Troj/Zbot - HAD

Hi everybody,

I am using Sophos Anti-Virus 8.0.20C on the Mac and I am having a very annoying alert recurring constantly throughout the day.

I have an alert come up saying that it has detected the Troj/Zbot - HAD (sometimes the HAD is replaced with something else).  So I open up Quarantine Manager and Authenticate to be able to remove it, but as soon as I have authenticated, the threat in the window disappears without giving me a chance to clear it.

This has been going on for weeks and I have run the full scan of the machine a number of times, which comes up clean, but it keeps coming up.

Does anyone know why this is and how I can stop this happening?

UPDATE - I have since turned off the "Scan inside archives and compressed files" option in the preferences pane as suggested on another post, but this hasn't solved the issue.

  • Is the on-access scanner detecting the file, but either the file is moved/deleted on its own or your on-access scanner's cleanup settings are set to clean up?

    Start by checking the on-access scanner log in Console.  Example threat highlighted.

    [Screenshot attached: 2013-12-04_17-12-36.png]

  • Hi ruckus,

    It seems that whenever it appears it has "Access to the file denied" written below it.

    Some of these are on the Time Machine folder, so it may be running out of time to access it before Time Machine closes, so I am running a scan on that drive now.

    Some other cases are listed below:

    com.sophos.intercheck: 2013-12-10 15:21:59 +0000 Threat: 'Troj/Zbot-HAD' detected in /Users/simonjudd/Library/Application Support/Google/Chrome/Local State
    com.sophos.intercheck: Access to the file denied

    com.sophos.intercheck: 2013-12-10 12:05:57 +0000 Threat: 'Troj/Zbot-HAD' detected in /Users/simonjudd/.Extensis/FMCore/NameServer.db
    com.sophos.intercheck: Access to the file denied

    com.sophos.intercheck: 2013-12-10 09:48:51 +0000 Threat: 'Troj/Zbot-HAD' detected in /Users/Shared/.ST150
    com.sophos.intercheck: Access to the file denied

    Any ideas?

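An added example, not code from the original thread or from Sophos: a small Python parser for com.sophos.intercheck log lines of the form quoted above. It lists each detection with its path, marks the ones that are immediately followed by "Access to the file denied", flags paths that sit under a Time Machine Backups.backupdb directory (ruckus's later reply points at Time Machine backups and mail as things the scanner can detect but not clean), and returns the remaining paths as candidates for the sample submission ruckus asked for. The three Troj/Zbot-HAD lines are the ones quoted in the post; the fourth line, its Troj/BredoZp-UT name pairing and its Backups.backupdb path are constructed for this example, and the Backups.backupdb check is this example's own heuristic, not a Sophos feature.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample log. The three Troj/Zbot-HAD entries are the lines quoted in the thread;
# the final Troj/BredoZp-UT entry and its Time Machine path are CONSTRUCTED for
# this example and do not come from the original post.
SAMPLE_LOG = """\
com.sophos.intercheck: 2013-12-10 15:21:59 +0000 Threat: 'Troj/Zbot-HAD' detected in /Users/simonjudd/Library/Application Support/Google/Chrome/Local State
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck: 2013-12-10 12:05:57 +0000 Threat: 'Troj/Zbot-HAD' detected in /Users/simonjudd/.Extensis/FMCore/NameServer.db
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck: 2013-12-10 09:48:51 +0000 Threat: 'Troj/Zbot-HAD' detected in /Users/Shared/.ST150
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck: 2014-01-10 08:15:33 +0000 Threat: 'Troj/BredoZp-UT' detected in /Volumes/Backup/Backups.backupdb/MacBook/2014-01-09-190000/Macintosh HD/Users/simonjudd/Downloads/invoice.zip
"""

# One detection line: timestamp, quoted threat name, then the path (which may contain spaces).
DETECTION_RE = re.compile(
    r"^com\.sophos\.intercheck: "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<threat>[^']+)' detected in (?P<path>.+)$"
)
# Follow-up line written when the on-access scanner could not open or clean the file.
DENIED_RE = re.compile(r"^com\.sophos\.intercheck: Access to the file denied$")


@dataclass
class Detection:
    timestamp: str
    threat: str
    path: str
    access_denied: bool = False

    @property
    def in_time_machine(self) -> bool:
        # Time Machine keeps its backup sets under a Backups.backupdb directory.
        # Treating anything beneath it as a backup copy rather than a live file
        # is this example's assumption, not something the scanner reports.
        return "/Backups.backupdb/" in self.path


def parse_intercheck_log(text: str) -> List[Detection]:
    """Parse com.sophos.intercheck lines into Detection records.

    An 'Access to the file denied' line is attached to the detection that
    immediately precedes it; lines that match neither pattern are ignored.
    """
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(m["ts"], m["threat"], m["path"]))
        elif DENIED_RE.match(line) and detections:
            detections[-1].access_denied = True
    return detections


def count_by_threat(detections: List[Detection]) -> Dict[str, int]:
    """How many times each threat name was reported."""
    return dict(Counter(d.threat for d in detections))


def sample_candidates(detections: List[Detection]) -> List[str]:
    """Unique paths worth collecting for a sample submission: live files, not Time Machine copies."""
    seen: List[str] = []
    for d in detections:
        if not d.in_time_machine and d.path not in seen:
            seen.append(d.path)
    return seen


if __name__ == "__main__":
    dets = parse_intercheck_log(SAMPLE_LOG)
    for d in dets:
        flag = "DENIED" if d.access_denied else "ok"
        where = "time-machine" if d.in_time_machine else "live"
        print(f"{d.timestamp}  {d.threat:<16} {flag:<7} {where:<13} {d.path}")
    print("counts:", count_by_threat(dets))
    print("submit:", sample_candidates(dets))
```

To use it on a real machine, paste the com.sophos.intercheck lines out of Console into a file and feed its contents to parse_intercheck_log; the "DENIED" flag tells you which detections the scanner could see but not touch, which is exactly the set that appears in an alert and then vanishes from Quarantine Manager.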
  • Can you get hold of one of the files detected?  If so can you submit it as a sample?

    https://secure2.sophos.com/support/contact-support/sample-submission.aspx

  • Hi Ruckus,

    I have been trying to locate some of these files for you but a new issue has been coming up which is making it impossible.

    I now get the warning pop up coming on screen saying I have two issues to look at, but when I open Quarantine Manager there is nothing in there at all.

    This seems to keep happening when Time Machine is running, so I am guessing that it is trying to detect issues on the Time Machine backup, but can't see them properly.

    I have run scans on the whole system and no warnings are coming up.  I have also tried to run a scan on the Data folder in Time Machine but it keeps timing out so I never get a full scan done.

    Is there any way I can exclude Time Machine from the automatic scanning?

  • If you check in the on-access scanner log you should see an exclusion for Time Machine already...

    [Screenshot attached: 2014-01-10_13-50-28.png]

    Have you considered upgrading to v9?  Not saying that will fix it, but it's a more advanced version etc. so the behavior may be different.

  • No, there's nothing like that in my logs.  It looks as though it is searching Time Machine.

    Also, I have updated to version 9 and am now getting a new issue.  It flags up that I have 2 warnings, I go to them in Quarantine Manager and there is no thread identifying where they are.  So I select them and click Clean Up Threat, and then it just spins for ages saying Clean Up In Progress ... never actually cleaning anything up!

    UPDATE:

    Just to add that the two threats it is identifying are Troj/BredoZp-UT and Mal/BredoZp-B

  • dakotaspurs wrote:

    I have 2 warnings, I go to them in quarantine manager and there is no thread identifying where they are.  So I select them and click Clean Up Threat, and then it just spins for ages saying Clean Up In Progress ... never actually cleaning anything up!


    This now sounds like the detection is an item in the Time Machine backup or an email - something it can scan, but can't delete.

    Go back to Console and locate what is detected (the Quarantine Manager may not show the item, but the log should).  Watch/listen to the videos below as they should help explain what to do.

  • Thanks ruckus,

    They are useful and I will definitely use them.  However, here is my issue: attached is a screenshot of my Quarantine Manager, and as you can see from it there is no path for the threats.  These have come from the automatic scan that Sophos does, not a manual one I have done (which comes up clean).  Where can I find these files?

    I have looked under the Sophos Anti-Virus Scans menus but there is nothing with these dates.  Where else should I be looking?

  • If it's not displayed in the QM then the only other place to check is in the log - open Console.

    I posted a screenshot of the on-access log several posts back.  The videos also talk about accessing the logs.  Watch them for help there.

  • There's nothing in there either.

    Here is a snapshot of one of the times; nothing there for that time at all - 14 Jan 2014 19:31

    [Screenshot attached: Screen Shot 2014-01-15 at 14.55.50.png]
