
Reply to freevito

Feedback Type:  Developer Note

Contributed by: Sunday, March 27 2005 @ 11:40 PM PST

Product Platform: MacOSX

Used Product For: 6-12 months

Recommend Product: YES

First things first, I'll allay your fears. Those files weren't installed by clamXav, and even if they had been, they wouldn't be able to affect your Mac.

However, what happens when you scan a .zip file (or any other compressed file for that matter) with clamXav is that the underlying ClamAV engine must unpack the compressed archive to be able to scan its contents; it does this in the /var/tmp directory. I'm not sure why the decompressed contents aren't being deleted after scanning; they are for me.

Given that the files it found were .pif files, it would lead me to think that you've got an infected .zip file inside your email attachments folder.

The next version of clamXav will see a return of the ability to scan the entire startup disk - I've got around the problem of the infinite loop.


Comments

3 comments

Reply to freevito - freevito

Thanks for your response, Mark. For the record, I never had any concern that those files would affect my Mac. My principal concern regarding such malware is that I do not spread it to correspondents who are Windows users.

As for my "e-mail attachments folder", I don't have such a thing as far as I know. In my Mozilla mail client, all attachments are embedded (along with their transmitting messages' text) in a single file that contains the entire contents of any given folder. For example, my "Inbox" is a single file that contains every message, every message header, and every attachment that shows up in my Inbox directory. I can open the Inbox file in TextEdit and read it as plain text. All the HTML stuff shows up as HTML code, images, digital signatures, and encrypted messages show up as nonsense, and the attached worm files show up as big blocks of garbage right under their respective headers. I never open them anyway; I use Mozilla's View:Message Source to view the contents of any suspect message.

Thanks for your explanation of how the files got into the tmp folder. I'm not sure why they weren't deleted either, but I think I might have some corruption in the system installation on that particular volume. I've been noticing several other anomalies there recently, including some very bizarre behavior when I attempt to perform a bootable backup of that volume using SynchronizeProX — a process that works reliably on other volumes. It certainly is unrelated to ClamXav, as those anomalies were in evidence well before I installed the ClamXav+Clamav package.

Thanks too for your efforts in bypassing the infinite loop problem. While it's clear that OS X's limited access to root makes it very difficult for anything hostile to be installed there, malware authors are increasingly relying on "social engineering" to accomplish their nefarious purposes. Consequently, it's not entirely inconceivable that something could sneak in on the back of what might otherwise appear to be a legitimate install authorized by an admin password. In any case, it seems like a good idea to be checking inside root for any infections.

Thanks again!


Tuesday, March 29 2005 @ 11:12 AM PST
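The two posts above describe the same mechanics from both sides: the scanner must decode attachments out of the mailbox and unpack archives into a temporary directory before it can look at them, and a Mozilla "Inbox" is one mbox file holding every message and its base64-encoded attachments. The following script is an added example written for this page, not code from ClamAV or ClamXav, that does that with Python's standard `mailbox`, `email` and `zipfile` modules: it builds a constructed two-message mbox (sample data, not real mail), walks every MIME part, unpacks any zip attachment into a `tempfile.TemporaryDirectory` that is removed when the block exits (so nothing is left behind in the way the developer note describes), and flags members with Windows-executable extensions such as `.pif`. The names `build_sample_mbox`, `inspect_mbox`, `inspect_attachment` and the extension list are this example's own choices.

```python
"""Extract attachments from an mbox file and inspect archives inside them,
unpacking into a temporary directory that is always removed afterwards.
Added example for this page; not ClamAV/ClamXav code."""
import io
import mailbox
import os
import tempfile
import zipfile
from email.message import EmailMessage

# Extensions Windows treats as executable; .pif is the one the thread mentions.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to unpack larger members (zip-bomb guard)


def is_executable_name(name):
    return os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS


def build_sample_mbox(path):
    """Write a constructed mbox (sample data, not real mail): one plain message
    and one 'lure' message whose zip attachment hides a .pif inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos.pif", b"constructed sample, not a real program")
        zf.writestr("notes.txt", b"harmless text")

    plain = EmailMessage()
    plain["From"] = "alice@example.invalid"
    plain["To"] = "freevito@example.invalid"
    plain["Subject"] = "lunch"
    plain.set_content("See you at noon.")

    lure = EmailMessage()
    lure["From"] = "unknown@example.invalid"
    lure["To"] = "freevito@example.invalid"
    lure["Subject"] = "your photos"
    lure.set_content("Please see the attached file.")
    lure.add_attachment(buf.getvalue(), maintype="application",
                        subtype="zip", filename="photos.zip")

    box = mailbox.mbox(path)  # creates the file; attachments land in it base64-encoded
    try:
        box.add(plain)
        box.add(lure)
        box.flush()
    finally:
        box.close()


def inspect_attachment(subject, name, data):
    """Flag executable attachments directly; unpack zip attachments into a
    temporary directory (deleted when the with-block exits, even on error)
    and check each member. Returns (subject, attachment, member, verdict) tuples."""
    findings = []
    if is_executable_name(name):
        findings.append((subject, name, None, "executable attachment"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with tempfile.TemporaryDirectory(prefix="mboxscan-") as tmp:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = os.path.basename(info.filename)  # never honour '../' in names
                if not member or info.file_size > MAX_MEMBER_BYTES:
                    findings.append((subject, name, info.filename, "skipped: unsafe name or size"))
                    continue
                with open(os.path.join(tmp, member), "wb") as fh:
                    fh.write(zf.read(info))  # the unpack step a scanner performs in /var/tmp
                if is_executable_name(member):
                    findings.append((subject, name, member, "executable inside archive"))
    # tmp no longer exists here; nothing is left in the temp area
    return findings


def inspect_mbox(path):
    """Walk every MIME part of every message in the mbox and collect findings."""
    findings = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            for part in msg.walk():
                if part.get_content_maintype() == "multipart":
                    continue
                name = part.get_filename()
                if not name:
                    continue  # message body text, not an attachment
                data = part.get_payload(decode=True) or b""  # base64 -> bytes
                findings.extend(inspect_attachment(msg["Subject"], name, data))
    finally:
        box.close()
    return findings


def run_demo():
    """Build the sample mbox in a scratch directory, inspect it, return findings."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "Inbox")
        build_sample_mbox(path)
        return inspect_mbox(path)


if __name__ == "__main__":
    for subject, attachment, member, verdict in run_demo():
        print(f"[{verdict}] subject={subject!r} attachment={attachment} member={member}")
```

Running it reports one finding: `photos.pif` inside `photos.zip` on the "your photos" message, while the `.zip` itself and `notes.txt` pass. The `TemporaryDirectory` context manager is the point of the unpack step: if a scanner leaves its temp area behind, it is because cleanup is not tied to scope this way (or, in ClamAV's case, because an option such as `--leave-temps` was set).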


The original review by freevito... - freevito

...is no longer here because it's not fair to leave my original one-star review in place after discovering that ClamXav was not the culprit. So I'll post a new review based on what I learned after digging into the problem further.


Monday, May 09 2005 @ 10:29 AM PDT


Reply to freevito - dozx

"it's not entirely inconceivable that something could sneak in on the back of what might otherwise appear to be a legitimate install authorized by an admin password. In any case, it seems like a good idea to be checking inside root for any infections."

I'm very sorry, but IF it didn't come from Apple or a VERY VERY well known software company ON a CD I bought from a store, then you deserve to have a virus installed, because you shouldn't be granting things admin privs to install... There is almost 0% reason for any app to need it.

IF you did need to allow Clam to do a full scan of the entire OS, you can always run it via the command line using sudo.

BEST SAFE INSTALL RULE
IF IT ASKS FOR YOUR PASSWORD TO INSTALL AND IT'S NOT FROM APPLE DON'T ENTER YOUR PASSWORD.


Thursday, July 07 2005 @ 01:22 PM PDT