An open community 
of Macintosh users,
for Macintosh users.

#28166 - 02/13/14 05:54 PM Virus? W32.Suspect.Trojan.FakeAV
slolerner Offline


Registered: 08/25/09
Loc: New York City
My bad. I opened an attachment I thought was proper and Sophos went off. It seemed to have isolated the problem, I sent an email of the event log when it happened to Sophos and have not heard back. Since then I've had slow internet, Sophos could not connect to the internet and update, and now the Sophos icon in the toolbar is not present even though it is set in prefs to be there. Ran Sophos over and over, everything seemed ok. Now I am running ClamX and it is finding W32.Suspect.Trojan.FakeAV in a mailbox. Tried reinstalling Sophos and still no toolbar logo. ???

This is happening on my 13" Mac running 10.6.8
_________________________
Mid 2010 MacBook Pro 13"
2.4GHz, 750GB SATA HD, 8 GB RAM, OS 10.7.5
1 HDX1500 2TB Ext.HD, 2 HDX1500 1TB Ext.HD
HP Laserjet 6MP printing postscript via 10/100 Intel print server
Netgear WN2500RP Range Extender (Ira rocks!)
Linksys WRT1900AC Wireless Router
Brother MFC-9340CDW Color Laser
iPad Air

#28168 - 02/14/14 07:43 AM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: slolerner]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Ah yes, another WINDOWS virus that will not and cannot infect a Mac. Unrelated to a virus detection, Sophos was really slowing my Macs down after I upgraded them to Mavericks, so I deleted Sophos. I tried BitDefender from the Apple store but it refuses to run on one of my Macs but not the others (????), so I am working with their tech support on the problem.

In the meantime I installed ClamXAV on the problem machine and it soldiers on without a hitch.
_________________________
joemikeb • moderator

#28169 - 02/14/14 01:03 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: joemikeb]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Macs don't get viruses, I couldn't agree more. So, yes, I did uninstall Sophos and use ClamX, just couldn't tell anyone because by that time I was completely thrown off the internet and when I finally went to bed, I had no email as well. ClamX is very good, it found some emails that had something else that Sophos did not catch, but ClamX just doesn't update often enough, I thought. I don't know if the updates from Sophos were the first thing that went, because I remember it couldn't connect to their server when I first called the cable company and blamed them. Then I kept rebooting the router, falling on and off both ethernet and airport.
#28170 - 02/14/14 02:17 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: joemikeb]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: joemikeb
Unrelated to a virus detection, Sophos was really slowing my Macs down....

I found the same thing. So I will install Sophos when I want to do a check of my entire drive (which I arrange to do overnight) and then, once Sophos is done, I uninstall it. ClamXav is always on.
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#28171 - 02/14/14 02:54 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: slolerner]
alternaut Offline

Moderator

Registered: 08/04/09
Quote:
- Macs don't get viruses, I couldn't agree more.
- ... but ClamX just doesn't update often enough, I thought.

The following comments have been given before by me and others, but I'm repeating them here because they are worth repeating.

Macs do in fact get viruses, albeit no Windows versions (unless you run Windows on your Mac), and in general the number of Mac viruses is very low compared to the number of Windows viruses. However, Macs can and do pass on Windows malware to their Windows-running connections via email, which is the main reason to run AV software on Macs.

ClamXav updates its signature files (= malware recognition files; there are several different ones, see the 'updates' link below) every time you load it, usually on startup, or daily as set in its prefs, although it may not always see daily updates depending on circumstances. The AV utility's engine is the part that finds and removes malware, and is updated less frequently, like most of its competition. In general, all AV software tends to be behind the times regarding new threats, because you have to have the threat before you can defend against it. That is where user smarts are important to avoid problems, although that can be hard to impossible, what with 'drive-by' infections caught on subverted web sites.

Obviously, if your AV utility gets in the way of your work, it's entirely up to you to disable or remove it.
_________________________
alternaut moderator

#28176 - 02/15/14 12:08 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: slolerner]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
There's actually a naming scheme to viruses that helps you identify them. With the standard naming system, the first part tells you what platform the virus infects, the second part tells you how it operates, and the last bit identifies the malware specifically.

If the name starts with W32, that means it's Windows (32-bit). OSX means it can infect Mac OS X, Android means Android smartphone, and so on.

Trojan means an app that the user has to run, usually masquerading as something else; worm means self-spreading through network or disk sharing, and so forth.

So W32.Trojan.FakeAV is a Windows Trojan malware that pretends to be an antivirus program, but actually isn't.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

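The naming scheme tacit describes (platform, then behaviour, then family) is easy to put into code, and doing so makes the triage question in this thread explicit: a W32 detection found on a Mac names a platform that is not the host. The following Python is an added example, not code from the original post or from any AV vendor; the PLATFORMS and TYPES tables are assumptions chosen to match the post, vendors vary in the exact tokens they emit, and the sample names other than W32.Suspect.Trojan.FakeAV are constructed. The parser also copes with an extra qualifier token such as "Suspect" sitting between the platform and the type, which the post's condensed form W32.Trojan.FakeAV drops.

```python
"""Parse dotted malware detection names (platform . [qualifiers] . type . family),
the scheme described in the post above. Added illustration; the prefix tables
are assumptions for the demo, not any vendor's official list."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed platform prefixes. Vendors differ in the exact tokens they use.
PLATFORMS = {
    "W32": "Windows (32-bit)",
    "W64": "Windows (64-bit)",
    "OSX": "Mac OS X",
    "Android": "Android",
}

# Assumed behaviour tokens, with the meaning the post gives for the first two.
TYPES = {
    "Trojan": "must be run by the user, usually masquerading as something else",
    "Worm": "self-spreading through network or disk sharing",
    "Virus": "infects other files on the host",
}


@dataclass
class Detection:
    raw: str
    platform: Optional[str]      # e.g. "W32", or None if no known prefix
    kind: Optional[str]          # e.g. "Trojan", or None if no known type token
    family: str                  # last token, e.g. "FakeAV"
    qualifiers: list = field(default_factory=list)  # e.g. ["Suspect"], a heuristic hit


def parse_detection(name: str) -> Detection:
    """Split on dots: first token is the platform, last the family, and the
    tokens in between are type and qualifier tokens in vendor order."""
    parts = [p for p in name.split(".") if p]
    if len(parts) < 2:
        raise ValueError(f"not a dotted detection name: {name!r}")
    platform = parts[0] if parts[0] in PLATFORMS else None
    rest = parts[1:] if platform else parts
    family = rest[-1]
    middle = rest[:-1]
    kind = next((t for t in middle if t in TYPES), None)
    qualifiers = [t for t in middle if t != kind]
    return Detection(name, platform, kind, family, qualifiers)


def triage(det: Detection, host_platform: str) -> str:
    """Classify a detection for the host the scanner ran on:
    'host-risk'  - the named platform is this host; treat as a live infection.
    'relay-risk' - another platform, e.g. Windows malware in a mailbox on a Mac:
                   inert here but forwardable to others (the reason the thread
                   gives for running AV on a Mac at all).
    'unknown'    - no recognised platform prefix; inspect by hand."""
    if det.platform is None:
        return "unknown"
    return "host-risk" if det.platform == host_platform else "relay-risk"


def describe(det: Detection) -> str:
    """Human-readable expansion of a parsed name."""
    platform = PLATFORMS.get(det.platform, "unknown platform")
    kind = TYPES.get(det.kind, "unspecified behaviour")
    text = f"{det.raw}: {platform}; {kind}; family {det.family}"
    if det.qualifiers:
        text += f"; qualifiers {det.qualifiers}"
    return text


if __name__ == "__main__":
    d = parse_detection("W32.Suspect.Trojan.FakeAV")
    print(describe(d), "->", triage(d, "OSX"))
```

Run on the name from this thread with host platform "OSX", triage() answers "relay-risk": the file cannot execute on the Mac that flagged it, but it should still be quarantined or deleted before the mailbox is forwarded or backed up to a Windows machine.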
#28177 - 02/15/14 01:12 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: tacit]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Quote:
Macs don't get viruses, I couldn't agree more.

I was being sarcastic, sorry, you'd have to know me. I have had and seen others with Mac viruses, all worms. Anyway, so I think what ClamX found was Windows viruses in my email that never affected me. It looks like the problem is my cable box, which I suspected in the first place. It's just that Sophos found the W32.Suspect.Trojan.FakeAV right after my internet connection slowed down. The Trojan was in several places but confined to emails.

I still only get a solid browser connection with Safari. I completely uninstalled Firefox because just having it on the computer seems to have been causing problems. Installed and uninstalled and the slowness kept coming back, even when using Safari??? even without Ghostery, although having Ghostery makes it worse. I have to figure out the correct settings for Ghostery so it isn't part of the problem. When I see all the beacons it stops, almost a hundred, I really want it.

Will swap out the cable box Tues; still thought it was the virus causing the problem all week. Even hit the reset button on the router and set it up again because cable told me I was getting the speed I was supposed to get; they sent me to a website that tested it. But the link light on it used to flash and now it is on all the time??? Like I said, Safari is not a problem now and neither is mail.

Thanks for the explanation of virus defs, Tacit.
#28180 - 02/16/14 11:21 AM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: alternaut]
jaybass Offline


Registered: 08/04/09
Loc: toronto Canada
OS 10.6.8, 8GB RAM, ClamXav 2.6.2 (0.98.1 engine), VirusBarrier 10.7.8. I had just backed up my HD with SuperDuper and VirusBarrier found some malware which I had deleted via VB's quarantine. I decided to browse the forum. I see there was some discussion re ClamXav so I decided to check my mail and then my home folder using ClamX. About halfway through the folder, a VirusBarrier window appeared showing malware. Question, why did VB show malware whilst ClamX was still running? Also, why would there be malware after VB had supposedly deleted all malware after backup completion? jaybass

#28181 - 02/16/14 11:40 AM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: jaybass]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
Different antivirus scanners have different success rates, and operate in different ways. Some antivirus scanners scan every file as it's downloaded or saved--these slow your computer down a LOT. Some scan files only when accessed.

It sounds like VB scans when files are accessed. ClamX accessed the files in your mail downloads folder, so that triggered VB to scan them.

Given the relative scarcity of Mac malware, running two antivirus programs seems like overkill. It will have a significant impact on your computer's performance.
#28182 - 02/16/14 02:37 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: tacit]
jaybass Offline


Registered: 08/04/09
Loc: toronto Canada
I've always thought ClamX scans only when accessed. I don't remember ClamX telling me anything unless I actually scanned a file. I believe VB scans in the background. The only software that slowed my computer down was Sophos, which I had to delete. BTW, my mail came up clean. It was the home folder that was the trouble. I will bear your remarks in mind. I think I will delete ClamX and see if there is any difference in speed. Thanks tacit.

#28183 - 02/16/14 06:22 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: jaybass]
alternaut Offline

Moderator

Registered: 08/04/09
Without telling it what to scan and when, ClamXav by itself doesn't scan anything, let alone automatically. The prefs provide an option to schedule items (files, folders) to be scanned. The only auto-scan you can set in the General prefs pane is that of email messages and mailboxes, provided the latter are of the mbox type. You will still have to tell ClamXav where to find your email folder for these scans to actually be carried out. The prefs also let you check for and install updates automatically upon launch.

The ClamXav Sentry function (to be activated separately) allows you to select folders to be scanned when changes (read: additions) to them occur. You may want to consider activating Sentry for your downloads folder, and any other folder that receives files from (uncontrolled) sources other than your computer. To ensure that Sentry always runs it has to be added to your Login Items. Scanning your Downloads folder will take CPU cycles during downloads, and should this prove too intrusive, you may choose to temporarily suspend scanning or to scan at other times.
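The behaviour alternaut describes for Sentry, scanning a watched folder only when something is added to it rather than on every file access or on a schedule, is the usual way to keep an on-change scanner cheap. The Python below is an added model of that idea, not ClamXav's code: it snapshots a folder, rescans only files that are new or whose size or modification time changed since the last pass, and matches their SHA-256 against a tiny constructed hash list standing in for a signature database. The folder, file names and "bad" content are all constructed inside a temporary directory so the demo runs offline and touches nothing real.

```python
"""Model of on-change folder scanning, the 'Sentry' idea described above.
Added illustration, not ClamXav's code: snapshot a folder, rescan only what
is new or changed, and match content hashes against a constructed hash list."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a signature database: content hash -> detection name.
SAMPLE_BAD_CONTENT = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\n"
KNOWN_BAD = {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest(): "Constructed.Test.Sample"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder: Path) -> dict:
    """Record (mtime_ns, size) for every regular file directly inside the folder."""
    state = {}
    for p in folder.iterdir():
        if p.is_file():
            st = p.stat()
            state[p] = (st.st_mtime_ns, st.st_size)
    return state


def changed_since(before: dict, after: dict) -> list:
    """Files that are new, or whose mtime/size differ from the earlier snapshot.
    Unchanged files are deliberately skipped; that is what keeps the watcher cheap."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)


def scan_paths(paths, db=KNOWN_BAD) -> dict:
    """Hash each path and report those whose hash appears in the database."""
    hits = {}
    for p in paths:
        digest = sha256_of(p)
        if digest in db:
            hits[p.name] = db[digest]
    return hits


def sentry_cycle(folder: Path, before: dict, db=KNOWN_BAD):
    """One watcher pass: diff against the last snapshot, scan only the changes.
    Returns the new snapshot, the names scanned, and any detections."""
    after = snapshot(folder)
    targets = changed_since(before, after)
    return after, [p.name for p in targets], scan_paths(targets, db)


def demo() -> tuple:
    """Two passes over a constructed Downloads folder in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp)
        (downloads / "notes.txt").write_bytes(b"already here before watching\n")
        baseline = snapshot(downloads)  # the watcher starts from this state
        # Two arrivals: one matches the constructed bad hash, one is benign.
        (downloads / "download1.bin").write_bytes(SAMPLE_BAD_CONTENT)
        (downloads / "download2.bin").write_bytes(b"harmless download\n")
        state, scanned1, hits1 = sentry_cycle(downloads, baseline)
        _, scanned2, hits2 = sentry_cycle(downloads, state)  # nothing new now
        return scanned1, hits1, scanned2, hits2


if __name__ == "__main__":
    for label, value in zip(("scanned", "hits", "scanned again", "hits again"), demo()):
        print(f"{label}: {value}")
```

The first pass scans only the two new files and flags download1.bin; the pre-existing notes.txt is never hashed, and the second pass scans nothing because nothing changed. A real on-access scanner hooks the filesystem instead of polling and uses far richer signatures than exact hashes, but the cost model is the same: work is proportional to what arrives, which is why heavy download sessions are exactly when the CPU hit shows up.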
#28184 - 02/16/14 06:54 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: alternaut]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
The ClamXAV version sold through the App Store does not have a sentry function, separate or otherwise, but it does support automatic scans on a user specified schedule and automatic update of signature files.


Edited by joemikeb (02/16/14 06:56 PM)
Edit Reason: re-phrase answer
#28185 - 02/16/14 10:26 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: joemikeb]
slolerner Offline


Registered: 08/25/09
Loc: New York City
I am using ClamX Sentry to monitor my Downloads folder, an Installer folder where I usually specify installers be placed, my Desktop (where I drag photos from an email or a website) and my Email. That covers all the entrances. I don't notice any speed problems.

#28186 - 02/17/14 07:07 AM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: joemikeb]
alternaut Offline

Moderator

Registered: 08/04/09
Quote:
The ClamXAV version sold through the App Store does not have a sentry function.

Good point. I didn't specifically mention it because the link I provided did already do so, but it doesn't hurt to repeat it. The fact that software available through the App Store may lack certain (and in this case critical) functionality is a definite problem. Because of it I always check the web site of the developer or publisher for a 'full' version.
#28187 - 02/17/14 07:43 AM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: slolerner]
alternaut Offline

Moderator

Registered: 08/04/09
My ClamXav Sentry configuration is similar to yours, but because my Mac is getting old in the tooth (I've been putting off upgrading) I see a definite performance hit due to ClamXav activity during heavy download sessions.
And yes, I figured you were being sarcastic above, but didn't want to run the risk that other viewers might not recognize that.
#28214 - 02/24/14 06:40 PM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: alternaut]
slolerner Offline


Registered: 08/25/09
Loc: New York City
It was the cable box. Had to do a few reboots of the cable box and the router, but all's well. I re-installed Firefox and Ghostery but am very particular in what I am blocking, only beacons, trackers, and analytics. Well, not exactly true, am blocking everything with a social media name too. The only problem I have is that Ghostery will not allow redirects and then I can't get back where I was.


Edited by slolerner (02/24/14 06:40 PM)
Edit Reason: spellcheck

#28275 - 03/02/14 07:41 AM Re: Virus? W32.Suspect.Trojan.FakeAV [Re: slolerner]
slolerner Offline


Registered: 08/25/09
Loc: New York City
Actually, switching the cable box helped for a little while, and then it stopped working. Same answer from the cable company, disconnect the router and run their speed test and the speed was correct, it's the router. Buy one of our routers.

I finally insisted on speaking to someone who troubleshoots their routers. I have to emphasize 'insist.' That person told me the Wireless G was a perfectly good modem, had me switch to a different channel than had been suggested before, and poof! No problems for good. Too many wireless routers on the same cable system in my part of the building.

Moderator:  alternaut, dianne, MacManiac