11-12-2010 02:29 PM
in this post
i asked if sophos detects old mac viruses
well it appears to find some
i found nvir in a couple of old apps on my boot drive
unfortunately the only repair option offered is discard and get new, not so easy with ancient apps
fortunately after a heck of a lot of googling i found replacements
nevertheless i also set about repairing the files manually
i inspected the resource forks with rezilla
one file had a code 256 resource of 422 bytes, a leftover from an incomplete repair with virusbarrier
the other had the full virus, although an inspection of the code 0 and nvir 2 resources showed it had never been activated
i removed the bad guys and saved the files
i then ran sophos on the replacement files and inspected them with rezilla as well
they were virus free
then i compared the repaired files with the replacements
they were identical
it would be nice if sophos offered a file repair function or at least a library of how to nfo for self repair
getting replacements for ancient files is getting harder every day
i also scanned the infected files with clamav [latest] and virusbarrier 5 [outdated]
both files came up clean
clamav has never flagged a classic mac virus
vb5 does, but apparently only when it considers the villain complete or active
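Added example, not part of the original posts: a small Python parser that walks a resource fork's map, as the manual Rezilla inspection in the post above does, and flags the two things that post reports finding (a resource of type `nVIR`, and a `CODE` resource with ID 256). The function names, the `build_fork` helper and the zero-filled sample are constructed for illustration; the check is a triage hint, not a complete nVIR signature.

```python
import struct

def list_resources(fork: bytes):
    """Return [(type, id, size)] for each resource in a classic Mac OS resource fork."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork) or data_off + data_len > len(fork):
        raise ValueError("truncated or corrupt resource fork")
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]   # type list start
    n_types = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF   # stored as count-1
    found = []
    for t in range(n_types):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * t)
        for r in range(last + 1):
            rid, _name, attr_off = struct.unpack_from(">hhI", fork, tl + ref_off + 12 * r)
            pos = data_off + (attr_off & 0xFFFFFF)   # low 3 bytes: offset into data area
            size = struct.unpack_from(">I", fork, pos)[0]
            found.append((rtype.decode("mac_roman"), rid, size))
    return found

def flag_for_review(resources):
    """Triage only: the two things the first post found, not a full nVIR signature."""
    return [r for r in resources if r[0] == "nVIR" or (r[0] == "CODE" and r[1] == 256)]

def build_fork(resources):
    """Pack [(type, id, payload)] into a minimal fork; used to make the constructed sample."""
    data, types, off = b"", {}, 0
    for rtype, rid, payload in resources:
        types.setdefault(rtype, []).append((rid, off))
        data += struct.pack(">I", len(payload)) + payload
        off += 4 + len(payload)
    tlist, refs = struct.pack(">H", (len(types) - 1) & 0xFFFF), b""
    for rtype, items in types.items():
        tlist += struct.pack(">4sHH", rtype.encode("mac_roman"), len(items) - 1,
                             2 + 8 * len(types) + len(refs))
        refs += b"".join(struct.pack(">hhII", rid, -1, o, 0) for rid, o in items)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tlist) + len(refs)) + tlist + refs
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + data + rmap

# Constructed sample: zero-filled payloads, sizes and IDs chosen to mirror the post.
SAMPLE = build_fork([("CODE", 0, bytes(16)), ("CODE", 1, bytes(64)),
                     ("CODE", 256, bytes(422)), ("nVIR", 2, bytes(8))])

if __name__ == "__main__":
    for rtype, rid, size in flag_for_review(list_resources(SAMPLE)):
        print(f"review: {rtype} {rid} ({size} bytes)")
```

On macOS the fork bytes can be read from `<file>/..namedfork/rsrc`. Run it on both the suspect file and a known-clean replacement and compare the listings, as the post does with the repaired and replacement files.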
11-12-2010 02:44 PM
Personally, I think your best bet for automatic cleanup of old files is to make them available to a classic OS running in an emulator, such as Basilisk II or Mini vMac, with Disinfectant and GateKeeper installed. Disinfectant should have no problems with the cleanup, once you know the virus is there.
This would be a pretty esoteric thing to add to a KB article; I wouldn't want to step most users through safely using rezilla or setting up a safe emulation environment for cleaning.
By the way, Disinfectant also contains analysis of all the old viruses, which for most of them makes them trivial to clean up after detection. I wouldn't want to attempt any cleanup while not in a classic environment however, as you never know what damage you might do to your resource forks.
11-17-2010 01:43 PM
found another file with nvir
this time i tried disinfectant in sheepshaver [per your suggestion]
worked like a charm!
[of course i double checked the results with rescompare and a manual cleanup with resedit - just call me mac monk]
11-17-2010 12:37 PM
proxy trojan Mac/Cowhand-A was detected in a 2003 application that I occasionally use. Suspecting a false positive I have contacted the developer, he received the same report from two other users of SAV.