ESET detection is causing corruption of macOS app support files

Chas4 · October 22, 2023

7 hours ago, sesk said:

ur not on sonoma, are u? if the log collector crash, your system is probably not as clean as it should be?!

Nope can't get macOS 14 on this one (can via a 3rd party tool). And the log collector crash is an older bug I have seen in in previous versions of the ESET log collector also (even ESET support has seen it crash when collecting logs while in a remote session)

Chas4 · October 30, 2023

GUI still broken after ESET update

Update release notes link in ESET hxxp://repository.eset.com/v1/com/eset/apps/home/eav/mac/v7/7.4.1600.0/eset_cybersecurity_mlp_10.pkg.changelog.html

Robertos · October 30, 2023

Your quarantine issue is not fixed in 7.4.1600.0 yet.

As I wrote you in private message:

I advice you to restore file you are need and were moved to quarantine by reinstalling those application, or from valid backup and then delete quarantine content by deleting quarantine folder. macOS restart after quarantine folder deletion is required.

If the product is still detecting you files and you are sure that it is false positive detections you could setup performance exclusion on those files but it lowers your security. It is on you own risk!!!, you must be sure that files you are excluding are safe.

Robertos · November 3, 2023

Chas4, we apologies for long time of processing files you were reported to ESET. Thank you for your reports.

Now, we made some improvements in false positive detections. Product should not detect file for latest installation of WINE or CrossOver as infections. It should be applied to already released builds, so 7.4.1600.0 should not detect it as well.

Chas4 · November 3, 2023

33 minutes ago, Robertos said:

Chas4, we apologies for long time of processing files you were reported to ESET. Thank you for your reports.

Now, we made some improvements in false positive detections. Product should not detect file for latest installation of WINE or CrossOver as infections. It should be applied to already released builds, so 7.4.1600.0 should not detect it as well.

Won't be able to check till the quarantine GUI bug is fixed or if I can manually remove the file

Robertos · November 4, 2023

We are working on quarantine fix, but next planned release for ECS is in Q2/2024. May be there will be not-planned hot fix release, but as you know it is not planned so I can not tell when it will be released or whether it will be.

If in the quarantine are files required by WINE or CrossOver is not better choice for you to make new clean installation of latest versions of those product and manually delete quarantine in ECS?

Chas4 · November 4, 2023

2 hours ago, Robertos said:

We are working on quarantine fix, but next planned release for ECS is in Q2/2024. May be there will be not-planned hot fix release, but as you know it is not planned so I can not tell when it will be released or whether it will be.

If in the quarantine are files required by WINE or CrossOver is not better choice for you to make new clean installation of latest versions of those product and manually delete quarantine in ECS?

Is there a way to manually figure out what the 1 file is so I can manually remove the file to get the GUI working again?

It is just Crossover which has a polished version of WINE (https://www.codeweavers.com/crossover#mac) and a GUI and scripts, and CPU level translations that make it easier to install Windows programs on macOS without Windows, and it is frameworks used by the apps that have had false positives for years.

Robertos · November 5, 2023

We do not know it yet. I will inform you if find any useable workaround.

Chas4 · November 5, 2023

Until the work around I can't get a path to the false positive on the WINE file that I noticed.

Or if you can figure out what the cryptic name for the 1 byte file is I can manually remove that from the quarantine (the file I got from a phishing email with that attached).

Side note

https://www.virustotal.com/gui/file/14c6bb9271eb740d5244759e52badbc309ab294299434b71bf132985a37cbbc3/detection

That .doc file I sent to ESET 10 days ago, it is part of a IRS phishing email (it is 424 KB in size so it would be more than just a url in the email)

Robertos · November 8, 2023

Chas4, if you delete these files from your quarantine:

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NDF

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NQF

quarantine in the product will start to work again.

Chas4 · November 8, 2023

31 minutes ago, Robertos said:

Chas4, if you delete these files from your quarantine:

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NDF

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NQF

quarantine in the product will start to work again.

@Robertos I did delete 356A192B7913B04C54574D18C28D46E6395428AB still no go, is it the same name for both of them?

Robertos · November 8, 2023

1 hour ago, Chas4 said:

@Robertos I did delete 356A192B7913B04C54574D18C28D46E6395428AB still no go, is it the same name for both of them?

