Positives in installation of Eclipse app on macOS Ventura 13 (ARM)

Hi!

Bitdefender Virus Scanner, v3.17.276** (available on the app store) running a deep scan with full disk access in macOS Ventura 13, found a number of threats on my disks, including decade old spam messages I had passed on to a spam report service, so had never opened and some other threats that I unceremoniously deleted manually (not deletable by VS it claimed) as it wasn't in anything I needed. This message is also in my time machine backup, which is not deletable in this version of macOS, so it'll remain there.

What remains somewhat of a puzzle is that VS also claims Trojan.GenericKD.70767813 is in org.eclipse.wst.command.env.doc.user_1.5.400.v201903222115.jar and Trojan.GenericKD.70767800 in org.eclipse.wst.wsdl.ui.doc.user_1.0.850.v201903222115.jar. Both found inside "~/.p2/pool" where the developer app Eclipse v2023-09 (4.29) keeps installed bundles I believe.

It's somewhat disconcerting I cannot find any info anywhere what exactly Trojan.GenericKD.70767813 and Trojan.GenericKD.70767800 are in this case. I do understand it's a broad family/type of malware and is likely the result of a heuristic detection of suspicious characteristics (assuming that's what VS does). Perhaps BitDefender keeps a database of findings it turns up, that I've missed? These two specific specimens doesn't turn up when searching unfortunately.

Anyway, these are now in Quarantine, but if I ask the VirusTotal service to evaluate with direct access to the jar URL of these two it suggest 0 of 91 security vendors flagged either of these URLs as malicious:

https://www.virustotal.com/gui/url/ab33565a6ec9f3b28741d00d63651bf5c7641c1dd659877417f3af8e5faf6af2?nocache=1

https://www.virustotal.com/gui/url/2932410fcc5f01e7ccd7ee43228261824f3891d6ec0639634c506f37c92a3a3e?nocache=1

I should also mention I before BitDefender I scanned also With Intego Virusbarrier and while it found other positives, like in printer driver installation software, it found none of these VS found. I've also been running MalwareBytes, currently 4.21.9, and it has never found anything anywhere.

I guess either BitDefender is so much better at finding threats or its heuretics results in more false postitives. To me, the other files VS found appeared far more credible as being actual possible threats than those Intego found.

But the pair described above inside my developer software, do remain puzzling. Are they infected? Have other threats been installed since a year when these were installed? If so, why wouldn't any of the 91 vendors at Virustotal agree with VS? Of course, it could be my copy has been infected in transit or during installation as Virustotal analyzed the source URL, not files on my disk.

Any advice for this type of situation? Thanks and hello!

** didn't find a specific sub-forum for Virus Scanner

Find more posts tagged with

Comments

Flexx

https://community.bitdefender.com/en/discussion/98326/positives-in-installation-of-eclipse-app-on-macos-ventura-13-arm

1) Trojan.GenericKD.****** is a generic detection name used by Bitdefender antivirus software to identify a potential Trojan horse-type malware. It's not a specific virus, but rather a broad classification that encompasses various Trojan-like threats.

2) Regarding Detection Availability:

It's important to note that not all malware detections are visible on VirusTotal. This is due to several key factors:

Database Updates: VirusTotal might have a delayed database update process compared to real-time updates in built-in antivirus products. This means it could be working with older threat information.
Detection Methods: VirusTotal primarily relies on signature-based and heuristic-based detection, while many modern antivirus products incorporate advanced cloud-based detection and behavior blocking capabilities. These techniques can identify emerging threats that haven't yet been added to traditional signature databases.
Vendor-Specific Detections: Some antivirus vendors might have unique detection algorithms or threat intelligence that aren't shared with VirusTotal, leading to discrepancies in results.

3) If no other antimalware vendor is detecting a file on VirusTotal, it indicates only two things: either the sample is a false positive, or the sample is malicious but does not meet the criteria for creating a detection by other antimalware. Every vendor has a different category to classify a file as malicious. The file that may be malicious to one antimalware may not be to another, and vice versa.

Therefore, it's always advisable to prioritize the results of your built-in antivirus solution, as it often benefits from more comprehensive and up-to-date protection mechanisms.

If you believe that a website or file has been incorrectly blocked by Bitdefender, you can share the details with our malware researchers by filling out the form at the link provided below: https://www.bitdefender.com/consumer/support/answer/29358/

If the website or file is indeed incorrectly blocked, the detection will be removed within a maximum of 72 hours. However, if the detection still persists after 72 hours, please consider the website or file as malicious, as determined by our malware researchers, and the detection will remain.

Regards

MiBiT

I have now replaced the jars in question with the download versions in the links above and rescanned with deep scan. No threats detected. It's possible that somehow the specific jars were infected, and the originals isn't. I'm not sure how that could have happened. I'm also not sure what to make of the results Virus Scanner gave me or BitDefender in general. I'm assuming that Virus Scanner is giving me the full detectability of BitDefender.

When you got a false positive, to me it makes no sense to assume it is false. I need to know, ar at least be able to replace or delete the possible culprit without remorse.