The days of Mac not getting virus are over, so I've been with Sophos for a few months. I think it's great, but it seems to have issues with Time Machine, anyone else using it?

I don't leave Sophos installed as I have found it diminishes computer performance.

Periodically (and it's very rare), if I have reason to think I should check my drive, I will install Sophos, update its list of viruses and run a scan.

Once done, I use Sophos Uninstall to remove it.

I second all 3 of ryck's points.

To do what? Find Windows malware? That is about all it can do for you on a Mac.

Joe, it's finding trojan horses every few days now. One trojan horse opend up months after it landed in a hardrive, and brought down a website.

But it has some issue with Time Machine.

I tried Sophos for a while but it slowed down the system. Viruses and malware are still not a problem on the Mac. I've never had any problem with them.

Did it find those trojans on your Mac or hard disk? Was the downed website yours? If not, you're fighting somebody else's dragons.

If it's finding trojans on your Mac "every few days", you're visiting a lot of websites that you really ought to stay away from.

Yes, my site, of course!

But its finding stuff frequently now. The era of Macs being impervious are over. Artie, I dont know where these come from, think from emails, who knows.

To the best of my knowledge, there has still never been an in-the-wild Mac virus (although I have read about proofs-of-concept, none of which have gone beyond the lab, and that there are trojans that perhaps slide in under a loose definition of virus).

Trojans don't come from e-mails, kevs; you only get them if you navigate to a malicious website that downloads them to your Mac without your doing anything...drive-bys, or if you navigate to a malicious site and click on something you shouldn't ought to click on. If you're getting stuff in e-mails, its from PC users who are sending it to you, probably without being aware of it.

Just to clarify: You say that Sophos is finding malware or some-such on "[your] site", but where is your site hosted? Is it on your own Mac or some remote server?

Can you tell us which specific items Sophos has flagged and where it's located them...maybe copy & paste a Sophos report into a post?

We can't do battle with demons without knowing precisely what kind of demons they are.

Artie, I did not post to have a debate here. My web hoster, and they run a site for hundred of people for 15 years in the design world, they know what they are doing recommended Sophos. My website was down, they fixed it. I see Sohpos alert to threats every 2 months. I did not post to say I have a threat why am I getting this? I don't even care to know. It's happening, and it's going to be happening more and more. My SS number was just compromised two days ago "probably", I'm with Anthem Blue, hear about that in the news?
Also in the news today is that Apple made more money that Exxon Mobile last quarter. It's not 1999.

Have you read joemike's post #32979?


If Windows malware that's found its way onto on your Mac is a problem for you in that you may inadvertently transmit it to others, it would definitely pay you to run some anti-virus app periodically, but if you think it will protect you from Mac related threats in the bargain, you're doing battle with windmills.

Seriously, if you've got evidence that Mac malware on your computer "brought down" your website that's hosted on a remote computer, please detail it for us and teach us something.

And if any of the "threats" that Sophos has found on your Mac have ever manifested themselves in any way, please detail that, too.

WE'RE HERE TO LEARN FROM YOUR PROBLEMS, AS WELL AS HELP YOU WITH THEM.

Artie, thanks, I just emailed Dave at SD, and he agrees with you, so I'm going to email my web hoster who recommended Sophos, and see if I can get some info on this.

There is a scenario in which an UNinfected Mac computer could act as a vector to infect a web host. If the Mac received a virus infected file from an outside source and in turn posted the infected file to a server that could potentially infect the server. In the same way an anopheles mosquito can bite someone who has malaria and subsequently pass the malarial infection along to the next person the mosquito bites. Neither the Mac nor the mosquito are ever "infected" or "effected" but they do pass the infection along.

