Sophos: Issues Detected

Hi guys,


I recently ran a scan of my MacBook Air using Sophos' Anti-Virus, and the below issues were identified:


New volume detected at /

2016-01-03 18:23:39 +0000 Corrupt file: /private/var/folders/f7/pmtj4c3d2bgdr714z5xhmz7m0000gn/C/com.apple.appstore/1018109117/ftk3252456602304584541.pkg

2016-01-03 18:23:48 +0000 Corrupt file: /private/var/folders/zz/zyxvpxvq6csfxvn_n00000s0000068/C/com.apple.SoftwareUpdate/CFNetworkDownload_qJXc74.tmp


Please can somebody advise me if these issues are harmful or not, and how I go about removing them from my device.


Thanks


Dan

MacBook Air (11-inch Mid 2013), iOS 7.1

Posted on Jan 3, 2016 11:21 AM


Jan 3, 2016 11:32 AM in response to macjack

I won't completely disagree with macjack but .... If you have a working Sophos Home Edition version 9.4.1 and it is not a performance issue for you, then... this advice above is perhaps too strong an opinion.


Since the files that Sophos is complaining about are temporary files, I would say first restart and then check whether those files even exist.


Sophos, the company, makes reasonable products... The Sophos Anti-Virus Home Edition is not perfect but it is a far cry from a completely worthless app.

Jan 3, 2016 11:37 AM in response to Dan78910

Those are false positives caused by the software's inability to actually detect them as normal and not malware. The best advice I can offer is to uninstall Sophos because you don't need it. OS X has built-in malware protection which is updated when you upgrade to the latest version of OS X. Third-party AV software can slow down your computer as well as make errors leading you to think you are infected when you aren't. They are also a waste of money.


Most of the problems you may run into result from not being a careful browser and picking up adware.


Remove Browser Pop-up Problems


Malwarebytes Anti-Malware 1.0.1.7

Adblock Plus 1.8.9, GlimmerBlocker, or AdBlock

Remove adware that displays pop-up ads and graphics on your Mac

How to remove the FlashMall adware from OS X

Stop pop-up ads and adware in Safari - Apple Support


Jan 3, 2016 12:06 PM in response to Kappy

Grain of Salt and Layers of Protection


Risk assessment is not easy and advice is what you get here. Professionals may differ, particularly if they know what you are trying to protect and from whom....


If performance is not an issue (and it can be with Sophos Anti-Virus), then layers of protection are a good idea. Sophos Antivirus HAS indeed been an issue now and then. I do not experience issues at this point and find the non-real-time scanning of my file system at intervals to be valuable. I also turn off Sophos Anti-Virus real-time scanning unless I am looking for suspicious behavior.


Full disclosure. I have at times sold Sophos UTMs and do administer Sophos-based UTMs and firewalls - perhaps even running one now for my own shop. I find it valuable but also not necessarily what I recommend to others. It is not a small company and it is very well rated by independent raters of security software.


Again, the flagged files are temporary files - clearly - they may or may not be an issue. YMMV

Jan 3, 2016 12:36 PM in response to Dan78910

Dan,


If you have other system behaviors that are making you worry or wonder, the quickest and totally safe thing to do is restart your computer.


Those files will very likely disappear on restart. If you are a terminal user then you can check that these files disappear on reboot.


It is normal for temporary files to exist in the directory in the way that the files you have noted exist. So that by itself should not be a concern. Kappy may be correct that Sophos is giving you a "false positive"; Sophos is just a tool that warns when something is questionable. When it is absolutely a known malware signature it will tell you that also. The fact that it detects the file as corrupt, well, perhaps it is just a corrupt file. Files do get corrupt. Perhaps it is absolutely n as Kappy has indicated. Personally, I wouldn't bet on it myself without doing more work at the professional level to see. But I am very security focused. If your situation doesn't warrant that, then just restarting and being a little more alert (but don't worry) for unusual behavior is good enough most of the time.


There are real monsters out there and nobody, but nobody is safe if someone/some-organization of hackers targets your devices.
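Two of the replies above suggest restarting and then checking from the terminal whether the flagged temporary files are still there. The script below is an added example, not code from the thread or from Sophos: it reads the "Corrupt file:" lines in the log format quoted in the question, reports which paths still exist, and labels paths under the per-user cache and temp trees that the question's paths live in. The demo uses a constructed log in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: after a restart, feed the Sophos scan log
# back in and see which flagged "Corrupt file" paths are still on disk.
# Assumed log format (as quoted in the question): "<timestamp> Corrupt file: <path>".

# Classify a path by where it lives. macOS keeps per-user caches under
# /private/var/folders/<xx>/<hash>/C/ and per-user temp files under .../T/;
# files there are transient by design.
classify_path() {
    case "$1" in
        /private/var/folders/??/*/C/*) echo cache ;;
        /private/var/folders/??/*/T/*) echo tmp ;;
        *)                             echo other ;;
    esac
}

# Print one status line per flagged path in the log given as $1.
check_flagged() {
    while IFS= read -r line; do
        case "$line" in *"Corrupt file: "*) ;; *) continue ;; esac
        path=${line#*Corrupt file: }
        kind=$(classify_path "$path")
        if [ -e "$path" ]; then
            echo "STILL PRESENT ($kind): $path"
        else
            echo "gone ($kind): $path"
        fi
    done < "$1"
}

# Count flagged paths that still exist; 0 means the restart cleared them all.
count_present() {
    check_flagged "$1" | { grep -c '^STILL PRESENT' || true; }
}

# Demo with a constructed log in a scratch directory (run: sh check.sh --demo).
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/C"
    : > "$dir/C/ftk_example.pkg"    # constructed: this file "survives" the restart
    printf '%s\n' \
      "2016-01-03 18:23:39 +0000 Corrupt file: $dir/C/ftk_example.pkg" \
      "2016-01-03 18:23:48 +0000 Corrupt file: $dir/C/CFNetworkDownload_example.tmp" \
      > "$dir/scan.log"
    check_flagged "$dir/scan.log"
    echo "still present: $(count_present "$dir/scan.log")"
    rm -rf "$dir"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

A path that is still present after a restart is only worth a closer look; its existence alone says nothing about whether the file is malicious.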

Jan 3, 2016 1:02 PM in response to Terry Fundak

Minimally: get and keep backups. Preferably keep some backups disconnected.


Even better: Disable or plug-in block Oracle Java and Adobe Flash Player, or remove those packages entirely. Disable opening "safe" downloads in Safari. Shut off remote image loads in Mail. Don't trust links in messages you've received, even if you think you know the sender.


Some considerations to factor into the discussion....


  • Anti-virus tools are themselves ripe targets for attacks and more than a few of them have had spectacular breaches, and have opened up more than a few security holes. Here's an AVG bug from last month. And here are the results of a researcher looking at Sophos security.
  • The Symantec Vice President indicated that AV was probably ~45% effective; and was "dead", to use his word.
  • False positives. Such as this case.
  • The approaches used by AV including signatures are trivially bypassed with obfuscating compilers. Some of the recent macro malware attacks that had been caught learned to avoid AV scans by delaying their processing until document close, when the AV tools had stopped watching.
  • The AV tools have themselves caused crashes and hangs.
  • Phishing is on the rise, very effective, and AV does little or nothing for these attacks. Grab somebody's AppleID or other credentials via spoofed site, and it's off to the races...


To establish layers of protection where that's required, folks will want to establish perimeters within their networks, establish and maintain backup and recovery strategies and particular strategies locating the data off the local network and disconnected from the systems involved (to avoid deletion by an attacker), and will want to establish outbound firewall blocks and the related alerts (most folks are not running a mail server, so why would there be mail server ports active? block and flag those at the firewall), and distributed monitoring — what's called endpoint security — to scan for network and system anomalies and for exfiltration; for weird network traffic and for somebody copying your data off your network.


Unfortunately, adding additional layers of highly-privileged and deeply-integrated software onto a single box doesn't gain an advantage.


Remember too that OS X already has anti-virus and anti-malware tools, based on — for better and for worse — Gatekeeper and Xprotect. Keeping those enabled to App Store and Developer ID applications isn't a panacea, but does reduce the exposure to more than a little dreck.


AV? It's been a knee-jerk automatically good always have it blanket recommendation. But does it really work? Not very well, unfortunately. Increasingly, if at all. The malware is getting better at avoiding the scans, too. And it can cause stability problems, false positives, and some can reportedly upload and sell your data and your web browsing history.


I wish this mess were better, but add-on AV doesn't look like a net benefit to me. Others might make a different decision here, of course. But in any case, keep your backups current, and plan as if you expect to get breached.

Jan 3, 2016 2:05 PM in response to MrHoffman

I agree with virtually all of what MrHoffman says...


I also trust Apple more than most companies to create a safe ecosystem. But I am in the "trust but verify" camp. On my sensitive machines and portables, in particular, I run Little Snitch.app, which actively tells me and helps me understand, to any level I choose, what is connecting to my computer and what my computer's many pieces of software want to connect to .... but this is too much for most people to handle. I will let Sophos, Inc. and their products defend themselves.... Even MrHoffman's link does that reasonably well and I am not 100% happy with Sophos or any company most of the time... A few have earned my trust by great tech support for those times when I need a second set of eyes.... Everyone needs a second set of eyes when questions arise. This forum is not the absolute truth or a security design forum.


Per MrHoffman - I too recommend either uninstalling Flash and Java plugins in the browser.... but that is a bit off topic.


I'll go back to my secure output now ..... I hope we haven't confused the original questioner....
