Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: vol24pl on February 21, 2018, 08:49:06 PM

Title: False positive in Swift standard library?
Post by: vol24pl on February 21, 2018, 08:49:06 PM
Suddenly one of Swift's standard library files is considered a bitcoin miner. Is it a false positive? File name is libswiftDispatch.dylib

Same issue: https://discussions.agilebits.com/discussion/86860/avg-quarantined-1password-libswiftdispatch-dylib
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 09:11:59 PM
Same here with /Applications/Xcode.app/Contents/Frameworks/libswiftDispatch.dylib

But:

codesign -dvvv /Applications/Xcode.app/Contents/Frameworks/libswiftDispatch.dylib
Executable=/Applications/Xcode.app/Contents/Frameworks/libswiftDispatch.dylib
Identifier=com.apple.dt.runtime.swiftDispatch
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=2498 flags=0x2000(library-validation) hashes=73+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=5b26b6d50543a5a2c9da25392eff6cdf3eaecb9b
CandidateCDHash sha256=71530697449cbf4eff0a8d7a41dbf19aa620e82d
Hash choices=sha1,sha256
CDHash=71530697449cbf4eff0a8d7a41dbf19aa620e82d
Signature size=4535
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=5
TeamIdentifier=59GAB85EFG
Sealed Resources=none
Internal requirements count=1 size=84
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 09:20:32 PM
I am having the same problem.  I am getting an Infection blocked! message about every 10 seconds.  From googling I saw a thread from one year ago that said this was a problem with an update/virus definition file.  I look forward to a resolution to this one...

Thank you,

Tim
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 09:32:33 PM
Same problem with
/System/Library/CoreServices/MRT.app/Contents/Frameworks/libswiftDispatch.dylib
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 09:38:48 PM
I'm having the same problem. About every 10 seconds Avast is saying it has blocked a threat and moved it to the chest. libswiftDispatch.dylib
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 10:24:53 PM
Same problem on my Macbook, Avast keep showing popups saying Infection blocked, file is libswiftDispatch.dylib
And I can't open my Telegram app too since it started :(
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 10:26:26 PM
Same problem. This feels like a false positive.... but maybe not. Unfortunately, quarantining half a dozen program files makes it a bit hard to get work done with it locking away all these files.
Title: Re: False positive in Swift standard library?
Post by: Sirmer on February 21, 2018, 10:26:55 PM
Hello,

sorry for your inconvenience, we are working on fix and it will be release asap.
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 10:31:40 PM
Same problem. Many libswiftDispatch.dylib alerts re MacOS:BitCoinMiner-AS [Trj], and some apps (e.g. Malwarebytes) now crash, presumably because various libswiftDispatch.dylib files, including some from CoreServices, have been moved to the Virus Chest.

This is a serious problem. Is it a real infection, or a false positive, and how will the problem be remedied?
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 21, 2018, 10:36:00 PM
This is incredibly frustrating, and basically unacceptable. libswift is used by Docker, Xcode, and a number of other development tools. I have half of my dev team unable to work until Avast stops quarantining software dependencies based on a false positive. This is the second false positive in a month that impact Xcode directly. I'll be actively migrating off of Avast after this..
Title: Re: False positive in Swift standard library?
Post by: drake145 on February 22, 2018, 12:59:23 AM
I am experiencing the same problem (screenshot attached).

From the messages, the Avast team appears to be working on it, so hopefully a fix will be released soon.

Since this appears to be a false positive, is there any harm in removing the files from quarantine?
Title: Re: False positive in Swift standard library?
Post by: drake145 on February 22, 2018, 01:06:35 AM
Meant release the files on my above post.
Title: Re: False positive in Swift standard library?
Post by: drake145 on February 22, 2018, 01:42:36 AM
Meant release the files on my above post.

Well, l took a chance and restored the files (expect the latter 2, since it appears they re-generated so I deleted them).
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 22, 2018, 02:15:09 AM
The pop up warnings stopped, and my affected program works again. Thanks for fixing it.
Title: Re: False positive in Swift standard library?
Post by: vol24pl on February 22, 2018, 10:16:53 AM
Loosely related but I need this info to adress exactly this issue properly:

How can i find:
1. My current virus definition version + date of update
2. My current Avast app version + date of update
3. Newest virus definition version
4. Newest Avast app version
Title: Re: False positive in Swift standard library?
Post by: bob3160 on February 22, 2018, 01:33:40 PM
Loosely related but I need this info to adress exactly this issue properly:

How can i find:
1. My current virus definition version + date of update
2. My current Avast app version + date of update
3. Newest virus definition version
4. Newest Avast app version
Right click the Avast sys tray icon and select "About Avast"
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 22, 2018, 04:00:44 PM
Same here not only affecting Xcode and CoreServices/MRT.app but any app that uses "libswiftDispatch.dylib" 
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 22, 2018, 04:23:17 PM
Does anyone know the AVAST version number for mac computers that has the fix?
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 22, 2018, 11:19:53 PM
Apparently AVG had a fix this AM.  What's the hold up Avast?
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 23, 2018, 05:15:14 PM
I was stupid enough to delete the libswiftDispatch.dylib file and now I can not get XCode to work properly even if I reinstall the program. Does anyone know How to get the file back?
Title: Re: False positive in Swift standard library?
Post by: REDACTED on February 26, 2018, 02:11:56 AM
So, I'm only just stumbling upon this thread because someone shared it over in the Apple forums. Admittedly, I never remember to conduct scans on my MacBook Pro and the other morning I got an alert that Avast blocked this very threat.

That prompted me to do a scan and I found this same Bitcoin Miner infection in Skype and here >> /System/Library/CoreServices/MRT.app/Contents/Frameworks/libswiftDispatch.dylib. Someone else posted finding it here as well.

Figuring the next move was to delete it, that's what I did. Skype stopped working and needed to be reinstalled. However, I haven't noticed any adverse effects from deleting that one mentioned above. Is there any concern in deleting it? Should I restore the file? I have no clue what it is! But obviously, I don't want to discover some sort of issue down the road...