phish detection -- which means it depends on your falling for the ruse for anything to happen.  However, if you're so inclined, it's probably worth trying to track down what is generating this temp file in the first place that quicklook is scanning.  Hint: it's likely a .doc, .pdf or .xls file attached to an email.

    :1002937
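The lsof check suggested in the thread, as an added example that is not part of the original posts: it polls until the transient file exists, then lists only the processes that have it open as a file descriptor, skipping `cwd` entries like the one pasted above. The function names, the `/private/tmp/example/...` path and the Mail entry in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the Mail entry are constructed.

# Print "command pid fd" for each entry in `lsof -F pcfn` output (stdin) whose
# name is TARGET or lies under it. cwd/rtd/txt entries are skipped: they are a
# working directory or program text, not the file opened as data.
holders_from_lsof() {
    TARGET=$1 awk '
        /^p/ { pid = substr($0, 2); cmd = ""; fd = ""; next }
        /^c/ { cmd = substr($0, 2); next }
        /^f/ { fd = substr($0, 2); next }
        /^n/ {
            name = substr($0, 2); t = ENVIRON["TARGET"]
            if (fd == "cwd" || fd == "rtd" || fd == "txt") next
            if (name == t || index(name, t "/") == 1) print cmd, pid, fd
        }'
}

# watch_path TARGET [TRIES] [INTERVAL]: poll for a file that appears and
# disappears, and report its holders the first time lsof catches it open.
# Returns 1 if nothing was caught. Fractional sleep works on macOS.
watch_path() {
    target=$1; tries=${2:-600}; interval=${3:-0.2}
    while [ "$tries" -gt 0 ]; do
        if [ -e "$target" ]; then
            out=$(lsof -F pcfn -- "$target" 2>/dev/null | holders_from_lsof "$target")
            if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
        fi
        tries=$((tries - 1))
        sleep "$interval"
    done
    return 1
}

# Constructed `lsof -F pcfn` output: one cwd entry (ignored), two real opens of
# the target, and one unrelated file.
sample_lsof() {
    printf '%s\n' \
        p1621 cquicklook fcwd n/private/tmp/example \
        f9 n/private/tmp/example/attachment.pdf \
        p402 cMail f23 n/private/tmp/example/attachment.pdf \
        p77 cFinder f5 n/Users/example/notes.txt
}

# Usage: watch_path /private/tmp/example/attachment.pdf
# Offline: sample_lsof | holders_from_lsof /private/tmp/example/attachment.pdf
```

A process that shows up only with `cwd` is sitting in that directory; the process listed with a numeric descriptor is the one actually reading the file.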