Antivirus and copy conflict

[kevs1]

I got Sophos because my web hoster recommeded I get an antiviris. I've been using Sophos (who they recommended), and it was going ok, but now is conflicting with scheduled copies of Super Duper, which I've been using for years. SD says Sophos puts an error message on the offending email, and hence SD wont finish the copy.

I've contacted Sophos and there is nothing they can do.

So I have to now manually delete the bad email to get copies to work. Real tedious.

SD (and others) have said bail on silly antivirus. I would like to! The only reason I got on board again is because of this incident from 2 years ago or so. Any advice? Thanks.









From a couple of years ago:

Our systems have alerted us that on 12/25/2013 malicious IP addresses in Russia & - an IP address in Belarus) logged into the FTP account and uploaded malicious files.


We've removed the files from the account. The FTP password for the account has been changed to:

As a precuation, your wordpress passwords have been disabled. You can reset your wordpress passworsd by going to and clicking on 'Lost your password?'


This means that either the FTP password was easy to guess and was brute forced, or a computer that had the FTP password stored, or used the FTP account in the past, was hacked and infected with malware/trojan/viruses/keyloggers. There are a lot of known viruses and trojans in the wild that are specifically designed to steal FTP passwords stored in FTP accounts, even if they haven't been used in years.


Please scan all home, office, laptop and other computers that may have accessed that FTP account in the past or had the FTP password stored on them.

 

[bobr1952]

Well I would have to agree with that advice and bail on Sophos. Safe computing is really not all that hard without an antivirus program bogging you down

 

[kevs1]

Well I would have to agree with that advice and bail on Sophos. Safe computing is really not all that hard without an antivirus program bogging you down

Thanks, that did not help too much.

 

[maflynn]

Another vote for dumping Sophos. Just because your ISP recommended it, doesn't mean you have to use it.
There are no viruses in the wild for OS X and with good computing habits you can minimize your risk of malware.

I've been rocking with no antivirus software on my Mac since the beginning of time. Most antivirus software, slows down your computer and causes problems for no good reason. In fact many of these apps are actually worse then some of the malware that is out there.

 

[aristobrat]

SD (and others) have said bail on silly antivirus. I would like to! The only reason I got on board again is because of this incident from 2 years ago or so. Any advice? Thanks.

This means that either the FTP password was easy to guess and was brute forced, or a computer that had the FTP password stored, or used the FTP account in the past, was hacked and infected with malware/trojan/viruses/keyloggers.

If Sophos didn't find your Mac infected with malware/trojan/viruses/keyloggers (per the suggestion above) two years ago when this happened, then it's likely the password was brute-forced "guessed", or stolen from a different machine.

The only Mac folks I know that have Macs with antivirus are folks with work machines where it's mandated by their company (based on their interoperation of Sarbanes-Oxley, HIPPA, PCI-DSS, etc requirements).

If you want to keep running it, maybe see if there's a way to disable real-time protection, and run it manually once a week or something.

 

[kevs1]

Thanks Guys, Sophos was not in the picture when that happened. That why the isp said to get it!

They had to save my ass, and almost made it a requirement for them doing that again in the future.. So I posted that email to make it clear what happened. So I don't know...

But why is it marking these spam attachments as errors? Which then screws up the super duper clones.

 

[Gjwilly]

Dump Sophos and see if it resolves the problem.
Then try a different AV and see if it's any better. Avast and Avira both have free versions for Mac.
Your ISP should be placated and the problem will be gone.

 

[kevs1]

Ok G thanks, Hmmmm worth trying. I just went through so much to get Sophos working ok on both machines, but will look into that. I know Avast, I think it's a free plug in for Wordpress right? But they have a free home edition for Mac desktops/ laptops? Who do you recommend between the two. Do you think they wont mark those attachment spams as "errors" which is what causes super duper to abort the clone? How does Sophos rank to them? My ISP really likes Sophos for some reason.

