sophos find a Troj/DocDI-EFK on com.agilebits.onepassword4.safariextensioncompanion ???
Scanning my Mac, Sophos finds this trojan "Troj/DocDI-EFK on com.agilebits.onepassword4.safariextensioncompanion"
on an AgileBits file. Is this normal?
1Password Version: 6.3.3
Extension Version: 4.5.8
OS Version: 10.11.6
Sync Type: icloud
Comments
-
Hi @Stef_1998,
Due to the way that Sophos is scanning your Mac, it's encountering an alias that the system creates as part of sandboxing. As it scans, it encounters ~/Library/Containers/com.agilebits.onepassword4.safariextensioncompanion/Data/Library/Mail before it reaches ~/Library/Mail. The result of that is that it makes it look like the nefarious file is inside our container when in actuality it is in your ~/Library/Mail folder.
You'll still want to delete the file, but it isn't a 1Password specific problem.
Rudy
0 -
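An added example, not part of the original thread or anyone's post: one way to confirm where a file flagged under a sandbox container really lives is to walk the reported path and resolve each link it crosses. The container link is assumed here to be a symbolic link; the function names, the temporary directory layout and the file name `flagged.emlx` are constructed for illustration.

```python
import os
import tempfile

# Bundle ID taken from the path quoted in the thread.
CONTAINER = "com.agilebits.onepassword4.safariextensioncompanion"


def explain_detection_path(reported):
    """Return (real_path, hops) for a scanner-reported path.

    hops lists every symlink crossed as (link_path, resolved_target).
    """
    reported = os.path.abspath(os.path.expanduser(reported))
    hops = []
    current = os.sep
    for part in reported.strip(os.sep).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):
            # Relative link targets are resolved against the link's directory.
            target = os.path.normpath(
                os.path.join(os.path.dirname(current), os.readlink(current)))
            hops.append((current, target))
            current = os.path.realpath(current)
    return os.path.realpath(reported), hops


def build_demo(base):
    """Constructed layout: a container's Data/Library/Mail linking to Library/Mail."""
    lib = os.path.join(base, "Library")
    mail = os.path.join(lib, "Mail")
    data_lib = os.path.join(lib, "Containers", CONTAINER, "Data", "Library")
    os.makedirs(mail)
    os.makedirs(data_lib)
    with open(os.path.join(mail, "flagged.emlx"), "w") as f:
        f.write("constructed sample, harmless\n")
    os.symlink(os.path.join("..", "..", "..", "..", "Mail"),
               os.path.join(data_lib, "Mail"))
    # This is the path a link-following scanner would report.
    return os.path.join(data_lib, "Mail", "flagged.emlx")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        real, hops = explain_detection_path(build_demo(base))
        for link, target in hops:
            print(f"symlink: {link} -> {target}")
        print(f"file actually lives at: {real}")
```

On a real system, pass the path from the scanner's report to `explain_detection_path`; an empty `hops` list means the reported location is the file's true location.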
thx!
0 -
Hi @Stef_1998,
Other examples of the issue with Sophos scanning that Rudy mentioned are in an older discussion: here.
Also, back in April I referred to this in the Sophos Home for Mac | MacUpdate listing:
Similar for Sophos scans following symbolic links.
A week later, Sophos replied:
Sorry, I just noticed this. You can report it on the support forums. The link that sjk replied with has the question in the old Mac AV forum. I asked our forum support group to move it to the Sophos Home section so it can get attention from our Sophos Home engineers. I would also recommend posting your version of the problem as well. Sometimes they reach out with a PM and troubleshoot the problem personally with you. https://community.sophos.com/products/sophos-home/
I didn't follow up again, and that "old Mac AV forum" post is actually in "Sophos Home for Mac" now.
Just thought you might be interested in some additional background about this. Cheers! :)
0