In the case of the website, it would be reasonable to assume both the source of the malware and the host server are running Microsoft Windows. This leads me to a few questions…

1. In the extremely unlikely event your Mac is infected, why isn't Sophos identifying and removing the infection on your Mac? If it can't do that then what good is it other than protecting someone else's computer?
2. Assuming your Mac is not infected then the infected files are coming to you already infected. Where are you getting those infected files? You may need to seriously reconsider where your material is coming from.
3. Why isn't the website host server well enough protected so that it detects and rejects infected files before the server is brought down?
4. If somehow your Mac is infected and Sophos cannot recognize or disinfect it you need different anti-virus software and I am confident Apple will be VERY interested in learning about the infection so they can identify any vulnerabilities in OS X and correct them.

Joe, the case happened before I put Sophos on. The web hoster recommended I do that. Why they did not spot it on the server is something I have never pondered, I just took the blame and was to happy to have it resolved.

There has been no problem since, but I have seen every month Sophos say it detects a threat, and I go into Quarantine manager and nuke it.

I posted because suddenly Time machine is not working with Sophos and in last two days Sophos is saying I have a threat, it shows the name of the threat, and then it vanishes before I can eliminate it. So that's how this discussion started, which is an interesting discussion I did not anticipate, ie. do I really need Sophos. I just emailed the hoster who recommended it, let's see what he says. Dave of Super Duper who told me 10 years ago to bail on anti virus, which I did wrote this today, after I emailed him about this:

"Well, I don't know what they found. Fact is, a Trojan can only be obtained by conscious installation. Your web site may have been vulnerable to something different, but - I really think antivirus is a waste of your time.

Sophos identifies WINDOWS threats on your Mac...and those threats can't affect your Mac at all. It may also identify phishing attempts in your email, but you're too smart to fall for that stuff."

Kevs, just looking in on this thread, it seems to me that you have gotten advice from your hosting service based on their false assumption that ALL computers are vulnerable to the large volume of Windows virus vectors in the wild. You'll see similar blanket recommendations from the banking industry as well.

Your website, if hosted on a Windows (or Linux) server, has vulnerabilities that your personal computer does not have (so far)....and your hosting service is responsible for managing THEIR exposure to that threat on THEIR server while serving YOUR website to the world.

Considering kevs's background, I was thinking more along the lines of an infected image, rather than a file, but I did see that possibility.

What I didn't see was the possibility that when he said that his website went down, he really meant his host server, and that left me thinking along a dead-end line of thought.

Your questions/observations are spot on, and under any circumstances, it looks like kevs maybe ought to consider looking for a new host for his website.

Yes and no...

I think kev's having already uploaded one malicious something or other that brought down an entire server is proof positive that he really needs anti-malware software, if only to protect others from him.

And I think that Sophos's identifying something or other on his Mac as a threat almost monthly cements the issue.

Kevs is picking up Windows malware from somewhere, and while some detective work on his part to try to ferret out the source(s) is certainly in order, a buffer layer definitely suits his needs.

I think this thread has now come full-circle and we ought to proceed from a restatement of kev's original post:

Thanks guys. It did not bring down a server, but just my site.
These hosters are really, really good. I've been with them 15 years or so. That said, I'm way less tech than you guys or them, thanks Artie and Mac. I think I'll stay with Sophos, I dont see it slowing my computer down as of yet. I just wish it worked with Time Machine as it once did. One new nugget of info from the hoster, and I do remember now at the time him mentioning that is was a user / pass that was compromised, and we made a much better:
From Hoster
"A trojan on your computer has nothing to do with the server being infected - the trojans steal passwords from your computer, then hackers use those legitimate usernames and passwords to upload malicious content to your site. Yes, we have software on the server to detect malicious files which is how we knew your site was compromised and trace it back to stolen username/passwords"

Good post, kevs; it finally pulls all the pieces together.

In view of it, then, I think you ought to check out Sophos Technical Support to either see if you can learn something helpful about your Time Machine issue or escalate it to a human being.

And even though Sophos will save you from passing on PC malware, like joemike said, you need to pay some serious attention to the websites you visit, because (to the best of my knowledge, anyhow) a trojan such as the one that ultimately brought your website down can be picked up only by visiting a malicious website. ("Malicious" is in absolutely no way limited to x-rated; there are all sorts of how-to and other commonly searched-for websites that are also infected.)

