tmrd, posted September 26, 2014 (edited September 26, 2014)

I've downloaded Utorrent from its official website and installed it on my Mac, but after a day, Eset gave me a warning stating that Utorrent.dmg is "dangerous", and I followed the standard procedure and deleted it. To make a test, I downloaded Utorrent from its official website and Eset deleted it again.

Here is the image: hxxp://i.imgur.com/k01XHxM.png

"a variant of OSX/Adware.Spigot.A Application"

Should I worry?

SweX, posted September 26, 2014

Hello,

The detection is correct. It's the bundled adware that is detected. A Google search for "utorrent bundle adware" shows some interesting results.

tmrd (Author), posted September 26, 2014 (edited September 26, 2014)

> Hello,
>
> The detection is correct. It's the bundled adware that is detected. A Google search for "utorrent bundle adware" shows some interesting results.

Thank you for the answer. I did. When I install Utorrent on my Windows, I decline the bundled things but there isn't any option on the mac to decline, so I think they don't do it on the Mac OS. So there isn't any sign of any kind of adware (including browsers and pc itself.) So it's a normal thing and isn't something related to trojans or keyloggers? I won't format my mac then.

SweX, posted September 26, 2014 (edited September 26, 2014)

Hey,

Yes, the program (utorrent) itself is not infected in any way. And it's not utorrent itself that is detected. I don't use utorrent, but according to this thread what you are offered in terms of bundled adware may differ between each download. But they mention that there should be a way to decline one or even several offers during install, also see the latest post in the thread for screenshots: hxxp://forum.utorrent.com/topic/92403-adware-spigot/

No, you don't need to format your Mac, and ESET took care of the adware and quarantined it, right?

Well, not sure about normal, but some (not to say many) freeware bundles things as a way to make money, which can also have the opposite effect and scare users away. But no, it's not keyloggers or trojans that are bundled in this case but adware. What the adware actually does on a computer differs between the variants that exist, but there is a thin line between adware, PUAs, and spyware. What they have in common is that we don't want them to sneak in via, for example, software we install, as they are unwanted and can be very stubborn, annoying, and hard to get rid of.

Adware (advertising-supported software) is any software application that plays, displays, or downloads advertising content to a user's computer. Typical features are pop-up windows or banners, changes to home page and search engine settings in the web browser, and so forth. Some adware is installed with the computer-user's permission: for example, during the installation of a legitimate application with which the adware is bundled. This is the case with various dubious toolbars. Nowadays, it is difficult to strictly distinguish between adware, spyware and other potentially unwanted applications (PUAs).

planet (Most Valued Members), posted September 27, 2014 (edited October 29, 2014)

> I've downloaded Utorrent from its official website and installed it on my Mac, but after a day, Eset gave me a warning stating that Utorrent.dmg is "dangerous", and I followed the standard procedure and deleted it. To make a test, I downloaded Utorrent from its official website and Eset deleted it again.

Interesting how it gives an alert after a day and not immediately - the realtime protection doesn't detect anything and what I think is happening is the scheduled startup scan is detecting it instead as it scans through.

I can download the dmg without warning, open it without warning... It's only when I set a custom scan on the dmg or leave it on the Mac to let the scheduled scan run that it either comes up with this window, or just logs with 2 infected files and nothing actually done. Also find it strange that it can't be moved to quarantine either...

tmrd (Author), posted September 27, 2014

>> I've downloaded Utorrent from its official website and installed it on my Mac, but after a day, Eset gave me a warning stating that Utorrent.dmg is "dangerous", and I followed the standard procedure and deleted it. To make a test, I downloaded Utorrent from its official website and Eset deleted it again.
>
> Interesting how it gives an alert after a day and not immediately - the realtime protection doesn't detect anything and what I think is happening is the scheduled startup scan is detecting it instead as it scans through.
>
> I can download the dmg without warning, open it without warning... It's only when I set a custom scan on the dmg or leave it on the Mac to let the scheduled scan run that it either comes up with this window, or just logs with 2 infected files and nothing actually done. Also find it strange that it can't be moved to quarantine either...
>
> [scan.jpg]

The same thing happened to me, too. You are right, it's kinda interesting.

SweX, posted September 27, 2014 (edited September 27, 2014)

Wow, shame on me, I must be blind, I totally missed the "after one day" part when I read it, sorry.

But yeah, that is weird, why is it not detected by the real-time scanner at all, not on download, not on execution, but only after a couple of days.

@planet In your screenshot, can't you choose what to do with the file instead of "no action" if you click on it?

Let's hope we can figure this out.

Edit: is the eicar test file detected as it should for you guys on the web? hxxp://www.amtso.org/feature-settings-check.html

planet (Most Valued Members), posted September 27, 2014

> @planet In your screenshot, can't you choose what to do with the file instead of "no action" if you click on it?
>
> Edit: to make sure the real-time scanner works is the eicar test file detected as it should? hxxp://www.amtso.org/feature-settings-check.html

You can select 'Delete' and it is able to successfully delete it, but it's still strange why the real-time scanner doesn't do anything...

For the AMTSO feature settings check, every single one of them is working with Cyber Security Pro.

tmrd (Author), posted September 27, 2014

> Wow, shame on me, I must be blind, I totally missed the "after one day" part when I read it, sorry.
>
> But yeah, that is weird, why is it not detected by the real-time scanner at all, not on download, not on execution, but only after a couple of days.
>
> @planet In your screenshot, can't you choose what to do with the file instead of "no action" if you click on it?
>
> Let's hope we can figure this out.
>
> Edit: is the eicar test file detected as it should for you guys on the web? hxxp://www.amtso.org/feature-settings-check.html

Systems are up, captain.

I was wondering, is there anybody from the Eset Team who can help us regarding this issue?

SweX, posted September 28, 2014 (edited September 28, 2014)

>> @planet In your screenshot, can't you choose what to do with the file instead of "no action" if you click on it?
>>
>> Edit: to make sure the real-time scanner works is the eicar test file detected as it should? hxxp://www.amtso.org/feature-settings-check.html
>
> You can select 'Delete' and it is able to successfully delete it, but it's still strange why the real-time scanner doesn't do anything...
>
> For the AMTSO feature settings check, every single one of them is working with Cyber Security Pro.

Alright, that's good. Yep, I don't understand why it's not detected by the real-time scanner. Great that ECSP reacted to each one of the tests, then we know it's working at least.

P.S. Just for fun I downloaded the DMG from the official website, and checked it with live grid.

risk level: risky
number of users: medium
time of discovery: 6 months ago

As I can't execute the dmg, I did a context-menu scan and the adware was detected....

Scan Log
Version of virus signature database: 10475 (20140927)
Date: 2014-09-28
Scanned disks, folders and files: C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg
C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg » DMG » 4.hfs » HFS » uTorrent-Installer » FAT » file0000 - a variant of OSX/Adware.Spigot.A application
C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg » DMG » 4.hfs » HFS » uTorrent-Installer » FAT » file0001 - a variant of OSX/Adware.Spigot.A application
Number of scanned objects: 26
Number of threats found: 2

And on VT it's still only Dr.Web that flags it: https://www.virustotal.com/sv/file/de280859604b6141ac9afd1116b484ed4e51f52a220ac98de1f795645a195ac7/analysis/1411865955/

I also downloaded the latest Win version from the website to compare (released just 3 days ago), and did a scan....and it came out all clean! And clean on VT.

I am surprised, I expected to see some PUA or adware detections, what the heck.

>> Wow, shame on me, I must be blind, I totally missed the "after one day" part when I read it, sorry.
>>
>> But yeah, that is weird, why is it not detected by the real-time scanner at all, not on download, not on execution, but only after a couple of days.
>>
>> @planet In your screenshot, can't you choose what to do with the file instead of "no action" if you click on it?
>>
>> Let's hope we can figure this out.
>>
>> Edit: is the eicar test file detected as it should for you guys on the web? hxxp://www.amtso.org/feature-settings-check.html
>
> Systems are up, captain.
>
> I was wondering, is there anybody from the Eset Team who can help us regarding this issue?

Good good. Yes, sure there is. Personally I don't have a clue why it's not detected by the real-time scanner at all, it sounds abnormal. That's one thing ESET could help us understand.

rugk, posted September 28, 2014

Mhh... as I see it is detected as "a variant of OSX/Adware.Spigot.A application", it is a bit modified from the original OSX/Adware.Spigot.A, so I would suggest you submit this to ESET. The same with the Windows version.

And another thing...

> a variant of OSX/Adware.Spigot.A application

Shouldn't there be the "potentially unwanted application" at the end if it is such a thing? But - no - as I see it is "adware", so it may be "more bad" than a PUA. And if so it is also detected when PUA detection is disabled, isn't it?

SweX, posted September 28, 2014 (edited September 29, 2014)

> Mhh... as I see it is detected as "a variant of OSX/Adware.Spigot.A application", it is a bit modified from the original OSX/Adware.Spigot.A, so I would suggest you submit this to ESET. The same with the Windows version.
>
> And another thing...
>
>> a variant of OSX/Adware.Spigot.A application
>
> Shouldn't there be the "potentially unwanted application" at the end if it is such a thing? But - no - as I see it is "adware", so it may be "more bad" than a PUA. And if so it is also detected when PUA detection is disabled, isn't it?

Yes, that's correct, it is classified as Adware, so it will not be detected as a pup or pua. And keep in mind... "Nowadays, it is difficult to strictly distinguish between adware, spyware and other potentially unwanted applications (PUAs)."

I scanned the latest release (Sep 24) of the windows version and it came through clean. And it's trusted (green) in live grid.

rugk, posted September 29, 2014

OK, if this installer contains/is PUA then I would submit it to ESET. Have you done this, SweX?

planet (Most Valued Members), posted October 28, 2014

Just an update to say that as of version 6.0.14.0, with OS X Yosemite, and the most recent virus signature database, ESET Cyber Security (and Pro) now immediately detects and deletes the uTorrent download as soon as it has finished downloading, finding "Adware.Spigot.A application".

Real-time file system protection; file; /Users/name/Downloads/uTorrent.dmg; /Adware.Spigot.A application; cleaned by deleting; Event occurred during an attempt to access the file by the application: /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock.

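Added example (not written by any poster in this thread or by ESET): a short Python triage of the two log excerpts quoted above, showing which module reported the detection, where inside the DMG the flagged object sat, and whether the name is labelled adware or carries the "potentially unwanted application" suffix rugk asked about. The field layout is inferred only from those two excerpts, and all function names are hypothetical.

```python
# Constructed sample input: the two log shapes copied from the posts in this thread.
SCAN_LINE = (r"C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg » DMG » 4.hfs » HFS "
             r"» uTorrent-Installer » FAT » file0000 - a variant of OSX/Adware.Spigot.A application")
REALTIME_LINE = ("Real-time file system protection; file; /Users/name/Downloads/uTorrent.dmg; "
                 "/Adware.Spigot.A application; cleaned by deleting; Event occurred during an "
                 "attempt to access the file by the application: "
                 "/System/Library/CoreServices/Dock.app/Contents/MacOS/Dock.")

def classify(detection):
    """Split a detection string into name, variant flag and coarse category."""
    prefix = "a variant of "
    variant = detection.lower().startswith(prefix)
    name = (detection[len(prefix):] if variant else detection).strip()
    if name.lower().endswith("potentially unwanted application"):
        category = "pua"      # the suffix asked about in the thread
    elif "adware" in name.lower():
        category = "adware"   # the classification both excerpts show
    else:
        category = "other"
    return {"name": name, "variant": variant, "category": category}

def parse_scan_line(line):
    """On-demand scan log: '<file> » <container> » ... » <object> - <detection>'."""
    path_part, sep, detection = line.rpartition(" - ")
    if not sep:
        return None  # header or summary line, no detection on it
    chain = [p.strip() for p in path_part.split("»")]
    rec = {"module": "on-demand scan", "file": chain[0],
           "containers": chain[1:-1], "object": chain[-1], "action": None}
    rec.update(classify(detection.strip()))
    return rec

def parse_realtime_line(line):
    """Real-time log (assumed order): module; type; path; detection; action; info."""
    fields = [f.strip() for f in line.split(";", 5)]
    if len(fields) < 5:
        return None
    rec = {"module": fields[0], "file": fields[2], "containers": [],
           "object": fields[2], "action": fields[4]}
    rec.update(classify(fields[3]))
    return rec

def triage(lines):
    """Parse mixed log lines and keep only those that carry a detection."""
    recs = (parse_realtime_line(l) if l.count(";") >= 4 else parse_scan_line(l)
            for l in lines)
    return [r for r in recs if r]
```
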
SweX, posted October 28, 2014

Great, thanks for the update Planet.