
Sophos found a virus and trojan in Time Machine backup. What to do?

I ran Sophos Anti-Virus last night and it found two Windows viruses (one of them is Troj/20120158-P, a trojan, the other is Mal/TibsPk-A, a "malicious behavior" type). Both are attachments on emails that are in Time Machine only. Obviously I'm not worried about them affecting the Mac, but I'd like to avoid accidentally sending them to some poor victim who's using Windows.


I can track down the files by going into the drive and manually deleting them, but would that mess up Time Machine? Is there a better solution?


Thanks!

Mac Pro, Mac OS X (10.6.8), 2.17 TB storage, 64GB 4G iPod touch

Posted on May 22, 2013 8:38 AM

Question marked as Best reply

Posted on May 22, 2013 8:45 AM

I can track down the files by going into the drive and manually deleting them, but would that mess up Time Machine?


Yes. If the emails no longer exist on your source volume then just forget about them, unless you have reason to restore your system or the emails from the Time Machine backup. In that event, just delete the suspect email, as you normally would.

May 22, 2013 9:58 AM in response to TopTechWriter.US

You should never poke around in your Time Machine backups to delete files in the Finder. That can damage the backups. You also should make sure that Sophos does not attempt to quarantine files from your Time Machine backup. In fact, you probably should ensure that Sophos (and any other anti-virus software) never touches your Time Machine backups in any way, even just for scanning. Let Sophos do its job of keeping the malware off your main hard drive, and leave Time Machine alone to back up freely without interference.


As for how to handle those e-mail messages in your backups, I would just leave them. They're not doing any harm there, and there's almost no chance that a chain of circumstances would arise that would result in you restoring those messages and then sending them to a Windows user. They will eventually be removed from your backups, when the backup drive fills up and Time Machine has to start removing the oldest deleted files from the backup to make room for new stuff.

May 22, 2013 7:07 PM in response to TopTechWriter.US

TopTechWriter.US wrote:


I can track down the files by going into the drive and manually deleting them, but would that mess up Time Machine? Is there a better solution?

Let me start by saying I agree completely with what others have told you so far, but to answer this part of your question directly, the only way to safely delete files from a Time Machine backup is by entering Time Machine, highlighting the file and using the "Delete All Backups of..." command from the Action (gear) menu in the Toolbar. That, to me, would not be worth the effort involved in figuring out the name and location of the file. The best time to do that is if and when you discover confirmed malware on your hard drive, before you delete it from there. I would simply make a mental note that restoring from backup may result in the restoration of confirmed or suspected malware and run an A-V scan immediately after you have restored.

May 16, 2015 2:44 AM in response to MadMacs0

That, to me, would not be worth the effort involved in figuring out the name and location of the file.

No effort at all.

- In Sophos you can click "Show in Finder", which takes you to the file (within the backup)

- Right click on the file and select "Get Info"

- Select the path after "Where" and copy (e.g. using Cmd-C)

- Go to Time Machine (e.g. via icon in menu)

- Press Cmd-Shift-G and paste the path in the pop-up window. This will take you directly to the file.

- Right click on the file and select "Delete all backups of ..."

- Done!
