
Troj/Zbot - HAD

Hi everybody,

I am using Sophos Anti-Virus 8.0.20C on the Mac and I am having a very annoying alert recurring constantly throughout the day.

I have an alert come up saying that it has detected the Troj/Zbot - HAD (sometimes the HAD is replaced with something else).  So I open up Quarantine Manager and Authenticate to be able to remove it, but as soon as I have authenticated, the threat in the window disappears without giving me a chance to clear it.

This has been going on for weeks and I have run the full scan of the machine a number of times, which comes up clean, but it keeps coming up.

Does anyone know why this is and how I can stop this happening?

UPDATE - I have since turned off the Scan inside archives and compressed files option in the preferences pane as suggested on another post, but this hasn't solved the issue.

  • Got the log, thanks.  It shows no threats and the issues are the usual 'encrypted file' etc. that are explained here: http://www.youtube.com/watch?v=zrYo_EJAusg

    One point though: The scan log shows that it detected three volumes at the start...

    New volume detected at /Volumes/Time Machine Backups
    New volume detected at /
    New volume detected at /Volumes/Macintosh 1TB HD

    and then at the end there is an 'issue' with the TM volume...

    Error: cannot open item at path "/Volumes/Time Machine Backups": No such file or folder

    Did you switch off TM during the scan or unmount the volume?  That would explain it - just want to make sure there are no obvious problems with how SAV is accessing the TM volume.

    One suggestion I would make is that 'log only' for detected threats is perhaps better than 'cleanup' and if that fails 'delete'...

    Scan name: "Scan Local Drives"
    Scan items:
    Configuration:
    	Scan inside archives and compressed files: Yes
    	Automatically clean up threats: Yes
    	Action on infected files: Delete
    	Live Protection enabled: Yes

    The QM should flush items that are cleaned up, but you could have a detection of a threat and a cleanup or delete and then the QM fails to clear and things get out of sync.  I recommend setting the option back to 'log only' and then if something is found you can review the QM and see what's found knowing that SAV took no action, so if the QM says it's somewhere then it's probably still there.

    After that, the next thing to try would be to set up a custom scan of just the TM volume and see what that finds (scan log for that would be good).  Example (browse (+ button) for your TM volume to add it to the scan correctly):

    [Screenshot: 2014-01-16_14-41-25.png]

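As an added example, not code from the thread or from Sophos, here is a small Python check for the two things the reply reads out of the scan log: volumes announced at the start of the scan whose root could not be opened by the end (the Time Machine volume case), and the cleanup/delete settings it suggests switching back to 'log only' while the Quarantine Manager is misbehaving. The sample log is constructed from the lines quoted above; anything about the log format beyond those quoted lines is an assumption.

```python
import re

# Constructed sample modelled on the log lines quoted in the thread; it is
# not a real Sophos scan log, and the exact file format is an assumption.
SAMPLE_LOG = (
    'Scan name: "Scan Local Drives"\n'
    "Configuration:\n"
    "\tScan inside archives and compressed files: Yes\n"
    "\tAutomatically clean up threats: Yes\n"
    "\tAction on infected files: Delete\n"
    "\tLive Protection enabled: Yes\n"
    "New volume detected at /Volumes/Time Machine Backups\n"
    "New volume detected at /\n"
    "New volume detected at /Volumes/Macintosh 1TB HD\n"
    'Error: cannot open item at path "/Volumes/Time Machine Backups": '
    "No such file or folder\n"
)

VOLUME_RE = re.compile(r"^New volume detected at (.+)$")
OPEN_ERROR_RE = re.compile(
    r'^Error: cannot open item at path "([^"]+)": No such file or folder$'
)
CONFIG_RE = re.compile(r"^\t([^:]+): (.+)$")  # tab-indented "key: value" lines


def parse_scan_log(text):
    """Collect the volumes announced at scan start, the paths that could not
    be opened, and the configuration block from a log in this format."""
    report = {"volumes": [], "unreachable": [], "config": {}}
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            report["volumes"].append(m.group(1))
            continue
        m = OPEN_ERROR_RE.match(line)
        if m:
            report["unreachable"].append(m.group(1))
            continue
        m = CONFIG_RE.match(line)
        if m:
            report["config"][m.group(1)] = m.group(2)
    return report


def missing_volumes(report):
    """Volumes present when the scan began whose root could not be opened
    later: the reply's Time Machine case, where the volume was unmounted or
    TM was switched off while the scan was still running."""
    return [v for v in report["volumes"] if v in report["unreachable"]]


def cleanup_warnings(config):
    """Flag the automatic cleanup/delete settings the reply recommends
    switching back to 'log only' while diagnosing a Quarantine Manager that
    drops entries before they can be reviewed."""
    warnings = []
    if config.get("Automatically clean up threats") == "Yes":
        warnings.append(
            "Automatic cleanup is on: detections may be cleaned before the "
            "Quarantine Manager shows them; use 'log only' while diagnosing."
        )
    if config.get("Action on infected files") == "Delete":
        warnings.append(
            "Action on infected files is Delete: a failed delete can leave "
            "the Quarantine Manager out of sync with what is on disk."
        )
    return warnings


if __name__ == "__main__":
    r = parse_scan_log(SAMPLE_LOG)
    print("volumes:", r["volumes"])
    print("unreachable by end of scan:", missing_volumes(r))
    for w in cleanup_warnings(r["config"]):
        print("warning:", w)
```

Run it against the text of a saved scan log instead of SAMPLE_LOG to confirm whether the TM volume error is just a volume that disappeared mid-scan, before spending time on a custom scan of that volume.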