Intego VirusBarrier found Malware (False Positive?)

Bert Leithold shared this question 3 weeks ago
Answered

I've been running TuneSpan 1.3.1 successfully for a long time on macOS 10.12 -- it's one of my most-often-used apps. I also use Intego VirusBarrier (10.9.14 (857)).

Today, I upgraded to macOS 10.13 (High Sierra) and coincidentally Intego updated its products yesterday, and a new set of malware definitions came down this morning. I have VirusBarrier set to perform an automatic quick scan of files always upon completion.

Today for the first time, VirusBarrier found "Malware: OSX/AMC.fs" in the Paddle-MAS framework (whatever that is). The specific path to the infected file is: Macintosh SSD / Applications / TuneSpan.app / Contents / Frameworks / Paddle-MAS.framework / Versions / A / Paddle-MAS

I changed nothing with TuneSpan in months since obtaining it from the macOS App Store, so I suspect either High Sierra is causing a problem and/or today's Intego VirusBarrier update may be indicating a false positive. I've just reported this to Intego and provided the flagged Paddle-MAS file within the package for their analysis, but wanted to post here in case someone else runs into this. I'll post back here when I have a conclusion from Intego.

Comments (4)


Thanks so much for getting in touch to report this. And thank you for reporting it to Intego as well.

This is totally new to me! I really hope there is nothing malicious in the Paddle framework that's in TuneSpan.

Paddle (https://paddle.com) is the framework that I use for the opt-in analytics. It is from a reputable company and I've never heard of any issues about it involving malware.

I'll look into this further. And please let me know what you hear back from Intego.

After a quick search it looks like "OSX/AMC.fs" is categorized as Adware: http://www.avgthreatlabs.com/en-us/virus-and-malware-information/info/osx-amc/

"OSX/AMC is an Adware software that delivers advertisement content to end-user and may be considered privacy-invasive. This set of malware includes toolbars, multi-offer installers, intrusive and fraudulent applications, free versions of commercial products which displays advertising, and any software that is funded by advertising. Also some forms of hacker or risk tools might be classified as potentially harmful as they can be misused by an attacker (e.g. password revealers)."

I'm thinking and hoping this is a false positive for Paddle. No part of the Paddle functionality has ever behaved like this and there's no way I would write any code to do that kind of stuff myself in TuneSpan.


No, thank YOU for a great app and always being responsive. Yes, I suspect this is also a false positive -- especially being we've had the same code running for more than a year and it just now popped up as being a problem. Too much of a coincidence to my initial way of thinking! ;)

I did get confirmation that the detail I provided has been passed on to the Intego Malware Team for analysis and resolution. I have an open support ticket with them, so when I hear more, I'll post here.


This morning I received an automatic virus definition from overnight, interestingly a "-2" of yesterday's version. Just re-ran a virus scan on my entire Mac and all external devices, and Paddle-MAS is no longer being flagged. As we both suspected, it appears this was a false positive with Intego's Virus Definitions -- a first I've ever run into after years of using their tool. Anyone that uses Intego VirusBarrier, just update your definitions today, and you should be good to go once again without any additional concern.

Thanks again for a great app and your continued responsiveness. I've become completely reliant upon TuneSpan managing my ever-growing spanned 8.5TB of 33K songs, movies and TV shows on an external Drobo, so really appreciate how well thought-out and bullet-proof TuneSpan has proven to be.


Thanks so much for getting back with this info. That's a relief :-)

Even if it's a false positive it'd be frustrating to have more users run into this. I'm very glad that it's been fixed in a definitions update.