Troj/Zbot - HAD

Hi everybody,

I am using Sophos Anti-Virus 8.0.20C on the Mac and I am having a very annoying alert recurring constantly throughout the day.

I have an alert come up saying that it has detected the Troj/Zbot - HAD (sometimes the HAD is replaced with something else).  So I open up Quarantine Manager and Authenticate to be able to remove it, but as soon as I have authenticated, the threat in the window disappears without giving me a chance to clear it.

This has been going on for weeks and I have run the full scan of the machine a number of times, which comes up clean, but it keeps coming up.

Does anyone know why this is and how I can stop this happening?

UPDATE - I have since turned off the Scan inside archives and compressed files option in the preferences pane as suggested on another post but this hasn't solved the issue.


  • Got the log thanks.  It shows no threats and the issues are the usual 'encrypted file' etc. that are explained here: http://www.youtube.com/watch?v=zrYo_EJAusg

    One point though: The scan log shows that it detected three volumes at the start...

    New volume detected at /Volumes/Time Machine Backups
    New volume detected at /
    New volume detected at /Volumes/Macintosh 1TB HD

    and then at the end there is an 'issue' with the TM volume...

    Error: cannot open item at path "/Volumes/Time Machine Backups": No such file or folder

     Did you switch off TM during the scan or unmount the volume?  That would explain it - just want to make sure there are no obvious problems with how SAV is accessing the TM volume.

    One suggestion I would make is that 'log only' for detected threats is perhaps better than 'cleanup' and if that fails 'delete'...

    Scan name: "Scan Local Drives"
    Scan items:
    Configuration:
    	Scan inside archives and compressed files: Yes
    	Automatically clean up threats: Yes
    	Action on infected files: Delete
    	Live Protection enabled: Yes

    The QM should flush items that are cleaned up but you could have a detection of a threat and a cleanup or delete and then the QM fails to clear and things get out of sync.  I recommend setting the option back to 'log only' and then if something is found you can review the QM and see what's found knowing that SAV took no action, so if the QM says it's somewhere then it's probably still there.

    After that, the next thing to try would be to set up a custom scan of just the TM volume and see what that finds (scan log for that would be good).  Example (browse (+ button) for your TM volume to add it to the scan correctly):

    2014-01-16_14-41-25.png

  • Thank you for all of those options Ruckus,

    Couple of things:

    Did you switch off TM during the scan or unmount the volume?

    I turned Time Machine off before that scan had finished so yes.

     One suggestion I would make is that 'log only' for detected threats is perhaps better than 'cleanup' and if that fails 'delete'...

    This is fine, but I think the issue I have is with the On-Access Scanner.  These threats keep popping up when I am not running a scan.  But in the On Access pane of the System Preferences there isn't a 'log only' option, I have 'deny access', 'clean up threat' 'deny access and move threat' or 'delete threat'.  So what should I set in here?  I have always had it as 'clean up threat' and then 'delete threat'.

    Thanks :)

  • And as soon as I turn on Time Machine again and it starts a backup I get this ... 

    Screen Shot 2014-01-16 at 15.13.39.png

  • Here's an excerpt from the Anti-Virus log ... after I checked a box to 'Write threat and error events to system log' in the system preferences.

    com.sophos.intercheck: Info: Exclusion: /Volumes/Data/ at 15:11 on 16 January 2014
    com.sophos.intercheck:
    com.sophos.intercheck: 2014-01-16 15:12:57 +0000 Threat: 'Mal/BredoZp-B' detected in
    com.sophos.intercheck: Access to the file denied

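The two log formats in this thread (the on-demand scan log with its "New volume detected" / "cannot open item" lines, and the com.sophos.intercheck syslog excerpt above) can be parsed together to answer the questions ruckus is asking: did a volume vanish mid-scan, and what exactly did the on-access scanner report? The script below is an added example written for this page; it is not Sophos code and the sample log text is constructed from the lines quoted in the thread. The only assumption is that other intercheck events keep the same "prefix: body" layout as the four lines shown; the detection/action pairing is inferred from that excerpt alone.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the on-demand scan log lines quoted in the thread
SCAN_LOG = """\
New volume detected at /Volumes/Time Machine Backups
New volume detected at /
New volume detected at /Volumes/Macintosh 1TB HD
Error: cannot open item at path "/Volumes/Time Machine Backups": No such file or folder
"""

# Constructed sample modelled on the system-log excerpt quoted in the thread
SYSLOG = """\
com.sophos.intercheck: Info: Exclusion: /Volumes/Data/ at 15:11 on 16 January 2014
com.sophos.intercheck:
com.sophos.intercheck: 2014-01-16 15:12:57 +0000 Threat: 'Mal/BredoZp-B' detected in
com.sophos.intercheck: Access to the file denied
"""

PREFIX = "com.sophos.intercheck:"
VOLUME_RE = re.compile(r"^New volume detected at (?P<path>.+)$")
OPEN_ERR_RE = re.compile(r'^Error: cannot open item at path "(?P<path>[^"]+)": (?P<reason>.+)$')
EXCLUSION_RE = re.compile(r"^Info: Exclusion: (?P<path>\S+) at ")
THREAT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in\s*(?P<path>.*)$"
)


@dataclass
class Detection:
    timestamp: str
    threat: str
    path: str         # empty when the log line carries no path, as in the thread
    action: str = ""  # the follow-up line, e.g. "Access to the file denied"


def parse_scan_log(text):
    """Return (volumes seen at scan start, {path: reason} for items that could not be opened)."""
    volumes, unreadable = [], {}
    for line in text.splitlines():
        m = VOLUME_RE.match(line.strip())
        if m:
            volumes.append(m["path"])
            continue
        m = OPEN_ERR_RE.match(line.strip())
        if m:
            unreadable[m["path"]] = m["reason"]
    return volumes, unreadable


def volumes_gone_mid_scan(text):
    """Volumes enumerated at scan start whose root later could not be opened.
    For a backup volume this is what switching Time Machine off (or unmounting
    the volume) during the scan looks like in the log."""
    volumes, unreadable = parse_scan_log(text)
    return [v for v in volumes if v in unreadable]


def parse_intercheck_log(text):
    """Parse com.sophos.intercheck syslog lines into exclusions and detections.
    A Threat line opens a detection; the next non-empty, non-Info body is its action."""
    exclusions, detections = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue                      # lines from other daemons
        body = line[len(PREFIX):].strip()
        if not body:
            continue                      # blank separator line
        m = EXCLUSION_RE.match(body)
        if m:
            exclusions.append(m["path"])
            current = None
            continue
        if body.startswith("Info:"):
            current = None                # other informational events
            continue
        m = THREAT_RE.match(body)
        if m:
            current = Detection(m["ts"], m["name"], m["path"].strip())
            detections.append(current)
            continue
        if current is not None and not current.action:
            current.action = body         # e.g. "Access to the file denied"
    return exclusions, detections


def detections_without_path(detections):
    """Detections whose log line names no file: the syslog alone cannot say what
    was hit, so the Quarantine Manager or the scan log has to be consulted."""
    return [d for d in detections if not d.path]


if __name__ == "__main__":
    print("volumes gone mid-scan:", volumes_gone_mid_scan(SCAN_LOG))
    excl, dets = parse_intercheck_log(SYSLOG)
    print("exclusions:", excl)
    for d in dets:
        print(f"{d.timestamp} {d.threat} path={d.path!r} action={d.action!r}")
```

Run against the constructed samples it reports the Time Machine volume as gone mid-scan and one Mal/BredoZp-B detection with an empty path and the action "Access to the file denied", which is exactly why the poster cannot see where the item lives from the system log alone.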

  • ruckus wrote:

    One suggestion I would make is that 'log only' for detected threats is perhaps better than 'cleanup' and if that fails 'delete'...

    Scan name: "Scan Local Drives"
    Scan items:
    Configuration:
    	Scan inside archives and compressed files: Yes
    	Automatically clean up threats: Yes
    	Action on infected files: Delete
    	Live Protection enabled: Yes

    Sorry, to clarify: It was just a side note for the 'Scan This Mac' on-demand scan you ran, not for on-access scanning. :0)

    Can you run a scan of the TM volume only and see what is found?  No exclusions for the TM volume and leave compressed files on.  May take some time to complete so set it going and wander off or leave it over night.  That's not to say you can't use the Mac while it's scanning, but it may slow the Mac down grinding through the TM backups.

  • With this scan of the TM, do you want me to have it as 'Log Only' for threats?


  • dakotaspurs wrote:

    And as soon as I turn on Time Machine again and it starts a backup I get this ... 

    Screen Shot 2014-01-16 at 15.13.39.png


    FYI: Make sure you select the item/ an item before screenshot etc.  Need to have an item select to see lower panel info.


  • dakotaspurs wrote:

    With this scan of the TM, do you want me to have it as 'Log Only' for threats?


    Please.  For a normal volume this will leave the items behind for review.  For TM volumes SAV can't delete from a backup anyway (complex file structure) so there is no point.

  • Ok, it's running now.  Although last time I did this it took hours and then hung about 3 quarters of the way through.  I may have to get back to you tomorrow.

    :)
