ClamXAV Detected Trojan.OSX.RustAgent – Is This a False Positive?

[Davo2]

Hello all,

I'm looking to understand more about Mac malware. I recently scanned my 27-inch iMac (Late 2015, 3.2 GHz Quad-Core Intel Core i5, 32GB RAM, running macOS Ventura 13.6) with ClamXAV, and it flagged the following:

/Users/Shared/suspiciousfile.dylib: Trojan.OSX.RustAgent FOUND

It was quarantined immediately, and I haven't noticed any symptoms. Could this be a false positive? Are there trusted tools to confirm or refute ClamXAV’s result?

Thanks in advance for any insight.

 

[Grumpus]

You could submit the file to virustotal. One or two false positives is a common result. Any more than that and it's probably malware.

 

[Davo2]

You could submit the file to virustotal. One or two false positives is a common result. Any more than that and it's probably malware.

Thank you. Sadly, I've already deleted the file and emptied my Bin!

 

[bogdanw]

A dylib file should not have been in /Users/Shared/, that in itself is suspicious.

Scan with these free apps from the App Store
Intego VirusBarrier Scanner https://apps.apple.com/app/id1200445649
Bitdefender Virus Scanner https://apps.apple.com/app/id500154009

 

[Davo2]

A dylib file should not have been in /Users/Shared/, that in itself is suspicious.

Scan with these free apps from the App Store
Intego VirusBarrier Scanner https://apps.apple.com/app/id1200445649
Bitdefender Virus Scanner https://apps.apple.com/app/id500154009

Thank you for your guidance! Here's the result of the first scans I have done:-

 

[Davo2]

Final verdict from Bitdefender! 😄

I confess that I was surprised that infections were found.

Do other folk reading here scan their Macs for malware?

 

[Grumpus]

I have used Intego VirusBarrier to do on-demand scans when I'm playing around with old, long-unsupported versions of macOS. On my daily drivers, I use KnockKnock and BlockBlock from Objective-See along with Firefox plus uBlock Origin.

 

[bogdanw]

I confess that I was surprised that infections were found.

Bitdefender finds Windows malware too, even if poses no threat to macOS. It scans Safari/the browser's cache as well and some generic variants may be JavaScript files.

 

[uacd]

Wow! Any ideas where it might have come from?

Kinda interesting because Ventura is not too old, strange that macOS built-in security didn’t see that one coming

 

[Davo2]

Wow! Any ideas where it might have come from?

No, I'm afraid not. This was the reference provided by ClamXAV:-

9F75A35370146C2C8A7ECF554C45345D59FAE50F-blob /Users/***********/Library/Group Containers

Kinda interesting because Ventura is not too old, strange that macOS built-in security didn’t see that one coming

Whenever I look on the Apple Support Communities Forums the gurus advising there appear to recommend removing any AV software from a user's computer. However, from the diagram below, it appears that way over half of the users of Apple computers who run EtreCheck are using anti-virus software.

Maybe Apple is not as efficient in catching malware as people are lead to believe! 😅

 

[bogdanw]

EtreCheck’s statistics are not representative, for two main reasons:
- the app is mostly used by people who recently switched from Windows to macOS and because they used an antivirus on Windows they think they need one on macOS.
- EtreCheck scares user into installing an antivirus with the message “Antivirus software None!”

Here is how to get a similar “infection”. I just browsed the most famous torrents website , did’t download anything, and Bitdefender deleted “generic trojans” from Orion and Safari’s cache.

They are definitely not trojans, just scripts marked by antivirus software as potentially malicious.
You can perform the same disinfection by simply deleting the browser’s cache. I do that at least once a day.

 

[Davo2]

EtreCheck’s statistics are not representative, for two main reasons:
- the app is mostly used by people who recently switched from Windows to macOS and because they used an antivirus on Windows they think they need one on macOS.
- EtreCheck scares user into installing an antivirus with the message “Antivirus software None!”

I'm not sure that's right! I think is should say .......... "Antivirus software: Apple"

Here is how to get a similar “infection”. I just browsed the most famous torrents website , did’t download anything, and Bitdefender deleted “generic trojans” from Orion and Safari’s cache.
View attachment 2509633
They are definitely not trojans, just scripts marked by antivirus software as potentially malicious.
You can perform the same disinfection by simply deleting the browser’s cache. I do that at least once a day.

So SHOULD people run AV software on a Mac - or NOT do so?

 

[Davo2]

Wow! Any ideas where it might have come from?

Kinda interesting because Ventura is not too old, strange that macOS built-in security didn’t see that one coming

You might find this thread interesting reading:-

Sign In - Apple

discussions.apple.com

It's about detecting Rootkits! 😉

 

[mrkapqa]

You might find this thread interesting reading:-

Sign In - Apple

discussions.apple.com

It's about detecting Rootkits! 😉

this url leads to error - page not found.

 

[Asinrutee]

Final verdict from Bitdefender! 😄

I confess that I was surprised that infections were found.

Do other folk reading here scan their Macs for malware?

Yes I use the free version of malwarebytes