
Information about a deleted data/file recovery tool to see if it is a virus/ransomware for Mac



Dear All,

I am a new Mac user and I have OS X Yosemite 10.10.5.

Recently I was in need of recovering deleted files from my WD external HDD, so I plugged the external HDD into my MacBook, searched in Google and downloaded a piece of software named "EaseUS Data Recovery Wizard for Mac" from the website easeus.com, installed it and ran a scan pointing to my external HDD.

However, due to recent news about ransomware/virus attacks, I was trying to see if the software that I downloaded is a legitimate one by checking whether it has a legitimate certificate, but could not find one (maybe it's just me).

So, if I may, I wanted to reach out to the experts here

1. to see if it is legitimate software, and also

2. to request steps to run for malware detection, if possible please.

The installer name was mac_drw_trial.dmg; I installed it while in offline mode, and it started a process named DRWTray.

Kindly guide me here please.

Also, please note that I am not saying it is malware or ransomware, but seeking guidance to get clarified.

Thank You so much in advance


  • Staff

EaseUS is not recovery software that I'm familiar with, but it's not malicious as far as I'm aware.

You can verify the code signature of the EaseUS Data Recovery Wizard by doing a couple things, both in the Terminal. First, open the Terminal, found in the Utilities folder in the Applications folder.

Next, enter the following command - but do not press return yet!

codesign -dvvv 

Make sure there's a single space at the end of the command, then drag and drop the EaseUS app onto the Terminal window. This will insert the path to the app into the command for you, so that you don't have to worry about figuring out how to properly type the whole thing. Then press return. The resulting output should look like this:

thomas$ codesign -dvvv /Volumes/EaseUS\ Data\ Recovery\ Wizard/EaseUS\ Data\ Recovery\ Wizard.app 
Executable=/Volumes/EaseUS Data Recovery Wizard/EaseUS Data Recovery Wizard.app/Contents/MacOS/DRWLoader
Identifier=com.easeus.datarecoveryloaderapp
Format=app bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20200 size=436 flags=0x0(none) hashes=14+3 location=embedded
Hash type=sha1 size=20
CandidateCDHash sha1=96bd0c92364d28ebce9608f2d69df22574544627
Hash choices=sha1
CDHash=96bd0c92364d28ebce9608f2d69df22574544627
Signature size=4283
Authority=Developer ID Application: CHENGDU Yiwo Tech Development Co., Ltd (DLLVW95FSM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Jun 15, 2017, 2:28:25 AM
Info.plist entries=23
TeamIdentifier=DLLVW95FSM
Sealed Resources version=2 rules=12 files=12
Internal requirements count=1 size=192

The important thing is the Authority. EaseUS does appear to be in Chengdu, but I can't say whether this is actually the correct authority for the app. For that, you'd need to ask EaseUS to be sure.

Next, you can verify the signature to make sure that the certificate hasn't been revoked and the code hasn't been modified in any way since being signed. To do that, follow the same procedure to enter the following command:

spctl --assess /path/to/EaseUS.app

(Be sure to use the same procedure to insert the proper path; don't actually type the path I did!)

If all is good, you'll get no output at all from the command. If you get any output, that means there's some kind of problem. Exactly what problem will depend on the output.

Hope this helps!

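As an added example (not code from the thread, nor from EaseUS or Apple), the two checks above wrapped in a small POSIX shell script. check_chain parses the text that codesign -dvvv prints and accepts it only when the certificate chain is Developer ID Application -> Developer ID Certification Authority -> Apple Root CA and the Team ID in the leaf certificate name matches the TeamIdentifier line; check_app runs the real codesign and spctl commands on a .app path (macOS only). The function names are assumptions; the embedded sample is the codesign output quoted above, trimmed to the lines the parser reads, so the parser can be exercised on any system.

```shell
#!/bin/sh
# Added example, not code from the forum thread. check_chain parses the text
# that `codesign -dvvv` prints; check_app runs the thread's two commands.

# The codesign output quoted in the thread, embedded so the parser can be
# exercised offline (only the lines the parser looks at are kept).
SAMPLE_CODESIGN_OUTPUT='Executable=/Volumes/EaseUS Data Recovery Wizard/EaseUS Data Recovery Wizard.app/Contents/MacOS/DRWLoader
Identifier=com.easeus.datarecoveryloaderapp
Authority=Developer ID Application: CHENGDU Yiwo Tech Development Co., Ltd (DLLVW95FSM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=DLLVW95FSM'

# Reads codesign -dvvv text on stdin. Prints the Team ID and returns 0 when
# the Developer ID chain is complete and consistent; otherwise prints the
# reason on stderr and returns 1.
check_chain() {
    text=$(cat)
    leaf=$(printf '%s\n' "$text" | sed -n 's/^Authority=Developer ID Application: //p' | head -n 1)
    [ -n "$leaf" ] || { echo "no Developer ID Application certificate" >&2; return 1; }
    printf '%s\n' "$text" | grep -q '^Authority=Developer ID Certification Authority$' \
        || { echo "missing Developer ID Certification Authority" >&2; return 1; }
    printf '%s\n' "$text" | grep -q '^Authority=Apple Root CA$' \
        || { echo "chain does not end at Apple Root CA" >&2; return 1; }
    team=$(printf '%s\n' "$text" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    # Team ID is the parenthesised suffix of the leaf certificate name.
    leaf_team=$(printf '%s\n' "$leaf" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
    [ -n "$team" ] && [ "$team" = "$leaf_team" ] \
        || { echo "TeamIdentifier '$team' does not match leaf '$leaf_team'" >&2; return 1; }
    printf '%s\n' "$team"
}

# Runs both checks from the thread against a real .app path (macOS only).
check_app() {
    command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1 \
        || { echo "codesign/spctl not found; run this on macOS" >&2; return 2; }
    team=$(codesign -dvvv "$1" 2>&1 | check_chain) || return 1
    # spctl prints nothing when the app passes; any output means a problem.
    out=$(spctl --assess "$1" 2>&1) && [ -z "$out" ] \
        || { echo "spctl --assess failed: $out" >&2; return 1; }
    printf 'signed by Team ID %s and accepted by Gatekeeper\n' "$team"
}

# Offline demonstration on the embedded sample.
printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | check_chain
```

On a Mac, run check_app with the dragged-in .app path from the post; a name match in the Authority line still only tells you who Apple issued the certificate to, which is the point the reply makes about asking the vendor.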

Thanks a lot, Reed. Below are the outputs from my system.

Step 1:

codesign -dvvv /Volumes/EaseUS\ Data\ Recovery\ Wizard/EaseUS\ Data\ Recovery\ Wizard.app
Executable=/Volumes/EaseUS Data Recovery Wizard/EaseUS Data Recovery Wizard.app/Contents/MacOS/DRWLoader
Identifier=com.easeus.datarecoveryloaderapp
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20200 size=436 flags=0x0(none) hashes=14+3 location=embedded
Hash type=sha1 size=20
CDHash=96bd0c92364d28ebce9608f2d69df22574544627
Signature size=4283
Authority=Developer ID Application: CHENGDU Yiwo Tech Development Co., Ltd (DLLVW95FSM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Jun 15, 2017, 8:28:25 AM
Info.plist entries=23
TeamIdentifier=DLLVW95FSM
Sealed Resources version=2 rules=12 files=12
Internal requirements count=1 size=192

Step 2:

spctl --assess /Volumes/EaseUS\ Data\ Recovery\ Wizard/EaseUS\ Data\ Recovery\ Wizard.app
<Nothing returned as output>

Based on the above results:

1. May I know if it is safe to assume that nothing is suspicious, please?

2. Below is the URL from which I downloaded the software; do you think it is malicious, please?

https://www.easeus.com/data-recovery/deleted-recovery-software/recover-deleted-files-external-flash-drive.htm

3. One additional question: is the Mac capable of identifying and quarantining viruses from the external HDD automatically too, please? Especially on OS version Yosemite 10.10.5.

4. Are there any steps to run the malware quarantine on the Mac, please?

Thanks in advance again.


  • Staff

I can't say whether this is legit or not. If EaseUS has been hacked (and I don't have any reason to think they have, but also cannot rule it out), then the only way to verify whether that code signature belongs to them is to ask them.

I have no reason to believe that EaseUS itself is malicious, so assuming that you're willing to trust EaseUS, downloading from the easeus.com site should be good.

As far as quarantining malware, macOS will only block known malware. If we hypothesize that EaseUS has been hacked and is deploying malware (which, again, I have no reason to believe), then macOS will not block it, because it will undoubtedly be new malware, not some old, existing, already-blocked malware.