 

[IHelpId10t5]

I got Sophos because my web hoster recommeded I get an antiviris. I've been using Sophos (who they recommended), and it was going ok, but now is conflicting with scheduled copies of Super Duper, which I've been using for years. SD says Sophos puts an error message on the offending email, and hence SD wont finish the copy.

I've contacted Sophos and there is nothing they can do.

So I have to now manually delete the bad email to get copies to work. Real tedious.

SD (and others) have said bail on silly antivirus. I would like to! The only reason I got on board again is because of this incident from 2 years ago or so. Any advice? Thanks.

From a couple of years ago:

Our systems have alerted us that on 12/25/2013 malicious IP addresses in Russia & - an IP address in Belarus) logged into the FTP account and uploaded malicious files.


We've removed the files from the account. The FTP password for the account has been changed to:

As a precuation, your wordpress passwords have been disabled. You can reset your wordpress passworsd by going to and clicking on 'Lost your password?'


This means that either the FTP password was easy to guess and was brute forced, or a computer that had the FTP password stored, or used the FTP account in the past, was hacked and infected with malware/trojan/viruses/keyloggers. There are a lot of known viruses and trojans in the wild that are specifically designed to steal FTP passwords stored in FTP accounts, even if they haven't been used in years.


Please scan all home, office, laptop and other computers that may have accessed that FTP account in the past or had the FTP password stored on them.

1) Remove Sophos and any other 3rd part security products from all of your Macs. Anti-virus on a Mac currently has no benefit whatsoever, yet has potentially many downsides including introducing vulnerabilities and/or conflicts with the OS and other applications.

2) Disable FTP everywhere you have been using it. FTP sends credentials in the clear over the wire unencrypted and should have been abandoned a decade ago.

3) Abandon Wordpress and move to Drupal for a much more modern and less vulnerable CMS solution that doesn't require weekly patching.

 

[superscape]

1) Remove Sophos and any other 3rd part security products from all of your Macs. Anti-virus on a Mac currently has no benefit whatsoever, yet has potentially many downsides including introducing vulnerabilities and/or conflicts with the OS and other applications.

2) Disable FTP everywhere you have been using it. FTP sends credentials in the clear over the wire unencrypted and should have been abandoned a decade ago.

3) Abandon Wordpress and move to Drupal for a much more modern and less vulnerable CMS solution that doesn't require weekly patching.

I certainly agree with 1) and 2). I don't know enough about Wordpress vs Drupal to comment on 3).

I would add one further thing though, and that's to dump the web hoster. Anyone advising you to install antivirus on a Mac should make you raise a Spock-like quizzical eyebrow and wonder whether they know what they're talking about.

 

[Gjwilly]

If you interact with other PC users then running antivirus on your Mac is simply being a good citizen.
You could catch and clean an infection before passing it onto others.

 

[superscape]

If you interact with other PC users then running antivirus on your Mac is simply being a good citizen.
You could catch and clean an infection before passing it onto others.

True. But anyone running a PC without antivirus is, frankly, nuts.

 

[GGJstudios]

I got Sophos because my web hoster recommeded I get an antiviris. I've been using Sophos (who they recommended), and it was going ok, but now is conflicting with scheduled copies of Super Duper, which I've been using for years. SD says Sophos puts an error message on the offending email, and hence SD wont finish the copy.

I recommend avoiding Sophos, as it can actually increase a Mac's vulnerability, as described here and here.

Macs are not immune to malware, but no true viruses exist in the wild that can run on Mac OS X, and there never have been any since it was released over 12 years ago. The only malware in the wild that can affect Mac OS X is a handful of trojans, which can be easily avoided by practicing safe computing (see below). 3rd party antivirus apps are not necessary to keep a Mac malware-free, as long as a user practices safe computing, as described in the following link.

​

Read the What security steps should I take? section of the Mac Virus/Malware FAQ for tips on practicing safe computing.

Also, if you want to make a bootable clone, I recommend Carbon Copy Cloner. Unlike SuperDuper, it also clones the OS X Recovery partition.

 

[kevs1]

my isp -- they are specialized for photographers and very sharp guys. And they don't get anything from me being with Sophos. That's why I dug out the email to show you what happened. They say a there was a trojan that would have been prevented by an AV, no?

