alfredapp / google-drive-workflow

Alfred Workflow for Google Drive
BSD 3-Clause "New" or "Revised" License

Google Drive Workflow is recognised as Malware by Malwarebytes #36

Closed chrisspiegl closed 2 years ago

chrisspiegl commented 2 years ago

I am using the Workflow and it's working great.

Today, I ran a malware check with Malwarebytes (free version) and noticed that the workflow's launch agent is recognised as malware by the program.

It does not seem to be all that serious and is only recognised as "OSX Generic Suspicion" but I thought to mention it here nonetheless.

Here is a screenshot of what Malwarebytes shows as a result:

[Screenshot: Capture 2022-05-12 at 09 12 01]

Maybe something about the workflow can be changed so that it does not trigger the scanner and possibly confuse people?

Cheers, Chris

vitorgalvao commented 2 years ago

> but I thought to mention it here nonetheless.

Thank you.

> Maybe something about the workflow can be changed so that it does not trigger the scanner

Probably not. The launchd agent is super simple (it just calls an External Trigger in the Workflow) and removing it would require users to remember to rebuild their caches manually. I’d wager they’re just checking ~/Library/LaunchAgents and triggering on everything they don’t know about.

They have a forum to report false positives. Would you mind posting there? I don’t use Malwarebytes and they want the scanner logs together with the report. I’m available to answer questions they may have.

chrisspiegl commented 2 years ago

I'll try and submit it sometime next week. Thanks for the update.

vitorgalvao commented 2 years ago

Thank you. I’ll be closing as solved, then. If you wish to add a link back here afterwards it’s appreciated, but no worries if not. Thank you again! Have a great weekend.

chrisspiegl commented 2 years ago

Hello @vitorgalvao, as requested I did report this on the Forum.

They responded and gave a suggestion about how this could be prevented pretty easily by simply moving the Apple Script into a text file with a shell shebang.

Forum Thread here

vitorgalvao commented 2 years ago

> moving the Apple Script into a text file

This wouldn’t work because the launchd agent wouldn’t know where to look for the script. The location of a Workflow on a file system depends on the user’s sync settings. Alfred expects to be called via osascript because it provides a way of interaction otherwise not possible. It is the solution designed for the problem.

Thank you for trying.

chrisspiegl commented 2 years ago

Thanks for the update @vitorgalvao, I am just trying to figure this out.

Interestingly — not sure why — the 1Password Workflow does not get recognised by Malwarebytes despite almost looking the same in code.

Maybe there will be a different approach in the future which could change the behaviour to one that is not marked as suspicious by Malwarebytes.

But for anyone landing here from finding this as suspicious:

  1. Open Malwarebytes
  2. Open Detection History
  3. Allow List
  4. Add Button
  5. Find the following two files:
    • ~/Library/LaunchAgents/com.alfredapp.googledrive.plist
  6. Add it to the Allow List
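
Before adding a flagged launch agent to the allow list, it is worth confirming what it actually runs. The following is an added example, not part of this thread or the workflow's own code: it parses a launchd plist and reports the command, any inline script handed to an interpreter, and the scheduling keys. The sample plist, its label, trigger name and workflow bundle id are constructed for illustration.

```python
import plistlib

# Constructed sample, NOT the workflow's real plist: an agent that runs an
# inline AppleScript through osascript on a timer (the pattern discussed above).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.cache-rebuild</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>-e</string>
    <string>tell application id "com.runningwithcrayons.Alfred" to run trigger "rebuild" in workflow "com.example.workflow"</string>
  </array>
  <key>StartInterval</key><integer>86400</integer>
</dict></plist>"""

# Interpreters that accept code directly on the command line, and the flag used.
INLINE_FLAGS = {"osascript": "-e", "sh": "-c", "bash": "-c", "zsh": "-c", "python3": "-c"}

# launchd keys that decide when the job fires.
SCHEDULE_KEYS = ("RunAtLoad", "StartInterval", "StartCalendarInterval", "WatchPaths", "KeepAlive")


def summarize_agent(plist_bytes):
    """Return what a launchd agent executes and when, for manual review."""
    job = plistlib.loads(plist_bytes)
    argv = list(job.get("ProgramArguments") or [])
    if not argv and job.get("Program"):
        argv = [job["Program"]]  # launchd falls back to Program when no argv is given
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    flag = INLINE_FLAGS.get(exe)
    # Collect every argument that directly follows the interpreter's inline-code flag.
    inline = [argv[i + 1] for i, a in enumerate(argv[:-1]) if flag and a == flag]
    schedule = {k: job[k] for k in SCHEDULE_KEYS if k in job}
    return {"label": job.get("Label"), "argv": argv, "inline_code": inline, "schedule": schedule}


if __name__ == "__main__":
    for key, value in summarize_agent(SAMPLE_PLIST).items():
        print(f"{key}: {value}")
```

To review a real agent, pass the bytes of the file in `~/Library/LaunchAgents` (read in binary mode) to `summarize_agent` and read the inline script before deciding whether the detection is a false positive.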