ESET detection is causing corruption of macOS app support files

[Chas4 8]

ESET is flagging things used in WINE by the application CrossOver (have already reported it to ESET in the past on the false positives).

 

Also seems a 1 byte .bin file (ESET already has the file and has for a few week when I reported the email it came from) that is masked as a .pdf by Amazon phishing attack manually trying to add to Quarantine causes a hang in the Quarantine GUI.

[Chas4 8]

Computer reboot and the Quarantine GUI is still hung

 

[Marcos 5,085]

 

1 hour ago, Chas4 said:

ESET is flagging things used in WINE by the application CrossOver.

I've tried googling for the application to no avail. Please provide more info, such as the official app website with a download link.

Quote

Also seems a 1 byte .bin file (ESET already has the file and has for a few week when I reported the email it came from) that is masked as a .pdf by Amazon phishing attack manually trying to add to Quarantine causes a hang in the Quarantine GUI.

While it sound weird that a 1-byte file pretending to be pdf could freeze the whole system when scanned by ESET, we'd like to look into it. Please provide me with the file in an archive encrypted with the password "infected".

[Chas4 8]

37 minutes ago, Marcos said:

 

I've tried googling for the application to no avail. Please provide more info, such as the official app website with a download link.

While it sound weird that a 1-byte file pretending to be pdf could freeze the whole system when scanned by ESET, we'd like to look into it. Please provide me with the file in an archive encrypted with the password "infected".

https://www.codeweavers.com/crossover#mac I report that one years ago and they also document the false positives some have (they have a free trial)

 

macOS is not frozen the GUI for Quarantine is broken now (ESET should have the file, sent it about a week ago via a sample report from the fake Amazon email), I sent the email to ESET as an attachment 10/11/23, the subject is

[Important Notice] Your Account is locked - Case: #2501720848

 

@Marcos A computer restart did not fix it, is there a way to manually remove the 1 byte file out of the ESET Quarantine since the ESET Quarantine GUI is hung?

[Robertos 17]

You could delete content of the folder:

'/Library/Application Support/ESET/Security/cache/quarantine/'

you will need admin right to do it. After deleting restart of ESET services is required, restart of macOS will do it for you.

But be aware, all items moved to quarantine by the product will be lost. You must be sure that there is not anything important for you.

You did not mention version of the product, try to upgrade it by 7.4.1200.0 and try Quarantine action with this version. If it fail again, please, open support ticket for this. We need more information to replicate and fix it.

[Chas4 8]

2 hours ago, Robertos said:

You could delete content of the folder:

'/Library/Application Support/ESET/Security/cache/quarantine/'

you will need admin right to do it. After deleting restart of ESET services is required, restart of macOS will do it for you.

But be aware, all items moved to quarantine by the product will be lost. You must be sure that there is not anything important for you.

You did not mention version of the product, try to upgrade it by 7.4.1200.0 and try Quarantine action with this version. If it fail again, please, open support ticket for this. We need more information to replicate and fix it.

Can't do that as there are false positives that need to be restored.

7.4.1200.0  was already mention in another forum, this looks to be a bug as the GUI for Quarantine is broken now due to a 1 byte file.  ESET has the file already

 

[itman 1,665]

1 hour ago, Chas4 said:

Can't do that as there are false positives that need to be restored.

Just delete the 1 byte file in the quarantine directory.

[Chas4 8]

7 minutes ago, itman said:

Just delete the 1 byte file in the quarantine directory.

Would be nice if I had access to the folder it is in (I think it is just the ESET app users that can access that folder), the GUI is broken due to the bug with the 1 byte file

[itman 1,665]

4 hours ago, Chas4 said:

Would be nice if I had access to the folder

You should be able to access files in the directory via Mac Safe mode: https://support.apple.com/guide/mac-help/start-up-your-mac-in-safe-mode-mh21245/mac .

[Robertos 17]

You can use command line binary quar in application bundle for quarantine data manipulation. Here is command for printing it help:

 

/Applications/<ESET-Product-Name>.app/Contents/MacOS/quar --help

 

It will list available commands, one is listing to identify files in quarantine. Then, you could restore or delete problematic file using quar binary.

 

FYI:

Quarantine folder is not normally accessible to make it secure, but if you have admin privileges you can set correct POSIX rights to parent folders to be ale to access quarantine data. Anyway, manipulation by quar binary is better way.

[Chas4 8]

@Robertos tried but got no luck

/Applications/<ESET-Cyber-Security>.app/Contents/MacOS/quar --help

zsh: no such file or directory: ESET-Cyber-Security

[Chas4 8]

ESET log collector on macOS has a strange bug where it crashes collecting logs or in the advanced logging options

[Robertos 17]

Chas4 you must replace <ESET-Cyber-Security> in the path with real name of ESET application you are using. See your application folder for real path.

[Robertos 17]

I can see from private message you send me that you quarantine is full of detected trojan infections. You should delete it to clean quarantine but you said you can not do it because there are files that are not infection and you want to restore it? You cannot restore that files because product GUI is not working and not show quarantine content. Do I understand it correctly?

 

I've send you how you can list commands for command line manipulation of quarantine. You are able to do everything with quarantine from command line what you need, like in GUI. In case of GUI is not working it is only one way how to restore file from quarantine.

