
Custom scan cannot delete threat from Time Machine backup

Hello, Team!

My Computer Specs:

iMac (Intel desktop), OS X Lion. Home Edition. Latest updates (auto-updated daily).

Two hard drives installed when purchased: Mac HD and HD 2.

HD 2 holds my backups:

2012-04-19 09:39:57 -0400 Threat: 'Mal/Iframe-F' detected in /Volumes/Macintosh HD 2/

I'm the admin. I set my Mac to show all hidden files.

No Windows software is being used.

Problem:

Finder alerted me that the file cannot be removed via Finder because it's in a backup file in Time Machine.

I am only using Sophos, (no other 3rd party A/V's, etc) which I just installed a few days ago, after the news briefs.

I did as thorough a search in the community forum for the Mac home edition, including advanced searches, as possible, to the best of my knowledge. 

I also read and absorbed this topic, but am holding off on doing Andrew's "gutsy solution" in case it is not relevant to this issue:

http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Issues-with-deleting-some-malware-through-custom-scans/m-p/2941

Screenshot shows the issue, the custom scan, the instructions from Sophos and the threat itself.

I no longer have the account to which the cache files refer, so I cannot delete them that way. You'll see from the path.

I tried to find the exact cache file by copying the entire string, and got to the point where I could create two custom scans. There are hundreds of cache files, and I tried to find that single one from within Time Machine, but it became extremely difficult. Because of the difficulty of finding that one specific cache file, I created a custom scan that contains the folder directly holding these cache files (per other posts in this forum). Thank you!

Quarantine Manager reported finding the following:

Threat:  Mal/Iframe-F

Clicking the threat brought me to the below page which says:

"Affected Operating Systems: Windows" 

That page suggests I install your free Virus Removal Tool; I clicked the Free Mac A/V for OS X link, which brought me to the installer for the same software I'm already using.

I am not using Windows (in case this matters).

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Iframe-F.aspx

Threat:  Mal/Iframe-F

Aliases: Trojan-Downloader.JS.Iframe.bxs

Note: I entered the word "blank" in place of user names, IDs and account names in the full paths when posting this info to the forum.

Full paths reported by Quarantine Manager:

Threat:  Mal/Iframe-F

Path and filename:

/Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident/browser_profile/cache/http/cache_16a50254fb67a90aeabadc97f938534b767c87f1.cache

Action Available: The threat cannot be cleaned up. Please click the threat name above for manual cleanup instructions.

Followed Steps 11 through 15 from here:

KB: http://www.sophos.com/support/knowledgebase/article/112129.html

Ran the custom scans six times, including overnight. Time Machine just stays there until I get out of it with Esc.

The file does not get removed.

Log:

Sophos Anti-Virus

Product version: 8.0.2C

Detection engine version: 3.30.0

Detection data version: 4.76

Release date: 02 April 2012

Detects 3482976 threats

NSHumanReadableCopyright

Using IDE files:  **deleted for brevity**

CREATED CUSTOM SCAN and selected two paths to scan:

Scan name: "manual threat removal"

Scan items:

Path: /Volumes/Macintosh HD 2/Backups.backupdb/blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/browser_profile/cache/http enabled: yes

Path: /Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident enabled: yes

Configuration:

Scan inside archives and compressed files: Yes

Automatically clean up threats: Yes

Action on infected files: Delete

Live Protection enabled: Yes

Immediate scan started at 2012-04-19 09:39:38 -0400

2012-04-19 09:39:57 -0400 Threat: 'Mal/Iframe-F' detected in /Volumes/Macintosh HD 2/Backups.backupdb/Blank iMac/2011-11-29-131433/Macintosh HD/Users/blank/Library/Application Support/SecondLife/blank_resident/browser_profile/cache/http/cache_16a50254fb67a90aeabadc97f938534b767c87f1.cache

Clean up not available for this threat

Issue deleting threat

Scan completed at 2012-04-19 09:40:08 -0400.

3250 items scanned, 1 threats detected, 1 issues

Threat can't be removed from Time Machine via custom scan

I hope I provided enough info.  Thank you for your time and help!

Quandary



  • Did I give too much information? I hope someone, maybe an admin, can help me with this. I ran another full scan and it found the threat again.

    Thank you.

  • Since the malicious iFrame was detected in a web cache, you can actually delete ALL the contents of the web cache folder (they aren't needed in backups; I'm actually surprised Time Machine backs them up).  To prevent this from happening in the future, you could add the path to the cache folder to your on-access exclusion list if you wanted to.  Or, you could go one step further and add it to your Time Machine exclusion list, which would also save space and speed up backups.

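Andrew's reply comes down to three things: the flagged file is just a browser-cache entry, so the whole cache directory can go; the live cache directory should be excluded from Time Machine so it is not backed up again; and a custom scan pointed at one snapshot cannot touch backup items anyway. One detail the thread does not spell out is that Time Machine keeps an entry for an unchanged file in every snapshot taken while it existed (the snapshots hard-link it), so the same cache file is usually present under several `Backups.backupdb/<machine>/<snapshot>/` directories, not only the one the scanner named. The script below is an added example, not code from the forum thread or from Sophos: given the path the scanner reported, it splits it into backup set, machine, snapshot, volume and in-volume path, lists every snapshot of that machine that still holds the file (so you know which ones to remove the cache from in Time Machine), maps the file back to its location on the live boot volume, and prints the `tmutil addexclusion -p` command that adds that cache directory to the Time Machine exclusion list. The `build_fixture` function builds a constructed fake backup tree in a temporary directory that mirrors the thread's paths, with "blank" standing in for account names exactly as the poster did; nothing here runs `tmutil` or deletes anything.

```python
#!/usr/bin/env python3
"""Added example (not from the Sophos forum thread): locate every Time Machine
snapshot that still carries a scanner-flagged file, map it back to the live
path on the boot volume, and emit the Time Machine exclusion command.

Nothing here deletes files or runs tmutil; it reports and builds commands only.
"""
import os
import re
import tempfile
from pathlib import Path

# Time Machine names snapshot folders YYYY-MM-DD-HHMMSS, e.g. 2011-11-29-131433.
SNAPSHOT_RE = re.compile(r"^\d{4}-\d{2}-\d{2}-\d{6}$")


def split_backup_path(detected):
    """Split '/Volumes/<disk>/Backups.backupdb/<machine>/<snapshot>/<volume>/<rel>'
    into (backupdb_dir, machine, snapshot, volume, rel).
    Raises ValueError for anything that is not laid out like a Time Machine backup."""
    parts = Path(detected).parts
    if "Backups.backupdb" not in parts:
        raise ValueError("not inside a Time Machine backup: %s" % detected)
    i = parts.index("Backups.backupdb")
    # need machine, snapshot, volume and at least one path component inside the volume
    if len(parts) < i + 5 or not SNAPSHOT_RE.match(parts[i + 2]):
        raise ValueError("unexpected Backups.backupdb layout: %s" % detected)
    backupdb = Path(*parts[: i + 1])
    machine, snapshot, volume = parts[i + 1], parts[i + 2], parts[i + 3]
    rel = Path(*parts[i + 4:])
    return backupdb, machine, snapshot, volume, rel


def snapshots_containing(detected):
    """Every snapshot of the same machine in which the flagged file still exists.
    A custom scan of a single snapshot path only sees one of these copies."""
    backupdb, machine, _snapshot, volume, rel = split_backup_path(detected)
    machine_dir = backupdb / machine
    return [
        entry
        for entry in sorted(os.listdir(machine_dir))
        if SNAPSHOT_RE.match(entry) and (machine_dir / entry / volume / rel).is_file()
    ]


def live_path(detected, boot_volume="Macintosh HD"):
    """Map the backed-up copy to its location on the running system.
    Assumption: the boot volume is mounted at '/', any other volume under /Volumes."""
    _b, _m, _s, volume, rel = split_backup_path(detected)
    if volume != boot_volume:
        return Path("/Volumes") / volume / rel
    return Path("/") / rel


def exclusion_commands(detected):
    """Command that adds the live browser-cache directory to the Time Machine
    exclusion list.  'tmutil addexclusion -p' creates a fixed-path exclusion and
    needs root.  Assumption: the cache root is two levels above the flagged file
    (.../cache/http/<file>), as in the thread's SecondLife profile layout."""
    cache_root = live_path(detected).parents[1]
    return ['sudo tmutil addexclusion -p "%s"' % cache_root]


def build_fixture(root):
    """Constructed test data, not a real backup: three snapshots of 'Blank iMac',
    two of which still hold the flagged cache file.  Returns the path a scanner
    would report for the copy in the oldest snapshot."""
    rel = Path(
        "Users/blank/Library/Application Support/SecondLife/blank_resident/"
        "browser_profile/cache/http/"
        "cache_16a50254fb67a90aeabadc97f938534b767c87f1.cache"
    )
    db = Path(root) / "Macintosh HD 2" / "Backups.backupdb" / "Blank iMac"
    snapshots = (
        ("2011-11-29-131433", True),
        ("2012-01-05-080000", True),
        ("2012-04-18-230000", False),  # cache already cleared before this backup
    )
    for snap, holds_file in snapshots:
        target = db / snap / "Macintosh HD" / rel
        target.parent.mkdir(parents=True)
        if holds_file:
            target.write_text("cached page body (placeholder, not malicious)\n")
    return str(db / "2011-11-29-131433" / "Macintosh HD" / rel)


def demo():
    """Run the whole flow against the constructed fixture and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        detected = build_fixture(tmp)
        return {
            "snapshots": snapshots_containing(detected),
            "live_path": str(live_path(detected)),
            "commands": exclusion_commands(detected),
        }


if __name__ == "__main__":
    result = demo()
    print("snapshots still holding the file:", result["snapshots"])
    print("live path on the boot volume:    ", result["live_path"])
    for cmd in result["commands"]:
        print(cmd)
```

Run it against a real detection by replacing the fixture path with the string from the Sophos log; the snapshot list tells you which backups to open in Time Machine and clear the cache folder from, and the printed `tmutil` command prevents the next backup from copying the cache back in. The on-access exclusion Andrew mentions is set in the Sophos preferences rather than from the command line, so it is not generated here.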
  • Hi, Andrew,

    I'll follow your tips for excluding those cache files from being backed up. Please see the next message for the results that resolved this problem and got rid of the threat.

    Thanks so much for the replies!

  • Fixed. Thank you very much, Andrew! Big Kudos to you!  (I hope others will give credit to the people who help us. Maybe they don't understand how to rate the support answers)

    I attempted to delete one cache file from the backups folder on my HD, to see if that would work. It didn't; the Trash indicated: "The operation can't be completed because backup items can't be modified."

    Next, I rebooted, ran Time Machine and was able to delete the cache folder that held the threat.

    I closed Time Machine and then right-clicked some more cache folders on my backup HD and was able to delete them (as you suggested) after entering my password. (I'm not sure why it wouldn't let me delete those the first time).

    I then ran the manual scan and the threat was gone.  I'm currently rescanning both local drives.

    Less of a Quandary now! :)

  • Full scan completed. No threats found. The Sophos T.S. is great! Thank you for it!

    Per Andrew's suggestion, I also excluded the cache files folder that Time Machine was unnecessarily backing up.

    I'll try to contribute here, if I happen to know an answer, but being a new user, I prefer to leave it to the experts.
