
Clarification about some basic questions

Hi there. Recently, I've been getting an alarming number of on-access scanning alerts which tell me that there's Exp/MS04-028 (this happens during normal internet browsing - no funny sites), so I open Quarantine Manager - but the clean up threat and the other button are greyed out, and the threat listing disappears after a couple of seconds - this happens when I've set the 'when a threat is found' option to deny access and other times to clean up threat.

Just some stupid questions:

- Why does it disappear from the quarantine manager list by itself?

- Does deny access mean that the spyware/virus is barred from infecting my Mac?

- What's everyone's personal 'when a threat is found' option?

- If I pick clean up threat as the first option of the 'when a threat is found' action, does that mean the spyware is allowed to access my Mac?

- Every time I get one of these, should I change my passwords etc. just in case? I'm not actually sure whether the spyware has actually infected my Mac if I set the option to deny access or clean up threat.

- When the on-access warning window pops up, does it mean that Sophos has encountered the spyware while I've been doing my usual internet browsing, or has it encountered it while 'patrolling' my Mac's folders and whatever (so a file I already have is infected with this)?

Not related to this issue, but when I do an on-demand scan, the scanning animation for the last couple of thousand files does not occur - it goes straight to the final results (which also happens to be no threats detected all the time). Is that normal?

This has just worried me a lot, and clarification would be great! Thanks in advance.

  • You've raised some excellent questions in an easy to follow way; I'll attempt to answer them in-line below.

    morphemes wrote:

    Hi there. Recently, I've been getting an alarming number of on-access scanning alerts which tell me that there's Exp/MS04-028 (this happens during normal internet browsing - no funny sites), so I open Quarantine Manager - but the clean up threat and the other button are greyed out, and the threat listing disappears after a couple of seconds - this happens when I've set the 'when a threat is found' option to deny access and other times to clean up threat.

    Just some stupid questions:

    - Why does it disappear from the quarantine manager list by itself?

    The Quarantine Manager reflects the actual state of your filesystem; when the detected file is gone from your disk, it is automatically gone from the QM.

    - Does deny access mean that the spyware/virus is barred from infecting my Mac?

    Essentially, yes.  It means that no other process on your computer can access the file.

    - What's everyone's personal 'when a threat is found' option?

    Mine's "Deny Access".  If I wasn't as conversant with the OS, I'd probably choose "Deny Access and Move Threat" so that finding the detected files would be easy (and they'd be automatically pulled from caches/etc. where they could cause harm).

    - If I pick clean up threat as the first option of the 'when a threat is found' action, does that mean the spyware is allowed to access my Mac?

    No; it means that when malware is detected on your computer, the first attempt will be to remove malicious code from the file if it is infected with a virus, or the file will be deleted from your computer if the entire file is malicious.  Some supporting files affected by the malware may also be restored to a known-good state (removing domain redirects from the hosts file, removing self-running configurations from launchd, etc.).  If all this fails, the detected file will still be denied access to other processes.

    - Every time I get one of these, should I change my passwords etc. just in case? I'm not actually sure whether the spyware has actually infected my Mac if I set the option to deny access or clean up threat.

    This specific detection is for a badly formed JPEG image that can cause a security hole in unpatched versions of Microsoft Windows.  As such, it will not affect your Mac at all.  You're likely seeing it on JPEG files that are partially downloaded to your web cache during browsing.  Once the entire image is downloaded, or when the image is removed from the temporary cache, the detection will usually disappear.

    - When the on-access warning window pops up, does it mean that Sophos has encountered the spyware while I've been doing my usual internet browsing, or has it encountered it while 'patrolling' my Mac's folders and whatever (so a file I already have is infected with this)?

    On-Access gets to look at all file access on your computer before the access is allowed/denied.  Since the file needs to exist for detection, files are usually detected just after the file has been written to disk, but before they are read from disk by any other process.  Detection happens in real-time as you're using your files, and every attempt to read data from your computer gets vetted by On-Access scanning.

    Not related to this issue, but when I do an on-demand scan, the scanning animation for the last couple of thousand files does not occur - it goes straight to the final results (which also happens to be no threats detected all the time). Is that normal?

    Yes.  Likely, one of the files just before that is an archive, which causes the progress bar to stall while its contents are unpacked and scanned; the files after that are likely so small that scanning is near-instantaneous from a human perspective, so they're all scanned before the progress bar updates.  Updating the progress bar for each file scanned would cause very noticeable system slowdown.

    This has just worried me a lot, and clarification would be great! Thanks in advance.

    I hope the clarification has cleared things up for both you and others :)


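As an added example (not Sophos code and not from either poster), the small JPEG header walker below shows the condition the Exp/MS04-028 detection refers to and why a half-downloaded image can look suspicious to a scanner: it separates a genuinely impossible segment length from a merely truncated header, which is the state a partially downloaded image is in. The MS04-028 detail (a COM segment declaring length 0 or 1 makes unpatched GDI+ underflow) is public record; the verdict names, the rest of the rules and the sample bytes are my own constructions.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

def inspect_jpeg(data: bytes) -> dict:
    """Walk segment headers up to SOS/EOI and classify the file.
    'ms04-028-pattern' means a COM segment declares length 0 or 1, which
    is impossible in a valid file and made unpatched GDI+ underflow."""
    segs = []
    if data[:2] != b"\xff\xd8":
        return {"verdict": "not-jpeg", "segments": segs}
    pos = 2
    while True:
        if pos + 2 > len(data):                 # marker itself cut off
            return {"verdict": "truncated", "segments": segs}
        if data[pos] != 0xFF:                   # lost sync: not a marker
            return {"verdict": "corrupt", "segments": segs}
        marker = data[pos + 1]
        if marker in STANDALONE:
            segs.append((marker, 0))
            if marker == 0xD9:                  # EOI: header region complete
                return {"verdict": "ok", "segments": segs}
            pos += 2
            continue
        if pos + 4 > len(data):                 # length field cut off
            return {"verdict": "truncated", "segments": segs}
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((marker, length))
        if length < 2:                          # length counts its own 2 bytes
            verdict = "ms04-028-pattern" if marker == 0xFE else "bad-length"
            return {"verdict": verdict, "segments": segs}
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            return {"verdict": "ok", "segments": segs}
        pos += 2 + length
        if pos > len(data):                     # payload runs past the data
            return {"verdict": "truncated", "segments": segs}

# Constructed samples: a minimal JFIF header with a 5-byte comment, the same
# file cut off mid-comment (a half-downloaded image), and a COM length of 0.
APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_JPEG = b"\xff\xd8" + APP0 + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
TRUNCATED_JPEG = GOOD_JPEG[:-5]
MALFORMED_JPEG = b"\xff\xd8" + b"\xff\xfe\x00\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("truncated", TRUNCATED_JPEG),
                       ("malformed", MALFORMED_JPEG)):
        print(name, inspect_jpeg(blob)["verdict"])
```

Run against a browser cache directory, a file that reports "truncated" on one pass and "ok" a moment later is simply still downloading, which matches the behaviour described in the answer.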