Viruses and OSX Time Machine

Argh! I did a full scan of my Mac and discovered a virus on the Time Machine volume. I wrote about this a few years ago, and the tweaks to my mail/anti-virus/Time Machine workflow have served me well. But I guess a virus slipped through the cracks somehow, and it’s kind of a pain to eradicate an infected file within the Time Machine software. The first problem is that the viruses are normally attachments, which are stored within the ~/Library folder, which is normally hidden. The second issue is the Time Machine interface, which (as far as I know) precludes using Spaces and app switching. And finally, the mail attachments are buried deep within the directory tree with somewhat meaningless path names.

But it finally occurred to me to copy the offending path from the antivirus log file, then go into Time Machine and paste it into the search bar. After that, it’s just a matter of scrolling back in time until you find the most recent backup with the infected file. If the file is from a really old TM backup, just take a look at the backup date/time in the path from the antivirus log to home in on it within Time Machine.

I’m using the free Sophos antivirus software. To open the log (after doing a virus scan), go to the menu and select Scan -> View Scan Log. The infected file(s) should be listed at the end of the log. For infections that are only on the Time Machine volume, the path will look like this:

/Volumes/TimeMachine/Backups.backupdb/(MACHINE NAME)/(BACKUP DATETIME)/Macintosh HD/Users/(USERNAME)/...

(This assumes you didn’t rename either the TimeMachine or ‘Macintosh HD’ volume.) Copy the elements of the path following your username. Then start the Time Machine app. Go to the search bar (top right of the TM Finder window), enter ‘~/’ and paste in the path you copied from the antivirus log. Scroll back to a backup in which that file exists. (You can zoom in on the correct time frame based on the date/time shown in the full path from the antivirus log.) Once you find any copy of the file in Time Machine, select the “Delete all copies of Such-and-Such file” item from the action menu.
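The path-splitting step above can be scripted. This is an added example, not part of the original post: it takes paths copied out of the scan log and returns the ‘~/…’ string to paste into the Time Machine search bar, plus the most recent backup each file appears in. The function names, the sample paths and the YYYY-MM-DD-HHMMSS snapshot folder format are assumptions.

```python
import re
from datetime import datetime

# Layout from the post: /Volumes/<TM volume>/Backups.backupdb/<machine>/<snapshot>/<disk>/Users/<user>/<rest>
# Volume and disk names are matched loosely because either may have been renamed.
TM_PATH = re.compile(
    r"^/Volumes/(?P<volume>[^/]+)/Backups\.backupdb/(?P<machine>[^/]+)/"
    r"(?P<snapshot>[^/]+)/(?P<disk>[^/]+)/Users/(?P<user>[^/]+)/(?P<rest>.+)$"
)

def parse_tm_path(path):
    """Split a backup path into its parts; None if it is not a Time Machine path."""
    m = TM_PATH.match(path.strip())
    if m is None:
        return None
    info = m.groupdict()
    # Assumption: snapshot folders are named YYYY-MM-DD-HHMMSS.
    # Any other folder name leaves backup_time as None.
    try:
        info["backup_time"] = datetime.strptime(info["snapshot"], "%Y-%m-%d-%H%M%S")
    except ValueError:
        info["backup_time"] = None
    # What to paste into the Time Machine search bar: '~/' plus the path after the username.
    info["search"] = "~/" + info.pop("rest")
    return info

def newest_per_file(paths):
    """Map each search string to the most recent backup time it appears in."""
    newest = {}
    for p in paths:
        info = parse_tm_path(p)
        if info is None or info["backup_time"] is None:
            continue  # not on the Time Machine volume, or undated snapshot
        key = info["search"]
        if key not in newest or info["backup_time"] > newest[key]:
            newest[key] = info["backup_time"]
    return newest

# Constructed sample paths (not taken from a real scan log).
ROOT = "/Volumes/TimeMachine/Backups.backupdb/ExampleMac/"
TAIL = "/Macintosh HD/Users/alice/Library/Mail/Attachments/invoice.zip"
SAMPLE_PATHS = [
    ROOT + "2012-03-04-101500" + TAIL,
    ROOT + "2012-03-11-221000" + TAIL,
    "/Users/alice/Downloads/other.zip",  # live file, not a backup copy
]

if __name__ == "__main__":
    for search, when in newest_per_file(SAMPLE_PATHS).items():
        print(when, search)
```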

About Jim Vanderveen

I'm a bit of a Renaissance man, with far too many hobbies for my free time! But more important than any hobby is my family. My proudest accomplishment has been raising some great kids! And somehow convincing my wife to put up with me since 1988. ;)