Quarantined file disappeared from the manager

I'm running a scan on my entire hard drive using the Mac OS free edition. I had a warning pop up that a file was infected and quarantined. I opened the quarantine manager per instructions, which had one file in it. I highlighted the file, and when I clicked on the 'more details' button, the file disappeared. The scan is set to just log bad files (rather than move them or clean them up), so this is a bit disconcerting. The only thing I noticed about it was that it was called Info.plist. Any thoughts on whether this is something to worry about?
:1006353


  • It just happened again, but in a different way -- I got a popup warning about three infected files. When I clicked on the quarantine manager window, all three files disappeared from the list after about two or three seconds. What's up with that?

    :1006355
  • Hello doxsys,

    you can find the details about the detection (threat detected and path to the file) in the log. Please post the relevant part if you can't figure out what it's saying.

    Christian 

    :1006369
  • The issue isn't with logging, or with understanding the logs. The issue is why the reportedly bad files are disappearing mysteriously from the Quarantine Manager window shortly after it's brought into focus.

    :1006569
  • Hello doxsys,

    "mysterious" events fall into one of three categories: 1) the observed behaviour is normal and explainable but not intuitive, 2) the observed behaviour is normal but some information is missing to assess it, 3) the sequence of events is a symptom of an underlying bug.

    What we have here with QM could be case 2: When a threat is detected QM is informed what has been found and where (together with information how cleanup thinks it could deal with it). At open time QM checks if the "where" is still valid and in case the offending file has disappeared the entry is removed from the list - silently that is though, there's no corresponding entry in the log. IMO this action should be logged.  It's quite simple to test this with EICAR. In practice this is likely to occur with caches and temporary files.

    Christian 

    :1006575
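A minimal model of the open-time check Christian describes, with each removal written to a log as he suggests. This is an added example, not Sophos code: the `Detection` record, the threat names, the file names and the log wording are all assumptions.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Detection:
    threat: str  # name reported by the scanner (constructed sample values below)
    path: str    # the "where" recorded at detection time


def prune_stale(detections, audit_log):
    """Keep detections whose file still exists; record every dropped entry."""
    kept = []
    for d in detections:
        # lexists: a dangling symlink still counts as "something is there"
        if os.path.lexists(d.path):
            kept.append(d)
        else:
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            audit_log.append(
                f"{stamp} removed from list: {d.threat} at {d.path} "
                "(file no longer present)"
            )
    return kept


def demo():
    """Constructed scenario: one detection in a cache file that is later
    deleted, one in a file that stays on disk."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "cache.tmp")
        persistent = os.path.join(root, "Info.plist")
        for p in (cache, persistent):
            with open(p, "w") as fh:
                fh.write("harmless placeholder\n")
        detections = [Detection("Sample/Threat-A", cache),
                      Detection("Sample/Threat-B", persistent)]
        os.remove(cache)  # e.g. the application cleared its own cache
        audit = []
        kept = prune_stale(detections, audit)
        return [os.path.basename(d.path) for d in kept], audit


if __name__ == "__main__":
    kept, audit = demo()
    print("still listed:", kept)
    print("\n".join(audit))
```

With the removal recorded, a user who sees an entry vanish can tell from the log whether the file was really gone or whether the list dropped an entry for a file that is still on disk.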
  • Welcome to the club. :smileyindifferent:

    Every time my Quarantine Manager shows threats, they vanish after a second or two, before I can even read them.

    I must then resort to reading the log to find the threat and its location - not very convenient! :smileyfrustrated:

    I'm starting to see why this is free software - it's one bug after another.

    I brought up this problem before, and although "Employee Agile Employee" replied to my post, they failed to comment on the issue:

    When I opened the Quarantine Manager, there were several items visible, but they all vanished after about 2 seconds, before I could even check them.

    My preferences are also set to only log threats, not to clean, move or delete them.
    .
    The instructions for dealing with threats don't even apply since threats disappear before they can be dealt with.

    .

    What to do

    1. Open the Quarantine Manager.
    2. Click the Action Available column heading to sort the list of threats according to the action available.
    3. Select all the threats for which the action available is Clean up.
    4. Click Clean Up Threat. 

    etc.

    etc.

    How am I supposed to "select all the threats", when the threats have vanished from the window?
    I don't even understand what Christian said above: "When a threat is detected QM is informed what has been found and where (together with information how cleanup thinks it could deal with it). At open time QM checks if the "where" is still valid and in case the offending file has disappeared the entry is removed from the list - silently that is though, there's no corresponding entry in the log. IMO this action should be logged.  It's quite simple to test this with EICAR. In practice this is likely to occur with caches and temporary files."

    When the threats vanish from QM, the offending file isn't moved at all - I had to remove them manually after looking at the log, so there is a corresponding entry in the log. 

    The "where" was still valid because the files were still there.

    :1006579
  • Hello Rebel,

    "I must then resort to reading the log to find the threat and its location"

    so you are saying that the threats are still present? If so - could you please list some examples (it's ok to use color and big fonts (indeed I like your layout) but the crucial information is missing). If not - what's my attempted explanation lacking?

    Christian

    :1006583
  • I've already deleted the logs.

    I ran Sophos, and it said there were 4 threats. Opened QM, several lines of text appeared then quickly vanished.

    I opened the log and at the bottom the 4 threats were listed - 2 were animated gifs, and I don't remember what the others were.

    These gifs have been on my computer for several years, but this was the first time I've run a-v software.

    I went to the folder, which contains thousands of animated gifs, and deleted the 2 that were listed.

    So, as I said, the threats were still there, they had not been moved/deleted by Sophos, I had to do it.

    I still have these files on my TM, if you want to see them for some reason.

    I don't know what "crucial information" is missing.

    I've already said (in two threads) that when threats are detected, they appear in QM for a second or two then disappear. I've already said that I then had to go read the log to see what the threats were. And I've already said I had to manually delete the files after that.

    What did I leave out that you need to know?

    I'm running 7.3.10c.

    And since no one from Sophos seems interested in responding to this issue in my other topic, I'll say it again here:

    HOW ABOUT SOME RELEASE NOTES AND A VERSION NUMBER ON THE DOWNLOAD PAGE?!

    I'm still waiting for Sophos to let me know which version it was that I downloaded 9 days ago.

    I'm not going to install something without knowing which version it is, especially when I've already had trouble with one version and had to downgrade.

    :1006587

  • Rebel wrote:

    I've already deleted the logs.

    I ran Sophos, and it said there were 4 threats. Opened QM, several lines of text appeared then quickly vanished.

    I opened the log and at the bottom the 4 threats were listed - 2 were animated gifs, and I don't remember what the others were.

    These gifs have been on my computer for several years, but this was the first time I've run a-v software.

    I went to the folder, which contains thousands of animated gifs, and deleted the 2 that were listed.

    So, as I said, the threats were still there, they had not been moved/deleted by Sophos, I had to do it.

    I still have these files on my TM, if you want to see them for some reason.

    I don't know what "crucial information" is missing.

    I've already said (in two threads) that when threats are detected, they appear in QM for a second or two then disappear. I've already said that I then had to go read the log to see what the threats were. And I've already said I had to manually delete the files after that.

    What did I leave out that you need to know?

    I'm running 7.3.10c.

    And since no one from Sophos seems interested in responding to this issue in my other topic, I'll say it again here:

    HOW ABOUT SOME RELEASE NOTES AND A VERSION NUMBER ON THE DOWNLOAD PAGE?!

    I'm still waiting for Sophos to let me know which version it was that I downloaded 9 days ago.

    I'm not going to install something without knowing which version it is, especially when I've already had trouble with one version and had to downgrade.


    Item 1: would you please submit the animated gifs via the website submission tool?  I have my suspicions that you've encountered a QM bug, and that the wrong files were listed in the log.  We do have one other example of this happening to someone on the forum.  If you submit the files, we can examine them locally to verify that they are not malicious.

    Item 2: Release notes would definitely be nice.  Version number = "latest" with a caveat -- the files are served via Akamai, and the data store sometimes takes a while to sync to some locations worldwide -- so while one person may be downloading 8.0.2, someone else may be still downloading 8.0.1 from the same link.  My guess is that if you are having issues with the installer for 8.0.1, you'll likely have the same issues with 8.0.2, as the installer doesn't change AFAIK.  Someone closer to the release side of things will have to verify this.

    As a test, I just re-downloaded the installer, and it has the same sha value as when I downloaded it to install 8.0.1.  This means that the initial installer component has not changed -- but the last step of the install process, to download and install all updates, will ensure that 8.0.2 is what gets installed.

    As a question to other users of the forums: is anyone seeing the same "detection is there, then it's not" issue on SAV 8?  I know that the QM interface underwent a number of changes, so I'd expect that this behaviour may change a bit.  I haven't taken time yet to test it out for myself.

    :1006623
  • I had no trouble with the installer, I had the problem with 8.0.1C where Scan Local Drives takes a long time to run.

    I've been unable to find the "website submission tool," so how about a link?

    :1006633
  • I managed to find the submission page, but only accidentally. 

    There should be a prominent link on the website (and maybe a sticky in the forums) so people can easily find it.

    :1006643