quarantine manager finds trojan, but then it disappears

I have free Sophos for Mac, and I get Quarantine Mgr telling me it finds a trojan called something like "trojan/iframe/jl" but the button to activate cleaning is dark (not active) and then within about 20 seconds the message disappears, and there is nothing to clean. Any idea? (I googled but did not find anything really similar.) Thanks. Karl.

:38281


This thread was automatically locked due to age.
  • Hello Karl,

    the forum for questions related to the Mac HE version is FreeTalk, in particular the Sophos Anti-Virus for Mac Home Edition board.

    To answer your question: The scanner tells QM what has been found and where, QM maintains this list along with the available actions. When you open QM it does a quick rescan and if it finds nothing in the indicated locations it prunes the list (as an aside, the scanner might have kicked off a cleanup routine which depending on the circumstances could take time - if it succeeds it also informs QM which removes the threat from the list). Thus if a threat is found in a temporary file which is subsequently deleted by the application the threat (listing) will "magically" disappear. As to the button - you have to "unlock" QM before the actions become available.

    HTH

    Christian 

    :38283
  • Gotcha. Appreciate the answer, thanks.

    :38311
  • I had the same thing happen to me today. I was just on the computer and all of a sudden Sophos pops up and says I have a trojan. I then go to the QM, and it's gone. And I can't recall the name of the Trojan.

    So here's the question: How do I know if the Trojan took effect or not? Or, did the QM detect it as soon as I got it? I wasn't doing a scan, mind you, when this happened.

    I want to know if I should change all my passwords.

    Thanks.

    :44591
  • Hello OceanDream,

    "Sophos pops up and says I have a trojan"

    it's probably beneficial to pay attention to phrasing: The pop up informs you about a detection, "have" is a fuzzy term. Of course you have a trojan in the sense that it is contained in some file(s). You don't necessarily have it in the sense that the program is actually executing. The detection means that the threat is at least blocked, i.e. execution is prevented. Depending on your settings following the detection a cleanup (if available) might be attempted or the file deleted. If this is the case there will naturally be nothing in QM.

    Whenever you get a pop up the event is also logged - thus you should find the details (what it was, where it has been detected and what happened to it) there.

    Note that in this simple form this applies to the Mac HE and detection by on-access scanning.

    Christian

    :44609
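
A small model of the behaviour described in the two replies above (the quarantine list is pruned on rescan once the file is gone, while the log keeps the event), added here as an illustration. It is not Sophos code and not part of the thread; the toy scanner, marker bytes, file name and threat name are constructed stand-ins.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Constructed stand-in for a detection signature; not a real one.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def scan(path):
    """Toy scanner: a file counts as a threat if it contains MARKER."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


@dataclass
class Monitor:
    quarantine: dict = field(default_factory=dict)  # path -> name (current state)
    log: list = field(default_factory=list)         # append-only history

    def on_access(self, path, name="Troj/Example"):  # hypothetical threat name
        """Called when a file is opened; returns False if access is blocked."""
        if scan(path):
            self.quarantine[path] = name
            self.log.append(f"detected {name} in {path}; access blocked")
            return False
        return True

    def open_manager(self):
        """Quick rescan of the listed locations; prune what is no longer there."""
        for path in list(self.quarantine):
            if not os.path.exists(path) or not scan(path):
                del self.quarantine[path]
        return dict(self.quarantine)


def demo():
    mon = Monitor()
    with tempfile.TemporaryDirectory() as cache:
        ad = os.path.join(cache, "ad.swf")   # constructed "cached page element"
        with open(ad, "wb") as fh:
            fh.write(b"FWS" + MARKER)
        allowed = mon.on_access(ad)          # detection: blocked and listed
        listed_before = len(mon.quarantine)
        os.remove(ad)                        # application clears its temp file
        listed_after = len(mon.open_manager())
    return allowed, listed_before, listed_after, len(mon.log)
```

The quarantine list reflects what is on disk now, so it is empty after the temporary file goes away; the log entry is the record to check for what was detected and where.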
  • I appreciate your answer, QC.

    1. Any way to know if the program was actually executing or not? I don't recall ever downloading anything from any questionable sites. Moreover, I haven't installed anything in a very, very long time.

    2. I looked into 'system.log' and could not find any reference to the pop up that occurred on October 30. Is there an obvious place for me to look so I can find it and get more details on the trojan? An obvious search term that will lead me to the specific log I'm looking for? I searched for "trojan" but didn't find anything.

    Thank you.

    P.S. - I have the free version. Sorry if I'm posting in the wrong forum.

    :44635
  • Hello OceanDream,

    not the system.log, the Sophos Anti-Virus.log. Just open Sophos' Preferences->Logging->View Log.

    Christian

    :44649
  • Hi Christian,

    Thank you for pointing me in the right direction.

    The following was the trojan in the logs: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~SWFRed-D.aspx

    The trojan is: Troj/SWFRed-D

    When I researched it on the link above, it said the "affected operating system" is Windows. In that case, does this mean it doesn't affect OS X? I would assume this is the case, but want to double check with you first.


    Thanks a billion,

    OceanDream

    :44675
  • Hello OceanDream,

    I'm not Sophos and even less Sophos Labs so this is just my personal opinion.

    You should take the Affected Operating Systems with a grain of salt and generally not interpret it as can not/will not/does not affect other OSs. It's a technical detail with a certain meaning - no more, no less. 

    Trying to answer your questions and address your concerns:

    "I don't recall ever downloading anything from any questionable sites"

    Web pages can be made up of dozens or even hundreds of elements and most of them you don't "download" - many of them often don't come from the site you visit. The threat could have been some animated ad (SWF referring to Flash).

    "I wasn't doing a scan"

    Unless you have on-access scanning turned off (which you shouldn't do) all files are assessed when they are opened and if necessary scanned. A browser usually downloads a page's elements to its cache and then opens them to process/display their contents.

    "Any way to know if the program was actually executing or not?"

    Troj/ detections are pre-execution - the file has been blocked before it could execute (whether it would have affected you or not).

    Christian

    :44705