Infected file: dyld_shared_cache_arm64e

Hello,


I ran my antivirus program and it detected the file dyld_shared_cache_arm64e and identified it as an infected file with the threat name: ELF:MiraiDownloader-O. It's a protected file and can't be quarantined by the antivirus software, nor can I delete it even by unlocking the file through the Information window or turning off FileVault.


I erased all content and settings but the antivirus program detected it again. Just upgraded to the latest version of macOS Ventura and found that I can't completely erase the SSD as this seems to be the only solution to removing the infected file. It seems the latest OS doesn't allow you to erase the SSD.


Any help would be appreciated.


Thanks.

Mac mini, 10.13

Posted on Nov 12, 2022 2:00 PM

Question marked as Top-ranking reply

Posted on Nov 12, 2022 5:38 PM

es1899 wrote:

The file is located in two places: /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld, and also in /System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/dyld

I searched for ELF_MIRAI and a similar virus, ELF_MIRAI.E was reported several years ago. Couldn't find anything on ELF:MiraiDownloader-O.

This may be a false positive, but one can never be too safe these days.

Oh no. It is most definitely, absolutely certainly, a false positive.


Just look at the word "Cryptexes" in the path. Those are files on Apple's cryptographically signed, read-only boot partition.


The idea that 3rd party antivirus apps are scanning these read-only Apple volumes is just hilarious. People in the "security" industry work overtime to tell a story about Apple incompetence and risk. It's non-stop, 24/7. And people really do fall for it. Things like this show the charade for what it is. The people who are supposed to protect you from these "zero-day" threats literally have no clue how the operating system works - no clue whatsoever.
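A triage check for the kind of detection discussed in this thread, added here as an example and not part of any post: it compares the file format implied by the threat name with the file's actual leading magic bytes. The function names, the reading of the `ELF:` prefix as a file-format tag, and the sample header are assumptions constructed for illustration.

```python
ELF_MAGIC = b"\x7fELF"
DYLD_CACHE_MAGIC = b"dyld_v1"  # followed by a space-padded architecture name
# Thin 64-bit, thin 32-bit and fat (universal) Mach-O magics as stored on disk.
MACHO_MAGICS = {b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def read_header(path: str, size: int = 16) -> bytes:
    """Read the leading bytes of a file for format identification."""
    with open(path, "rb") as fh:
        return fh.read(size)


def container_format(header: bytes) -> str:
    """Classify a file by its leading magic bytes."""
    if header.startswith(ELF_MAGIC):
        return "elf"
    if header.startswith(DYLD_CACHE_MAGIC):
        return "dyld_shared_cache"
    if header[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def triage(threat_name: str, path: str, header: bytes) -> dict:
    """Compare the format claimed by the detection with the real one."""
    fmt = container_format(header)
    # Assumption: the text before ':' names the format the signature targets.
    claimed = threat_name.split(":", 1)[0].lower() if ":" in threat_name else ""
    mismatch = claimed == "elf" and fmt != "elf"
    return {
        "actual_format": fmt,
        "claimed_format": claimed or "unspecified",
        "in_cryptex": "/Cryptexes/" in path,
        "verdict": "format_mismatch" if mismatch else "needs_analysis",
    }


if __name__ == "__main__":
    # Constructed sample: the first 16 bytes of an arm64e dyld shared cache.
    sample = b"dyld_v1  arm64e\x00"
    reported = ("/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/"
                "dyld_shared_cache_arm64e")
    print(triage("ELF:MiraiDownloader-O", reported, sample))
```

A `format_mismatch` verdict means the signature matched bytes inside a file that is not an ELF executable, which is grounds for submitting the detection to the antivirus vendor as a suspected false positive.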
