
files with a ".$$$" extension

Following is an observation, which in all probability is also of interest to the Sophos threat team, or whatever it is called. I use the free Sophos for Mac home edition as well, besides VirusBarrier X6, from whose log the clues stem. The files with a ".$$$" extension in all probability must be treated as threats. It appears that these files disrupt the operation of VirusBarrier X6. I find traces of these files in the VirusBarrier X6 log file. They are located in the /private/tmp directory. The following behaviour is a consistent observation. You can see at the very top of the screenshot that VirusBarrier X6 starts having trouble with one of these files. Then it continues to have trouble with normal files, for no good reason. A further thing of importance is that I get the issue only when the ethernet cable is plugged in at boot time. Indeed, the computer has trouble starting up when the ethernet cable is plugged in. If the ethernet cable is not plugged in at boot time, the computer starts up rapidly.


This thread was automatically locked due to age.
  • The files with '.$$$' are temporary files; the reason scanners have problems with them is that they are incomplete files which are usually renamed and moved once the file has been fully written to disk.

    As such, if it is in the tmp folder and has the extension .$$$, it is almost guaranteed to be a "corrupt file".  Sophos logs these but does not crash on them or bring up needless alerts.

    However, it *is* possible that the issues some people have been having with "calculating..." taking too long have to do with these files swapping in and out of the temp folder.  To test this, you can try excluding /private/tmp *temporarily* from scans to see if this fixes your issue.

    I say temporarily, because tmp is a common staging ground for both legitimate and malicious software, and if something is caught while still in this folder (which is readable and writeable by everyone), it will likely never get as far as doing anything actually malicious on the system it is attacking.

    That said, could someone with .$$$ files logged please use either the free app Sloth, or the terminal command:

    lsof | grep '\.\$\$\$$'

    and post the results?  This should tell us what application, running process etc. is involved in creating these specific temp files.

    :1009540
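The check requested in the reply above, as an added example that is not part of the original thread: temp files are short-lived, so a single `lsof` run can miss them, and this sketch polls `/private/tmp` and tallies which process held each `.$$$` file open. The function names, the `--live` switch and the sample process names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: attribute ".$$$" temp files to the process holding them open.

# Parse `lsof -F pcn` field output on stdin: "p<pid>" and "c<command>" open a
# process set, each "n<name>" is one open file. Prints command, PID and path
# (tab-separated) for names that END in ".$$$".
parse_lsof_fields() {
  awk '
    /^p/ { pid = substr($0, 2); cmd = "?"; next }
    /^c/ { cmd = substr($0, 2); next }
    /^n/ {
      name = substr($0, 2)
      if (name ~ /\.\$\$\$$/) print cmd "\t" pid "\t" name
    }
  '
}

# Constructed sample of `lsof -F pcn` output (process names and paths made up).
constructed_sample() {
  cat <<'EOF'
p321
cexampled
f12
n/private/tmp/abc123.$$$
f13
n/private/tmp/notes.txt
p654
cExampleApp
f40
n/private/tmp/cache.$$$.bak
f41
n/private/tmp/dl.$$$
EOF
}

# Temp files are short-lived, so poll once a second for $1 rounds (default 30)
# and count how often each command/PID/path combination was seen.
sample_tmp_owners() {
  rounds=${1:-30}
  i=0
  while [ "$i" -lt "$rounds" ]; do
    lsof -F pcn +D /private/tmp 2>/dev/null | parse_lsof_fields
    sleep 1
    i=$((i + 1))
  done | sort | uniq -c | sort -rn
}

# Live run only when asked for: sh script.sh --live [rounds]
if [ "${1:-}" = "--live" ]; then sample_tmp_owners "${2:-30}"; fi
```

Run it with `sudo` if files owned by other users' processes should be included, since `lsof` otherwise only reports on processes it is allowed to inspect.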