Re: [MlMt] ClamXAV warning / DarthMiner in ~/Library/Application Support/MailMate/Database.noindex/Headers/#quoted.cache

2019-02-02 Thread Bill Cole

On 2 Feb 2019, at 10:01, Robert M. Münch wrote:

> Hi, I got a warning today from ClamXAV about DarthMiner in the above
> file. And ClamXAV moved the file into quarantine.
>
> Anybody have any idea how this can happen?


I would hope that since the people who make ClamXAV charge a 
subscription for their malware pattern database, they would be able to 
explain their product's behavior to users. You should be able to get a 
firm answer from them.


My GUESS is that this is a false positive. For most people using macOS, 
using an "anti-virus" tool in an active mode presents a greater risk for 
destructive behavior due to false positives (e.g. quarantining files 
without warning) than they would be due to actual malware. According to 
the descriptions I've seen of the "DarthMiner" malware it is distributed 
as a fake software piracy tool, so avoiding an actual infection is a 
trivial matter.



> What does the file contain?


~/Library/Application Support/MailMate/Database.noindex/Headers/#quoted.cache contains a cache 
of quoted body text from your emails. It is part of MailMate's search 
system. Moving it may or may not do permanent damage, depending on what 
has been done since the move.



> How to best proceed now?


0. Fix your ClamXAV configuration to never move or delete files without 
asking for permission.

1. Quit MailMate
2. Check if MailMate has created a replacement for the file. If it has, 
your index database is probably not valid and should be rebuilt from the 
actual messages. See the MM documentation for how to force a rebuild.
3. Check the last change time of the quarantined file. If it was last 
changed when you quit MM, it may be fine: just move it back to where it 
belongs. If the last change time is before it was quarantined, it is 
probably stale and therefore worthless: rebuild the database.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
___
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate
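As an added example (not part of Bill Cole's reply, and not code from MailMate or ClamXAV), the following POSIX shell script encodes the decision in steps 2 and 3 above: if MailMate has already recreated the cache at its original path, or if the quarantined copy stopped changing before MailMate was quit, the answer is "rebuild"; otherwise the copy can be moved back. The quarantine path, the quit timestamp and the 60-second slack are assumptions.

```shell
#!/bin/sh
# Triage a quarantined MailMate cache file. Constructed example; the
# quarantine location and the quit time must be supplied by the user.

# Modification time in epoch seconds, portable across GNU and BSD/macOS stat.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# triage_cache ORIGINAL_PATH QUARANTINED_PATH QUIT_EPOCH
# Prints "restore" or "rebuild".
#  - Original path exists again: MailMate recreated it, so the index is
#    suspect and should be rebuilt from the messages.
#  - Quarantined copy last changed at (or after) the time MailMate was quit:
#    MailMate kept writing to it, so it is current and can be moved back.
#  - Otherwise the copy went stale before the quit: rebuild.
triage_cache() {
    original=$1 quarantined=$2 quit_epoch=$3
    slack=60   # assumed tolerance, in seconds, for "changed when you quit"
    if [ -e "$original" ]; then
        echo rebuild
        return 0
    fi
    if [ ! -e "$quarantined" ]; then
        echo "quarantined copy not found: $quarantined" >&2
        return 1
    fi
    if [ "$(mtime_epoch "$quarantined")" -ge $((quit_epoch - slack)) ]; then
        echo restore
    else
        echo rebuild
    fi
}

# Example invocation (placeholder quarantine path and quit time):
#   triage_cache "$HOME/Library/Application Support/MailMate/Database.noindex/Headers/#quoted.cache" \
#                "/path/to/ClamXAV/quarantine/#quoted.cache" "$(date +%s)"
```

Run it right after quitting MailMate so that `date +%s` approximates the quit time.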


[MlMt] ClamXAV warning / DarthMiner in ~/Library/Application Support/MailMate/Database.noindex/Headers/#quoted.cache

2019-02-02 Thread Robert M. Münch
Hi, I got a warning today from ClamXAV about DarthMiner in the above file. And 
ClamXAV moved the file into quarantine.

Anybody have any idea how this can happen? What does the file contain? How to best 
proceed now?

Best regards.

-- 

Robert M. Münch, CEO

Saphirion AG
smarter | better | faster

http://www.saphirion.com
http://www.nlpp.ch

