Troj/Zbot - HAD

Hi everybody,

I am using Sophos Anti-Virus 8.0.20C on the Mac and I am having a very annoying alert recurring constantly throughout the day.

I have an alert come up saying that it has detected Troj/Zbot-HAD (sometimes the HAD is replaced with something else). So I open up Quarantine Manager and authenticate to be able to remove it, but as soon as I have authenticated, the threat in the window disappears without giving me a chance to clear it.

This has been going on for weeks and I have run the full scan of the machine a number of times, which comes up clean, but it keeps coming up.

Does anyone know why this is and how I can stop this happening?

UPDATE - I have since turned off the "Scan inside archives and compressed files" option in the preferences pane as suggested on another post, but this hasn't solved the issue.

  • Just to be sure: if you filter the log by 'BredoZp', is nothing found?

    [attached screenshot: 2014-01-15_15-07-22.png]

    If not, if you filter by 'com.sophos.intercheck' (excludes AutoUpdate lines) can you screenshot that at the right time (or better yet copy the contents to a txt file and attach that to your next post)?

    [attached screenshot: 2014-01-15_15-06-09.png]

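The Console filtering described in the reply above, done on the command line, as an added example that is not part of the original thread. The log line format, the sample detection name and path, and the idea that the on-access log lives under /Library/Logs or ~/Library/Logs are all assumptions made for the illustration, not details taken from the thread:

```shell
#!/bin/sh
# Added example (not from the Sophos thread): reproduce the Console.app
# filter steps from the reply above on the command line. The sample log
# lines below are constructed for illustration; the real on-access
# scanner log format and its location are assumptions, not facts from
# the thread.

SAMPLE_LOG='2014-01-15 15:05:01 com.sophos.intercheck[231]: On-access scanner started
2014-01-15 15:05:30 com.sophos.autoupdate[240]: AutoUpdate: checking for updates
2014-01-15 15:06:09 com.sophos.intercheck[231]: Threat "Troj/BredoZp-B" detected in /Volumes/Data/Backups.backupdb/mac/2014-01-06/Mail/attachment.zip
2014-01-15 15:06:10 com.sophos.intercheck[231]: Exclusion /Volumes/Data/ in effect'

# Step 1: keep only on-access scanner lines and drop AutoUpdate noise,
# i.e. the 'com.sophos.intercheck' filter suggested in the reply.
intercheck_only() {
    grep 'com\.sophos\.intercheck' | grep -v -i 'autoupdate'
}

# Step 2: count scanner lines mentioning a detection name (case-insensitive),
# e.g. BredoZp. Prints 0 instead of failing when nothing matches, so it is
# safe under 'set -e'.
count_hits() {
    intercheck_only | grep -i -c -- "$1" || true
}

# Step 3: pull out the file path the scanner reported for that detection.
# This is the detail Quarantine Manager was not showing in the thread, and
# it tells you whether the hit came from a Time Machine volume.
detection_paths() {
    intercheck_only | grep -i -- "$1" | sed -n 's/.* detected in \(.*\)$/\1/p'
}

# Usage against the constructed sample. For a real log, replace the printf
# with 'cat' of the actual log file (its path is not given in the thread).
printf '%s\n' "$SAMPLE_LOG" | count_hits BredoZp
printf '%s\n' "$SAMPLE_LOG" | detection_paths BredoZp
```

If the path printed sits under the Time Machine volume (here the constructed /Volumes/Data/ path), the alert is coming from a backup copy rather than a live file, which is the situation the later replies in this thread narrow down to.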
  • Hi ruckus, I have results come up but nothing for those dates.

    For past dates, they are coming up in Mail or in Time Machine. I have looked for the latest threats in Mail and they are not there anymore. I have looked for them in Time Machine and managed to delete one file, but there is still nothing coming up for the dates that I posted.

    Simon

  • I have deleted both copies of the files I can find on Time Machine, so hopefully that will cure the problem.  I will let you know if it comes up again.

    Thank you for your help.


    Simon

  • Good morning Ruckus,

    Here is what I have been greeted with this morning ...

    [attached screenshot: Screen Shot 2014-01-16 at 09.52.57.png]

    I have looked under both the ~/Library/Logs menu and the /Library/Logs menu at the Anti-Virus logs and there is nothing for these dates appearing.

    I have also searched for BredoZp and BredoZp-B in these logs and the only things coming up are historical searches back on the 6th January with threats on the Time Machine backups and in Mail attachments (both of which I deleted yesterday).

    I have no idea why this warning is coming up, what threat it is relating to and how I can get rid of it.

    Have you got any other ideas as to why it's coming up with nothing appearing in the logs?

  • Going back to your reply where I asked about on-access scanner Time Machine exclusions...


    dakotaspurs wrote:

    No there's nothing like that in my logs.  It looks as though it is searching Time Machine.


    In the screenshot at the top of this page what is the /Volumes/Data/ drive?  That's showing as an exclusion.

  • Yes I noticed that later on, that is the Time Machine I think.

    But still not sure what this other message is I keep getting.

  • As things have been going on for a while, let's recap to see what the issue is:

    1. Problem: On-access scanner detects a threat(s) and alerts. Cleanup for the items does not finish and just hangs. In the QM there is no path to the threat so it cannot be located. Checking the on-access scanner log with Console shows the item alerted is not recorded in there.
    2. Started with version 8 but continues with version 9 now the installation has been upgraded.
    3. Full on-demand scan of the entire drive (inc. TM?) comes up clean - no threat is found.
    4. Excluding compressed files from the on-access scanner fails to stop the on-access alerts from appearing.
    5. Problem may center on TM drive and files being read from that volume; however, the on-access exclusion for TM is in place, as shown by the log in Console that shows a /Volumes/Data/ exclusion, and this is the TM drive.

    Does that sound like a correct summary?

    Is it possible for you to post the entire on-access scanner log (or email it to me if you prefer not to post it in the forum (sophossupport at icloud dot com)) as a txt/log file?

    And can you test point 5 by unmounting TM from the Mac (disconnect it)?  Then see if the pop-ups stop or not.

  • Yep all sounds about right.

    I am running another scan at the moment and will test 4 and 5 again.

    I will get back to you with any updates.

    Thanks

  • Result of test on number 4, turning off the scan of compressed files: the threat is still coming up.

    I will disconnect the Time Machine next and see what happens.

  • Hi Ruckus,

    Well, it's been 2 and a quarter hours since I turned off the Time Machine back-ups and the threat has not re-appeared ... so that gets me thinking that it might be linked to that.

    Also, the scan I was running came up with no threats but 12 issues, I will email the text file to you.
