Sophos, anyone using?
#32972 02/07/15 02:17 AM
kevs (OP) | Joined: Dec 2009
The days of Mac not getting virus are over, so I've been with Sophos for a few months. I think it's great, but it seems to have issues with Time Machine, anyone else using it?

Re: Sophos, anyone using?
kevs #32974 02/07/15 10:51 AM
ryck | Joined: Aug 2009 | Likes: 14
I don't leave Sophos installed as I have found it diminishes computer performance.

Periodically (and it's very rare), if I have reason to think I should check my drive, I will install Sophos, update its list of viruses and run a scan.

Once done, I use Sophos Uninstall to remove it.


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Sophos, anyone using?
ryck #32976 02/07/15 02:55 PM
Joined: Aug 2009 | Likes: 4
I second all 3 of ryck's points.

Re: Sophos, anyone using?
kevs #32979 02/07/15 05:30 PM
joemikeb (Moderator) | Joined: Aug 2009 | Likes: 16
To do what? Find Windows malware? That is about all it can do for you on a Mac.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Sophos, anyone using?
joemikeb #32983 02/07/15 07:17 PM
kevs (OP) | Joined: Dec 2009
Joe, it's finding trojan horses every few days now. One trojan horse opened up months after it landed in a hard drive, and brought down a website.

But it has some issue with Time Machine.

Re: Sophos, anyone using?
kevs #32985 02/07/15 07:55 PM
Joined: Sep 2009
I tried Sophos for a while but it slowed down the system. Viruses and malware are still not a problem on the Mac. I've never had any problem with them.

Re: Sophos, anyone using?
kevs #32986 02/07/15 08:46 PM
alternaut (Moderator) | Joined: Aug 2009 | Likes: 1
Originally Posted By: kevs
Joe, it's finding trojan horses every few days now. One trojan horse opened up months after it landed in a hard drive, and brought down a website.

Did it find those trojans on your Mac or hard disk? Was the downed website yours? If not, you're fighting somebody else's dragons. shocked


alternaut moderator
Re: Sophos, anyone using?
kevs #32987 02/07/15 09:01 PM
artie505 | Joined: Aug 2009 | Likes: 15
If it's finding trojans on your Mac "every few days", you're visiting a lot of websites that you really ought to stay away from. shocked


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sophos, anyone using?
artie505 #32992 02/07/15 11:58 PM
kevs (OP) | Joined: Dec 2009
Yes, my site, of course!

But it's finding stuff frequently now. The era of Macs being impervious is over. Artie, I don't know where these come from, think from emails, who knows.

Re: Sophos, anyone using?
kevs #32993 02/08/15 12:20 AM
artie505 | Joined: Aug 2009 | Likes: 15
Originally Posted By: kevs
Yes, my site, of course!

But it's finding stuff frequently now. The era of Macs being impervious is over. Artie, I don't know where these come from, think from emails, who knows.

To the best of my knowledge, there has still never been an in-the-wild Mac virus (although I have read about proofs-of-concept, none of which have gone beyond the lab, and that there are trojans that perhaps slide in under a loose definition of virus).

Trojans don't come from e-mails, kevs; you only get them if you navigate to a malicious website that downloads them to your Mac without your doing anything...drive-bys, or if you navigate to a malicious site and click on something you shouldn't ought to click on. If you're getting stuff in e-mails, it's from PC users who are sending it to you, probably without being aware of it.

Just to clarify: You say that Sophos is finding malware or some-such on "[your] site", but where is your site hosted? Is it on your own Mac or some remote server?

Can you tell us which specific items Sophos has flagged and where it's located them...maybe copy & paste a Sophos report into a post?

We can't do battle with demons without knowing precisely what kind of demons they are.

Last edited by artie505; 02/08/15 12:22 AM. Reason: Cleanup

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sophos, anyone using?
artie505 #32994 02/08/15 12:31 AM
kevs (OP) | Joined: Dec 2009
Artie, I did not post to have a debate here. My web hoster, and they run a site for hundreds of people for 15 years in the design world, they know what they are doing, recommended Sophos. My website was down, they fixed it. I see Sophos alert to threats every 2 months. I did not post to say I have a threat, why am I getting this? I don't even care to know. It's happening, and it's going to be happening more and more. My SS number was just compromised two days ago "probably", I'm with Anthem Blue, hear about that in the news?
Also in the news today is that Apple made more money than Exxon Mobil last quarter. It's not 1999.


Re: Sophos, anyone using?
kevs #32997 02/08/15 10:06 AM
artie505 | Joined: Aug 2009 | Likes: 15
Have you read joemike's post #32979?

Originally Posted By: joemikeb
To do what? Find Windows malware? That is about all it can do for you on a Mac.

If Windows malware that's found its way onto on your Mac is a problem for you in that you may inadvertently transmit it to others, it would definitely pay you to run some anti-virus app periodically, but if you think it will protect you from Mac related threats in the bargain, you're doing battle with windmills.

Seriously, if you've got evidence that Mac malware on your computer "brought down" your website that's hosted on a remote computer, please detail it for us and teach us something.

And if any of the "threats" that Sophos has found on your Mac have ever manifested themselves in any way, please detail that, too.

WE'RE HERE TO LEARN FROM YOUR PROBLEMS, AS WELL AS HELP YOU WITH THEM.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sophos, anyone using?
artie505 #33000 02/08/15 03:40 PM
kevs (OP) | Joined: Dec 2009
Artie, thanks, I just emailed Dave at SD, and he agrees with you, so I'm going to email my web hoster who recommended Sophos, and see if I can get some info on this.

Re: Sophos, anyone using?
artie505 #33004 02/08/15 08:27 PM
joemikeb (Moderator) | Joined: Aug 2009 | Likes: 16
There is a scenario in which an UNinfected Mac computer could act as a vector to infect a web host. If the Mac received a virus-infected file from an outside source and in turn posted the infected file to a server, that could potentially infect the server. In the same way an anopheles mosquito can bite someone who has malaria and subsequently pass the malarial infection along to the next person the mosquito bites. Neither the Mac nor the mosquito is ever "infected" or "affected" but they do pass the infection along.

In the case of the website, it would be reasonable to assume both the source of the malware and the host server are running Microsoft Windows. This leads me to a few questions…
  1. In the extremely unlikely event your Mac is infected, why isn't Sophos identifying and removing the infection on your Mac? If it can't do that then what good is it other than protecting someone else's computer?
  2. Assuming your Mac is not infected then the infected files are coming to you already infected. Where are you getting those infected files? You may need to seriously reconsider where your material is coming from.
  3. Why isn't the website host server well enough protected so that it detects and rejects infected files before the server is brought down?
  4. If somehow your Mac is infected and Sophos cannot recognize or disinfect it you need different anti-virus software and I am confident Apple will be VERY interested in learning about the infection so they can identify any vulnerabilities in OS X and correct them.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Sophos, anyone using?
joemikeb #33009 02/09/15 12:11 AM
kevs (OP) | Joined: Dec 2009
Joe, the case happened before I put Sophos on. The web hoster recommended I do that. Why they did not spot it on the server is something I have never pondered, I just took the blame and was too happy to have it resolved.

There has been no problem since, but I have seen every month Sophos say it detects a threat, and I go into Quarantine manager and nuke it.

I posted because suddenly Time Machine is not working with Sophos, and in the last two days Sophos is saying I have a threat, it shows the name of the threat, and then it vanishes before I can eliminate it. So that's how this discussion started, which is an interesting discussion I did not anticipate, i.e. do I really need Sophos. I just emailed the hoster who recommended it, let's see what he says. Dave of SuperDuper, who told me 10 years ago to bail on anti-virus, which I did, wrote this today, after I emailed him about this:

"Well, I don't know what they found. Fact is, a Trojan can only be obtained by conscious installation. Your web site may have been vulnerable to something different, but - I really think antivirus is a waste of your time.

Sophos identifies WINDOWS threats on your Mac...and those threats can't affect your Mac at all. It may also identify phishing attempts in your email, but you're too smart to fall for that stuff."

Re: Sophos, anyone using?
kevs #33010 02/09/15 01:55 AM
MacManiac (Moderator) | Joined: Aug 2009 | Likes: 5
Kevs, just looking in on this thread, it seems to me that you have gotten advice from your hosting service based on their false assumption that ALL computers are vulnerable to the large volume of Windows virus vectors in the wild. You'll see similar blanket recommendations from the banking industry as well.

Your website, if hosted on a Windows (or Linux) server, has vulnerabilities that your personal computer does not have (so far)....and your hosting service is responsible for managing THEIR exposure to that threat on THEIR server while serving YOUR website to the world.


Freedom is never free....thank a Service member today.
Re: Sophos, anyone using?
joemikeb #33012 02/09/15 08:31 AM
artie505 | Joined: Aug 2009 | Likes: 15
Originally Posted By: joemikeb
There is a scenario in which an UNinfected Mac computer could act as a vector to infect a web host.

Considering kevs's background, I was thinking more along the lines of an infected image, rather than a file, but I did see that possibility.

What I didn't see was the possibility that when he said that his website went down, he really meant his host server, and that left me thinking along a dead-end line of thought.

Your questions/observations are spot on, and under any circumstances, it looks like kevs maybe ought to consider looking for a new host for his website.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sophos, anyone using?
MacManiac #33013 02/09/15 08:56 AM
artie505 | Joined: Aug 2009 | Likes: 15
Originally Posted By: MacManiac
Kevs, just looking in on this thread, it seems to me that you have gotten advice from your hosting service based on their false assumption that ALL computers are vulnerable to the large volume of Windows virus vectors in the wild. You'll see similar blanket recommendations from the banking industry as well.

Your website, if hosted on a Windows (or Linux) server, has vulnerabilities that your personal computer does not have (so far)....and your hosting service is responsible for managing THEIR exposure to that threat on THEIR server while serving YOUR website to the world.

Yes and no...

I think kev's having already uploaded one malicious something or other that brought down an entire server is proof positive that he really needs anti-malware software, if only to protect others from him.

And I think that Sophos's identifying something or other on his Mac as a threat almost monthly cements the issue.

Kevs is picking up Windows malware from somewhere, and while some detective work on his part to try to ferret out the source(s) is certainly in order, a buffer layer definitely suits his needs.

I think this thread has now come full-circle and we ought to proceed from a restatement of kev's original post:

Originally Posted By: More like paraphrase
I must run anti-virus software, and Sophos, which I've been running, may not be the best choice.

Has anybody got a better suggestion?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sophos, anyone using?
artie505 #33026 02/09/15 05:18 PM
kevs (OP) | Joined: Dec 2009
Thanks guys. It did not bring down a server, but just my site.
These hosters are really, really good. I've been with them 15 years or so. That said, I'm way less tech than you guys or them, thanks Artie and Mac. I think I'll stay with Sophos, I don't see it slowing my computer down as of yet. I just wish it worked with Time Machine as it once did. One new nugget of info from the hoster, and I do remember now at the time him mentioning that it was a user / pass that was compromised, and we made a much better:
From Hoster
"A trojan on your computer has nothing to do with the server being infected - the trojans steal passwords from your computer, then hackers use those legitimate usernames and passwords to upload malicious content to your site. Yes, we have software on the server to detect malicious files which is how we knew your site was compromised and trace it back to stolen username/passwords"

Re: Sophos, anyone using?
kevs #33042 02/10/15 01:22 AM
artie505 | Joined: Aug 2009 | Likes: 15
Good post, kevs; it finally pulls all the pieces together.

In view of it, then, I think you ought to check out Sophos Technical Support to either see if you can learn something helpful about your Time Machine issue or escalate it to a human being.

And even though Sophos will save you from passing on PC malware, like joemike said, you need to pay some serious attention to the websites you visit, because (to the best of my knowledge, anyhow) a trojan such as the one that ultimately brought your website down can be picked up only by visiting a malicious website. ("Malicious" is in absolutely no way limited to x-rated; there are all sorts of how-to and other commonly searched-for websites that are also infected.)

Edit: I'll also suggest that you install Little Snitch on your Macs.

Originally Posted By: MacUpdate/Little Snitch
Little Snitch gives you control over your private outgoing data.

Track background activity
As soon as your computer connects to the Internet, applications often have permission to send any information wherever they need to. Little Snitch takes note of this activity and allows you to decide for yourself what happens with this data.

Control your network
Choose to allow or deny connections, or define a rule how to handle similar, future connection attempts. Little Snitch runs inconspicuously in the background and it can even detect network-related activity of viruses, trojans, and other malware.

It requires much initial and some ongoing thought and configuration, but, in theory, anyhow, it would have alerted you to the trojan's phoning home and enabled you to stop it in its tracks...for good.

Last edited by artie505; 02/10/15 02:31 AM. Reason: Cleanup +

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Sophos, anyone using?
kevs #33045 02/10/15 03:02 PM
Joined: Aug 2009
Originally Posted By: kevs
"A trojan on your computer has nothing to do with the server being infected - the trojans steal passwords from your computer, then hackers use those legitimate usernames and passwords to upload malicious content to your site. Yes, we have software on the server to detect malicious files which is how we knew your site was compromised and trace it back to stolen username/passwords"


To date I have run into around 20 Macs with "malware" of some category on them. ZERO viruses. 30% have been scareware like MacDefender, 65% have been MacKeeper (which I classify as malware), and the remaining 5% have been actual "mess up your computer" DNS changers.

I have yet to encounter a password stealer, backdoor installer, root kit, virus, or anything else.


Interestingly enough, I had been in quite a dry spell until last week. Gal brought in a mbp with macdefender, mackeeper, AND a DNS changer on it..... oy vey.


I work for the Department of Redundancy Department
Re: Sophos, anyone using?
artie505 #33049 02/10/15 03:21 PM
joemikeb (Moderator) | Joined: Aug 2009 | Likes: 16
Just to clarify, a trojan, by definition, tricks or somehow induces a user to install it. They are named after the story of the Greek Trojan Horse used to gain entrance into the city of Troy during the Trojan wars.

Originally Posted By: hoster
"A trojan on your computer has nothing to do with the server being infected - the trojans steal passwords from your computer, then hackers use those legitimate usernames and passwords to upload malicious content to your site. Yes, we have software on the server to detect malicious files which is how we knew your site was compromised and trace it back to stolen username/passwords"

Amen to that but with at least three caveats.
  1. Stealing userids and passwords can be done by all sorts of malware and is not limited to trojans.
  2. Just because someone hacked into your website account does not mean your computer was the source of the userid/password
  3. It does not necessarily mean the malefactors even had your account userid and password. There are any number of sites on the internet offering instructions on how to hack into virtually any computer system. Some of those are sponsored by major universities in the United States and around the world. (How are you going to develop new security strategies if you don't know the weaknesses in the existing strategies?)
Originally Posted By: artie505
a trojan such as the one that ultimately brought your website down can be picked up only by visiting a malicious website. ("Malicious" is in absolutely no way limited to x-rated; there are all sorts of how-to and other commonly searched-for websites that are also infected.)

There is such a thing as "drive by" malware infection but that does not fit the definition of a trojan. To install a trojan, you have to do more than visit the website. You have to download and install it. Trojans typically use social engineering to entice users to install them. Among the ploys that have been used you will find things like…
  • The FBI (Google, Microsoft, Kaspersky, etc.) has detected a virus on your computer. Download and run this application to remove the virus or you will be banned from the internet.
  • The really juicy images on this XXXX rated site can be seen better if you download and install this viewer.
  • Download this $300 software package for the bargain price of $30.
  • Download this software to test and speed up your computer. (Actually that one is quasi-legitimate it only acts like a trojan, degrades system performance, and is very difficult to remove).
  • and so forth.
The difficulty with trojans is there is really no way to differentiate between a trojan and a normal application, which makes them particularly insidious. Often the only way to know that you have contracted a trojan is by careful observation of changes in system behavior. Not even Little Snitch would have detected DNS Changer because it did not call home although Little Snitch might have complained about the IP address of some of the sites the user was unwittingly visiting. One trojan that was successful on the Mac was the infamous DNS Changer which redirected internet inquiries to a malicious DNS server that could then redirect queries to fake web sites, capture all sorts of data, and in fact do pretty much anything the creators thought might be profitable. Apple quickly released a patch to prevent DNS Changer from working and in subsequent releases of OS X, especially Yosemite, added all sorts of protections against malicious changes of much of the system information and configuration.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Sophos, anyone using?
joemikeb #33055 02/10/15 08:03 PM
Joined: Aug 2009
Originally Posted By: joemikeb
The difficulty with trojans is there is really no way to differentiate between a trojan and a normal application, which makes them particularly insidious


My personal quick advice on that is "If you went looking for it and downloaded it, it's probably legitimate. But if it's being pushy like a used car salesman and throwing itself at you even though you never said you wanted it, you probably don't want it."


I work for the Department of Redundancy Department
Re: Sophos, anyone using?
kevs #33057 02/11/15 12:33 AM
tacit | Joined: Aug 2009 | Likes: 1
Originally Posted By: kevs

From Hoster
"A trojan on your computer has nothing to do with the server being infected - the trojans steal passwords from your computer, then hackers use those legitimate usernames and passwords to upload malicious content to your site. Yes, we have software on the server to detect malicious files which is how we knew your site was compromised and trace it back to stolen username/passwords"


To date, I have yet to see Mac malware that grabs server credentials.

What I do see (all the frikkin' time) is brute-force attacks against servers, looking for passwords for FTP, or WordPress, or Joomla, or other CMS packages. I run security software on my Web servers and I see about 1-2 of these brute-force attacks per day on most of my sites.

What that means is if you use a weak password, you will, sooner or later, get hacked. It is my belief, based on the patterns of attacks I see on my own servers, and the incidence of malware I see in the wild, that more servers are compromised by brute-force hack attacks than by password-stealing Trojans.

The upshot of all that is Sophos might not have saved you. It's possible your site was hacked simply by means of a brute-force attack. Even passwords that "look" secure (like by scrambling words by filling in numbers in place of letters) aren't necessarily secure...and the little built-in secure password test of many major apps like WordPress isn't actually worth crap. These things may give a high security rating to insecure passwords and vice versa.

So what do you do? Use long passwords. Use long passwords made up of letters, numbers, and punctuation. Use long passwords made up of multiple words and also letters, numbers, and punctuation.

In the day of rainbow tables and distributed brute-force attacks, 8-character or shorter passwords pretty much suck no matter how tricky they look. A password like "How?Now!Purple{{Cow" is far better than a password like "aCv1gh"--the latter will be cracked in no time.

Don't use FTP. It's inherently insecure by design. For one thing, passwords are sent in the clear, so if you're on Wifi, anyone near you can grab your credentials. Use SFTP or something else (like WebDAV).

Update your CMS, if you use one, RELIGIOUSLY. Every time WordPress releases a security update, for instance, hackers go to work reverse-engineering the update looking for the vulnerability that was fixed. This gives you, typically, about a 24-hour margin between the time when the update is released and the time hackers start exploiting it. Update early and update often. If it's been 48 hours since a security update was released, and you haven't installed it yet, assume you have been compromised and act accordingly.

Every major CMS has security hardening plugins and/or auto-updating plugins available. Use them. If you use WordPress, turn on auto updates and install the free WordFence security plugin. If you use more than one WordPress site, install the free InfiniteWP software that lets you manage all of them with one button click and also emails you whenever any of your plugins or your WordPress install itself is out of date. If you use something other than WordPress, find the equivalent tools for it.

This will do far more to protect you than installing Sophos on your computer will.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
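As an added illustration of the point tacit makes about password length and "scrambled word" passwords (this is example code written for this page, not anything tacit or the forum posted): a small Python estimator that compares what a naive charset-based strength meter reports with a rough attacker's-eye cost. The miniature wordlist, the substitution table, the one-bit-per-substitution approximation and the 1e10 guesses-per-second offline rate are all constructed assumptions. It goes slightly beyond the post by also scoring a leet-substituted dictionary word such as P4ssw0rd, which the post says built-in meters overrate.

```python
"""Compare a naive password meter with an attacker's-eye cost estimate.

Constructed example: the wordlist, leet table, bit approximations and
guess rates are illustrative assumptions, not measurements.
"""
import math
import string

# Constructed miniature wordlist; a real cracking list has millions of entries.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "purple", "cow"}

# Digit/symbol-for-letter substitutions that "scrambled" passwords rely on.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Character classes a naive meter adds up to get its alphabet size.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
]


def charset_size(pw):
    """Alphabet size a naive meter assumes: sum of the classes present."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in pw))


def naive_bits(pw):
    """What a simple strength meter reports: len * log2(alphabet)."""
    return len(pw) * math.log2(charset_size(pw))


def substitution_count(pw):
    """Positions an attacker must treat as 'maybe substituted': leet chars and capitals."""
    return sum(1 for c in pw if c in "013457@$!" or c.isupper())


def dictionary_hit(pw):
    """True when undoing the substitutions leaves a wordlist entry."""
    return pw.translate(LEET).lower() in COMMON_WORDS


def effective_bits(pw):
    """Rough attacker-view cost (assumed model): a dictionary hit costs only the
    list size plus one bit per substitutable position, not alphabet^length."""
    if dictionary_hit(pw):
        return math.log2(len(COMMON_WORDS)) + substitution_count(pw)
    return naive_bits(pw)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


def assess(pw, guesses_per_second=1e10):
    """Summarise a password the way the post argues, not the way a meter does.
    1e10 guesses/s is an assumed offline hash-cracking rate."""
    eff = effective_bits(pw)
    if dictionary_hit(pw):
        verdict = "weak: wordlist entry with substitutions"
    elif len(pw) <= 8:
        verdict = "weak: 8 characters or shorter"
    elif eff < 60:
        verdict = "marginal"
    else:
        verdict = "strong"
    return {
        "password": pw,
        "naive_bits": round(naive_bits(pw), 1),
        "effective_bits": round(eff, 1),
        "seconds_offline": seconds_to_exhaust(eff, guesses_per_second),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # The two passwords from the post plus a "scrambled word" a meter would overrate.
    for pw in ("aCv1gh", "How?Now!Purple{{Cow", "P4ssw0rd"):
        r = assess(pw)
        print(f"{r['password']:<22} naive={r['naive_bits']:>6} "
              f"eff={r['effective_bits']:>6} offline={r['seconds_offline']:.3g}s  {r['verdict']}")
```

Run it as a script and the three rows show the ranking the post describes: the 6-character mixed-case string has roughly 36 bits and is exhausted in seconds at the assumed offline rate, the 19-character passphrase has over 120 bits, and the substituted dictionary word looks like 47 bits to a meter but costs an attacker with a wordlist only a handful. Online guessing against a throttled login is orders of magnitude slower than the offline rate assumed here, which is exactly why the post's 1-2 brute-force runs per day are aimed at weak and reused passwords.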
Re: Sophos, anyone using?
tacit #33058 02/11/15 01:06 AM
kevs (OP) | Joined: Dec 2009
Thanks all. What does Little Snitch do that Sophos does not? Is it worth $35?

I visit a crazy porn site and then Little Snitch comes up and blocks me, saying there is malware coming from this site, do not go?

I called Sophos and the guy there just directed me to the Mac for Sophos forum. There is a post about Time Machine, but no one knows anything on the forum.