Did you restart macOS? It is required after such change.

Chas4 · November 8, 2023

1 hour ago, Robertos said:

Did you restart macOS? It is required after such change.

~~Not yet~~

@R obertos it did not work after the restart (strange forum bug has bold stuck)

Edited November 8, 2023 by Chas4

Robertos · November 8, 2023

Two ESET developers replicated your issue with content of your quarantine.

Removing '356A192B7913B04C54574D18C28D46E6395428AB.*' from root quarantine fixed the issue and quarantine started to work for both developers.

Let me summarize what you should do, more deeply:

upgrade product to ECS 7.4.1600.0, the latest version of v7, we tested it with this build
go in Terminal to you quarantine folder
cd /Library/Application Support/ESET/Security/cache/quarantine
check owners and POSIX right of your quarantine subfolders and files. Check it for files in subfolders too. Correct settings is for
folder is: rwxrwx--- eset-ecsm-scand eset-ecsm-daemons
file is: rw------- eset-ecsm-scand eset-ecsm-daemons
if you settings are different correct it by these commands for:
files:
  sudo chown eset-ecsm-scand:eset-ecsm-daemons *.*
     sudo chmod 600 *.*

subfolders:
   sudo chown eset-ecsm-scand:eset-ecsm-daemons <replace_by_subfolder_name>
sudo chmod 770 <replace_by_subfolder_name>
in quarantine folder fro root user delete problematic files
cd root
rm -Rf 356A192B7913B04C54574D18C28D46E6395428AB.*
verify that problematic files are removed
ls -la | grep 356A192B7913B04C54574D18C28D46E6395428AB

must return nothing
restart macOS
you quarantine in GUI or terminal should be working

Chas4 · November 8, 2023

20 minutes ago, Robertos said:

Two ESET developers replicated your issue with content of your quarantine.

Removing '356A192B7913B04C54574D18C28D46E6395428AB.*' from root quarantine fixed the issue and quarantine started to work for both developers.

Let me summarize what you should do, more deeply:

upgrade product to ECS 7.4.1600.0, the latest version of v7, we tested it with this build

go in Terminal to you quarantine folder
cd /Library/Application Support/ESET/Security/cache/quarantine

check owners and POSIX right of your quarantine subfolders and files. Check it for files in subfolders too. Correct settings is for
folder is: rwxrwx---  eset-ecsm-scand eset-ecsm-daemons
file is:  rw------- eset-ecsm-scand eset-ecsm-daemons

if you settings are different correct it by these commands for:
files:
  sudo chown eset-ecsm-scand:eset-ecsm-daemons *.*
     sudo chmod 600 *.*

subfolders:
   sudo chown eset-ecsm-scand:eset-ecsm-daemons <replace_by_subfolder_name>
sudo chmod 770 <replace_by_subfolder_name>

in quarantine folder fro root user delete problematic files
cd root
rm -Rf 356A192B7913B04C54574D18C28D46E6395428AB.*

verify that problematic files are removed
ls -la | grep 356A192B7913B04C54574D18C28D46E6395428AB

must return nothing

restart macOS

you quarantine in GUI or terminal should be working

Already updated to 7.4.1600.0, when it came out as mentioned above

I manually removed the file listed from quarantine via Finder (temp added my user account to the folder permissions to do so, then removed when I was done).

@Robertos

Do you want to continue this in the private message?

Robertos · November 11, 2023

If you did everything correctly and it still not working you should wait for release of build with fixed quarantine issue.

May be you could try one more hint: problematic file is in quarantine subfolder 'root'

You could move this folder outside of quarantine subfolder to another disc location, e.g. to you ~/Documents/. Move means thet root folder is deleted in original location.
Next restart macoS.
Then try quarantine in GUI again, it should work.

This allows you to restore all files except the ones that were in root subfolder. You can return root subfolder back after we release build with quarantine fix and then you will could restore rest of you files.

Chas4 · November 27, 2023

A fix looks to be coming in a future version.

Sign In

ESET detection is causing corruption of macOS app support files

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Recently Browsing 0 members

Quick search

FAQ

Topics