Sophos finding threat seemingly having to do with 1Password. [confirmed this is a Sophos issue]
I'll pasted a screen shot - if I can figure out how.
Comments
-
sorry. thought I could drag a drop my screen shot. How do I get it up here?
0 -
Hi @Randomizer,
Thanks for being concerned about what Sophos is finding. We definitely want to take a look at that.
127.0.0.1 still does need to be whitelisted in Sophos AV Web Protection preferences for 1Password 4 filling to work, as documented in this guide:
Sophos has acknowledged it as a defect (in their software):
This has been logged as a defect, so we are aware of it and are investigating further.
About posting images here …
After you've uploaded an image to your favorite third-party hosting site (Dropbox, CloudApp, etc.) it's easy to reference it in a post here by first clicking the "Image" icon in the reply box toolbar:
… then pasting the URL into the dialog box that appears:
… like what I just did to add those two images in this post. :)
0 -
Thank you. I had already whitelisted 127.0.0.1. Thanks for the info on posting screen shot. I had initially thought I might be able to do that directly. I suppose I would need to have the image fully shared within dropbox, correct?
0 -
You can share images from Dropbox that are private. You just get a URL for the specific one to insert into the image feature here. Readers will only be able to get that one image.
0 -
You can also email us at support at agilebits dot com and attach screenshots.
Be sure to include a link to this discussion so that we can connect the conversation.
0 -
here is the image. http://cl.ly/image/0M0k0b1D1y18
0 -
please confirm you can see this and advise as to what this would be.
0 -
Thanks for posting that. Is it possible to get the tail end of that "Path and Filename"? This will help determine whether it is an actual 1Password file in question or whether it is something that is in the "Container" that OS X creates.
0 -
From the log: 2014-03-07 04:45:03 -0500 Threat: 'Troj/BredoZp-QY' detected in /Users/Rik/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip
0 -
Thanks, @Randomizer. That's perfectly helpful! :)
It turns out this file Sophos detected is actually located under your Mail library, outside the 1Password helper "Container". Specifically:
/Users/Rik/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip
If you run this command in a Terminal window:
ls -dl ~/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail… you'll see output similar to this:
lrwxr-xr-x 1 user group 16 Oct 6 21:07 /Users/user/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail -> ../../../../Mail
That's a symbolic link to your Mail library here:
/Users/Rik/Library/Mail
And under that folder is the file Sophos detected:
V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip
In other words, when the /Users/Rik/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail symbolic link is replaced with the /Users/Rik/Library/Mail folder it references, you wind up with true pathname.
If the file still exists, try running this command in a Terminal window:
ls -l ~/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2You'll see output listing the dubious Instructions Secured E-mail.zip file in there.
Note: This is an issue with Sophos misreporting the file's actual location when it "follows" the symbolic link inside the 1Password container to the folder outside of it. It is definitely not a 1Password issue, except as an innocent victim.
If the 1Password container didn't exist Sophos could simply misreport a different one. For example, run this in Terminal:
ls -dl ~/Library/Containers/com.apple.AddressBook/Data/Library/Mail… and you'll see a symlink like the one in the 1Password container:
lrwxr-xr-x 1 user group 16 Mar 1 10:54 /Users/user/Library/Containers/com.apple.AddressBook/Data/Library/Mail -> ../../../../Mail
Then this would appear in the Sophos report:
/Users/Rik/Library/Containers/com.apple.AddressBook/Data/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip
… and give the false impression of being a threat in the Address Book (Contacts) content.
I hope that clarifies and resolves this matter for you. Let us know if there's anything more we can help you with. Thanks!
0