 

This command prints you help for command line utility quar

"/Applications/ESET Cyber Security.app/Contents/MacOS/quar" --help

 

1. You should list help to read quar command.
2. The you should list content of your quarantine.
3. Then you should identify files you want to restore
4. if you are sure that restored files are false positive, you should setup exclusion for this file to not detect it by real-time file protection again.
5. then you could restore it 
6. then you should delete rest infected files from quarantine
7. it is better to setup exclusion before you restore detected file otherwise protection will detect it and put into quarantine again

 

BTW: how do you know that detected files are false positive?

 

I advise you to run custom scan with 'In-Depth Scan' profile active on you whole disk. It seems that you iMac need it. It could take a time until it will finish because you have a lot of applications on your disk.

 

 

[Chas4 8]

I know they are false positives as I have reported them to ESET in the past, it is flagging some WINE files as suspicious and rather than asking me it just quarantine them

https://www.codeweavers.com/support/wiki/mac/mactutorial/bitdefender

The detected trojans are ones I reported to ESET from scam emails I got. (mail program bug is downloading files even when I tell it not to), I reported them via fwd the email to ESET's sample email address.

Can you send the last ESET logs to the devs I sent in the DM so they can find the bug in the ESET GUI?

I have run an In-Depth Scan already and do a few times a year.

Edited October 19, 2023 by Chas4

[Chas4 8]

Did an In-Depth Scan and it took and 42 minutes and 43 seconds which is impressive for this 10 year old Mac, and that is much faster than older versions of ESET Cyber Security which would take about 2 to 3+ hours

[Robertos 17]

Did in-depth scan found any infections? 

 

I've tested your 1byte PDF file you send me. In-depth scan did not detect it as infection now. I added file to quarantine manually, GUI shows quarantine correctly, I could restore it from quarantine to disk too. Why do you think that this file is the problem?

 

 

[Chas4 8]

4 hours ago, Robertos said:

Did in-depth scan found any infections? 

 

I've tested your 1byte PDF file you send me. In-depth scan did not detect it as infection now. I added file to quarantine manually, GUI shows quarantine correctly, I could restore it from quarantine to disk too. Why do you think that this file is the problem?

 

 

It found nothing, most of what is in quarantine are ones I reported to ESET. (others are from a version 6 bug ignoring network patch location exclusions, that is a 2+ year old bug in version 6) 

It is when I tried to move the file to the quarantine manually did the quarantine GUIs stop working and the spinning icon just shows

[Chas4 8]

@RobertosStrange forum bug will not let me fix a typo 10 minutes after I posted a comment

[Robertos 17]

As I wrote, mentioned file itself is not the problem. I assume that problem is in files you have in quarantine now.

All detected files stored in your quarantine are real infections, except of eicar, though several from them are not harmful on macOS. If you do not need these files we recommend to delete them.

If you need them and are not to able to restore it from non-infected backup you can try to rescan those files again. You

• should update modules to latest version,
• then you could restore file form quarantine and
• rescan it again by custom ondemanfd scan if real time protection doesn't detect it automatically.

If it was false positive new scanner module could not detect it again.

If it is still detected then it is infection and you should leave it in quarantine and check it again later in the future.

 

 

[Chas4 8]

7 hours ago, Robertos said:

As I wrote, mentioned file itself is not the problem. I assume that problem is in files you have in quarantine now.

All detected files stored in your quarantine are real infections, except of eicar, though several from them are not harmful on macOS. If you do not need these files we recommend to delete them.

If you need them and are not to able to restore it from non-infected backup you can try to rescan those files again. You

• should update modules to latest version,
• then you could restore file form quarantine and
• rescan it again by custom ondemanfd scan if real time protection doesn't detect it automatically.

If it was false positive new scanner module could not detect it again.

If it is still detected then it is infection and you should leave it in quarantine and check it again later in the future.

 

 

Nope there are false positives in the quarantine, and I can't remove them right now with the quarantine GUI not working, and modules and ESET are updated yet it is hung since that 1 byte file.  The detection is not new, reported to ESET a few years ago, and such a high false positive rate that Crossover has a repair bottles feature due to anti malware programs corrupting bottles by removing safe files.  Crossover is a polished version of WINE for running windows programs on macOS without a VM  The detection is about 5 years of false positives and I linked to the page Codeweavers has info about the false positives (HP uses WINE in their macOS software)

Also the bug in version 6 corrupts time machine back ups with it ignoring exclusions. 

95% of what is in the quarantine are ones I reported to ESET.

The bug in ESET only started when I manually added the 1 byte file, which I had sent to ESET about a week before via the Amazon phishing email it is attached to.

[Chas4 8]

Also should note that macOS 14 is using the Crossover files so that would also mean ESET might have false positives on WINE being used by macOS 14

[Marcos 5,085]

Unfortunately I could not find your Crossover samples. Please send me the detected files in an archive encrypted with the password "infected" or if too big to send via a pm upload it to a safe location and drop me a pm with a download link.

[Chas4 8]

2 hours ago, Marcos said:

Unfortunately I could not find your Crossover samples. Please send me the detected files in an archive encrypted with the password "infected" or if too big to send via a pm upload it to a safe location and drop me a pm with a download link.

ESET should have it already as it is set to send suspicious files automatically, there will be at least 1 with WINE in the file path, also Robertos has a copy of the quarantine folder.

[sesk 23]

ur not on sonoma, are u? if the log collector crash, your system is probably not as clean as it should be?!