Edit: I'll also suggest that you install Little Snitch on your Macs.


It requires much initial and some ongoing thought and configuration, but, in theory, anyhow, it would have alerted you to the trojan's phoning home and enabled you to stop it in its tracks...for good.

To date I have ran into around 20 macs with "malware" of some category on them. ZERO viruses. 30% have been scareware like macdefender, 65% have been MacKeeper (which I classify as Malware), and the remaining 5% have been actual "mess up your computer" DNS changers.

I have yet to encounter a password stealer, backdoor installer, root kit, virus, or anything else.


Interestingly enough, I had been in quite a dry spell until last week. Gal brought in a mbp with macdefender, mackeeper, AND a DNS changer on it..... oy vey.

Just to clarify, a trojan, by definition, tricks or somehow induces a user to install it. They are named after the story of the Greek Trojan Horse used to gain entrance into the city of Troy during the Trojan wars.


Amen to that but with at least three caveats.

1. Stealing userids and passwords can be done by all sorts of malware and is not limited to trojans.
2. Just because someone hacked into your website account does not mean your computer was the source of the userid/password
3. It does not necessarily mean the malefactors even had your account userid and password. There are any number of sites on the internet offering instructions on how to hack into virtually any computer system. Some of those are sponsored by major universities in the United States and around the world. (How are you going to develop new security strategies if you don't know the weaknesses in the existing strategies.)

There is such a thing as "drive by" malware infection but that does not fit the definition of a trojan. To install a trojan, you have to do more than visit the website. You have to download and install it. Trojans typically use social engineering to entice users to install them. Among the ploys that have been used you will find things like…

• The FBI (Google, Microsoft, Kaspersky, etc.) has detected a virus on your computer. Download and run this application to remove the virus or you will be banned from the internet.
• The really juicy images on this XXXX rated site can be seen better if you download and install this viewer.
• Download this $300 software package for the bargain price of $30.
• Download this software to test and speed up your computer. (Actually that one is quasi-legitimate it only acts like a trojan, degrades system performance, and is very difficult to remove).
• and so forth.

The difficulty with trojans is there is really no way to differentiate between a trojan and a normal application, which makes them particularly insidious. Often the only way to know that you have contracted a trojan is by careful observation of changes in system behavior. Not even Little Snitch would have detected DNS Changer because it did not call home although Little Snitch might have complained about the IP address of some of the sites the user was unwittingly visiting. One trojan that was successful on the Mac was the infamous DNS Changer which redirected internet inquiries to a malicious DNS server that could then redirect queries to fake web sites, capture all sorts of data, and in fact do pretty much anything the creators thought might be profitable. Apple quickly released a patch to prevent DNS Changer from working and in subsequent releases of OS X, especially Yosemite, added all sorts of protections against malicious changes of much of the system information and configuration.

My personal quick advice on that is "If you went looking for it and downloaded it, it's probably legitimate. But if it's being pushy like a used car salesman and throwing itself at you even though you never said you wanted it, you probably don't want it."

To date, I have yet to see Mac malware that grabs server credentials.

What I do see (all the frikkin' time) is brute-force attacks against servers, looking for passwords for FTP, or WordPress, or Joomla, or other CMS packages. I run security software on my Web servers and I see about 1-2 of these brute-force attacks per day on most of my sites.

What that means is if you use a weak password, you will, sooner or later, get hacked. It is my belief, based on the patterns of attacks I see on my own servers, and the incidence of malware I see in the wold, that more servers are compromised by brute-force hack attacks than by password-stealing Trojans.

The upshot of all that is Sophos might not have saved you. It's possible your site was hacked simply by means of a brute-force attack. Even passwords that "look" secure (like by scrambling words by filling in numbers in place of letters) aren't necessarily secure...and the little built-in secure password test of many major apps like WordPress isn't actually worth crap. These things may give a high security rating to insecure passwords and vice versa.

So what do you do? Use long passwords. Use long passwords made up of letters, numbers, and punctuation. Use long passwords made up of multiple words and also letters, numbers, and punctuation.

