Possible Trojan
During scan with Sophos Antivirus I received the log with two trojans, found in the 1password's container: on my Macbook: 2BUA8C4S2C....
One of them was removed during the scan and later I have removed also the 2nd one. Is this a serious tread and why it is residenting in the 1password folder?
Comments
-
It looks to me, at first glance, as though (if there was actually a trojan) it was in something you attached to a 1P item. Is that possible? It's not particularly clear from your screenshot what the name of the identified file was but it appears to be a zip file. There is further reference to a path and filename that seems to be referring to the Mail app. Putting two and two together (and possibly making five, sorry!) is it possible you added a mail attachment to a 1P item and that attachment was identified as the trojan?
If all my guesses are wrong I think we need some more information from you (including the version of 1P that you're running). What would be particularly useful to know is:
- the exact and full filename of the file containing the alleged trojan;
- the exact location (full path) of that file on your disk.
Stephen
0 -
Hi Stephen,
Thank you for the feedback! Unfortunately, after this message I have deleted this files from my Mac. You are right, that they are in the mail folders, but why they appeared in the container of 1P is for me unclear. I tried to find any attachment which I have in my 1P entries, but no success. When i find out more information, i will send it to you.
Best regardsStefan
0 -
If you have any log from this episode I know I'd be interested in seeing it. I have my suspicion but I can't say for sure.
The
Containersfolder is where sandboxed applications keep their files. If you were to peek inside a few you'd notice they have a mixture of real folders and a lot of aliases to standard OS folders. What this means is you can view the contents of:~/Library/Mail/V2/MailDatawhile it looks like you're in
~/Library/Containers/com.agilebits.onepassword-osx/Data/Library/Mail/V2/MailDataSo I'm wondering if that's somehow the cause. Any log may help to clear this up though. I don't suggest you post the log here but if you were to email us at support@agilebits.com we could look at it in private. If you were to do this I would suggest the subject of the email to be
https://discussions.agilebits.com/discussion/35179/possible-trojan
and if you were to mention my name, littlebobbytables I will be added as a watcher to the ticket. What would also help speed up the process is if you were to post the ticket ID back here afterwards.
0 -
I sent e-mail to support@agilebits.com with Sophos log info, screenshots, and other details related to the same warnings on my Mac. Thanks for taking a look.
0 -
Hi @aal Your email was found and assigned to myself. You should hopefully have two replies in your inbox. Thank you for sending in that information and we'll continue the discussion there :smile:
0 -
Your explanation makes sense and I really appreciate it. I didn’t know that all of the MAS applications would have a folder in …Containers… with subfolders that alias out to other directories such as the Mail directory. And now it makes sense that Sophos would would process ~/Library/Containers/ before ~/Library/Mail/ and therefore first encounter the threat file inside of ~/Library/Containers/….com.agilebits.onepassword-osx-helper/Data/Library/Mail/V2/.
It is so rare to get a customer service with (a) a solid and detailed technical explanation, (b) timely response, (c) addresses the issue the first time.
Thanks!
0 -
On behalf of @littlebobbytables you are very welcome! I'm glad we were able to provide the help and technical explanation you were looking for. :)
Ben
0
