Virus that will try to Remove Sophos?

I am a new user of Sophos; I just switched from iAntivirus because it has been update-free on my end for the past few months (something I thought was odd), so I installed Version 8.0.1C. I have an MBP running OS X 10.5.8.

Here is my question, in your finder at the bottom left there is a "Search For" drop menu with Today, Yesterday, Past Week, All Images/Movies/Documents. I like to look at this to make sure nothing terrible is happening or running when it shouldn't (humor me if this is dumb). But I noticed that Today I had Sophos open at 4am (I was asleep) and Remove Sophos run at 4am. 

Sophos is still installed on my computer, as uninstalling it would need my admin password, but I am worried that something is trying to remove Sophos from my computer. I've run 2 full scans since installing it a few days back and it turned up no detected threats, nor did it quarantine anything.

So is this normal? Why would the Sophos Application run by itself and more importantly why would the Remove Sophos Application run at exactly the same time?

Thank you for any input; if you need more info, I can give it.

Ekin

  • The Remove Sophos app running by itself seems extremely suspicious; the Sophos Anti-Virus app running is not so suspicious, especially if you have a scheduled scan.

    You may want to check:

    System Preferences -> Sharing

    and see if you're sharing anything you shouldn't be.  Remember that Remote Login is password-based by default.

    Beyond this, you may want to familiarize yourself with Activity Monitor.  Set it to All Processes, Hierarchically -- you'll probably have around 80 listed.  You can sort by user to see which processes are running as root, and which are running as you.  The hierarchical view is useful as it shows you how the various processes were launched, and at what user level.

    Beyond this, you may want to run Console.app.  System Log Queries is useful to check for things that aren't running as expected, and /Library/Logs/Sophos Anti-Virus.log will show you when it last updated -- if this was at 4 AM, you've got your answer as to what was happening (an upgrade).

    You may also want to check /Library/Logs/appfirewall.log, as it will show you what network activity is being allowed, and from where.

    Look around at the other logs too, as everything's there for a reason :)  If you don't understand what something means, a quick Google search should help, if it's an important log item.

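The checks the reply walks through (what the Sophos log recorded around 04:00, which root processes were launched from a user-level parent, and what the application firewall allowed) can be scripted so the same questions get asked the same way each time. The script below is an added example written for this page; it is not code from the thread, from the reply's author, or from Sophos. The two log paths are the ones the reply names. Everything else is an assumption: the line formats of the sample logs, the process and program names, the addresses and the user name `ekin` in the `SAMPLE_*` data are constructed for the example, and the script falls back to that sample data whenever the real files are not readable, so it also runs on a non-Mac system.

```shell
#!/bin/sh
# Added example for this thread, not Sophos code. Scripts the three checks from the
# reply: what the Sophos log says happened around 04:00, which root processes were
# launched from a user-level parent, and what the application firewall allowed.
# ASSUMPTIONS: the two log paths are the ones the reply names; every line format,
# process name, address and user name in the SAMPLE_* data below is constructed.

SOPHOS_LOG="/Library/Logs/Sophos Anti-Virus.log"
FIREWALL_LOG="/Library/Logs/appfirewall.log"

# Constructed sample logs (assumed formats), used when the real files are absent.
SAMPLE_SOPHOS='2012-03-14 02:30:11 Scheduled scan finished: 0 threats
2012-03-14 03:59:58 Checking for updates
2012-03-14 04:00:03 Update succeeded: new version installed
2012-03-14 04:00:06 Sophos Anti-Virus started
2012-03-14 09:15:40 On-access scanner running'

SAMPLE_FIREWALL='Mar 14 04:00:10 mbp Firewall[70]: Allow SophosUpdater connecting from 192.0.2.10:443 uid = 0 proto=6
Mar 14 04:00:11 mbp Firewall[70]: Allow SophosUpdater connecting from 192.0.2.10:443 uid = 0 proto=6
Mar 14 09:16:02 mbp Firewall[70]: Deny helper connecting from 198.51.100.7:4444 uid = 0 proto=6'

# Constructed "ps -axo pid,ppid,user,comm" output: pid 450 runs as root but its
# parent (pid 300) is the user's own Finder, which is the kind of thing the
# hierarchical view in Activity Monitor makes stand out.
SAMPLE_PS='    1     0 root  /sbin/launchd
  120     1 root  /Library/Sophos-example/scanner
  300     1 ekin  /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  450   300 root  /Users/ekin/Downloads/helper
  460   300 ekin  /Applications/Safari.app/Contents/MacOS/Safari'

# Print the real log if readable, otherwise the constructed sample.
load_log() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s\n' "$2"; fi
}

# Lines whose "YYYY-MM-DD HH:MM:SS" timestamp falls in hour $2 (two digits, e.g. 04).
events_at_hour() {
    printf '%s\n' "$1" | awk -v h="$2" 'substr($2, 1, 2) == h'
}

# Timestamp of the most recent update-related entry, or "none".
last_update_time() {
    printf '%s\n' "$1" | awk '/[Uu]pdate/ { ts = $1 " " $2 }
                              END { print (ts == "" ? "none" : ts) }'
}

# Root-owned processes whose parent runs as an ordinary user, with the parent shown.
root_from_user_parent() {
    printf '%s\n' "$1" | awk '
        {
            cmd = $0
            sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
            pid[NR] = $1; ppid[NR] = $2; user[NR] = $3; command[NR] = cmd
            owner[$1] = $3; path[$1] = cmd
        }
        END {
            for (i = 1; i <= NR; i++)
                if (user[i] == "root" && (ppid[i] in owner) && owner[ppid[i]] != "root")
                    printf "pid %s %s (parent pid %s, user %s, %s)\n",
                           pid[i], command[i], ppid[i], owner[ppid[i]], path[ppid[i]]
        }'
}

# Allow/Deny decisions per program in an appfirewall-style log.
firewall_summary() {
    printf '%s\n' "$1" | awk '/Firewall\[/ { n[$6 " " $7]++ }
                              END { for (k in n) print k, n[k] }' | sort
}

# ---- run the checks: live data on the Mac itself, constructed samples elsewhere ----
sophos_text=$(load_log "$SOPHOS_LOG" "$SAMPLE_SOPHOS")
echo "Sophos log entries in the 04:00 hour:"
events_at_hour "$sophos_text" 04
echo "Last update entry: $(last_update_time "$sophos_text")"

ps_text=$(ps -axo pid,ppid,user,comm 2>/dev/null | tail -n +2)
[ -n "$ps_text" ] || ps_text=$SAMPLE_PS
echo "Root processes launched from a user-level parent:"
root_from_user_parent "$ps_text"

echo "Application firewall decisions per program:"
firewall_summary "$(load_log "$FIREWALL_LOG" "$SAMPLE_FIREWALL")"
```

Run it with `sh sophos_checks.sh`. On the Mac in question it reads the real logs and the live process list; an update entry at 04:00 in the Sophos log is the benign explanation the reply points to, whereas a root process whose parent is a user-level process, or a firewall Allow for a program you do not recognise, is what to look at next.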