Archived

This topic is now archived and is closed to further replies.

tmrd

Eset Cyber Security Pro Sees Utorrent As A Malicious App. Is That Normal?

I've downloaded Utorrent from its official website and installed it on my Mac, but after a day, Eset gave me a warning stating that Utorrent.dmg is "dangerous", and I followed the standard procedure and deleted it. As a test, I downloaded Utorrent from its official website and Eset deleted it again.

 

Here is the image: 

 

hxxp://i.imgur.com/k01XHxM.png

 

"a variant of OSX/Adware.Spigot.A Application"

 

 

Should I worry?


Hello,

 

The detection is correct. It's the bundled adware that is detected.

 

A Google search for "utorrent bundle adware" shows some interesting results. 


Thank you for the answer. I did.

 

When I install Utorrent on my Windows, I decline the bundled things but there isn't any option on the mac to decline, so I think they don't do it on the Mac OS. So there isn't any sign of any kind of adware (including browsers and pc itself.)

 

So it's a normal thing and isn't something related to trojans or keyloggers? I won't format my mac then.


Hey,

 

Yes, the program (utorrent) itself is not infected in any way. And it's not utorrent itself that is detected.

 

I don't use utorrent, but according to this thread, what you are offered in terms of bundled adware may differ between each download. But they mention that there should be a way to decline one or even several offers during install; also see the latest post in the thread for screenshots: hxxp://forum.utorrent.com/topic/92403-adware-spigot/

 

No you don't need to format your Mac, and ESET took care of the adware and quarantined it right?

 

Well, not sure about normal, but some (not to say many) freeware does bundle things as a way to make money, which can also have the opposite effect and scare users away. But no, it's not keyloggers or trojans that are bundled in this case but adware. What the adware actually does on a computer differs between the variants that exist, but there is a thin line between adware, PUAs, and spyware. What they have in common is that we don't want them to sneak in via, for example, software we install, as they are unwanted and can be very stubborn, annoying, and hard to get rid of.

 

Adware (advertising-supported software) is any software application that plays, displays, or downloads advertising content to a user’s computer. Typical features are pop-up windows or banners, changes to home page and search engine settings in the web browser, and so forth. Some adware is installed with the computer-user’s permission: for example, during the installation of a legitimate application with which the adware is bundled. This is the case with various dubious toolbars. Nowadays, it is difficult to strictly distinguish between adware, spyware and other potentially unwanted applications (PUAs).


Interesting how it gives an alert after a day and not immediately - the realtime protection doesn't detect anything and what I think is happening is the scheduled startup scan is detecting it instead as it scans through.

 

I can download the dmg without warning, open it without warning... It's only when I set a custom scan on the dmg or leave it on the Mac to let the scheduled scan run that it either comes up with this window, or just logs with 2 infected files and nothing actually done.

 

Also find it strange that it can't be moved to quarantine either...


The same thing happened to me, too. You are right, it's kinda interesting.


Wow shame on me, I must be blind I totally missed the "after one day" part when I read it, sorry  :blink:

 

But yeah that is weird, why is it not detected by the real-time scanner at all, not on download, not on execution, but only after a couple of days. 

 

@planet In your screenshot, can't you choose what to do with the file instead of "no action" if you click on it?

 

Let's hope we can figure this out  :)

 

Edit: is the eicar test file detected as it should for you guys on the web?

 

hxxp://www.amtso.org/feature-settings-check.html


@planet In your screenshot, can't you choose what to do with the file instead of "no action" if you click on it?

 

 

Edit: to make sure the real-time scanner works is the eicar test file detected as it should?

 

hxxp://www.amtso.org/feature-settings-check.html

 

You can select 'Delete' and it is able to successfully delete it, but it's still strange why the real-time scanner doesn't do anything...

 

For the AMTSO feature settings check, every single one of them is working with Cyber Security Pro.


Systems are up, captain :)

 

I was wondering, is there anybody from the Eset Team who can help us regarding this issue?


Alright that's good. Yep I don't understand why it's not detected by the real-time scanner.

 

Great that ECSP reacted to each one of the tests, then we know it's working at least.

 

P.S

 

Just for fun I downloaded the DMG from the official website, and checked it with live grid.

risk level: risky

number of users: medium

time of discovery: 6 months ago

 

As I can't execute the dmg, I did a context-menu scan and the adware was detected....

 

Scan Log

Version of virus signature database: 10475 (20140927)

Date: 2014-09-28  

Scanned disks, folders and files: C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg

C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg » DMG » 4.hfs » HFS » uTorrent-Installer » FAT » file0000 - a variant of OSX/Adware.Spigot.A application

C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg » DMG » 4.hfs » HFS » uTorrent-Installer » FAT » file0001 - a variant of OSX/Adware.Spigot.A application

Number of scanned objects: 26

Number of threats found: 2

 

And on VT it's still only Dr.Web that flags it:  https://www.virustotal.com/sv/file/de280859604b6141ac9afd1116b484ed4e51f52a220ac98de1f795645a195ac7/analysis/1411865955/

 

I also downloaded the latest Win version from the website to compare (released just 3 days ago), and did a scan....and it came out all clean! And clean on VT. I am surprised I expected to see some PUA or adware detections, what the heck  :ph34r:

 

 


Good good :D

 

Yes sure there is, personally I don't have a clue why it's not detected by the real-time scanner at all, it sounds abnormal. That's one thing ESET could help us understand.  :)


Mhh...

 

As I see it, it is detected as "a variant of OSX/Adware.Spigot.A application", so it is a bit modified from the original OSX/Adware.Spigot.A, so I would suggest you submit this to ESET.

The same with the Windows version.

 

And another thing...

 

a variant of OSX/Adware.Spigot.A application

 

Shouldn't there be the "potentially unwanted application" at the end if it is such a thing?

But - no - as I see it, it is "adware", so it may be "more bad" than a PUA. And if so, it is also detected when PUA detection is disabled, isn't it?


Yes that's correct, it is classified as Adware, so it will not be detected as a pup or pua.

 

And keep in mind...

"Nowadays, it is difficult to strictly distinguish between adware, spyware and other potentially unwanted applications (PUAs)."

 

I scanned the latest release (Sep 24) of the windows version and it came through clean. And it's trusted (green) in live grid.


OK, if this installer contains/is PUA then I would submit it to ESET. Have you done this, SweX?


Just an update to say that as of version 6.0.14.0, with OS X Yosemite, and the most recent virus signature database, ESET Cyber Security (and Pro) now immediately detects and deletes the uTorrent download as soon as it has finished downloading, finding "Adware.Spigot.A application".

Real-time file system protection; file; /Users/name/Downloads/uTorrent.dmg; /Adware.Spigot.A application; cleaned by deleting; Event occurred during an attempt to access the file by the application: /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock.
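
Added example, not part of the original posts and not ESET tooling: a small parser for the two log formats quoted in this thread (the on-demand scan log and the real-time protection entry above). It records which scanner module reported the file and where inside the DMG the flagged objects sit. The field layout and the detection-name pattern are assumptions inferred only from the lines posted here.

```python
import re
from dataclasses import dataclass

# Log lines copied verbatim from the posts in this thread (not constructed).
SCAN_LOG = [
    r"C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg » DMG » 4.hfs » HFS » uTorrent-Installer » FAT » file0000 - a variant of OSX/Adware.Spigot.A application",
    r"C:\Documents and Settings\xxx\Skrivbord\uTorrent.dmg » DMG » 4.hfs » HFS » uTorrent-Installer » FAT » file0001 - a variant of OSX/Adware.Spigot.A application",
]
REALTIME_LINE = "Real-time file system protection; file; /Users/name/Downloads/uTorrent.dmg; /Adware.Spigot.A application; cleaned by deleting; Event occurred during an attempt to access the file by the application: /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock."

# Assumed shape (inferred from the samples): ["a variant of "][platform]/Kind.Family.Rev category
DETECTION = re.compile(
    r"(?P<variant>a variant of )?(?P<platform>\w+)?/(?P<kind>\w+)"
    r"\.(?P<family>\w+)\.(?P<rev>\w+) (?P<category>[a-z ]+)")

@dataclass
class Finding:
    module: str       # scanner component that reported the object
    target: str       # file on disk
    nested: tuple     # container chain inside the file, outermost first
    kind: str         # e.g. "Adware"
    family: str       # e.g. "Spigot"
    is_variant: bool  # True when the log says "a variant of"
    action: str       # empty when the log line records no action

def _finding(module, target, nested, detection, action):
    m = DETECTION.fullmatch(detection.strip())
    if m is None:
        raise ValueError(f"unrecognised detection text: {detection!r}")
    return Finding(module, target, tuple(nested), m["kind"], m["family"], bool(m["variant"]), action)

def parse_scan_line(line):
    """On-demand scan log: '<file> » <container> » ... - <detection>'."""
    path, _, detection = line.rpartition(" - ")
    target, *nested = (part.strip() for part in path.split("»"))
    return _finding("on-demand scan", target, nested, detection, "")

def parse_realtime_line(line):
    """Real-time log: 'module; type; file; detection; action; info'."""
    module, _type, target, detection, action, _info = (f.strip() for f in line.split(";", 5))
    return _finding(module, target, (), detection, action)

def modules_by_file(findings):
    """Map each flagged file name to the scanner modules that reported it."""
    seen = {}
    for f in findings:
        seen.setdefault(re.split(r"[\\/]", f.target)[-1], set()).add(f.module)
    return seen
```

Running `modules_by_file` over both logs shows the same `uTorrent.dmg` reported by two different modules, which is the discrepancy the thread was trying to explain before the later update.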


Great, thanks for the update Planet  ;)
