11 Replies Latest reply: Apr 10, 2014 2:01 PM by U2GT
NYCMAC Level 1 (0 points)

I would like to have step-by-step instructions to get rid of malware.

Thanks.


IMAC WITH LEOPARD, Mac OS X (10.5)
  • Kappy Level 10 (252,765 points)

    What malware?

     

    Helpful Links Regarding Malware Protection

     

    An excellent link to read is Tom Reed's Mac Malware Guide.

    Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.

    See these Apple articles:

     

    • Mac OS X Snow Leopard and malware detection
    • OS X Lion: Protect your Mac from malware
    • OS X Mountain Lion: Protect your Mac from malware
    • About file quarantine in OS X

     

    If you require anti-virus protection I recommend using ClamXav.

  • thomas_r. Level 7 (30,155 points)

    There is no one single set of instructions to get rid of any malware. It depends entirely on the malware in question.

     

    Why do you ask about this? Are you just trying to learn more about malware and how to handle it on a Mac? If so, see my Mac Malware Guide.

     

    If you actually think you're infected with something, tell us why you think that. Give us as many details as possible.

  • asoedjito Level 1 (0 points)

    Hello Thomas,

     

    I read your guide and I'm pretty certain someone hacked into my email (Exchange) account. The server support people are asking me to make sure I get rid of possible malware on my Mac before they re-enable my account.

     

    I'm using your recommended ClamXav. Are there any follow-up things that I need to do to ensure there is no malware left?

     

    Thanks in advance.

  • MadMacs0 Level 5 (4,560 points)

    asoedjito wrote:

     

    I'm using your recommended ClamXav. Are there any follow-up things that I need to do to ensure there is no malware left?

    You appear to be running an unsupported OS X, so you do need to be more cautious about malware. It's doubtful that you will find anything, but let us know if you do before you do anything about it. There are some specific cautions concerning possibly infected e-mails that require special handling by ClamXav or any other A-V software. That is to say, don't let it move any e-mail messages to quarantine or trash.

     

    If you have any issues running the software come to the ClamXav Forum for most efficient answers.

  • thomas_r. Level 7 (30,155 points)

    I read your guide and I'm pretty certain someone hacked into my email (Exchange) account. The server support people are asking me to make sure I get rid of possible malware on my Mac before they re-enable my account.

     

    Typical clueless IT folks. Sounds like they're worrying you, and hassling you, for nothing. E-mail accounts get hacked all the time, and that seldom involves malware on the victim's machine. (I've never heard of it involving malware when the victim is using a Mac.) Yet, for some reason, IT folks always insist that you check for malware.

     

    If it shuts them up and gets you access to your e-mail again, just tell them you scanned with ClamXav. That should be enough to get them off your back.

     

    Note that, as MadMacs0 said, Mac OS X 10.5 is no longer receiving security updates, so it's not as safe as more recent systems. That still doesn't make it very dangerous, as there's not a lot of malware targeting older systems like that these days. However, on such an old system, it's never a bad idea to run some low-profile anti-virus software. I prefer Sophos over ClamXav for that purpose.

  • asoedjito Level 1 (0 points)

    Thanks for the notice MadMacs0.

     

    I have run ClamXav and I found a whole bunch of 'infection', but there are only two types of them:

     

    Heuristics.Phishing.Email.SpoofedDomain

    Heuristics.Phishing.Email.SSL-Spoof

     

    Please let me know if you need more info to get more context. I read around, and it seems the above 'infection' is not threatening. Thoughts?

  • asoedjito Level 1 (0 points)

    However, on such an old system, it's never a bad idea to run some low-profile anti-virus software. I prefer Sophos over ClamXav for that purpose.

    Trying Sophos right now. Will see if I find anything new. Thanks.

  • MadMacs0 Level 5 (4,560 points)

    asoedjito wrote:

     

    Heuristics.Phishing.Email.SpoofedDomain

    Heuristics.Phishing.Email.SSL-Spoof

    The word "Heuristics" indicates that the e-mail purported to be from a list of mostly financial institutions and was processed using a special scanner that looks for anything suspicious in the message format. In this case it looks like both involved possible "Spoofed Domain"s (the column width seems to have cut off the full infection name). That would indicate that one or more hyperlinks in the message used different wording from what you see in blue underline and the URL of the site you will be taken to if you click on it. To see the latter, hover your cursor over the visible link and a tooltip window will pop up showing you where you would end up.

     

    Since legitimate links are also done that way to cut down on confusion, it's important that you open the e-mail and read it to make certain it's not something you need before getting rid of it. As an example, most actual American Express statements contain such links as images of their mobile app's availability on iTunes and Google Play.

     

    So here's my standard guidance:

     

    When possibly infected e-mail files are found:

    • Highlight the entry in the ClamXav window's top pane that needs to be dealt with.
    • Right-click/Control-click on the entry. 
    • Select "Reveal In Finder" from the pop-up menu.
    • When the window opens, double-click on the file to open the message in your e-mail client application.
    • Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (reading it is especially important when the word "Heuristics" appears in the infection name).
    • If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
    • If this is a Gmail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.
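
    As an added example (not from this thread and not ClamXav's own code), the check MadMacs0 describes above, a link whose visible text shows one domain while its underlying URL points to another, can be run over an HTML message body with a few lines of Python. The message body and host names below are constructed for the demo, and the two-label "registrable domain" helper is a simplification of what a real scanner would do with a public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible link text that "claims" a host, e.g. "https://www.example-bank.com/login".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def registrable_domain(host):
    # Simplified eTLD+1 (last two labels); a real scanner would use a suffix list.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    # Collects (href, visible text, contains-image) for every <a> element.
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", "", False]
        elif tag == "img" and self._cur is not None:
            self._cur[2] = True          # image link: nothing visible to spoof
    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None

def spoofed_domain_links(html_body):
    """Return (visible text, href) for links whose shown domain != real domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text, has_img in parser.links:
        shown = HOST_RE.search(text.strip())
        if has_img or not shown:         # image links and "Click here" claim no host
            continue
        real_host = urlparse(href).hostname or ""
        if real_host and registrable_domain(real_host) != registrable_domain(shown.group(1)):
            findings.append((text.strip(), href))
    return findings

# Constructed sample message: one spoofed link, one honest link, one image link.
SAMPLE_EMAIL = """<html><body>
<p>Please verify your account at
<a href="http://login.example-bank.com.accounts-verify.example/verify">https://www.example-bank.com/login</a></p>
<p>Your statement: <a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a></p>
<p><a href="https://www.example-bank.com/app"><img src="cid:appstore"></a></p>
</body></html>"""
```

    Calling `spoofed_domain_links(SAMPLE_EMAIL)` returns only the first link, which is exactly the kind of message the heuristic name points at; the honest text link and the image link pass, which is why the post says to read the message before deleting it.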
  • U2GT Level 1 (0 points)

    From above, "That is to say, don't let it move any e-mail messages to quarantine or trash."

     

    Why? I can't find an explanation that makes sense for why one should not trash a message from ClamXav. It turns out that my wife and I have been doing this because Clam gives you this option so easily. Why would Clam give a popup to delete something if you are not supposed to trash this way? Just doesn't make sense.

     

    What do I do now that we've already trashed many emails using ClamXav?  I've never had any trouble with this.

     

    Why can't there be a malware program that just works easily on a Mac?  I have thousands of emails on my mac and having to find them in the Finder and check each one and then go back into the email program to delete them seems like a highly inefficient way of doing this.  If I get 10 of these, it takes way too much time.

     

    Can someone please explain why ClamXav offers this pop up option but we shouldn't use it?  And do I need to fix anything now that we've already done this many times? 

  • MadMacs0 Level 5 (4,560 points)

    For fastest, most efficient answers to questions such as these, please visit the ClamXav Forum.

    U2GT wrote:

     

    From above, "That is to say, don't let it move any e-mail messages to quarantine or trash."

     

    Why? I can't find an explanation that makes sense for why one should not trash a message from ClamXav.

    Sorry that I didn't include that part.

     

    Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail.

     

    So, if you choose to "Scan e-mail content for malware and phishing" in the General Preferences, make sure you do not elect to either Quarantine or Delete infected files.

     

    This is slowly changing in that the latest versions of ClamXav 2.6.2 will not automatically move Apple Mail e-mail and ignores the Quarantine setting. Sentry still does, so those are the preferences you need to pay attention to for now. If you use the popup menu in the ClamXav window and select Quarantine or Delete then you will get a popup asking you if you're sure you want to do that.

    What do I do now that we've already trashed many emails using ClamXav?  I've never had any trouble with this.

    Then you may not have to do anything. Even though the mailbox index was corrupted, it may not ever cause you the type of problems I outlined above (recurring e-mail and inability to search). If it does then you will need to either rebuild or reindex each affected mailbox. Instructions for doing this vary somewhat by version of OS X, but you can either check support.apple.com for the appropriate one or let me know what you are using and I can google it for you. In the past, Gmail users seem to have more of these issues than with other e-mail providers.

    Why can't there be a malware program that just works easily on a Mac?

    Mark, the developer, has been struggling with finding a means of doing just that for a number of years now, so if you have any ideas please share them with him. As it stands right now, it's an Apple requirement that Mail, iPhoto, iTunes and probably other apps of theirs be 100% responsible for the files they control. If there were a lot of infected photos or music files around, then you'd be reading the same cautions for them. Many of the other A-V products just tell you they are unable to "clean" the infection and tell you to do it manually. It's the same issue.

  • U2GT Level 1 (0 points)

    Thank you for taking the time to write such a comprehensive response.  Much appreciated!