Occasional Visitor
MicMac
Posts: 1
Registered: ‎03-22-2012
Accepted Solution

Mal/Phish-A recurring on Mac - Help on permanent removal

Does one know how to permanently remove recurring Mal/Phish-A on Mac? (Detected by Sophos on Mac OS X 10.6.8 when the Mac Mail app 4.5-1084 is launched, provided AirPort is ON.)

 

Accessing same Zimbra mail account through the web browser does not trigger an attack.

Launching Mail app with AirPort OFF does not trigger an attack.

Recurring attack when launching Mail app with AirPort ON.

Removing the Mail app and reinstalling is useless.

Removing the Mail app + All related folders in the Mail Library is useless.

Changing master password after removing Mail app + Library is useless.

Scanning disk through'n through is useless.

All of this done without reconnecting to external Time Machine disk, in order to avoid any contamination from past backups.

 

Running out of ideas. Suspecting remorphing, or source malware having promoted itself to some regular status and cannot be detected anymore. 

 

Please restrain yourself if you do not have a solid opinion: facts and verified information are welcome.

 

Employee
Agile
Posts: 1,195
Registered: ‎11-02-2010

Re: Mal/Phish-A recurring on Mac - Help on permanent removal

Is Mail.app accessing Zimbra mail via IMAP?

What is the path to the Mal/Phish-A detection when it triggers?

 

From the fact that your network connection needs to be enabled to get the detection, I would guess that you are using IMAP instead of POP3, and that Mail.app is caching a known phish mail from your mail server.

 

The easiest way to stop this from triggering is to delete the offending phish email from the web interface prior to connecting to it with Mail.app. Alternately, once you know what file is causing the detection by looking at the path in the quarantine manager, turn off on-access scanning and open that file in TextEdit to see which email it is -- then re-enable on-access scanning and delete that email from the server.

-
Andrew
Threat Researcher
SophosLabs


For our other self-service and peer-to-peer online support systems:
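
The step of opening the detected file to see which email it is can also be scripted. This is an added example, not part of the original thread: it assumes the path shown in the quarantine manager points to an Apple Mail `.emlx` cache file (a byte-count line, the raw message, then a property list), and the sample message below is constructed.

```python
import email
import sys
from email import policy

# Headers that identify the message so it can be found and deleted on the server.
WANTED = ("From", "Subject", "Date", "Message-ID")

def read_emlx_headers(raw: bytes) -> dict:
    """Return identifying headers from the bytes of an Apple Mail .emlx file."""
    first_line, sep, rest = raw.partition(b"\n")
    if not sep:
        raise ValueError("not an .emlx file: no length line")
    try:
        length = int(first_line.strip())  # byte count of the message that follows
    except ValueError:
        raise ValueError("not an .emlx file: first line is not a byte count")
    if length <= 0 or len(rest) < length:
        raise ValueError("truncated .emlx file")
    # Parse only the message; the trailing property list is Mail.app metadata.
    msg = email.message_from_bytes(rest[:length], policy=policy.default)
    # policy.default decodes RFC 2047 encoded words, so obfuscated subjects
    # are shown the way the webmail interface would display them.
    return {name: str(msg.get(name, "")) for name in WANTED}

# Constructed sample: a fake message wrapped the way Mail.app stores it.
SAMPLE_MESSAGE = (
    b"From: Example Bank <alerts@bank.example>\n"
    b"Subject: =?utf-8?q?Verify_your_account?=\n"
    b"Date: Thu, 22 Mar 2012 10:00:00 +0000\n"
    b"Message-ID: <constructed-1@bank.example>\n"
    b"\n"
    b"Constructed body text.\n"
)
SAMPLE_PLIST = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n'
SAMPLE_EMLX = str(len(SAMPLE_MESSAGE)).encode() + b"\n" + SAMPLE_MESSAGE + SAMPLE_PLIST

if __name__ == "__main__":
    # Usage: python emlx_headers.py /path/from/quarantine/manager.emlx
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE_EMLX
    for key, value in read_emlx_headers(data).items():
        print(f"{key}: {value}")
```

Only the headers are read and printed, so the message body and any attachment are never opened or rendered.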


Occasional Advisor
leinestein
Posts: 6
Registered: ‎01-06-2014

Re: Mal/Phish-A recurring on Mac - Help on permanent removal

Hi, thanks for the help!

The thing is: I can delete the mail through the methods you suggested, but I get the same new phishing mails every day. Can I prevent this virus-containing mail from being saved to my Mac automatically? Otherwise every day I have to log in to webmail/gmail before opening mail on my computer, search for spam and delete it, which is a very annoying thing to do.

Moderator
ruckus
Posts: 585
Registered: ‎09-03-2013

Re: Mal/Phish-A recurring on Mac - Help on permanent removal

Is it a new mail or the same mail?

- - - - - - - - - - - -
Communities Moderator, SOPHOS
If a post solves your question use the Accept as Solution button and award kudos.

When posting include your Mac OS X version and exact SAV for Mac version
Employee
Agile
Posts: 1,195
Registered: ‎11-02-2010

Re: Mal/Phish-A recurring on Mac - Help on permanent removal


leinestein wrote:

Hi, thanks for the help!

The thing is: I can delete the mail through the methods you suggested, but I get the same new phishing mails every day. Can I prevent this virus-containing mail from being saved to my Mac automatically? Otherwise every day I have to log in to webmail/gmail before opening mail on my computer, search for spam and delete it, which is a very annoying thing to do.


Depends; the easiest thing to do is set up a mail filter on your webmail that automatically tosses it in the junk folder so that it doesn't get downloaded locally in the first place.  If the subject line stays the same, this should be fairly easy.  If the From stays the same and you don't actually do business with the faked sender, you could just filter everything from that From address.

 

If you're using Gmail, most phishing should already be filtered; if it isn't, please report it to them to improve their spam filtering.

-
Andrew
Threat Researcher
SophosLabs

