
ESET detection is causing corruption of macOS app support files


Chas4


7 hours ago, sesk said:

You're not on Sonoma, are you? If the log collector crashes, your system is probably not as clean as it should be?!

Nope, can't get macOS 14 on this one (can via a 3rd-party tool). And the log collector crash is an older bug I have seen in previous versions of the ESET log collector as well (even ESET support has seen it crash when collecting logs while in a remote session).

2 weeks later...

ESET Staff

Your quarantine issue is not fixed in 7.4.1600.0 yet. 

 

As I wrote you in a private message:

I advise you to restore the files you need that were moved to quarantine by reinstalling those applications, or from a valid backup, and then delete the quarantine content by deleting the quarantine folder. A macOS restart after the quarantine folder deletion is required.

 

If the product is still detecting your files and you are sure that they are false positive detections, you could set up a performance exclusion on those files, but it lowers your security. It is at your own risk!!! You must be sure that the files you are excluding are safe.

ESET Staff

Chas4, we apologize for the long processing time of the files you reported to ESET. Thank you for your reports.

 

Now we have made some improvements to the false positive detections. The product should not detect files from the latest installation of WINE or CrossOver as infections. This applies to already released builds too, so 7.4.1600.0 should not detect them either.


33 minutes ago, Robertos said:

Chas4, we apologize for the long processing time of the files you reported to ESET. Thank you for your reports.

Now we have made some improvements to the false positive detections. The product should not detect files from the latest installation of WINE or CrossOver as infections. This applies to already released builds too, so 7.4.1600.0 should not detect them either.

Won't be able to check till the quarantine GUI bug is fixed, or until I can manually remove the file.

ESET Staff

We are working on a quarantine fix, but the next planned release for ECS is in Q2/2024. Maybe there will be an unplanned hotfix release, but as you know it is not planned, so I cannot tell when it will be released or whether it will be.

 

If the files in the quarantine are required by WINE or CrossOver, is it not a better choice for you to make a new clean installation of the latest versions of those products and manually delete the quarantine in ECS?


2 hours ago, Robertos said:

We are working on a quarantine fix, but the next planned release for ECS is in Q2/2024. Maybe there will be an unplanned hotfix release, but as you know it is not planned, so I cannot tell when it will be released or whether it will be.

If the files in the quarantine are required by WINE or CrossOver, is it not a better choice for you to make a new clean installation of the latest versions of those products and manually delete the quarantine in ECS?

Is there a way to manually figure out which the one file is, so I can manually remove it to get the GUI working again?

It is just Crossover, which has a polished version of WINE (https://www.codeweavers.com/crossover#mac), a GUI and scripts, and CPU-level translation that make it easier to install Windows programs on macOS without Windows, and it is frameworks used by the apps that have had false positives for years.


Until the workaround, I can't get a path to the false positive on the WINE file that I noticed.

Or if you can figure out what the cryptic name for the 1-byte file is, I can manually remove that from the quarantine (the file I got from a phishing email that had it attached).

 

Side note

https://www.virustotal.com/gui/file/14c6bb9271eb740d5244759e52badbc309ab294299434b71bf132985a37cbbc3/detection

That .doc file I sent to ESET 10 days ago is part of an IRS phishing email (it is 424 KB in size, so it would be more than just a URL in the email).

ESET Staff

Chas4, if you delete these files from your quarantine:

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NDF

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NQF

the quarantine in the product will start to work again.


31 minutes ago, Robertos said:

Chas4, if you delete these files from your quarantine:

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NDF

/Library/Application Support/ESET/Security/cache/quarantine/root/356A192B7913B04C54574D18C28D46E6395428AB.NQF

the quarantine in the product will start to work again.

@Robertos I did delete 356A192B7913B04C54574D18C28D46E6395428AB, still no go. Is it the same name for both of them?

ESET Staff
1 hour ago, Chas4 said:

@Robertos I did delete 356A192B7913B04C54574D18C28D46E6395428AB, still no go. Is it the same name for both of them?

Did you restart macOS? It is required after such a change.


1 hour ago, Robertos said:

Did you restart macOS? It is required after such a change.

Not yet

@Robertos it did not work after the restart (strange forum bug has bold stuck).

ESET Staff

Two ESET developers replicated your issue with the content of your quarantine.

Removing '356A192B7913B04C54574D18C28D46E6395428AB.*' from the root quarantine fixed the issue, and the quarantine started to work for both developers.

 

Let me summarize what you should do, in more depth:

  1. upgrade the product to ECS 7.4.1600.0, the latest version of v7; we tested it with this build
  2. in Terminal, go to your quarantine folder (the path contains a space, so quote it)
    cd "/Library/Application Support/ESET/Security/cache/quarantine"

  3. check the owner and POSIX rights of your quarantine subfolders and files. Check the files in the subfolders too. The correct settings are:
    folder:  rwxrwx---  eset-ecsm-scand  eset-ecsm-daemons
    file:    rw-------  eset-ecsm-scand  eset-ecsm-daemons

  4. if your settings are different, correct them with these commands:
    files:
        sudo chown eset-ecsm-scand:eset-ecsm-daemons *.*
        sudo chmod 600 *.*

    subfolders:
        sudo chown eset-ecsm-scand:eset-ecsm-daemons <replace_by_subfolder_name>
        sudo chmod 770 <replace_by_subfolder_name>

  5. in the quarantine subfolder for the root user, delete the problematic files (the subfolder is rwxrwx--- for the ESET accounts, so the glob must be expanded as root)
    sudo sh -c 'cd root && rm -Rf 356A192B7913B04C54574D18C28D46E6395428AB.*'

  6. verify that the problematic files are removed
    sudo ls -la root | grep 356A192B7913B04C54574D18C28D46E6395428AB

    must return nothing

  7. restart macOS

  8. your quarantine in the GUI or Terminal should be working
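The manual checks in steps 3 to 6 of the post above, scripted as an added example; this is not Robertos' code or part of the ESET product. The expected owner, group and modes (eset-ecsm-scand, eset-ecsm-daemons, 770 for folders, 600 for files) and the record name are taken from the post; the function names, the stat wrapper that works with both BSD (macOS) and GNU (Linux) stat, and what happens when not running as root are my own assumptions. Unlike the post's `chmod 600 *.*`, which only touches the top level, the audit and fix walk the whole tree, and a failed chown (the eset-ecsm-* accounts only exist where the product is installed) is reported rather than fatal. Because the subfolders are rwxrwx--- for the ESET accounts, the real run must be under sudo; the functions take the folder as an argument so you can try them on a scratch copy first.

```bash
#!/bin/sh
# Added example, not ESET's code. Expected owner/group/modes are the values
# from the forum post; function names and non-root behaviour are assumptions.

EXPECTED_OWNER="eset-ecsm-scand"
EXPECTED_GROUP="eset-ecsm-daemons"
EXPECTED_DIR_MODE="770"   # rwxrwx---
EXPECTED_FILE_MODE="600"  # rw-------

# Print "owner group octal-mode" for one path. macOS ships BSD stat, Linux GNU stat.
stat_ogm() {
    case "$(uname -s)" in
        Darwin) stat -f '%Su %Sg %Lp' "$1" ;;
        *)      stat -c '%U %G %a' "$1" ;;
    esac
}

# Step 3: list every entry below the quarantine folder whose owner, group or
# mode differs from what the product expects. One line per deviation;
# returns 0 when the tree is clean, 1 otherwise.
audit_quarantine() {
    qdir=$1
    out=$(find "$qdir" -mindepth 1 | while IFS= read -r p; do
        set -- $(stat_ogm "$p")          # $1 owner, $2 group, $3 mode
        if [ -d "$p" ]; then want=$EXPECTED_DIR_MODE; else want=$EXPECTED_FILE_MODE; fi
        [ "$1" = "$EXPECTED_OWNER" ] || printf 'owner %s, want %s: %s\n' "$1" "$EXPECTED_OWNER" "$p"
        [ "$2" = "$EXPECTED_GROUP" ] || printf 'group %s, want %s: %s\n' "$2" "$EXPECTED_GROUP" "$p"
        [ "$3" = "$want" ]           || printf 'mode %s, want %s: %s\n'  "$3" "$want" "$p"
    done)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Step 4, applied to the whole tree: set the modes, and the ownership when we
# are root. A chown that fails because the eset-ecsm-* accounts do not exist
# on this machine is reported, not fatal.
fix_quarantine_modes() {
    qdir=$1
    find "$qdir" -mindepth 1 -type d -exec chmod "$EXPECTED_DIR_MODE" {} +
    find "$qdir" -type f -exec chmod "$EXPECTED_FILE_MODE" {} +
    if [ "$(id -u)" -eq 0 ]; then
        find "$qdir" -mindepth 1 -exec chown "$EXPECTED_OWNER:$EXPECTED_GROUP" {} + ||
            printf 'chown failed: does %s:%s exist on this machine?\n' "$EXPECTED_OWNER" "$EXPECTED_GROUP"
    else
        printf 'not root; run: sudo chown -R %s:%s "%s"\n' "$EXPECTED_OWNER" "$EXPECTED_GROUP" "$qdir"
    fi
}

# Steps 5 and 6: remove one quarantine record (its .NDF and .NQF parts, and
# any other extension) from a subfolder, then verify nothing with that name
# is left. $1 quarantine folder, $2 subfolder (e.g. root), $3 record name.
purge_quarantine_record() {
    rm -Rf "$1/$2/$3".*
    # The post's check: "ls -la | grep NAME" must return nothing.
    if ls -la "$1/$2" | grep -q "$3"; then
        return 1
    fi
    return 0
}

# Usage on the real folder, as root (step 7, the macOS restart, is manual):
#   sudo sh audit_quarantine.sh "/Library/Application Support/ESET/Security/cache/quarantine"
if [ -n "${1:-}" ]; then
    audit_quarantine "$1" || fix_quarantine_modes "$1"
    audit_quarantine "$1" || echo "deviations remain; see above"
    purge_quarantine_record "$1" root 356A192B7913B04C54574D18C28D46E6395428AB &&
        echo "record removed; now restart macOS"
fi
```

The audit prints what it finds and leaves the decision to you; the fix only runs when you call it, so the first thing to do on a machine with the problem is `sudo sh audit_quarantine.sh <folder>` and read the output before anything is changed.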

20 minutes ago, Robertos said:

Two ESET developers replicated your issue with the content of your quarantine.

Removing '356A192B7913B04C54574D18C28D46E6395428AB.*' from the root quarantine fixed the issue, and the quarantine started to work for both developers.


Already updated to 7.4.1600.0 when it came out, as mentioned above.

I manually removed the listed file from quarantine via Finder (temporarily added my user account to the folder permissions to do so, then removed it when I was done).

@Robertos Do you want to continue this in the private message?

ESET Staff

If you did everything correctly and it is still not working, you should wait for the release of a build with the quarantine issue fixed.

Maybe you could try one more hint: the problematic file is in the quarantine subfolder 'root'.

  1. You could move this folder outside of the quarantine folder to another disk location, e.g. to your ~/Documents/. Move means that the root folder is deleted in its original location.
  2. Next, restart macOS.
  3. Then try the quarantine in the GUI again; it should work.

This allows you to restore all files except the ones that were in the root subfolder. You can move the root subfolder back after we release the build with the quarantine fix, and then you will be able to restore the rest of your files.