Where did the Trojan come from? Did I incidentally open something? Did an intern in my office put it in? I have no idea.

But was a lot of havoc...

I agree maybe it will never happen again, but you see the letter. I happened and would not have happened probably if an AV was there at that time, right? And it "could" happen again... maybe... right?

 

[maflynn]

Where did the Trojan come from? Did I incidentally open something? Did an intern in my office put it in? I have no idea.

A trojan is an application that masquerades as one thing but does something else, unlike a virus, it has no abilities to propagate on its own. It relies on the person to install and use the app.

This is why I mentioned that safe computing habits work just as well, in many cases. If you're installing apps from unknown locations, blindly clicking on apps then you may find yourself infected.

 

[imanidiot]

Second the recommendation of Carbon Copy Cloner.

 

[GGJstudios]

This is why I mentioned that safe computing habits work just as well, in many cases. If you're installing apps from unknown locations, blindly clicking on apps then you may find yourself infected.

... even if you have an AV installed. I completely agree that safe computing habits are essential.

No antivirus app has a 100% detection rate, so even if you have one installed, you could carelessly install a Trojan that may go undetected by your AV app. Practicing safe computing with no antivirus app installed protects better than having an antivirus app, but not practicing safe computing.

 

[kevs1]

Ok so this was a one time total fluke?? and everyone disagrees with my isp and would not install a AV? Don't even bother testing Avast etc.

FTP, I not clear on that.. I use an FTP client to upload to my website, but what is the FTP you are referring to?

I've used Super Duper for 10 years. The customer service is real good, why would I want to switch to CCC? Don't understand the recovery partition issue, that is command R reboot correct? Isn't that part of the OS?

 

[jerwin]

I've run into a similar problem.

I use bootcamp. I back up my windows partition with winclone. Now, a WinNT partition isn't writable from MacOSX,,,

Every so often, my mac antivirus program detects a virus that my bootcamp installation has picked up. It then removes the offending file (which usually has a two hundred character pathname because it's been deposited in a cache subdirectory.)

Now, the Bootcamp partition isn't writable, which means that I have to go back to windows to delete the offending file, and it usually ends up being stashed away in some hidden subdirectory...

Aughh. Such a nasty cycle.

 

[kiwipeso1]

I got Sophos because my web hoster recommeded I get an antiviris. I've been using Sophos (who they recommended), and it was going ok, but now is conflicting with scheduled copies of Super Duper, which I've been using for years. SD says Sophos puts an error message on the offending email, and hence SD wont finish the copy.

I've contacted Sophos and there is nothing they can do.

So I have to now manually delete the bad email to get copies to work. Real tedious.

SD (and others) have said bail on silly antivirus. I would like to! The only reason I got on board again is because of this incident from 2 years ago or so. Any advice? Thanks.









From a couple of years ago:

Our systems have alerted us that on 12/25/2013 malicious IP addresses in Russia & - an IP address in Belarus) logged into the FTP account and uploaded malicious files.


We've removed the files from the account. The FTP password for the account has been changed to:

As a precuation, your wordpress passwords have been disabled. You can reset your wordpress passworsd by going to and clicking on 'Lost your password?'


This means that either the FTP password was easy to guess and was brute forced, or a computer that had the FTP password stored, or used the FTP account in the past, was hacked and infected with malware/trojan/viruses/keyloggers. There are a lot of known viruses and trojans in the wild that are specifically designed to steal FTP passwords stored in FTP accounts, even if they haven't been used in years.


Please scan all home, office, laptop and other computers that may have accessed that FTP account in the past or had the FTP password stored on them.

I'd suggest that Sophos isn't the most accurate AV for mac, use Avira if you want flawless accuracy.
Then after a full scan with Avira, install 1password (get it from the mac app store if you have multiple macs).
Then generate long passphrases for your critical passwords, and store them in 1password.
(If you have multiple macs, or iOS devices and macs, then just setup 1password team account.)

