[clamav-users] Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
This definition is detecting many files that appear to be safe.
Has anyone else seen this?
I have had no luck in getting ClamAV to address false positives in the past.

Files and paths I have seen so far, but the list seems to increase:
/Library/Application Support/Adobe/Adobe Desktop Common/ExchangePlugin/ExchangePluginDylib.dylib
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc/Contents/MacOS/com.apple.iTunesLibraryService
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Applications/Publisher Lite.app/Contents/Frameworks/iMedia.framework/Versions/A/iMedia
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Applications/TeX/TeXShop.app/Contents/MacOS/TeXShop
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Applications/Citrix Workspace.app/Contents/Resources/Templates/Citrix Viewer.app/Contents/Frameworks/ICAServices.framework/Versions/A/ICAServices
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Applications/Citrix Workspace.app/Contents/Resources/Templates/DockApplication.app/Contents/Frameworks/ICAServices.framework/Versions/A/ICAServices
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Library/Application Support/Citrix Receiver/Citrix Workspace Updater.app/Contents/Frameworks/ICAServices.framework/Versions/A/ICAServices
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
usr/local/libexec/ReceiverHelper.app/Contents/Frameworks/ICAServices.framework/Versions/A/ICAServices
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND

--


Douglas Stinnette

VCU Technology Services

Endpoint Security Specialist

Virginia Commonwealth University

827-0933



Don't be a phishing victim - VCU and other reputable organizations will
never use email to request that you reply with your password, Social
Security number or confidential personal information. For more details
visit http://go.vcu.edu/phishing or http://phishing.vcu.edu.
Re: [clamav-users] Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
Confirming that those are false positives, thanks for reporting. The
offending signature has been dropped. This should be reflected in the next
signature update.

- Alain

On Thu, Jan 9, 2020 at 12:29 PM Douglas Stinnette <dstinnet@vcu.edu> wrote:
Re: [clamav-users] Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
Hi Alain,

That is nice to know. I am still trying to learn what files are detected
across our systems.
/Users/smstiffler/Library/Application Support/
zoom.us/zoom.us.app/Contents/Frameworks/annoter.bundle/Contents/MacOS/annoter
Osx.Adware.TotalAdviseSearch-7489207-0 FOUND

Could you let me know the name of the next update?
Any suggestions on how I can restore the files locally?

Thanks,
Doug

On Thu, Jan 9, 2020 at 12:41 PM Alain Zidouemba <azidouemba@sourcefire.com>
wrote:


Re: [clamav-users] Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
On Jan 9, 2020, at 10:03, Douglas Stinnette <dstinnet@vcu.edu> wrote:
> Could you let me know the name of the next update?

Should be daily - 25690 released about twelve hours from now.

> Any suggestions on how I can restore the files locally?

If you are using the basic ClamAV and those files were deleted, you'll have to re-install all the applications impacted. If you are using the commercial product ClamXAV, then the reports showing Scan results will allow you to restore those files.

> Thanks,
> Doug
Re: [clamav-users] Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
daily 25690 was released five minutes ago and included the following entry:

> Dropped Detection Signatures:
>
> * Osx.Adware.TotalAdviseSearch-7489207-0

-Al-
ClamXAV User
=============================
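The triage a defender would want at this point in the thread, as an added example that is neither the posters' nor the ClamAV project's code: parse clamscan report lines, flag a signature whose hits all sit inside installed vendor bundles (the pattern Doug saw, and the strongest hint of a bad signature), and check whether the local daily database still predates the release that dropped the signature. The report lines, the version string, the placeholder Trojan name and the all-vendor-paths heuristic are my own constructions; the line formats of clamscan and `clamscan --version` are assumed.

```python
import re
from collections import defaultdict

# Constructed sample report (clamscan "path: SIGNATURE FOUND" lines) modelled on the
# thread; the Trojan line and the user paths are invented to show a non-vendor hit.
SCAN_OUTPUT = """\
/Applications/TeX/TeXShop.app/Contents/MacOS/TeXShop: Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc/Contents/MacOS/com.apple.iTunesLibraryService: Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Applications/Citrix Workspace.app/Contents/Resources/Templates/Citrix Viewer.app/Contents/Frameworks/ICAServices.framework/Versions/A/ICAServices: Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
/Users/alice/Downloads/installer.dmg: Osx.Trojan.Placeholder-1-0 FOUND
/Users/alice/Documents/notes.txt: OK
"""
# Constructed "clamscan --version" string: engine / daily DB version / DB build date.
VERSION_OUTPUT = "ClamAV 0.102.1/25689/Thu Jan  9 08:00:00 2020"

# Signatures known to be dropped, and the daily release that dropped them (from the thread).
DROPPED_IN = {"Osx.Adware.TotalAdviseSearch-7489207-0": 25690}

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Hits confined to these roots are installed vendor software, the pattern of a bad signature.
VENDOR_PREFIXES = ("/Applications/", "/Library/Frameworks/", "/Library/Application Support/")


def parse_found(report):
    """Group every FOUND line of a clamscan report by signature: {sig: [paths]}."""
    hits = defaultdict(list)
    for line in report.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m["sig"]].append(m["path"])
    return dict(hits)


def suspect_false_positives(hits, min_hits=3):
    """My own triage heuristic: a signature firing only inside vendor bundles,
    several times over, deserves a false-positive report before any deletion."""
    return sorted(sig for sig, paths in hits.items()
                  if len(paths) >= min_hits
                  and all(p.startswith(VENDOR_PREFIXES) for p in paths))


def daily_version(version_line):
    """Daily signature DB version from the 'ClamAV x.y.z/NNNNN/date' version string."""
    return int(version_line.split("/")[1])


def still_active(sig, version_line):
    """True while the local daily DB predates the release that dropped sig."""
    dropped = DROPPED_IN.get(sig)
    return dropped is None or daily_version(version_line) < dropped
```

Scanning with `--move` into a quarantine directory instead of `--remove` keeps the victims of a later-dropped signature restorable, which is what the reinstall advice above has to work around.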
Re: [clamav-users] Osx.Adware.TotalAdviseSearch-7489207-0 FOUND
Al,

Thank you for letting me know when it was released.
Doug


On Fri, Jan 10, 2020 at 5:09 AM Al Varnell via clamav-users <
clamav-users@lists.clamav.net> wrote:

