Dr Web Flashback Virus checker accurate?

16384 Views 100 Replies Latest reply: Apr 22, 2012 12:44 AM by Ramón Tech
  • etresoft Level 7 (23,915 points)
    Apr 10, 2012 2:23 PM (in response to fane_j)

     

    fane_j wrote:

     

    etresoft wrote:

     

    The environment.plist file is never required.

    BBEdit and others require it. Hence, your statement is incorrect.

     

    Just because they did use it doesn't mean they should have used it.

     

    Moreover, if Apple provides this facility, and explains how it should be used, I don't understand why a developer shouldn't use it.

    Apple provides many facilities, one of which is the DYLD_INSERT_LIBRARIES, that are only for development or testing. There are many ways to do the same thing, some of those ways are just bad. They may be easy and it may be correct to use them in development until you get time to do it properly. You shouldn't deliver using those hacks. If BBEdit did that, that's just wrong.

     

     

     

    There are other, much better ways to accomplish the same thing.

    Such as?

     

    Don't use environment variables. They are designed for command-line environments. If you still want to use them, you can set them from the software itself using values from resource files. If you need to make any of those modifiable by the end user, provide a set of preferences for setting that. Again, environment.plist is the wrong answer.

     

    An Aqua user interface application should never rely on environment variables.

    And if it needs, or it is used, to run shell scripts, Perl, Python, etc, what should it rely on?

    Shell scripts are different. There are numerous ways to set environment variables in shell scripts. That is what they were designed for. environment.plist injects environment variables into the GUI user interface. It's just a hack, that's all.

    It is poor practice to ship code using that file.

    You are certainly entitled to your opinion. I see no reason or argument why anyone should agree with it.

     

    That's fine. Whether you believe me or not, there are a number of ways to construct software on MacOS X that are big red flags that the authors of that software are doing it wrong or were doing it wrong the last time they checked it in 2004. I don't have BBEdit but I do have TextWrangler. I have no .MacOSX/environment.plist file. I have a great number of highly unusual system modifications. If you have something so unusual that I don't have, you don't want it.

  • MadMacs0 Level 4 (3,345 points)
    Apr 10, 2012 2:43 PM (in response to etresoft)

    etresoft wrote:

     

     

    MadMacs0 wrote:

     

    I still cannot comment on your Tip, so either I don't know how or I don't have permission.

     

     

    It must be a permissions issue. There must be some level of points you need to add a comment. Can you see the comments I made?

    Yes, I saw three of your comments when I was there and I clicked all over the screen but nothing let me in. I assume it looks something like the "Reply" button in the lower right?

     

    I suspect it's a point thing which seems to be of great importance to the host for some reason.

  • fane_j Level 4 (3,655 points)
    Apr 10, 2012 4:24 PM (in response to etresoft)

    etresoft wrote:

     

    Apple provides many facilities, one of which is the DYLD_INSERT_LIBRARIES, that are only for development or testing.

    Environment.plist is not for testing.

    You shouldn't deliver using those hacks.

    If environment.plist is a hack, then it is a hack designed by Apple, made by Apple, supported by Apple, and indicated to developers by Apple (see the two developer library docs I referred above). You'll forgive me if, between Apple's recommendation and yours, I go with Apple's.

    Don't use environment variables. […] Again, environment.plist is the wrong answer.

    Please explain that to Apple. They've been providing and supporting the wrong answer for, what is it now? Over 10 years? Since v10.0 or thereabouts?

    I have no .MacOSX/environment.plist file. I have a great number of highly unusual system modifications. If you have something so unusual that I don't have, you don't want it.

    With great respect, I'm not about to consider that your configuration is the proper measure for all Mac OS X users. Between Apple and BareBones (who've been developing Mac software for over twenty years now) on one side, and you on the other side, with regret, I'll have to choose the former.

  • etresoft Level 7 (23,915 points)
    Apr 11, 2012 5:50 AM (in response to fane_j)

    fane_j wrote:

     

    Environment.plist is not for testing.

     

    I never said it was. I said DYLD_INSERT_LIBRARIES is for testing. Environment.plist is for lazy programmers.

     

    If environment.plist is a hack, then it is a hack designed by Apple, made by Apple, supported by Apple, and indicated to developers by Apple (see the two developer library docs I referred above). You'll forgive me if, between Apple's recommendation and yours, I go with Apple's.

     

    There is a great deal in Apple's example code, documentation, and in the operating system itself that should not be used in production code. A competent, professional developer will know which ones those are.

     

    Please explain that to Apple. They've been providing and supporting the wrong answer for, what is it now? Over 10 years? Since v10.0 or thereabouts?

     

    I'm sorry, but if you don't get it then you just don't get it. I can't do any more to explain it. I don't even rely on environment variables when I'm writing pure command-line scripts on Linux. If I have 3rd party software that does require them, I set them up in my own, controlled environment using resource files and then kick off the third party tools in the properly set up environment. I would never stick a file in a user's home directory for that.

     

    With great respect, I'm not about to consider that your configuration is the proper measure for all Mac OS X users. Between Apple and BareBones (who've been developing Mac software for over twenty years now) on one side, and you on the other side, with regret, I'll have to choose the former.

     

    BBEdit only uses that file to run scripts from the GUI. I'm quite sure that it isn't required. People using BBEdit probably know how to deal with that file. If it gets blown away, they can easily restore it. (And, for the record, I've been developing Mac software for 25 years now).

  • billynicol Level 1 (0 points)
    Apr 11, 2012 12:40 PM (in response to jo823)

    Does the following show infection of flashback or flashfake etc? I followed some instructions about Launchagents but don't know how to read them

     

    ls -la ~/Library/LaunchAgents

     

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

    William-Nicols-iMac:~ billynicol$ ls -la ~/Library/LaunchAgents
    total 64
    drwx------   9 billynicol  staff   306  9 Apr 22:26 .
    drwx------@ 59 billynicol  staff  2006  9 Apr 22:21 ..
    -rw-r--r--@  1 billynicol  staff  6148  9 Apr 22:26 .DS_Store
    -rw-r--r--   1 billynicol  staff   618 12 Oct 21:00 com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.2DF3B7F9-9CFE-47E0-BE4C-51E3F211FE7E.plist
    -rw-r--r--   1 billynicol  staff   901 28 Feb  2011 com.apple.CSConfigDotMacCert-billynicol@me.com-SharedServices.Agent.plist
    -rw-r--r--   1 billynicol  staff   817 28 Feb  2011 com.apple.SafariBookmarksSyncer.plist
    -rw-r--r--   1 billynicol  staff   540 28 Feb 16:47 com.avast.install.plist
    -rw-r--r--   1 billynicol  staff   807  9 Jul  2011 com.google.keystone.agent.plist
    -rw-r--r--   1 billynicol  staff   776 16 Sep  2011 com.valvesoftware.steamclean.plist
    William-Nicols-iMac:~ billynicol$
    William-Nicols-iMac:~ billynicol$ grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"
    William-Nicols-iMac:~ billynicol$

     

    and

     

    can I ask:

     

    I found the ".flserv" and "com.adobe.flp.plist" on my mac, but when I checked using instructions from http://brakertech.com/detect-mac-flashback/ through terminal it says system clear. I also checked through Kaspersky http://www.flashbackcheck.com/ and if I put my mac UUID in, it also says I am or have been infected. I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct?

     


  • WZZZ Level 6 (11,900 points)
    Apr 11, 2012 12:56 PM (in response to billynicol)

    The stuff in ~/Library/LaunchAgents looks OK.

     

    Check using this new Kaspersky tool.

     

    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

  • MadMacs0 Level 4 (3,345 points)
    Apr 11, 2012 1:29 PM (in response to WZZZ)

    WZZZ wrote:

     

    The stuff in ~/Library/LaunchAgents looks OK.

     

    Check using this new Kaspersky tool.

     

    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site

    Just had an instance of a user being locked out of his account using this tool Re: Non-Apple Software No Longer Works. I think it's recoverable, but proceed with caution.

  • fane_j Level 4 (3,655 points)
    Apr 11, 2012 1:56 PM (in response to etresoft)

    etresoft wrote:

     

    Environment.plist is for lazy programmers.

    As I said, you're welcome to your opinion. AFAIC, any programmer who uses what Apple provides in the manner Apple recommends and for the purposes Apple designed it, is a good programmer.

    I've been developing Mac software for 25 years now).

    That's admirable, and deserves respect. Nevertheless, it doesn't give you the right to set yourself up as the final arbiter of a user's configuration ("If you have something so unusual that I don't have, you don't want it."). And, with the greatest respect, between you on one side, and Apple and Rich Siegel on the other, I'll go with them.

  • billynicol Level 1 (0 points)
    Apr 11, 2012 2:05 PM (in response to jo823)

    Does anyone know or have an opinion please?

    I found the ".flserv" and "com.adobe.flp.plist" on my imac, but when I checked using instructions from http://brakertech.com/detect-mac-flashback/ through terminal it suggested my system is clear.

     

    I also checked through Kaspersky http://www.flashbackcheck.com/ and if I put my mac UUID in, it says I am or have been infected. I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct?  I have removed both .flserv and com.adobe.flp.plist now too so imagine I am safe.

     

    None of my credit card sites, bank, facebook etc have been weird so think I am OK.

  • etresoft Level 7 (23,915 points)
    Apr 11, 2012 2:17 PM (in response to billynicol)

    billynicol wrote:

     

    Does anyone know or have an opinion please?

    I found the ".flserv" and "com.adobe.flp.plist" on my imac, but when I checked using instructions from http://brakertech.com/detect-mac-flashback/ through terminal it suggested my system is clear.

    That suggests you shouldn't use that tool.

     

    I also checked through Kaspersky http://www.flashbackcheck.com/ and if I put my mac UUID in, it says I am or have been infected. I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct?  I have removed both .flserv and com.adobe.flp.plist now too so imagine I am safe.

     

    No way to tell at this point. There are a couple of different places that could have malware installed. Have you checked them all?

     

    Apple says it will release a removal tool soon. Until then, you can check the results of:

     

    cat ~/.MacOSX/environment.plist

     

    If you are tired of using these Terminal commands, you can try my removal script at: https://discussions.apple.com/docs/DOC-3271

    Just remember to accept default. Press "enter" if you aren't sure.
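
The manual checks posted in this thread (the LaunchAgents grep, the look at ~/.MacOSX/environment.plist, and the two file names billynicol reported), gathered into one read-only script. This is an added example, not part of any post here and not the removal script linked above; `scan_home` is a hypothetical helper name and the search depth is an assumption.

```shell
#!/bin/sh
# Added example: read-only scan of one home directory for the artifacts named
# in this thread. scan_home (hypothetical name) prints one "FINDING:" line per
# hit and returns 1 if anything was found, 0 if nothing was.
scan_home() {
    home=$1
    found=0

    # 1. LaunchAgents that reference a hidden file under the home directory,
    #    ignoring ~/.Trash. Same idea as the grep pipeline in the thread, but
    #    with fixed strings so the path is never treated as a regex.
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -a -F "$home/." "$plist" | grep -v -F "$home/.Trash" >/dev/null; then
            echo "FINDING: LaunchAgent references a hidden file: $plist"
            found=1
        fi
    done

    # 2. environment.plist that sets DYLD_INSERT_LIBRARIES, i.e. a library
    #    injected into every GUI application the user launches.
    env_plist="$home/.MacOSX/environment.plist"
    if [ -f "$env_plist" ] && grep -a -q "DYLD_INSERT_LIBRARIES" "$env_plist"; then
        echo "FINDING: DYLD_INSERT_LIBRARIES is set in $env_plist"
        found=1
    fi

    # 3. File names reported in the thread. Their location is not given there,
    #    so search by name near the top of the home directory (depth assumed).
    hits=$(find "$home" -maxdepth 4 \
        \( -name .flserv -o -name com.adobe.flp.plist \) 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/FINDING: file name reported in thread: /'
        found=1
    fi

    return "$found"
}
```

Run it as `scan_home "$HOME"`; a clean result only means these particular artifacts are absent.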

  • fane_j Level 4 (3,655 points)
    Apr 11, 2012 2:36 PM (in response to billynicol)

    billynicol wrote:

     

    I wonder if even although the files were there and created a 'bot' with my Mac, the actual malware in safari and firefox was not installed. Is this correct?

    No-one can give you that assurance. Over the past weeks, this malware has been developed very quickly (and, IMHO, by more than one person or one group), in different variants. As a result, I doubt that anyone can provide a definitive list of what it installs and where and in what phase.

    I have removed both .flserv and com.adobe.flp.plist now too so imagine I am safe.

    None of my credit card sites, bank, facebook etc have been weird so think I am OK.

    The stress being on "imagine". Yes, you may be OK. Or your credit card and bank account info may be right now on sale…

  • MadMacs0 Level 4 (3,345 points)
    Apr 11, 2012 2:40 PM (in response to billynicol)

    billynicol wrote:

     

    None of my credit card sites, bank, facebook etc have been weird so think I am OK.

    The only other symptom reported by users infected with the current variant (as well as some previous) was occasionally being suddenly redirected to an advertising site. If you start seeing that you might want to dig deeper.

  • jsd2 Level 5 (6,200 points)
    Apr 11, 2012 4:12 PM (in response to MadMacs0)

    F-Secure just released a free Flashback detection and removal tool:

    http://www.f-secure.com/weblog/archives/00002346.html

  • WZZZ Level 6 (11,900 points)
    Apr 11, 2012 6:33 PM (in response to jo823)

    I'm still not ready to put an AV full time on my computer (except, that is, for ClamXav, which I have), but it's probably making a lot of us do some second guessing.