 

[GGJstudios]

Ok so this was a one time total fluke?? and everyone disagrees with my isp and would not install a AV? Don't even bother testing Avast etc.

Your ISP is "programmed" to tell everyone they need antivirus software. On Windows systems, where actual viruses exist in the wild, such antivirus apps are needed for protection. However, no true viruses exist in the wild that can affect OS X. There are OS X Trojans, but they can be successfully avoided without the need for antivirus apps. You may elect to run antivirus apps on OS X, but if you practice safe computing, such apps are not necessary to keep your Mac malware-free.

I've used Super Duper for 10 years. The customer service is real good, why would I want to switch to CCC? Don't understand the recovery partition issue, that is command R reboot correct? Isn't that part of the OS?

The Recovery Partition is an important tool to aid in certain troubleshooting, system restoration, etc. It is a separate partition from the one where OS X and your data resides. When cloning your drive, CCC will also clone the Recovery Partition. SuperDuper! will not.

 

[kevs1]

Thanks GG, the recovery partition. With SD, if it' s not there on a clone, can one get it later manually from Apple?

 

[960design]

Drop antivirus, as we ( researchers ) can push code through the pathways opened up by the antivirus software. Previous versions of windows were in such sad shape it was better have a little protection than none at all, which is why antivirus was recommended. Windows10 has done a much better job and I would not recommend 3rd party antivirus solutions for it either.

The best guess is old version of WP not updated and script attacked. Very easily done. Set WP to update automatically and you are good to go. As an aside for drupal, it had the worst / best attack a couple of years ago that would get your IP banned via google search due to the 'hidden' injected code. Different versions of CMS do not matter as much as keeping it up to date.

The second and often seen, but rarely reported, is the ISP was hacked and script code was injected into all hosted sites. This is much easier than hacking a thousand individual sites and more lucrative. The ISP doesn't want this to go public and will fork over the $10K to 'release' the attack. They then patch their error and report to all hosted sites, politely and not so directly blaming each of them for the breach. They ask you to increase your security, blah, blah, blah all to keep the lawyers happy.

So full circle, drop the antivirus on Win10 or OSX. Occasionally run something like Malwarebytes ( https://www.malwarebytes.org/antimalware/mac/ ) to clean up any zero day browser attacks that you unfortunately searched into.

Remember, don't click on any unrequested links in email, always visit the site you want by typing it in the browser directly.
Always be very wary of requested links in email ( password resets, ect ) as you could just get the coincidental hit.
[doublepost=1462734245][/doublepost]

I'd suggest that Sophos isn't the most accurate AV for mac, use Avira if you want flawless accuracy.
Then after a full scan with Avira, install 1password (get it from the mac app store if you have multiple macs).
Then generate long passphrases for your critical passwords, and store them in 1password.
(If you have multiple macs, or iOS devices and macs, then just setup 1password team account.)

Or better, use the 'save password' in safari. I cannot see the password entered if I man in the middle attack your system or directly watch you through a VPN tunnel if the password is saved in the browser.

 

[kevs1]

Thanks 960, I'll probably take your advice as that seems to be the consensus, though you are the first to say don't bother with AV for even Windows! I'm on Mac.

Others have said that whatever happened, it was not my fault, it was not anything a AV would have prevented anyway. It was just a weak password right? And it had nothing to do with my local machine, so asking to to then get Sophos was lame, correct? And the "trojan" then mentioned, would not have been a Trojan I introduced into the picutre, tight, but a Trojan on their sever correct? And what does the trojan have to do with the password being hacked<

Malwarebytes, you recommend putting on both my machines and running manually once a month? or is there an auto function? Do you find having it necessary? You use it regularly?

I do have an insert password add on in Firefox.

 

[GGJstudios]

Thanks GG, the recovery partition. With SD, if it' s not there on a clone, can one get it later manually from Apple?

It is much better and faster to clone it with CCC, but it can be re-created, if needed.

http://www.macworld.co.uk/how-to/ma...os-x-el-capitan-yosemite-backup-free-3636717/