Clarification about some basic questions

Hi there, Recently, I've been getting an alarming number of on-access scanning alerts which tell me that there's Exp/MS04-028 (this happens during normal internet browsing - no funny sites), so I open Quarantine Manager - but the clean up threat and the other button are greyed out, and the threat listing disappears after a couple of seconds - this happens when I've set the 'when a threat is found' option to deny access and other times to clean up threat.

Just some stupid questions:

- Why does it disappear from the quarantine manager list by itself?

- Does deny access mean that the spyware/virus is barred from infecting my Mac?

- What's everyone's personal 'when a threat is found' option?

- If I pick clean up threat as the first option of the 'when a threat is found' action, does that mean the spyware is allowed to access my Mac?

- Every time I get one of these, should I change my passwords and etc just in case? I'm not actually sure whether the spyware has actually infected my Mac if i set the option to deny access or clean up threat.

- When the on-access warning window pops up, does it mean that Sophos has encountered the spyware while I've been doing my usual internet browsing, or has it encountered it while 'patrolling' my Mac's folders and whatever (so a file I already have is infected with this)?

Not related to this issue, but when I do an on-demand scan, the scanning animation for the last couple of thousand files does not occur - it goes straight to the final results (which also happens to be no threats detected all the time). Is that normal?

This has just worried me a lot, and clarification would be great! Thanks in advance.

  • You've raised some excellent questions in an easy to follow way; I'll attempt to answer them in-line below.

    morphemes wrote:

    Hi there, Recently, I've been getting an alarming number of on-access scanning alerts which tell me that there's Exp/MS04-028 (this happens during normal internet browsing - no funny sites), so I open Quarantine Manager - but the clean up threat and the other button are greyed out, and the threat listing disappears after a couple of seconds - this happens when I've set the 'when a threat is found' option to deny access and other times to clean up threat.

    Just some stupid questions:

    - Why does it disappear from the quarantine manager list by itself?

    The Quarantine Manager reflects the actual state of your filesystem; when the detected file is gone from your disk, it is automatically gone from the QM.

    - Does deny access mean that the spyware/virus is barred from infecting my Mac?

    Essentially, yes.  It means that no other process on your computer can access the file.

    - What's everyone's personal 'when a threat is found' option?

    Mine's "Deny Access".  If I wasn't as conversant with the OS, I'd probably choose "Deny Access and Move Threat" so that finding the detected files would be easy (and they'd be automatically pulled from caches/etc. where they could cause harm)

    - If I pick clean up threat as the first option of the 'when a threat is found' action, does that mean the spyware is allowed to access my Mac?

    No; it means that when malware is detected on your computer, the first attempt will be to remove malicious code from the file if it is infected with a virus, or the file will be deleted from your computer if the entire file is malicious.  Some supporting files affected by the malware may also be restored to a known-good state (removing domain redirects from the hosts file, removing self-running configurations from launchd, etc.)  If all this fails, the detected file will still be denied access to other processes.

    - Every time I get one of these, should I change my passwords and etc just in case? I'm not actually sure whether the spyware has actually infected my Mac if i set the option to deny access or clean up threat.

    This specific detection is for a badly formed JPEG image that can cause a security hole in unpatched versions of Microsoft Windows.  As such, it will not affect your Mac at all.  You're likely seeing it on JPEG files that are partially downloaded to your web cache during browsing.  Once the entire image is downloaded, or when the image is removed from the temporary cache, the detection will usually disappear.

    - When the on-access warning window pops up, does it mean that Sophos has encountered the spyware while I've been doing my usual internet browsing, or has it encountered it while 'patrolling' my Mac's folders and whatever (so a file I already have is infected with this)?

    On-Access gets to look at all file access on your computer before the access is allowed/denied.  Since the file needs to exist for detection, files are usually detected just after the file has been written to disk, but before they are read from disk by any other process.  Detection happens in real-time as you're using your files, and every attempt to read data from your computer gets vetted by On-Access scanning.

    Not related to this issue, but when I do an on-demand scan, the scanning animation for the last couple of thousand files does not occur - it goes straight to the final results (which also happens to be no threats detected all the time). Is that normal?

    Yes.  Likely, one of the files just before that is an archive, which causes the progress bar to stall while its contents are unpacked and scanned; the files after that are likely so small that scanning is near-instantaneous from a human perspective, so they're all scanned before the progress bar updates.  Updating the progress bar for each file scanned would cause very noticeable system slowdown.

    This has just worried me a lot, and clarification would be great! Thanks in advance.

    I hope the clarification has cleared things up for both you and others :)


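The detection discussed in the answer above is for a malformed JPEG, and the answer explains why a half-downloaded image in the browser cache can trip it. As an added illustration (not code from this thread or from Sophos), the Python below walks a JPEG's marker segments and separates three cases: a complete file, a truncated download like the cache case described, and a segment whose declared length is smaller than its own two-byte length field, which is the malformed comment (COM) segment condition that MS04-028 describes. The sample byte strings are constructed here for the demonstration.

```python
import struct

RESTART_MARKERS = set(range(0xD0, 0xD8))          # RSTn: no length field
STANDALONE = RESTART_MARKERS | {0x01, 0xD8, 0xD9}  # TEM, SOI, EOI: no length field


def seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the length field counts itself (2 bytes) plus payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def check_jpeg(data: bytes) -> str:
    """Return 'ok', 'truncated', 'malformed' or 'not-jpeg' after walking the segments."""
    if data[:2] != b"\xff\xd8":
        return "not-jpeg"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return "malformed"                     # expected a marker prefix here
        if pos + 1 >= len(data):
            return "truncated"                     # prefix byte but no marker code
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                         # EOI: the file is complete
            return "ok"
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return "truncated"                     # length field cut off
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return "malformed"                     # cannot even cover the length field (MS04-028 case)
        if pos + 2 + seg_len > len(data):
            return "truncated"                     # declared segment runs past the data we have
        pos += 2 + seg_len
        if marker == 0xDA:                         # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in RESTART_MARKERS and data[pos + 1] != 0x00
            ):
                pos += 1
    return "truncated"                             # ran out of bytes before EOI


# Constructed samples: a tiny complete file, the same file cut off mid-download, and a COM segment
# whose length field says 1, i.e. the malformed comment segment.
GOOD = b"\xff\xd8" + seg(0xE0, b"JFIF\x00") + seg(0xFE, b"hello") + b"\xff\xd9"
TRUNCATED = GOOD[:-4]
MALFORMED = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"
```

Running `check_jpeg` over a cache directory would report the partial downloads as truncated rather than malformed, which is the distinction the answer draws.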
  • Hi there,

    The exact same thing the OP described has been happening to me over the past few days (and I'm also on a Mac), so I just wanted to clarify - the notification disappearing means that Sophos has handled the threat and my computer is not infected in any way? I had a knack for getting lots of viruses on my past PCs which is part of why I switched to a Mac, so I freaked out the first time this happened, thinking that of course I'd managed to get a virus on a Mac as well. Is there anything I can do to keep from getting this virus in the first place?

    Thank you!

  • Hi,

    Just switched from ESET to Sophos for my Mac OS X 10.7.1, and overall am happy with the product.

    However, I didn't notice any alert message pop up when malware is detected. I tested by downloading the EICAR test file; Sophos managed to delete the EICAR test file, and the status icon showed an exclamation symbol. But there wasn't any pop-up alert message.

    I think it is rather important to have the pop-up alert message whenever malware is detected, so I am aware of what contained such malware and can be cautious about it.

    Cheers.

  • The notification disappearing means that the malicious file is no longer on your computer -- this is either because Sophos removed it (in which case you would have got an alert or message stating this was happening) or because the malicious file was in your cache folder and the OS purged it automatically.

    To repeat: if you already have Sophos installed and you're getting these alerts via the On-Access scans, Sophos is preventing anything from happening; the file has ended up on your computer, but is completely harmless, as it is being blocked by Sophos.  Your computer has never become infected, it has just had a malicious file dropped onto it via some means (likely your web browser).

    On any platform, the best way to prevent these files from showing up in the first place is to disable Java and Javascript in the web browser.  My particular favourite method is to run the NoScript plugin in Firefox; I only use Safari on specific sites which do not like this setup, and which are digitally signed.  You should also ensure that the "Open 'safe' files after downloading" checkbox in Safari's General Preferences pane is UNCHECKED.  Safari considers PDF documents and Zip archives to be "safe" and will run them.  Javascript is enabled by default in most PDF viewers, which means with that checkbox checked, any web site attempting to serve a PDF to a Safari web browser can automatically run malicious javascript within the PDF, and your web browser has no way to stop it.  All browsers except Safari prevent this sort of activity by default.

    The reason we tend to use the term "malware" instead of "virus" is that viruses attach themselves to software already running on your computer to spread and perform their design tasks -- most other malicious software (malware) requires you or your computer to intentionally run it, and it runs as a unique process that can be identified and controlled/eliminated.  Almost all malware for OS X falls under this category.

    Remember too, that Sophos detects ALL malware, including all the Windows drive-by malware that your web browser will happily download and attempt to run on your Mac -- but it won't run even without Sophos Anti-Virus, because it's designed to work on Windows.  It will, however, still sit there in your browser cache until the OS cleans it up.
