Sophos is marking its own files as Malware and Trojans?

Greetings all,

Running MacOS X 10.8.4 (Mountain Lion) with Sophos 8.0.16C, Threat Detection Engine 3.45.0, Threat Data 4.91.

Last evening (July 28) I started receiving Quarantine notifications about several files (log snippet follows):

com.sophos.autoupdate: Updating catalogue information at 22:37:41 28 July 2013
com.sophos.autoupdate: Catalogue updated at 22:37:42 28 July 2013
com.sophos.autoupdate: Download started at 22:37:42 28 July 2013
com.sophos.autoupdate: Download completed at 22:37:59 28 July 2013
com.sophos.autoupdate: Software is up-to-date at 22:38:13 28 July 2013
com.sophos.autoupdate: Info: Checked primary server at 22:38 on 28 July 2013
com.sophos.autoupdate: Sophos Anti-Virus is up to date
com.sophos.autoupdate:
com.sophos.intercheck: Encrypted file: /Users/firstname_lastname/Library/SyncedPreferences/com.apple.syncedpreferences.plist
com.sophos.intercheck: Encrypted file: /Users/firstname_lastname/Library/SyncedPreferences/com.apple.Safari.plist
com.sophos.intercheck: 2013-07-28 22:49:32 -0400 Threat: 'Mal/Packer' detected in /Users/firstname_lastname/Library/SyncedPreferences/com.apple.Safari.plist
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2013-07-28 22:49:42 -0400 Threat: 'W32/Sality-AM' detected in /Library/Sophos Anti-Virus/VDL/sus01.vdb
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2013-07-28 22:49:51 -0400 Threat: 'Mal/Packer' detected in /Library/Sophos Anti-Virus/IDE/vbinj-ha.ide
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2013-07-28 22:50:11 -0400 Threat: 'Mal/Packer' detected in /Library/Preferences/com.sophos.sav.plist
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2013-07-28 22:52:54 -0400 Threat: 'Mal/Packer' detected in
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: Corrupt file: /Library/Preferences/com.sophos.sav.plist
com.sophos.intercheck: Corrupt file: /Library/Preferences/com.sophos.sav.plist
com.sophos.intercheck: Corrupt file:
com.sophos.intercheck: Encrypted file: /private/var/log/system.log
com.sophos.intercheck: 2013-07-28 23:19:04 -0400 Threat: 'Troj/BredoZP-LT' detected in /System/Library/CoreServices/Finder.app/Contents/Resources/tr.lproj/InfoPlist.strings
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2013-07-28 23:20:28 -0400 Threat: 'Mal/BredoZp-B' detected in /Users/firstname_lastname/Library/SyncedPreferences/com.apple.Safari.plist
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2013-07-28 23:20:28 -0400 Threat: 'Mal/BredoZp-B' detected in /Library/Preferences/com.sophos.sav.plist
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: 2013-07-28 23:20:29 -0400 Threat: 'Mal/JSRedir-M' detected in /Library/Preferences/.GlobalPreferences.plist
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck:
com.sophos.intercheck: Sophos Anti-Virus
com.sophos.intercheck: Version 4.91, 10 July 2013
com.sophos.intercheck: Includes detection for 5362598 viruses, trojans and worms
com.sophos.intercheck: Copyright (c) 1989-2012 Sophos Ltd, www.sophos.com

Some detections were Sophos files, others were system plist files. After researching the threats, all appear to only affect the Windows platform, not Mac OS X. In addition to that, Sophos seems to be detecting some of its own files, which is also strange.

Has anyone else seen this or similar behavior?

I've attempted to clean the threat on a couple of them from within Quarantine Manager, but Sophos just hangs forever and doesn't actually clean them, so that's likely not a viable option.

Appreciate any thoughts anyone might have.
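
A defender-side triage helper, added here as an example (it is not Sophos code and not part of the original post): it parses the com.sophos.intercheck "Threat: '...' detected in <path>" lines quoted above and records the false-positive indicators the post describes, namely a hit inside the scanner's own VDL/IDE definition data, a hit on a .plist or .strings text file, or a Windows-only (W32/) signature firing on a Mac. The definition-data paths, the suffix list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Constructed sample: a subset of the com.sophos.intercheck lines quoted above.
SAMPLE_LOG = """\
com.sophos.intercheck: 2013-07-28 22:49:32 -0400 Threat: 'Mal/Packer' detected in /Users/firstname_lastname/Library/SyncedPreferences/com.apple.Safari.plist
com.sophos.intercheck: Access to the file denied
com.sophos.intercheck: 2013-07-28 22:49:42 -0400 Threat: 'W32/Sality-AM' detected in /Library/Sophos Anti-Virus/VDL/sus01.vdb
com.sophos.intercheck: 2013-07-28 22:52:54 -0400 Threat: 'Mal/Packer' detected in
com.sophos.intercheck: 2013-07-28 23:19:04 -0400 Threat: 'Troj/BredoZP-LT' detected in /System/Library/CoreServices/Finder.app/Contents/Resources/tr.lproj/InfoPlist.strings
"""

# One "Threat: '<name>' detected in <path>" line; the path may be empty (see 22:52:54 above).
THREAT_RE = re.compile(
    r"^com\.sophos\.intercheck: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"Threat: '(?P<name>[^']+)' detected in\s*(?P<path>.*)$"
)
# Assumed locations of the scanner's own definition data (VDL/IDE): a hit there is
# far more likely a signature collision than an infection of the host.
AV_DATA_DIRS = ("/Library/Sophos Anti-Virus/VDL/", "/Library/Sophos Anti-Virus/IDE/")
# Property-list / string-table files cannot carry a Win32 executable infection.
TEXT_SUFFIXES = (".plist", ".strings")

def parse_threats(log_text):
    """Return [(timestamp, threat_name, path)] for every detection line; other lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = THREAT_RE.match(line)
        if m:
            hits.append((m["ts"], m["name"], m["path"].strip()))
    return hits

def fp_indicators(threat, path):
    """Reasons a detection looks like a false positive; an empty list means 'needs review'."""
    reasons = []
    if not path:
        reasons.append("no path logged")
    elif path.startswith(AV_DATA_DIRS):
        reasons.append("inside scanner's own definition data")
    elif path.endswith(TEXT_SUFFIXES):
        reasons.append("text/plist file, not an executable")
    if threat.startswith("W32/"):  # Sophos 'W32/' prefix: Windows executable malware
        reasons.append("Windows-only signature on a macOS host")
    return reasons

def triage(log_text):
    """Map each (timestamp, threat, path) detection to its false-positive indicators."""
    return {hit: fp_indicators(hit[1], hit[2]) for hit in parse_threats(log_text)}

for (ts, name, path), reasons in triage(SAMPLE_LOG).items():
    print(f"{ts}  {name:16s} {path or '<no path>'} -> {'; '.join(reasons) or 'review'}")
```

Detections that come back with no indicators are the ones worth a second look with an independent scanner; the rest match the pattern described in this thread.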

  • Hi, 

    I'm having this same problem when running OS 10.6.8.

    The automatic scan has notified me that over 100 of these trojans have been found; however, when I complete a scan with Sophos or 3 other antivirus programs, nothing is found. Also, when I try to remove the trojans called 'troj/tdlmbr-d', it says I have to do it manually, but I cannot find out how to do that.

    Any help would be greatly appreciated!! 

  • Thanks for the reply. I ended up just clearing the list in the quarantine manager and none of the findings have resurfaced since, so I'm not sure what caused the seemingly one-time event. I'll reply back to this thread if it occurs again, but so far, so good.