No Option for Cleaning Up Threats / Mac OSX

Hello.  Ran first scan on Mac OSX 10.6.7.  Here is the screen shot for the results --

http://i852.photobucket.com/albums/ab89/markgrant_bucket/sophosscreenshot.jpg

As you can see, the "Clean Up Threat" button is grayed out.  Should I "Clear From List" or just keep them in Quarantine?

:1003011


  • Two options:

    1) Clear your Java web cache -- you can do this by deleting the folder those files are listed in when you click on them in the quarantine manager, or by running a tool like AppleJack

    2) Do a manual cleanup, as listed in the Manual Cleanup thread on here.

    :1003013
  • Thank you but --

    1a.) When I click on these files in the QM, it takes me to a web page.  Not the files.  The web page gives me a link to instructions --

    1b.) Downloaded and installed AppleJack.  Searched for program but nowhere to be found.  

    2.) Big thread.  Lots of questions, lots of answers.  Read through them and didn't find an answer to this particular question.

    These instructions are no help:

    http://www.sophos.com/support/knowledgebase/article/112129.html

    These are better:

    http://openforum.sophos.com/t5/Mac-tools-help/Sophos-Anti-Virus-for-Mac-how-to-manually-remove-malware/td-p/1779

    But how do I browse to location of infected file(s) when they're hidden and don't show up in search?  

    Search for "how to locate infected files" and I'm back at:

    http://www.sophos.com/support/knowledgebase/article/112129.html

    :1003029

  • markgrant wrote:

    Thank you but --

    1a.) When I click on these files in the QM, it takes me to a web page.  Not the files.  The web page gives me a link to instructions --

    1b.) Downloaded and installed AppleJack.  Searched for program but nowhere to be found.  

    2.) Big thread.  Lots of questions, lots of answers.  Read through them and didn't find an answer to this particular question.

    These instructions are no help:

    http://www.sophos.com/support/knowledgebase/article/112129.html

    These are better:

    http://openforum.sophos.com/t5/Mac-tools-help/Sophos-Anti-Virus-for-Mac-how-to-manually-remove-malware/td-p/1779

    But how do I browse to location of infected file(s) when they're hidden and don't show up in search?  

    Search for "how to locate infected files" and I'm back at:

    http://www.sophos.com/support/knowledgebase/article/112129.html


    For 1a) Don't click on the threat link, click on the quarantine line item (anywhere but the link) -- the threat details show up at the bottom of the window.  If you just have a line that says "> Threat Details," click on the triangle to reveal the details.  At first review, it displays "..." in the middle of the path.  Click on the details and it will show the entire path, although you might have to select the text and scroll sideways to view it.

    However, you can select the entire path, copy it, go to the finder, select Go->Go to Folder... and paste the path in to view it in the Finder.

    1b) Did you read the documentation?  It clearly outlines how to use AppleJack.  To use it, you restart your computer in single user mode (holding down command-S during a reboot), type applejack at the command prompt, and follow the menu instructions.

    2) Please follow http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Help-with-Creating-a-Custom-Scan-to-remove-a-Threat/td-p/1625

    :1003035
  • I keep getting the warning that I have the W32/Bagle-Zip, to be removed manually.
    Unfortunately, the path and file name that Sophos indicates does not seem to exist on my computer. I searched for the full file name (including hidden files) both on the MAC OS system and the Parallel system, to no avail.

    When I scan with other antivirus software (MacKeeper for Mac and Essentials for Parallel), no malware is detected.

    :1003563
  • May I ask what the path is?  Did you check to see if the same path was listed in the scan log as is listed in quarantine?

    :1003567
  • The malware is W32/Bagle-Zip, a Text.zip.

    The path given in the quarantine is:

    /Users/bernardportier/Library/Mail/V2/Mailboxes/Hobbies.mbox/PC.mbox/Internet.mbox/F736105

    The scan log does not seem to be accessible (greyed out) from the Sophos console.

    bernard

    :1003569
  • That explains things :)

    The path listed in quarantine is to an attached file cache within your Internet.mbox bundle for Mail.app.

    The malware in question is the mass-mailing Bagle worm, which replicates by sending zipped copies of itself over email.

    So, if you delete the email that came in containing the bagle worm, it should clear from Quarantine and also from your mailbox.

    :1003573
  • Thanks, this is a very cogent tip!

    However, how do I identify the damaging incoming email?

    Furthermore, does this mean that I have spread the malware in my own emails?

    :1003593
  • The "damaging" incoming mail will have an attachment, likely with a .exe, .pif, or .com extension.  This email might be from someone you know, but the message content should look a little strange.

    However, this is a Windows-only piece of malware, and will not execute or spread on a Mac.  So to prevent spreading it yourself, you just have to ensure that you never intentionally forward the message to anyone who uses Windows.  Of course, with On-Access scanning enabled, SAV will prevent you from doing this in the first place.

    :1003595
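
One way to find which stored message carries such an attachment, as an added example that is not part of the original thread or any Sophos tool. It assumes the mailbox folder holds messages as `.emlx` files (a byte-count line, then the raw message, then a property list) with attachments still embedded; `scan_mailbox`, `suspect_names`, `read_emlx` and `write_sample` are names made up for this sketch.

```python
import email, io, os, zipfile
from email import policy
from email.message import EmailMessage

SUSPECT_EXT = {".exe", ".pif", ".com"}  # extensions named in the reply above

def read_emlx(path):
    """Parse an .emlx file: line 1 is the byte length of the message that follows."""
    with open(path, "rb") as fh:
        length = int(fh.readline().strip())
        return email.message_from_bytes(fh.read(length), policy=policy.default)

def suspect_names(msg):
    """Attachment names (and names inside .zip attachments) with a suspect extension."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        names = [name]
        if name.lower().endswith(".zip"):
            try:  # list archive members only; nothing is extracted or executed
                data = part.get_payload(decode=True) or b""
                names += zipfile.ZipFile(io.BytesIO(data)).namelist()
            except zipfile.BadZipFile:
                pass
        hits += [n for n in names if os.path.splitext(n.lower())[1] in SUSPECT_EXT]
    return hits

def scan_mailbox(root):
    """Return (path, sender, subject, hits) for every message worth reviewing."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(f for f in files if f.endswith(".emlx")):
            path = os.path.join(dirpath, fname)
            msg = read_emlx(path)
            hits = suspect_names(msg)
            if hits:
                report.append((path, str(msg["From"]), str(msg["Subject"]), hits))
    return report

def write_sample(root):
    """Constructed test message: a harmless zip holding an empty file named Text.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Text.exe", b"")
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "sender@example.com", "Re: document"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Text.zip")
    raw = msg.as_bytes()
    with open(os.path.join(root, "1.emlx"), "wb") as fh:
        fh.write(str(len(raw)).encode() + b"\n" + raw + b"<plist/>")
```

Calling `scan_mailbox()` on the mailbox folder shown in the quarantine path returns the sender and subject of each flagged message, which is what you need to find and delete it in Mail.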
  • I could not find the attachment you are pointing to, but I deleted a number of old files in the folders specified by the quarantine message.

    This seems to work and the quarantine window is now empty.

    Two more questions: 

    1.  "On-access scanning" refers to my current free Sophos application or is it one to be purchased?

    2.  Can Sophos work safely simultaneously with other antiviruses, specifically MacKeeper for Mac and Windows Essentials for Parallel? [this seems to be the case, with Sophos able to spot out malware that the two others do not see]?

    :1003597