Avast reports "MacOS:Iservice-A [Wrm]"

Hi All;

A customer has reported that a product tested positive for "MacOS:Iservice-A [Wrm]". This was a fresh install. I'm wondering if anyone has any details on this worm. I'm pretty sure it is a false positive and will be analyzing the files but if there was details on the worm it would help.

Have a great weekend!

Pat

MacBook Pro (M2 Max, 2023)

Posted on Mar 24, 2023 8:20 AM


Mar 27, 2023 1:39 PM in response to Pat_RE

First, there is no reason to ever install or run any 3rd party "cleaning", "optimizing", "speed-up", anti-virus, VPN or security apps on your Mac. These documents describe what you need to know and do in order to protect your Mac: Effective defenses against malware and other threats - Apple Community and Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support.


There are no known viruses, i.e. self-propagating, for Macs. There are, however, adware and malware which require the user to install, although unwittingly most of the time through sneaky links, etc.


Anti-virus developers try to group all types as viruses in their ad campaigns of fear. They do a poor job of detecting and isolating the adware and malware. Since there are no viruses, these apps use up a lot of system resources searching for what is non-existent and adversely affect system and app performance.


There is one app, Malwarebytes, which was developed by a long time contributor to these forums and a highly respected member of the computer security community, that is designed solely to seek out adware and known malware and remove it.  The free version is more than adequate for most users.  


Tell your customer to uninstall Avast according to the developer's instructions and stay away from all such apps in the future.



Mar 27, 2023 1:26 PM in response to Pat_RE

Add to your due diligence the following: Apple Platform Security - Apple Support, and in particular, Signed system volume security in iOS, iPadOS, and macOS - Apple Support.


And the replies you already received from this discussion (Avast reports "MacOS:Iservice-A [Wrm]" - Apple Community).


Advise your clients of the fact that "Avast" is junk. Rule 1 of Macs is don't install junk. No one knows more about Macs and how to protect them than the company that builds them and maintains the operating systems they run. Any company that claims systems security knowledge superior to Apple ought to be regarded with extreme suspicion, if not outright derision.


Your client is using a Tinkertoy... with apologies to Tinkertoy. Unlike "Avast" Tinkertoys are useful products with beneficial purposes.

Mar 27, 2023 12:45 PM in response to Pat_RE

Pat_RE wrote:

I just have to confirm that this is a false positive.

But what is "this"?


What you describe is probably the #1 complaint we have about posts like this. Every single time. Never fails. Either the antivirus simply never tells them what file it was or they refuse to say.


If you want to talk percentages, there is a very high chance that the path of the file in question starts with /System.

Mar 27, 2023 8:42 AM in response to Pat_RE

Point of Fact


Additionally, in macOS 11 Big Sur, macOS 12 Monterey and macOS 13 Ventura, the operating system resides in a sealed, read-only volume that cannot be opened by the user nor by third-party applications.


The only entity that can open and modify or alter this volume is Apple.


That would occur when an update or upgrade is performed.


So even if the malware was installed and present on this computer, the only area affected would be the user account on which it was installed.


The operating system itself would be isolated.
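The two replies above make the same practical point: a scanner hit whose path starts with /System (the sealed, read-only system volume) is almost always a false positive, and the first thing to establish is which file was flagged. The POSIX shell script below is an added example written for this thread, not code from Avast, Apple or any poster. It takes the reported path(s), classifies each one as living on the sealed system volume or in user-writable territory, and, on a real Mac where `codesign` exists, checks whether the file carries Apple's first-party "Software Signing" authority. The list of prefixes treated as the sealed volume is an assumption made for illustration (an approximation of the Catalina-and-later layout, where /usr/local sits on the data volume), and the sample paths at the bottom are constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): triage a file path reported by an AV
# scanner on macOS. Two checks:
#   1. Does the path live on the sealed, read-only system volume (SSV)?
#      The prefixes below are an ASSUMED approximation of the SSV layout
#      (/usr/local lives on the writable data volume, so it is excluded).
#   2. On a real Mac, is the file Apple-signed? codesign is only invoked
#      when present, so the classification logic runs on any POSIX sh.

# Return 0 if the path is under a prefix assumed to be on the sealed volume.
is_on_sealed_volume() {
    case "$1" in
        /usr/local/*) return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "system", "user-installed" or "unknown" for a path.
classify_path() {
    if is_on_sealed_volume "$1"; then
        echo "system"
    else
        case "$1" in
            /Users/*|/Applications/*|/Library/*|/private/var/*|/usr/local/*|/opt/*)
                echo "user-installed" ;;
            *) echo "unknown" ;;
        esac
    fi
}

# Print "apple-signed", "signed-other", "unsigned-or-invalid" or
# "no-codesign" (the last when not running on macOS).
signature_status() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "no-codesign"
        return 0
    fi
    if ! codesign --verify "$1" >/dev/null 2>&1; then
        echo "unsigned-or-invalid"
        return 0
    fi
    # Apple's own components show "Authority=Software Signing" in the
    # certificate chain printed by codesign -dvv (on stderr, hence 2>&1).
    if codesign -dvv "$1" 2>&1 | grep -q '^Authority=Software Signing$'; then
        echo "apple-signed"
    else
        echo "signed-other"
    fi
}

# One tab-separated triage line per path: location, signature, verdict.
# A sealed-volume path that is Apple-signed (or cannot be checked here)
# is reported as a likely false positive; everything else needs a look.
triage() {
    path="$1"
    loc=$(classify_path "$path")
    sig=$(signature_status "$path")
    verdict="investigate"
    if [ "$loc" = "system" ] && { [ "$sig" = "apple-signed" ] || [ "$sig" = "no-codesign" ]; }; then
        verdict="likely-false-positive"
    fi
    printf '%s\tlocation=%s\tsignature=%s\tverdict=%s\n' "$path" "$loc" "$sig" "$verdict"
}

# Constructed sample paths (not from the thread) used when no arguments are given.
if [ $# -eq 0 ]; then
    set -- /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder \
           /usr/local/bin/example-tool \
           /Users/example/Downloads/installer.dmg
fi
for p in "$@"; do
    triage "$p"
done
```

Run it as `sh triage.sh /path/the/scanner/reported`. On a Mac the signature column is what settles the question: a file under /System that verifies with Apple's "Software Signing" authority is an unmodified OS component, which is exactly the outcome the replies above predict; a "user-installed" location or a "signed-other"/"unsigned-or-invalid" result is the case that still warrants analysis.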

Mar 27, 2023 5:21 AM in response to Pat_RE

I’m afraid you are at an impasse then. As far as I know, all of these consumer-level antivirus apps only spit out their own internal codes. It is extremely difficult to identify the actual file name involved. That is the only thing that matters.


There definitely is malware for the Mac, but it isn’t the kind of malware you think it is. It never just appears, like on Windows. The user of the computer has to make an effort to install it - on purpose. The explanation will always be that the user was tricked into installing, but that is only ever a half-truth. The user is actively trying to install something illegal or malicious. In the process, the malware presents a fake installer for something that appears to be a required upgrade for a legitimate requirement of whatever illicit payload the user is really trying to install.


But that is how Mac users get real malware installed. I’m sure it doesn’t apply in your case. Mac antivirus software will reliably block about half of malware installation attempts. Users typically go for years with both antivirus and malware happily installed side-by-side.


In your case, the antivirus is probably reporting some piece of system software or an important system database file. In rare cases, it is flagging some harmless Windows virus in an e-mail attachment. But most likely, it is some well-known system component released years ago. It turns out that Mac antivirus products are often years behind in operating system compatibility. They are far too busy tracking “zero-day” exploits to notice any of Apple’s global marketing campaigns or yearly developer updates. Those things catch them totally off-guard.

Mar 27, 2023 4:46 AM in response to BobTheFisherman

I'm not supporting their decision, but I take my role very seriously. If I discount their findings and it turns out to be a real issue, I haven't done my due diligence. I've also worked in an environment with absurd levels of administrivia (the Canadian government) where I wasn't allowed to use a real-time OS due to the lack of antivirus scanning. That was for a transonic wind tunnel (200 kph to Mach 4+); they wanted, wait for it... a windoze-based system!!!

So their security guy gets a virus warning from a scanner his overlords require him to use. That report goes to tech support at the company I work for. As per our policy, all reports have to be fully analyzed, so I have to make a report that shows I made a concerted effort to establish the validity of the report.

Mar 24, 2023 10:47 AM in response to Pat_RE

As their security consultant, I think it is your responsibility to advise them that their policy of universal antivirus use, if there is such a policy, is an issue for them, their systems' performance, and their systems' security.

It sounds like you believe they are paying you to support their policies/decisions regardless of the negative impact of these policies/decisions.

Mar 24, 2023 10:41 AM in response to BobTheFisherman

As I said I have to analyze their report. Until I can say with certainty that it is a false positive I can't really say that Avast hasn't caused the problem. With proof that it was caused by a bad or vague heuristic I can say the problem is Avast.

With proof I will tell them that Avast is prone to false positives and suggest they don't use it. That said, I don't know if there is a company-wide policy that requires AV software on all devices; if that is the case I suspect I'll be hearing from them often.

Mar 24, 2023 10:29 AM in response to BobTheFisherman

The issue is that it is a customer, who is likely required to do malware scanning. As the senior software security engineer I have to analyze the report, even if I suspect it is a false positive.

An example of a customer that would require malware detection is government contractors who need to show due diligence for cyber security.

I know the company line is that there is no malware on Apple products, but I worked on the original analysis of Pegasus/Trident when I was at Lookout. So I am very confident that malware does exist for macOS. Yes, it is harder to infect the Mac environment, but I have to assume the worst.

BTW I agree about Avast, they are very prone to false positives.
