Mac – Found Virus Bloodhound.PDF.20 on the time machine external drive, how to remove

time-machine, virus

Just got a brand-new work-issued MacBook Pro loaded with Symantec Endpoint Protection (not by choice); it's less than 2 weeks old. Created a backup using the Time Machine software, and Endpoint kicks in every time I plug the drive in when I get to work and starts to scan the drive. I usually stop the scanning process.

This morning I plugged the drive in and went to get some coffee; when I came back, Endpoint had identified a virus, Bloodhound.PDF.20, on a file under ./DocumentRevisions-V100 in the backup folder. So I have a few questions:

1. /.DocumentRevisions-V100 requires root access, therefore Endpoint can't scan into it on my computer (not the external drive). Does that mean it's likely the virus also resides on my computer as well? If so, how can I get rid of it? I can't cd into further folders under .DocumentRevisions-V100 even with the sudo command. Haven't tried sudo su yet.

2. Is it possible to get Endpoint to scan the .DocumentRevisions-V100 folder with root privilege?

I am going to reformat my external drive and start a new Time Machine session. At this point, my concern is my own computer and whether it has a virus or not.

Any suggestion is appreciated.

P.S. Yes, I've considered rm -rf /.DocumentRevisions-V100, but it's heavily advised against after some googling.

Best Answer

When you delete a file, all the revisions go away, so you will want to first attack the file with the problem by deleting it.

If you can't delete it, move it to an external USB drive and then delete it.

At that point, you can let the scanner see if backup copies are still affected - but you are correct - you never want to use rm on backed up files. Delete them using the Time Machine interface to delete one file in all backups or one instance of one file or one backup instance. You can also use tmutil delete to remove snapshots from the backup drive.
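
One way to scope the last step, as an added example that is not part of the original answer: a dry-run shell helper that finds which snapshots on the backup drive still contain the flagged file and prints a `tmutil delete` command for each, deleting nothing itself. The function names, the `<machine directory>/<snapshot>/<volume>/...` layout and the path-argument form of `tmutil delete` (check `man tmutil` on your macOS version) are assumptions.

```shell
#!/bin/sh
# Added example: dry-run planner. It only prints commands; it deletes nothing.
# Assumed layout (not stated on the page): <machine_dir>/<snapshot>/<volume>/...
# Usage (hypothetical arguments):
#   sh plan.sh "<machine directory on backup drive>" "<volume>/<path the scanner reported>"

# Print every snapshot directory under $1 that contains relative path $2.
snapshots_containing() {
    machine_dir=$1
    rel_path=$2
    for snap in "$machine_dir"/*/; do
        snap=${snap%/}
        # "Latest" is a symlink to the newest snapshot; skip it so that
        # snapshot is not reported twice.
        [ -L "$snap" ] && continue
        [ -d "$snap" ] || continue
        # -e misses dangling symlinks, so test -L as well.
        if [ -e "$snap/$rel_path" ] || [ -L "$snap/$rel_path" ]; then
            printf '%s\n' "$snap"
        fi
    done
}

# Print one "tmutil delete" command per affected snapshot, for review
# before anything is run. Snapshots without the file are left out.
plan_snapshot_deletes() {
    snapshots_containing "$1" "$2" | while IFS= read -r snap; do
        printf 'sudo tmutil delete "%s"\n' "$snap"
    done
}

# Run the planner only when both arguments are supplied.
if [ "$#" -ge 2 ]; then
    plan_snapshot_deletes "$1" "$2"
fi
```

Snapshots that never captured the flagged file are not listed, so the rest of the backup history can be kept instead of reformatting the whole drive.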