Sophos finding threat seemingly having to do with 1Password. [confirmed this is a Sophos issue]

Options
Randomizer
Randomizer
Community Member
edited March 2014 in Mac

I'll pasted a screen shot - if I can figure out how.

Comments

  • Randomizer
    Randomizer
    Community Member
    Options

    sorry. thought I could drag a drop my screen shot. How do I get it up here?

  • sjk
    sjk
    1Password Alumni
    Options

    Hi @Randomizer,

    Thanks for being concerned about what Sophos is finding. We definitely want to take a look at that.

    127.0.0.1 still does need to be whitelisted in Sophos AV Web Protection preferences for 1Password 4 filling to work, as documented in this guide:

    Configuring Sophos

    Sophos has acknowledged it as a defect (in their software):

    This has been logged as a defect, so we are aware of it and are investigating further.

    About posting images here …

    After you've uploaded an image to your favorite third-party hosting site (Dropbox, CloudApp, etc.) it's easy to reference it in a post here by first clicking the "Image" icon in the reply box toolbar:

    … then pasting the URL into the dialog box that appears:

    … like what I just did to add those two images in this post. :)

  • Randomizer
    Randomizer
    Community Member
    Options

    Thank you. I had already whitelisted 127.0.0.1. Thanks for the info on posting screen shot. I had initially thought I might be able to do that directly. I suppose I would need to have the image fully shared within dropbox, correct?

  • hawkmoth
    hawkmoth
    Community Member
    Options

    You can share images from Dropbox that are private. You just get a URL for the specific one to insert into the image feature here. Readers will only be able to get that one image.

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Options

    You can also email us at support at agilebits dot com and attach screenshots.

    Be sure to include a link to this discussion so that we can connect the conversation.

  • Randomizer
    Randomizer
    Community Member
    edited March 2014
    Options

    here is the image. http://cl.ly/image/0M0k0b1D1y18

  • Randomizer
    Randomizer
    Community Member
    edited March 2014
    Options

    please confirm you can see this and advise as to what this would be.

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    Options

    Thanks for posting that. Is it possible to get the tail end of that "Path and Filename"? This will help determine whether it is an actual 1Password file in question or whether it is something that is in the "Container" that OS X creates.

  • Randomizer
    Randomizer
    Community Member
    Options

    From the log: 2014-03-07 04:45:03 -0500 Threat: 'Troj/BredoZp-QY' detected in /Users/Rik/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip

  • sjk
    sjk
    1Password Alumni
    edited March 2014
    Options

    Thanks, @Randomizer. That's perfectly helpful! :)

    It turns out this file Sophos detected is actually located under your Mail library, outside the 1Password helper "Container". Specifically:

    /Users/Rik/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip

    If you run this command in a Terminal window:

    ls -dl ~/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail

    … you'll see output similar to this:

    lrwxr-xr-x 1 user group 16 Oct 6 21:07 /Users/user/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail -> ../../../../Mail

    That's a symbolic link to your Mail library here:

    /Users/Rik/Library/Mail

    And under that folder is the file Sophos detected:

    V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip

    In other words, when the /Users/Rik/Library/Containers/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/Data/Library/Mail symbolic link is replaced with the /Users/Rik/Library/Mail folder it references, you wind up with true pathname.

    If the file still exists, try running this command in a Terminal window:

    ls -l ~/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2

    You'll see output listing the dubious Instructions Secured E-mail.zip file in there.

    Note: This is an issue with Sophos misreporting the file's actual location when it "follows" the symbolic link inside the 1Password container to the folder outside of it. It is definitely not a 1Password issue, except as an innocent victim.

    If the 1Password container didn't exist Sophos could simply misreport a different one. For example, run this in Terminal:

    ls -dl ~/Library/Containers/com.apple.AddressBook/Data/Library/Mail

    … and you'll see a symlink like the one in the 1Password container:

    lrwxr-xr-x 1 user group 16 Mar 1 10:54 /Users/user/Library/Containers/com.apple.AddressBook/Data/Library/Mail -> ../../../../Mail

    Then this would appear in the Sophos report:

    /Users/Rik/Library/Containers/com.apple.AddressBook/Data/Library/Mail/V2/POP-rik@embarqmail.com@pop.embarqmail.com/INBOX.mbox/0EE35847-CCE0-47A0-A781-5B45FF795EE0/Data/0/3/Attachments/30467/2/Instructions Secured E-mail.zip

    … and give the false impression of being a threat in the Address Book (Contacts) content.

    I hope that clarifies and resolves this matter for you. Let us know if there's anything more we can help you with. Thanks!

This discussion has been closed.