On 21 Jan 2020, at 18:11, Artemio González López via macports-users wrote:

> Bitdefender has flagged two files from the db48 MacPorts port installed in my Mac, namely
>
> /opt/local/lib/db48/libdb_cxx-4.8.dylib
> /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2
>
> which seem to be infected by something called
>
> Gen:Variant.Application.MAC.Koiot.575

This is not an indication of a specific 'infection' but rather a generic heuristic match with characteristics seen in known malware. This is NOT a match with any specific known malware.

> Does this sound plausible,

I believe Bitdefender flagged it. I don't believe it is worth concern. I have no reason to believe that a Bitdefender generic match is worth anything. Do you?

> or is it more likely a false positive?

It's nothing. It's not a 'positive' of any sort, it's an almost random assertion that a file has some vague characteristics in common with unspecified malware.

Generic matches by "antivirus" programs that do not document those patterns are worse than worthless. Your use of Bitdefender has wasted your valuable time.

> In any case, I am thinking of reinstalling the port. Is this possible, and how should I proceed? (uninstall first, perhaps, but what about dependents?).

You can't make Bitdefender worthwhile software by reinstalling Berkeley DB 4.8.

I have machines with these local source builds of the db48 port, v4.8.30_4:

Darwin10/i386
Darwin15/x86_64
Darwin17/x86_64
Darwin18/x86_64

All of these now show the same 5 junk hits at VirusTotal on their libdb_cxx-4.8.dylib. The first 2 did not show any hits in years-old tests, but they hit when rescanned in the last few hours. I also have downloaded the pristine source from Oracle, patched it to fix naming conflicts, and built it without using anything from MacPorts. That libdb_cxx-4.8.dylib hits at VT identically to the 4 other builds I have.

It is certainly possible that the source code of BerkeleyDB v4.8.30 has been compromised at its definitive repository by some as-yet-unidentified MacOS X malware which has unspecified similarities to some unspecified known malware which is only known to 5 3rd-rate AV tools, 4 of which give it the same name which is unreferenced anywhere.

It is more likely that those junk AV packages have detected the use of BerkeleyDB v4.8.30 (one of the most ubiquitous open source libraries in existence) by some malware and have deemed some of its characteristics as being indicative of malware, incorrectly.

If you are a paying customer of Bitdefender, I urge you to ask them what this detection actually means and ask that they justify the waste of your time over this apparently pointless "detection." They owe you an explanation.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
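Added example, not code from this thread, from MacPorts or from Bitdefender: before reinstalling a port because a scanner flagged a file, it is worth checking whether the installed file is even different from the copy in the software archive MacPorts installed it from. The script below extracts one member from such an archive and compares SHA-256 digests with the file on disk; a match means a reinstall from that archive cannot change anything the scanner looked at, a mismatch means the file was altered after installation or came from another build. The real paths would be the two files the original message names; here a throw-away archive and file are constructed so it runs anywhere. Assumptions: the member path inside a MacPorts archive is taken to be `./opt/local/lib/db48/libdb_cxx-4.8.dylib` (check with `tar -tf` on a real archive), and the fixture is gzip-compressed where MacPorts uses bzip2, which `tar -xf` auto-detects in the same way.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or MacPorts): compare an installed
# file with the copy inside the MacPorts archive it was installed from.

# Portable SHA-256: macOS ships shasum, most Linux systems ship sha256sum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_against_archive ARCHIVE MEMBER INSTALLED
#   ARCHIVE   the .tbz2 (or any tar) archive under /opt/local/var/macports/software/...
#   MEMBER    the member path exactly as stored in the archive (assumed "./opt/local/...")
#   INSTALLED the file on disk, e.g. /opt/local/lib/db48/libdb_cxx-4.8.dylib
# Prints both digests; returns 0 on match, 1 on mismatch, 2 if the member cannot be extracted.
verify_against_archive() {
    archive=$1; member=$2; installed=$3
    tmp=$(mktemp -d) || return 2
    # -x auto-detects bzip2/gzip; extract only the one member we care about.
    if ! tar -xf "$archive" -C "$tmp" "$member" 2>/dev/null; then
        rm -rf "$tmp"
        return 2
    fi
    a=$(sha256_of "$tmp/$member")
    b=$(sha256_of "$installed")
    rm -rf "$tmp"
    printf 'archive   %s\ninstalled %s\n' "$a" "$b"
    [ "$a" = "$b" ]
}

# Constructed fixture so the example runs offline: a fake dylib, an archive holding it
# at the assumed MacPorts member path, one identical installed copy and one altered copy.
# (gzip is used for the fixture; a real MacPorts archive is bzip2, handled identically by tar -xf)
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/root/opt/local/lib/db48"
    printf 'stand-in for libdb_cxx-4.8.dylib (constructed, not a real library)\n' \
        > "$fx/root/opt/local/lib/db48/libdb_cxx-4.8.dylib"
    ( cd "$fx/root" && tar -czf "$fx/db48-4.8.30_4.fixture.tar.gz" ./opt/local/lib/db48/libdb_cxx-4.8.dylib )
    cp "$fx/root/opt/local/lib/db48/libdb_cxx-4.8.dylib" "$fx/installed_same.dylib"
    printf 'modified after installation\n' > "$fx/installed_changed.dylib"
    echo "$fx"
}

# Demonstration on the fixture.
fx=$(make_fixture)
member=./opt/local/lib/db48/libdb_cxx-4.8.dylib
verify_against_archive "$fx/db48-4.8.30_4.fixture.tar.gz" "$member" "$fx/installed_same.dylib" \
    && echo "match: reinstalling from this archive would not change the file"
verify_against_archive "$fx/db48-4.8.30_4.fixture.tar.gz" "$member" "$fx/installed_changed.dylib" \
    || echo "mismatch: installed file differs from the archived copy (rc=$?)"
```

On a real system, run it as `verify_against_archive /opt/local/var/macports/software/db48/db48-4.8.30_4.darwin_17.x86_64.tbz2 ./opt/local/lib/db48/libdb_cxx-4.8.dylib /opt/local/lib/db48/libdb_cxx-4.8.dylib` after confirming the member path with `tar -tf` on the archive. If the digests match and you still want a fresh build, `sudo port -n upgrade --force db48` rebuilds the port in place without uninstalling it or touching its dependents.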