In the day of rainbow tables and distributed brute-force attacks, 8-character or shorter passwords pretty much suck no matter how tricky they look. A password like "How?Now!Purple{{Cow" is far better than a password like "aCv1gh"--the latter will be cracked in no time.

Don't use FTP. It's inherently insecure by design. For one thing, passwords are sent in the clear, so if you're on Wifi, anyone near you can grab your credentials. Use SFTP or something else (like WebDAV).

Update your CMS, if you use one, RELIGIOUSLY. Every time WordPress releases a security update, for instance, hackers go to work reverse-engineering the update looking for the vulnerability that was fixed. This gives you, typically, about a 24-hour margin between the time when the update is released and the time hackers start exploiting it. Update early and update often. If it's been 48 hours since a security update was released, and you haven't installed it yet, assume you have been compromised and act accordingly.

Every major CMS has security hardening plugins and/or auto-updating plugins available. Use them. If you use WordPress, turn on auto updates and install the free WordFence security plugin. If you use more than one WordPress site, install the free InfiniteWP software that lets you manage all of them with one button click and also emails you whenever any of your plugins or your WordPress install itself is out of date. If you use something other than WordPress, find the equivalent tools for it.

This will do far more to protect you than installing Sophos on your computer will.

Thanks all. What does little snitch do that Sophos does not? Is it worth $35?

I visit a crazy porn site and then little snitch comes up and blocks, me saying there is malware coming from this site do not go?

I called Sophos and the guy there just directed me to the Mac for Sophos forum. There is a post about Time Machine, but no one knows anything on the forum.

PS I created a great 14 digit password years ago with all the good combos. Not easy to memorize but I did. Turns out, I read an article the other week, that says if you just create a 21 word password, all lower case, something like

going to the market is good

that is even a much stronger password than a 14 digit with all the upper lower sybols etc! That said the one I made according to many site could not be cracked in a billion years.

I assume it'd be even stronger without the spaces. I seem to recall that Tacit or one of the moderators mentioned that some time ago but with a bit more background. It's good that you bring it up again.

I wonder if anyone remembers the original conversation/link.

A lot of legitimate sites do end up getting hacked and spreading malware. Not just porn sites, though they're frequent targets because they have large user bases, but any site that has server vulnerabilities.

You can see Google's diagnostic report on a site by surfing to this URL:

http://google.com/safebrowsing/diagnostic?site=example.com/

and replacing "example.com" in the URL with the site you want to check.

Ryck, there is a Stanford study link, I can dig it out if you want.

Tacit, you recommend little snitch? Worth $35, for each machine?

Also how does it work, I go to a website and even without downloading anything I'm at risk? Don't understand.

I personally haven't used Little Snitch, so I can't comment on it.

As far as how it works, basically it goes something like this:

Hackers create malware. Common malware that's distributed via hacked Web sites includes information stealing Trojans like Kuluoz or computer-encrypting malware like Kryptik. They'll upload it to a server they control hosted in paces like Russia or China.

The next step is they hack into a legitimate Web site. They might use automated tools to look for insecure WordPress installs, do brute-force password guessing attempts on popular sites, or even tailor an attack to a specific site if it gets a lot of traffic. In one high-profile case, hackers found a flaw in the servers of a Web hosting company called iPower Web that gave them access to more than 200,000 Web sites all in one go.

Once they're in, they'll put hostile code in the Web site's pages. This hostile code will look for and attempt to exploit vulnerabilities in your Web browser. If you're using an unpatched, outdated Web browser--older versions of Internet Explorer, say--or a browser running an outdated plugin like an old version of Adobe Flash, the malicious code will download the malware, silently and without you doing anything.

The important key here is if you're running an insecure browser, you will be infected without you doing anything but visiting the site. You do not need to click on or download anything. The malware will be sent to your computer silently and without your intervention or awareness.

I'm not aware of any Mac malware that spreads this way currently making the rounds. It's very common on Windows, however. That's why if you use Windows, it's important to update your computer and all your browser plugins religiously. Adobe just patched two security holes in Flash that were being actively exploited in this way.

