Author Topic: False Positives - ELF:MiraiDownloader-OG [Drp]  (Read 3316 times)

0 Members and 1 Guest are viewing this topic.

Offline AvastUser_0

  • Newbie
  • *
  • Posts: 4
False Positives - ELF:MiraiDownloader-OG [Drp]
« on: November 12, 2022, 10:35:13 PM »
My avast seemed to have updated when i opened the program at 4:30 today as my last scan at midnight came up with nothing. After doing a deep scan I have a threat ELF:MiraiDownloader-OG [Drp]. I'm not able to describe where it says the infected path is other than it is /private/var/db/uuidtext/dsc/A9EB0E63BFA0348AAB0E09181597B.

I ran a scan on two of my other macs and I am getting the same thing however these two have 3 threats showing up with simular file paths in addition to /system/library/dyld_shared_Chache-arm64e.

I'm more than positive that it is a false Positive as I haven't used two of the computers in almost a week and I always scan frequently. Has any one else had this happen after updating?

Offline Avast User

  • Newbie
  • *
  • Posts: 1
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #1 on: November 13, 2022, 05:41:27 AM »
I am unsure if it is false positive but am experiencing the same phenomenon.

Offline ItsTony

  • Newbie
  • *
  • Posts: 10
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #2 on: November 13, 2022, 10:53:30 AM »
Did a scan this morning and I'm finding the same three threats. They only show up when I do a deep scan, though. Smart scan shows "no threats found."

Offline ny-230

  • Newbie
  • *
  • Posts: 1
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #3 on: November 13, 2022, 02:45:41 PM »
I am finding a similar detection of the same malware/virus on two different MacBook Air M1 Apple silicon computers, one running Monterey 12.6 and one running Monterey 12.6.1, except that for me it is in SIP protected file that online forums say is necessary for the macOS:

dyld_shared_cache_arm64e

in this directory:

/System/Library/dyld/


The full path is:    /System/Library/dyld/dyld_shared_cache_arm64e

The file dyld_shared_cache_arm64e has a different creation date on 12.6.1 than 12.6 after a system update.

That file is 1.5GB and too large to upload to online scanners but I used Terminal to split the file into maximum 600MB segments, and scanned each segment on VirusTotal and no threats detected. I then split the file into 637MB segments (in case a virus was just at the "edge" of the split) - same, no detection. So my assumption is this is a false positive. I am using free Mac Avast Security so no way to report this to Avast except posting here.

Offline Nerdox

  • Newbie
  • *
  • Posts: 1
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #4 on: November 13, 2022, 03:23:03 PM »
My avast seemed to have updated when i opened the program at 4:30 today as my last scan at midnight came up with nothing. After doing a deep scan I have a threat ELF:MiraiDownloader-OG [Drp]. I'm not able to describe where it says the infected path is other than it is /private/var/db/uuidtext/dsc/A9EB0E63BFA0348AAB0E09181597B.

I ran a scan on two of my other macs and I am getting the same thing however these two have 3 threats showing up with simular file paths in addition to /system/library/dyld_shared_Chache-arm64e.

I'm more than positive that it is a false Positive as I haven't used two of the computers in almost a week and I always scan frequently. Has any one else had this happen after updating?

Same results today. Upon research the files/folder are part of MacOS Rapid Respond and Encryption.
It seems a false positive, hope some experts confirm.
« Last Edit: November 13, 2022, 03:29:22 PM by Nerdox »

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33496
  • malware fighter
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #5 on: November 13, 2022, 04:03:48 PM »
Further discussion here:
https://discussions.apple.com/thread/254371312

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline ana_mc05

  • Newbie
  • *
  • Posts: 5
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #6 on: November 13, 2022, 10:47:53 PM »
I am having the same problem, as every scan I make I get either 1 or 3 of these alerts. They get resolved and if I run another scan, it shows up again. From that Apple thread, I got that Avast should be uninstalled? Is that the solution here?

Offline lokelani53

  • Newbie
  • *
  • Posts: 5
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #7 on: November 13, 2022, 11:59:51 PM »
Also just got the same threat showing upon doing deep scan today - three files were identified and resolution by moving to quarantine was successful for two - but the third could not be moved to quarantine and indicated perhaps file was protected.  Location of that one showing as others report: dyld_shared_cache_arm64e

Am not using a free AVAST so will try to report for checking as false positive.

Update Nov 14: While I haven't yet had a response from AVAST, the situation appears to have been resolved as virus definitions were updated.  Just ran a deep scan and no threats detected.
« Last Edit: November 14, 2022, 08:58:00 PM by lokelani53 »

Offline koki2

  • Newbie
  • *
  • Posts: 1
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #8 on: November 14, 2022, 03:49:02 AM »
I am in the same situation. It's an M1 macbook pro.

Maybe it's a false positive limited to the M1macbook pro?

Offline AvastUser_0

  • Newbie
  • *
  • Posts: 4
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #9 on: November 14, 2022, 02:16:29 PM »
I am in the same situation. It's an M1 macbook pro.

Maybe it's a false positive limited to the M1macbook pro?

It happened on my old Intel Macbook as well. However that only got 1 report and the M1's got 3

Offline AvastUser_0

  • Newbie
  • *
  • Posts: 4
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #10 on: November 14, 2022, 03:06:44 PM »
Update: It looks like this issue has been fixed

I updated and scanned on all 3 mac's and no results were found

Offline ItsTony

  • Newbie
  • *
  • Posts: 10
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #11 on: November 14, 2022, 04:32:36 PM »
Resolved for me too.

Offline ondrej.kolacek

  • Avast team
  • Sr. Member
  • *
  • Posts: 369
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #12 on: November 14, 2022, 04:46:50 PM »
Thank you for the reports, it should already be fixed.
It is however usually better to use
https://www.avast.com/false-positive-file-form.php#mac
than the forums, the response is significantly faster.
Kind regards,

Offline JacekCH

  • Newbie
  • *
  • Posts: 1
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #13 on: November 14, 2022, 10:26:40 PM »
Hello Ondrej,

That's only thanks to that forum I found the solution for the same problem I have had on my Mac.

Best regards

Offline ondrej.kolacek

  • Avast team
  • Sr. Member
  • *
  • Posts: 369
Re: False Positives - ELF:MiraiDownloader-OG [Drp]
« Reply #14 on: November 15, 2022, 05:30:16 PM »
Hello Ondrej,

That's only thanks to that forum I found the solution for the same problem I have had on my Mac.

Best regards
Hello,
while the forum is a great way for the people to get to know about various issues, the thing is that if a false positive is reported properly, it is usually fixed within minutes, while forums are mostly managed by volunteers and are not closely watched most of the time.
Kind regards,
Ondrej Kolacek