Removing malware from a computer running Mac OS X

  • Article ID: 118117
  • Rating: 445 customers rated this article 4.2 out of 6
  • Updated: 08 May 2014

When malware is detected on your Mac computer you may see an alert similar to the screenshot below.

Once you have been alerted to the presence of malware, open the Quarantine Manager (the part of Sophos Anti-Virus that lists what has been detected) and clean up the malware from there.

To watch a short video explaining how to clean up malware on Mac OS X, see: How to clean your Mac if infected

If you need more detailed instructions on removing malware from your Mac, follow the steps in this article. There is also more information on scanning for and dealing with threats in our Sophos Anti-Virus for Mac OS X documentation.

For Home Edition (free) users:

  • If you are using the free Home Edition of Sophos Anti-Virus, the instructions below also apply, but you may want to go to our forum and read this Sophos FreeTalk community post.
  • For documentation of the Home Edition (there are some differences in versions of Sophos Anti-Virus for Mac OS X) click here.
  • If cleanup is unsuccessful you can search/post a message on our Sophos FreeTalk forum.
  • Watch the video on creating different types of scans:


Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Mac OS X v9.x,
Sophos Anti-Virus for Mac Home Edition v9.x

What To Do

Important: If malware is detected on your computer, and Sophos Anti-Virus informs you that it must be cleaned up manually, this means that you must create a custom scan. (Full details are given in the relevant section below.)

  1. Do one of the following:
    • Click on the “Open Quarantine Manager…” button, as shown in the Threat detected window above,
      OR
    • Select the Sophos (Shield) menu item, and from the drop-down click on “Open Quarantine Manager…”



  2. If your computer is currently in the “locked” state:
    1. Click the lock icon in the bottom left of the quarantine window
       

    2. When prompted enter the username and password of an administrator account for your computer. If you only have one account, this is the administrator account to use.
        

  3. In Quarantine Manager, click the 'Action Available' column heading. This sorts the list of threats according to the action available.
      

  4. Select all the threats for which the action available is listed as 'Clean up'.

  5. Click the 'Clean Up Threat' button at the bottom right-hand side. Any threats that are cleaned up are cleared from the list.

  6. Click the 'Action Available' column heading again. This will again sort the list of threats.

  7. If there are any threats for which the action available is listed as 'Restart', restart your Mac to complete the cleanup.

  8. Click the 'Action Available' column heading again. This will again sort the list of threats.

  9. If there are any threats for which the action available is listed as 'Scan local drives', from the Sophos (Shield) menu drop-down, select 'Scan local drives', then in the Scans window, click the 'Scan now' button.
      

  10. Click the Action Available column heading again. This will again sort the list of threats.

  11. If there are any threats for which the action available is 'Clean up', go back to step 4. If not, continue with step 12.

  12. If there are any threats for which the action available is 'Clean up manually', you must create a custom scan.
    Before continuing with the next step, watch the video How to create a custom scan for a demonstration of what you will need to do.

  13. For each item labeled 'Clean up manually', select the item in Quarantine Manager and make a note of the Path and Filename:


  14. In the Manual Cleanup window (i.e. the custom scan), add the path you noted in the previous step.


    Note the following:
    • If you cannot find a file or folder in the path indicated, ensure the navigation dialog window is selected (click a folder in the window), and then press command-shift-. (that’s ⌘-⇧-period). All hidden files and folders will now be visible.


    • If a folder in the path which you need to navigate has a 'Do not enter' red circle on it, select that folder and click 'Open'. Otherwise, navigate to the folder containing the item detected and click the 'Open' button.

  15. In the Options tab, select 'Delete threat' from the drop down menu.


  16. Click Done.

  17. Click 'Scan Now' to run the scan.

  18. If any threats are still listed as 'Clean up manually' after performing the custom scan with the Delete option, the files are probably on a backup volume or inside an archive. Sophos does not delete these, because the backup volume or archive probably contains a lot of data you want to keep alongside the detected file.

    Some common locations for such files are:

    • E-Mail attachments.
      If the file path presented includes /Library/Mail/V2/,
      1. From the Sophos Preferences window, temporarily disable on-access scanning.
      2. Open your Mail program, and delete the email with the malicious attachment whose name matches that in the file path. The most common emails have a subject line referring to an invoice, payment, or application.
      3. From the Sophos Preferences window, re-enable on-access scanning.

    • Java Web Cache.
      If the file path contains /Library/Caches/Java,
      1. From the Sophos Preferences window, temporarily disable on-access scanning.
      2. Go to the Finder, hold down the Option key, and from the Go menu select Library.
      3. If the Library option does not exist, select Home and then click on the Library folder.
      4. Open the Caches folder and put the Java folder it contains in the Trash.
      5. Empty the trash.
      6. From the Sophos Preferences window, re-enable on-access scanning.

    • Time Machine Archive.
      If the file path contains /Backups.backupdb/,
      1. Make a note of the complete file path. E.g., /Volumes/<Time Machine Volume Name>/Backups.backupdb/<Computer Name>/YYYY-MM-DD-NNNNNN/<User Name>/Library/Caches/Java/cache/6.0/8/123456-123456
      2. From the Sophos Preferences window, temporarily disable on-access scanning.
      3. In the Finder, navigate as close to this location as you can, starting from the <user name> portion. When the next level down no longer exists (or when you've found the file indicated), select 'Enter Time Machine' from the Time Machine menu item (a clock face with an arrow around the outside).
      4. Navigate to the date and time indicated by YYYY-MM-DD in the file path, and then follow the path to the detected file within Time Machine.
      5. Control or right-click the file, and select 'Delete All Backups of <detected filename>'.
      6. Click OK.
      7. From the Sophos Preferences window, re-enable on-access scanning.
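When several items are left as 'Clean up manually', it helps to sort the noted paths into the three locations above before working through the steps. The following Python script is an added example, not Sophos code and not part of this article: it matches each path against the markers quoted in step 18 (/Library/Mail/V2/, /Library/Caches/Java and /Backups.backupdb/), and for a Time Machine path in the shape of the step 18 example it also extracts the YYYY-MM-DD snapshot date and the path to follow inside that snapshot. A backed-up copy of the Java cache is deliberately classified as Time Machine rather than Java cache, since emptying the live Caches folder would not remove it. The sample paths are constructed for illustration, not real detections.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Location markers quoted from step 18 of the article.
MAIL_MARKER = "/Library/Mail/V2/"
JAVA_CACHE_MARKER = "/Library/Caches/Java"
TIME_MACHINE_MARKER = "/Backups.backupdb/"

# Shape of the example Time Machine path in step 18:
# /Volumes/<TM Volume>/Backups.backupdb/<Computer>/YYYY-MM-DD-NNNNNN/<rest of path>
TIME_MACHINE_RE = re.compile(
    r"^(?P<volume>/Volumes/[^/]+)/Backups\.backupdb/(?P<computer>[^/]+)/"
    r"(?P<date>\d{4}-\d{2}-\d{2})-(?P<seq>\d{6})/(?P<rest>.+)$"
)


@dataclass
class QuarantinePath:
    path: str
    location: str                          # "mail", "java-cache", "time-machine" or "other"
    filename: str                          # last path component, as shown in Quarantine Manager
    snapshot_date: Optional[str] = None    # YYYY-MM-DD, Time Machine only
    relative_path: Optional[str] = None    # path to follow inside the snapshot, Time Machine only


def classify_quarantine_path(path: str) -> QuarantinePath:
    """Map a 'Clean up manually' path onto the location categories in step 18."""
    filename = path.rstrip("/").rsplit("/", 1)[-1]

    # Check the Time Machine marker first: a backed-up copy of the Java cache
    # (or of a mailbox) has to be removed through Time Machine; trashing the
    # live ~/Library/Caches/Java folder would leave the backup copy in place.
    if TIME_MACHINE_MARKER in path:
        match = TIME_MACHINE_RE.match(path)
        if match:
            return QuarantinePath(path, "time-machine", filename,
                                  snapshot_date=match.group("date"),
                                  relative_path=match.group("rest"))
        # Marker present but the layout differs from the article's example:
        # still a backup, but the snapshot date has to be read off by hand.
        return QuarantinePath(path, "time-machine", filename)
    if MAIL_MARKER in path:
        return QuarantinePath(path, "mail", filename)
    if JAVA_CACHE_MARKER in path:
        return QuarantinePath(path, "java-cache", filename)
    return QuarantinePath(path, "other", filename)


def group_by_location(paths):
    """Group noted paths so each location's steps are done once, not once per file."""
    groups = {}
    for p in paths:
        item = classify_quarantine_path(p)
        groups.setdefault(item.location, []).append(item)
    return groups


# Constructed sample paths in the shapes the article describes (not real detections).
SAMPLE_PATHS = [
    "/Users/alice/Library/Mail/V2/Mailboxes/INBOX.mbox/Attachments/42/1/invoice.zip",
    "/Users/alice/Library/Caches/Java/cache/6.0/8/123456-123456",
    "/Volumes/Backup Disk/Backups.backupdb/Alice's Mac/2014-05-01-120000/alice/Library/Caches/Java/cache/6.0/8/123456-123456",
    "/Users/alice/Downloads/setup.dmg",
]

if __name__ == "__main__":
    for location, items in group_by_location(SAMPLE_PATHS).items():
        print(location)
        for item in items:
            extra = ""
            if item.snapshot_date:
                extra = f" (snapshot {item.snapshot_date}, then {item.relative_path})"
            print(f"  {item.filename}{extra}")
```

Paths that fall into the "other" group are ones step 18 does not cover; for those, the custom scan with 'Delete threat' from steps 14 to 17 remains the route, or contact technical support as noted below.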

If you need more information or guidance, then please contact technical support.
