
iMac (OSX 10.10.2) infected with Win.Trojan.Graftor-1897 and Heuristics.Phishing.Email.SpoofedDomain

I have recently received a few spams, so I decided, just in case, to scan my iMac with the free AppStore ClamXav tool. The result was disappointing. Apparently I have a few (8!) corrupted files:




What should I do now? Leave the files where they are, as they might perhaps be some old files from my previous Win computer? My OS X (10.10.2) and Safari (8.0.4) are up to date.

Your advice will be appreciated.

iMac (27-inch Mid 2010), OS X Yosemite (10.10.2), Final Cut Pro

Posted on Mar 18, 2015 11:59 AM


Mar 18, 2015 1:20 PM in response to William Lloyd

"Maybe delete the offending emails from within Mail?"


From the few sources I perused (including the ClamXav forum), the general conclusion is to do nothing. Does it mean that the OS X and Safari security are 100% effective and strong? If so, why are there numerous commercial anti-malware tools available (e.g. by Norton and Kaspersky, and even the free AppStore ClamXav) developed and offered specifically for Mac?


My intuition would be to delete those files but the advice on the fora is to be careful as such action might corrupt the mail system.

Please comment/advise. Thanks.

Mar 18, 2015 2:27 PM in response to kriscena

kriscena wrote:


Does it mean that the OS X and Safari security are 100% effective and strong?

Nothing is 100% anything.

If so, why are there numerous commercial anti-malware tools available (e.g. by Norton and Kaspersky, and even the free AppStore ClamXav) developed and offered specifically for Mac?

Because you have money in your bank account and those corporations would prefer if that money were in their bank account.

To be perfectly clear about this: Let's assume OS X and Safari are 93% effective and strong against malware. Installing a 3rd party antivirus tool is not going to get you to 100% or even 94%. It will get you to maybe 37%.

The only significant Mac malware problem today is with adware. The antivirus software will not block adware. People who come here with adware infections often have antivirus software installed too. If you are concerned about adware, install an adware blocker like AdBlock from https://getadblock.com. Be careful about installing an adware blocker from any other source. I know this specific adblock site is good, other sites may not be. Some ad blockers actually facilitate the delivery of ads to your Mac. If you haven't guessed by now, the internet is bursting at the seams with scams. One of the biggest scams is antivirus. If Apple thinks you need it, it will already be installed on your Mac.


My intuition would be to delete those files but the advice on the fora is to be careful as such action might corrupt the mail system.

Please comment/advise.

Delete your antivirus instead. The only thing it has accomplished so far is waste your time.

Mar 18, 2015 2:53 PM in response to kriscena

kriscena wrote:


From the few sources I perused (including the ClamXav forum) the general conclusion is to do nothing.


That conclusion is justified.


Better yet, use nothing. The emails appear to contain Windows malware that is inert in OS X. ClamXav's "heuristics" will often implicate emails that are nothing to be concerned about either. Delete the email messages, or just ignore them.


Does it mean that the OS X and Safari security are 100% effective and strong?

It means nothing. There are effective approaches to device information security, and ineffective ones. Software is an ineffective defense against threats that exist today. The epoch characterized by the prevalence of "computer viruses" is ending, along with the demise of the Windows PC platform that engendered its proliferation. Using "anti-virus" software on a Mac is a waste of time and effort.


- If so, why are there numerous commercial anti-malware tools available


The reason is that anti-virus peddlers are desperate to assert their continued relevance as their legacy market collapses around them. They only recently turned their attention to Macs, which were never vulnerable to viruses to begin with, not since OS X anyway. Ignore their increasingly desperate cries for attention and the fawning "news" media that eagerly feeds it. Eventually they'll all go away. By that time the only people left using computers will be large-scale users, developers and others unlikely to be as easily gulled into installing garbage. The rest of us will be using iPhones or whatever device fills a similar need.


An effective approach to computer security is a multifaceted one that requires your active participation, and is explained below.



There will always be threats to your information security associated with using any Internet-connected communications tool:


  1. You can mitigate those threats by following commonsense practices
  2. Delegating that responsibility to software is an ineffective defense
  3. Assuming that any product will protect you from those threats is a hazardous attitude that is likely to result in neglecting point #1 above.

OS X already includes everything it needs to protect itself from viruses and malware. Keep it that way with software updates from Apple.


A much better question is "how should I protect my Mac":

  • Never install any product that claims to "clean up", "speed up", "optimize", "boost" or "accelerate" your Mac; to "wash" it, "tune" it, or to make it "shiny". Those claims are absurd.

    Such products are very aggressively marketed. They are all scams.

  • Never install pirated or "cracked" software, software obtained from dubious websites, or other questionable sources.
    • Illegally obtained software is almost certain to contain malware.
    • "Questionable sources" include but are not limited to spontaneously appearing web pages or popups, download hosting sites such as C net dot com, Softonic dot com, Soft pedia dot com, Download dot com, Mac Update dot com, or any other site whose revenue is primarily derived from junk product advertisements.
    • If you need to install software that isn't available from the Mac App Store, obtain it only from legitimate sources authorized by the software's developer.
  • Don’t supply your password in response to a popup window requesting it, unless you know what it is and the reason your credentials are required.
  • Don’t open email attachments from email addresses that you do not recognize, or click links contained in an email:
    • Most of these are scams that direct you to fraudulent sites that attempt to convince you to disclose personal information.
    • Such "phishing" attempts are the 21st century equivalent of a social exploit that has existed since the dawn of civilization. Don’t fall for it.
    • Apple will never ask you to reveal personal information in an email. If you receive an unexpected email from Apple saying your account will be closed unless you take immediate action, just ignore it. If your iCloud, iTunes, or App Store account becomes disabled for valid reasons, you will know when you try to buy something or log in to this support site, and are unable to.
  • Don’t install browser extensions unless you understand their purpose:

    Go to the Safari menu > Preferences > Extensions. If you see any extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone.

  • Don’t install Java unless you are certain that you need it:
    • Java, a non-Apple product, is a potential vector for malware. If you are required to use Java, be mindful of that possibility.
    • Java can be disabled in System Preferences.
    • Despite its name JavaScript is unrelated to Java. No malware can infect your Mac through JavaScript. It’s OK to leave it enabled.
    • The same precaution applies to Adobe Flash Player. Newly discovered Flash vulnerabilities appear almost weekly.
  • Beware spontaneous popups: Safari menu > Preferences > Security > check "Block popup windows".
    • Popup windows are useful and required for some websites, but unsolicited popups are commonly used to deceive people into installing unwanted software they would never intentionally install.
    • Popups themselves cannot infect your Mac, but many contain resource-hungry code that will slow down Internet browsing.
    • If you ever receive a popup window indicating that your Mac is infected with some ick or that you won some prize, it is 100% fraudulent. Ignore it.
    • The same goes for a spontaneously appearing dialog insisting that you upgrade your video player right this instant. Such popups are frequently associated with sites that promise to deliver "free" movies or other copyrighted content that is not normally "free".
    • The more insistent it is that you upgrade or install something, the more likely it is to be a scam. Close the window or tab and forget it.
  • Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them:
    • The most serious threat to your data security is phishing. Most of these attempts are pathetic and are easily recognized, but that hasn't stopped prominent public figures from recently succumbing to this age-old scam.
    • OS X viruses do not exist, but intentionally malicious or poorly written code, created by either nefarious or inept individuals, is nothing new.
    • Never install something without first knowing what it is, what it does, how it works, and how to get rid of it when you don’t want it any more.
    • If you elect to use "anti-virus" software, familiarize yourself with its limitations and potential to cause adverse effects, and apply the principle immediately preceding this one.
    • Most such utilities will only slow down and destabilize your Mac while they look for viruses that do not exist, conveying no benefit whatsoever - other than to make you "feel good" about security, when you should actually be exercising sound judgment, derived from accurate knowledge, based on verifiable facts.
  • Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.


Summary: Use common sense and caution when you use your Mac, just like you would in any social context. There is no product, utility, or magic talisman that can protect you from all the evils of mankind.

Mar 18, 2015 3:31 PM in response to kriscena

kriscena wrote:

I used the ClamXav tool only because it came from the AppStore. Was there any reason Apple decided to offer it there and for free ?


Warm regards -

Kris

Apple isn't "offering" it. The software developer is offering it via the App Store. The only thing Apple did was make sure it didn't violate their rules for what could be distributed on the App Store.

Mar 18, 2015 3:40 PM in response to kriscena

Apple's barriers for entry to the Mac App Store are set rather low. Essentially, if an app does no harm, its approval is almost assured. An app's presence in the App Store should never be construed as any kind of endorsement from Apple.


There are plenty of free, but time-wasting apps in the App Store. The value of your time is yours to determine.

Mar 18, 2015 3:47 PM in response to John Galt

"Apple's barriers for entry to the Mac App Store are set rather low"


A slightly disappointing conclusion, I fear. There are many moderately naive Apple enthusiasts (like myself) that still consider the Great Apple to be really great, unique and exclusive.

By the way, my first Apple was an //e

Warm regards -

Kris

P.s. I write this from Europe and it is nearly midnight here. So good night for to-day :-)

Mar 18, 2015 4:21 PM in response to kriscena

A slightly disappointing conclusion, I fear.

Not an entirely unexpected one though. Apple could either create a means of obtaining Mac software and keeping it up to date, or leave Macs open to millions of inept, untrustworthy, or nefarious developers distributing garbage software that has the potential to diminish their brand. Apple is very conscious of the value of the brand they created and will devote all the resources necessary to protect it.


At present we have a broad choice of sources for Mac software, but I don't believe it will always be that way. The App Store is simply Apple responding to the realities of the market.

Mar 19, 2015 12:18 AM in response to kriscena

For faster, more efficient answers to questions such as these, please visit the ClamXav Forum.


See Dealing with Infected Files.


The first four can safely be deleted by using a right-click/<Control>-click on the file or infection name and choosing "Delete File". Any time you see "Win." in the infection name, it means Windows Only. If you ever see "Osx." in the infection name, then you should take notice.


Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail.


So, if you choose to "Scan e-mail content for malware and phishing" in the General Preferences, make sure you do not elect to either Quarantine or Delete infected files.


When possibly infected e-mail files are found:

  • Highlight the entry in the ClamXav window's top pane that needs to be dealt with.
  • Right-click/<Control>-click on the entry.
  • Select "Reveal In Finder" from the pop-up menu.
  • When the window opens, double-click on the file to open the message in your e-mail client application.
  • Read the message and if you agree that it is junk/spam/phishing then note the date and subject of the message and close the e-mail window. Now, using your e-mail client, locate that message in whatever mailbox folder it was found in and delete the message using the delete button. Reading it is especially important when the word "Heuristics" appears in the infection name. If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
  • If this is a g-mail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.

"Heuristics" referred to here means that they are from or mention a financial institution and "SpoofedDomain" means it contains hyperlink(s) that are not known to be associated with that organization and may be a phishing attempt which is trying to obtain privacy information (e.g. UserID and Password credentials). It has not been positively identified as such, just that something about the format of one or more links is suspicious. You can see exactly where a link will take you by hovering the cursor over the underlined words or image in the e-mail. Don't click the link unless you are certain that it will take you to a legitimate site. There is a significant probability that these are legitimate e-mail messages from a financial institution that you need, so trashing them could very well be a mistake. The only way to know is to read them. There is also a distinct possibility that you or your e-mail system have already decided that they are spam / junk / phishing and they came from your Spam / Junk / Deleted Items / Trash folders, so you should always check to make certain they are not needed and then delete them before running an e-mail scan.
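As an added illustration of the two points above (the "Win." prefix meaning Windows-only, and "SpoofedDomain" meaning the visible link text names a different domain than the real target), the following Python is example code written for this thread, not part of ClamXav or any post here. The signature names and the e-mail body are constructed samples; the `registrable_domain` helper is a deliberate two-label approximation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the thread): link 1 displays the bank's
# address but points elsewhere, link 2 is consistent, link 3 names no domain at all.
SAMPLE_EMAIL_HTML = """
<a href="http://www.example-bank.com.evil-host.example/verify">https://www.example-bank.com/verify</a>
<a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

def triage_signature(name):
    prefix = name.split(".", 1)[0]
    if prefix == "Heuristics":
        return "review"       # not a positive identification: read the message first
    if prefix == "Win":
        return "inert"        # Windows-only code that cannot run on OS X
    if prefix == "Osx":
        return "investigate"  # the one case worth taking notice of
    return "unknown"

def registrable_domain(host):
    # Crude approximation (last two DNS labels); good enough for this demonstration.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_spoofed_links(html):
    """Return (visible text, real host) for links whose text names a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    spoofed = []
    for href, text in parser.links:
        shown = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
        if not shown:
            continue  # "Help centre" claims no domain, so there is nothing to compare
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown.group(1)) != registrable_domain(actual):
            spoofed.append((text, actual))
    return spoofed
```

`find_spoofed_links` is the programmatic equivalent of hovering over each link to see where it really goes; a hit is a reason to read the message carefully, not proof that it is malicious.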

Mar 19, 2015 3:55 AM in response to kriscena

kriscena wrote:


"Apple's barriers for entry to the Mac App Store are set rather low"


A slightly disappointing conclusion, I fear.


Although true, this is somewhat unfair to ClamXav. Admittedly, the need for it to detect Mac malware is quite low. However, it's the only anti-virus software I would currently recommend using at all, and it is very reasonable to use it to protect against passing Windows malware on to other people inadvertently.


The issue at hand here is how to deal with infected files detected by your anti-virus software - any anti-virus software. As you have already determined through your own research, you should be cautious about removing such things using the anti-virus software.


In your case, these are probably all e-mail messages or attachments. (I'd bet the three "click here.html" files identified as Graftor are probably attachments to the three e-mail messages identified as Graftor.) MadMacs0 has posted excellent instructions for how to find and remove these from within Mail.


For some more general advice on this topic, see:


How to remove infected files


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)
