Closed glensc closed 1 year ago
The install script downloads this binary:
md5sum:
51157156ed6dc11dbdc1837f583dc7ed sentry-cli-Darwin-universal
What tool is identifying it as such?
I guess it's a false positive then.
This is all I got from our IT department:
Mosyle's own database, macOS XProtect database and ClamAV database.
I tested with ClamAV and it didn't report it.
$ docker run --rm -it -v `pwd`/clamav:/var/lib/clamav -v `pwd`/scandir:/scandir clamav/clamav clamscan /scandir
Loading: 20s, ETA: 0s [========================>] 8.64M/8.64M sigs
Compiling: 5s, ETA: 0s [========================>] 41/41 tasks
/scandir/sentry-cli-Darwin-universal: OK
----------- SCAN SUMMARY -----------
Known viruses: 8644373
Engine version: 0.105.1
Scanned directories: 1
Scanned files: 1
Infected files: 0
Data scanned: 44.30 MB
Data read: 20.82 MB (ratio 2.13:1)
Time: 28.934 sec (0 m 28 s)
Start Date: 2022:11:24 11:49:43
End Date: 2022:11:24 11:50:12
$ docker run --rm -it -v `pwd`/clamav:/var/lib/clamav -v `pwd`/scandir:/scandir clamav/clamav
Starting Freshclamd
Starting ClamAV
Socket for clamd not found yet, retrying (0/1800) ...ClamAV update process started at Thu Nov 24 11:50:46 2022
daily.cvd database is up-to-date (version: 26730, sigs: 2012424, f-level: 90, builder: raynman)
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode.cvd database is up-to-date (version: 333, sigs: 92, f-level: 63, builder: awillia2)
Socket for clamd not found yet, retrying (6/1800) ...
We are getting this as well from Mosyle, and it started popping up recently. Could anyone from Sentry confirm whether this is a false positive?
We are not aware of any issues related to security. All checksums are available directly inside the installed npm package as a checksums.txt file in its root, and/or inside our registry: https://github.com/getsentry/sentry-release-registry/blob/master/apps/sentry-cli/1.74.3.json
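One way to do the check the maintainer describes, verifying a downloaded binary against a registry-style manifest before trusting it. This is an added example, not code from the thread or from Sentry's tooling; the manifest field names ("files", "checksums", "sha256-hex") and the payload bytes are constructed assumptions, not the real registry entry.

```python
"""Verify a downloaded sentry-cli binary against a release-registry style manifest."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for the binary; sha256(b"abc") is the standard test vector.
SAMPLE_PAYLOAD = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Constructed manifest in the spirit of apps/sentry-cli/<version>.json.
# The field names "files", "checksums" and "sha256-hex" are assumptions.
SAMPLE_MANIFEST = {
    "name": "sentry-cli",
    "version": "0.0.0-constructed",
    "files": {
        "sentry-cli-Darwin-universal": {"checksums": {"sha256-hex": SAMPLE_SHA256}},
    },
}

def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the file through the digest so a ~40 MB binary is never read whole."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_binary(path, manifest, file_name):
    """Return (ok, reason); ok only when the file's sha256 matches the manifest entry."""
    entry = manifest.get("files", {}).get(file_name)
    if entry is None:
        return False, f"{file_name} is not listed in the manifest"
    expected = entry.get("checksums", {}).get("sha256-hex", "").lower()
    if not expected:
        return False, f"no sha256-hex checksum recorded for {file_name}"
    actual = hash_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"sha256 mismatch: manifest {expected}, file {actual}"
    return True, "sha256 matches the manifest"

def demo():
    """Write the constructed payload to a temp dir and check a good, a tampered and an unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "sentry-cli-Darwin-universal"
        good.write_bytes(SAMPLE_PAYLOAD)
        tampered = Path(tmp) / "tampered"
        tampered.write_bytes(SAMPLE_PAYLOAD + b"\x00")  # one extra byte breaks the digest
        return [
            verify_binary(good, SAMPLE_MANIFEST, "sentry-cli-Darwin-universal"),
            verify_binary(tampered, SAMPLE_MANIFEST, "sentry-cli-Darwin-universal"),
            verify_binary(good, SAMPLE_MANIFEST, "not-in-manifest"),
        ]

if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

Against a real download, replace the constructed manifest with the parsed registry JSON for the installed version and compare the sha256 rather than the md5 shown earlier in the thread.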
@siyunlai what specific binary is it not happy about? Also can you give us some more details, or some logs about the report itself?
The checksum is correct. However, Mosyle quarantines the threat MacOS_Hacktool_Twenbc under .npm/sentry-cli/######-sentry-cli-Darwin-universal. It's the same log as what @glensc has shown above.
This popped up the other day on all of our engineers' MBPs.
Dropping this for reference since it's another Rust application that is being detected in the same way: https://github.com/kbknapp/cargo-outdated/issues/335 Guessing it's detecting something in some dependency that may be shared?
I administrate Mosyle for our team so can give some info that could help -- their "Detection & Removal 2" endpoint security application is described this way in help content:
It was one of the first solutions in the market to adopt Apple’s new Endpoint Security Framework to constantly monitor a wide range of security events on macOS. Leveraging this framework, Detection and Removal 2 can perform deeper analysis and validations to immediately identify and neutralize new malware introduced on the device through diverse methods.
Mosyle’s AI-based behavioral analysis leverages a large combination of different characteristics and the context of where each was identified to achieve high precision in identifying potentially undesired files and applications and avoid false-positives. However, false positives can happen.
... leverage a special database of known malware and Potentially Unwanted Applications (PUA). This comprehensive database contains:
- The native macOS database used by XProtect and MRT leveraged programmatically and locally on each device (Mosyle doesn’t maintain or distribute copies of the macOS database of definitions);
- A wide list representing malwares and threats known by the security community, curated by Mosyle’s Security Research team and distributed by Mosyle;
- A complete list of Mosyle’s proprietary definitions identified as part of Mosyle’s Security Research efforts specialized on macOS threats.
I tested the most recent v1 and v2 with ClamAV, which was mentioned in the issue linked above, and with the freshest db/signatures it's not reported.
…/Cellar/clamav/1.0.0 ❯ ./bin/freshclam
ClamAV update process started at Tue Dec 6 13:53:20 2022
daily database available for download (remote version: 26742)
Time: 2.4s, ETA: 0.0s [========================>] 57.55MiB/57.55MiB
Testing database: '/usr/local/var/lib/clamav/tmp.6c3c2cc7a8/clamav-ba6f89a4a83074b29aae3280a5e5c601.tmp-daily.cvd' ...
Database test passed.
daily.cvd updated (version: 26742, sigs: 2013568, f-level: 90, builder: raynman)
main database available for download (remote version: 62)
Time: 7.1s, ETA: 0.0s [========================>] 162.58MiB/162.58MiB
Testing database: '/usr/local/var/lib/clamav/tmp.6c3c2cc7a8/clamav-12445f304db62b79e8a9d79041d2be0f.tmp-main.cvd' ...
Database test passed.
main.cvd updated (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
bytecode database available for download (remote version: 333)
Time: 0.1s, ETA: 0.0s [========================>] 286.79KiB/286.79KiB
Testing database: '/usr/local/var/lib/clamav/tmp.6c3c2cc7a8/clamav-6e0a5397e10137894714ecf44680f8fa.tmp-bytecode.cvd' ...
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
…/Cellar/clamav/1.0.0 ❯ ./bin/clamscan ~/tmp/cli 13:56:07
Loading: 16s, ETA: 0s [========================>] 8.65M/8.65M sigs
Compiling: 4s, ETA: 0s [========================>] 41/41 tasks
/Users/kamilogorek/tmp/cli/sentry-cli-Darwin-universal2: OK
/Users/kamilogorek/tmp/cli/sentry-cli-Darwin-universal1: OK
----------- SCAN SUMMARY -----------
Known viruses: 8645515
Engine version: 1.0.0
Scanned directories: 1
Scanned files: 2
Infected files: 0
Data scanned: 97.32 MB
Data read: 45.74 MB (ratio 2.13:1)
Time: 25.854 sec (0 m 25 s)
Start Date: 2022:12:06 13:56:08
End Date: 2022:12:06 13:56:34
~/tmp/cli ❯ ./sentry-cli-Darwin-universal1 --version
sentry-cli 1.74.6
~/tmp/cli ❯ ./sentry-cli-Darwin-universal2 --version
sentry-cli 2.10.0