Trojan.OSX.Eleanor [false positive detected by ClamXav 2.9 Public Beta]

HFTobeason
Community Member
edited July 2016 in Mac

ClamXav is reporting that the 1Password6.app is infected by the Trojan.OSX.Eleanor worm. Thoughts? Comments? Solutions? TIA.


1Password Version: 6.5.BETA-7 (650007)
Extension Version: 4.5.7b3
OS Version: 10.11.6 Beta (15G24b)
Sync Type: iCloud

Comments

  • Hi @HFTobeason,

    Thanks for bringing this to our attention; what path does ClamXAV indicate is the suspect file?

    Rudy

  • HFTobeason
    Community Member

    Two places:

    /Applications/1Password/1Password 6.app

    /Applications/1Password/1Password 6.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app/Contents/MacOS/2BUA8C4S2C.com.agilebits.onepassword4-helper

  • Hi @HFTobeason,

    I would recommend quitting 1Password & mini, and deleting /Applications/1Password/1Password 6.app and re-downloading it from our website.

    It looks like you're running the latest beta from https://cache.agilebits.com/dist/1P/mac4/1Password-6.5.BETA-7.zip. We just scanned that binary with ClamXAV and it indicates it has no infection.

    Rudy

  • HFTobeason
    Community Member

    Done. But, I'm still getting the same two infection alerts!

  • HFTobeason
    Community Member

    Note that I'm running ClamXav v2.9/0.99.2 (2367).

  • Hi @HFTobeason,

    It looks like the ClamXav 2.9 public beta is incorrectly identifying them as being Trojan.OSX.Eleanor. The current release version of ClamXav, 2.8.9.4, which is what we were checking with, correctly detects no issues with the binary.

    We'll start a conversation with them about the false positive they're detecting with their public beta.

    Thanks again.

    Rudy

  • HFTobeason
    Community Member

    Thanks, Rudy.

  • Drew_AG
    1Password Alumni

    On behalf of Rudy, you're very welcome! Hopefully you're all set now, but if you have more questions about that or need anything else, just let us know. :)

  • @HFTobeason,

    I just heard back from the ClamXav developers; they've resolved the false positive!

    If you update your virus definitions under ClamXav 2.9 it should now correctly recognize that 1Password isn't Trojan.OSX.Eleanor.

    Rudy

  • zackeryfretty
    Community Member

    Hello!

    I'm also having this issue -- I was running Version 2.9/0.99.2 (2367) of ClamXav and got hit with the issue. I've since deleted 1Password and downgraded to the latest version of ClamXav that's stable (2.8) and still get the problem.

    I think I might just have the newer ClamXav scanner installed, so it's possible that might be causing the problem still -- but thought I'd mention it.

    Ex: http://i.imgur.com/b2381BN.jpg

    Thanks for all the help!

  • HFTobeason
    Community Member

    @rudy:

    Confirmed - the latest definitions update resolves the alert. Thanks!

  • Hi @HFTobeason,

    Thanks so much for taking the time to report it to us. I'm glad they were able to resolve it so quickly.

    Cheers,
    Kevin

This discussion has been closed.