Quarantined file disappeared from the manager

I'm running a scan on my entire hard drive using the Mac OS free edition. I had a warning pop up that a file was infected and quarantined. I opened the quarantine manager per instructions, which had one file in it. I highlighted the file, and when I clicked on the 'more details' button, the file disappeared. The scan is set to just log bad files (rather than move them or clean them up), so this is a bit disconcerting. The only thing I noticed about it was that it was called Info.plist. Any thoughts on whether this is something to worry about?


  • Hello doxsys,

    "mysterious" events fall into one of three categories: 1) the observed behaviour is normal and explainable but not intuitive, 2) the observed behaviour is normal but some information is missing to assess it, 3) the sequence of events is a symptom of an underlying bug.

    What we have here with QM could be case 2: When a threat is detected, QM is informed what has been found and where (together with information on how cleanup thinks it could deal with it). At open time QM checks if the "where" is still valid, and in case the offending file has disappeared the entry is removed from the list - silently that is, though; there's no corresponding entry in the log. IMO this action should be logged. It's quite simple to test this with EICAR. In practice this is likely to occur with caches and temporary files.

    Christian 

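A sketch of the open-time check described in the reply above, with the removal written to a log as the reply suggests it should be. This is an added example, not Sophos code and not part of the original thread; the `Detection` record, the logger name, and the sample paths and threat names are constructed for illustration.

```python
import logging
import os
import tempfile
from dataclasses import dataclass

log = logging.getLogger("quarantine-audit")  # hypothetical logger name


@dataclass(frozen=True)
class Detection:
    threat: str  # name reported by the scanner
    path: str    # the "where" recorded at detection time


def reconcile(entries):
    """Return (present, vanished); every vanished entry is logged, not dropped silently."""
    present, vanished = [], []
    for entry in entries:
        # lexists: a dangling symlink still means something sits at that path
        if os.path.lexists(entry.path):
            present.append(entry)
        else:
            vanished.append(entry)
            log.warning("entry removed, file no longer present: threat=%s path=%s",
                        entry.threat, entry.path)
    return present, vanished


def demo():
    """Constructed scenario: one file that stays, one cache file deleted before the check."""
    with tempfile.TemporaryDirectory() as root:
        kept = os.path.join(root, "Installer.pkg")
        temp = os.path.join(root, "Caches", "Info.plist")
        os.makedirs(os.path.dirname(temp))
        for p in (kept, temp):
            with open(p, "w") as fh:
                fh.write("harmless placeholder\n")
        entries = [Detection("Constructed/Sample-A", kept),
                   Detection("Constructed/Sample-B", temp)]
        os.remove(temp)  # cache cleanup happens between detection and opening the list
        present, vanished = reconcile(entries)
        return ([os.path.basename(e.path) for e in present],
                [os.path.basename(e.path) for e in vanished])


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(asctime)s %(message)s")
    print(demo())
```

The warning line is the audit trail: it records which detection left the list and why, so a vanished entry can be told apart from one that was never recorded.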