The key feature of LS is that it is a sort of "reverse firewall", it monitors traffic leaving your computer. So in the event that something is running on your computer that you don't WANT to be communicating with someone else, (legit apps sending metadata or personal information, malware on your computer connecting to a malware server to download instructions or additional malware etc) it will pop up a warning.

It's not foolproof. There are a very small subset of apps that are known to work around it, but they are very small and specific exceptions to the rule. BBEdit told me there was an update available, and I was quite certain I had not granted it permission in LS to call out. I checked my settings, and it was NOT in my exceptions list. Some googling around found that they use a specific deliberate technique in newer versions to bypass little snitch to verify your license key and check for updates. (they are most likely doing their communications through some other authorized app, such as using applescript to ask safari to download page source, without opening a window, etc, stealthily "sneaking out" on safari's exception)

If you download and install free software frequently, it may be a good investment. "Free" software often comes with a hidden price, most commonly in the form of them uploading metadata about you to someone that is paying them for the data. I personally don't like ANY of my software connecting out without my express permission.

Thanks Tacit,
Virtual, did not understand all of that. LS helps prevent my stuff from going out? over my head a bit. You use LS? seems a bit pricey...? Sophos is free!

Yes, LS is for OUTGOING traffic, NOT incoming. It's usually best known for not allowing your software to "phone home".

Malware made to steal users’ data is dead in the water without a way to get the loot out of infected computers. That exit is watched by Little Snitch, which dutifully reports to you every attempt to leave your ‘house’ with data collected there. It does so by telling you the URL of the website requesting permission to leave with your data. You then have the option to deny that request, or to allow it once or in perpetuity. (All decisions can be revisited and changed in LS’s master list.)

The problem for the average user is to distinguish the 'good' URLs necessary for website functionality from those which are not not (including potentially 'bad' URLs). In case of URLs merely consisting of IP addresses there isn't even a name to tip you off. LS can provide more info, but this is often about as cryptic for the average user. If you deny a particular connection, the website may no longer work. The ones that don’t matter can be denied. However, testing many such connections to see just one website can become a pain, even if you only have to do it once. Given the increasing number of websites making multiple requests for data exit permission, answering LS’s queries may be tedious enough for most users to simply allow all such requests, or to quit the exercise altogether and turn LS off.

So yes, LS is very effective, but requires considerable user input and vigilance. And as to pricing of services, you get what you pay for…

Thanks very much for the offer but it's not necessary.

Still don't get LS things, need real laymans explanation... It protects me from myself? It does not protect me from bad sites?

Little Snitch is like a doorman telling you who wants to leave the premises with information from your computer. It’s up to you to make the call who can and who can’t. The protection LS offers is not automatic, but subject to your choices.

put another way, firewalls protect your computer and data from OTHER PEOPLE'S computers, from attacks launched from the internet.

little snitch protects your data from applications YOU HAVE INSTALLED on your computer. prevents them from doing things with your data like sending it off to somewhere on the internet.

Virtual, that helps a bit thanks. Sounds like a bit overkill for $30, if it was free or $5, ok..

Sorry for taking so long to respond.

It seems to me that "trojan" is a misnomer in the present context.

The Trojan Horse was a drive-by...a one-step affliction, while what's called a trojan is a two-step affliction: First you've got to visit the website hosting it, and then you've got to do something stupid.

All the Trojans had to do was visit the Greek's website, i.e. drag the horse into their city, and their fate was sealed.

I've always found it mind-boggling that they were so incredibly stupid!

It wasn't too unusual back in those days for an army that was stymied but not annihilated to leave their victors a trophy of some sort. Back when war was occasionally a somewhat more chivalrous business.

wow I guess it was quite a big affair... https://en.wikipedia.org/wiki/Trojan_Horse

of course you still have to do it right

https://www.youtube.com/watch?v=tS_JBDRk8o0

Maybe the world was different back then, but I learned at a very early age that anything that's got an inside may have something inside it.