macgeek

OSX/Conduit.A adware. Not found by Malwarebytes


Malwarebytes did not find this. Could it be because MB does not scan the entire drive? It scanned about 13,000 files on my Mac. My Library folder alone has 43,000 files... this is where the adware was found. What good does it do to have a product that is not checking the entire hard drive? Virus Barrier found the adware. Can someone tell me where MB actually scans?

mac adware july 2020.jpg


I'm guessing that Malwarebytes had already removed the key active components of OSX/Conduit.A and that none of those components are a threat to your computer, just leftover files taking up a tiny amount of space. I can't really tell from what you posted exactly where those files were found by Virus Barrier and without examining the files for myself and knowing where they were, nobody here can be absolutely certain of that.

Malwarebytes only scans places where active components of current malware are known to be installed looking for active components, thus saving you a lot of time and computer use by not bothering to scan your entire drive looking for files that cannot, by themselves, do any harm to your computer. In other words, it's more efficient than traditional AV scanners.

I can't tell you where Malwarebytes scans because I don't know, it's proprietary information and knowing that information would only assist malware developers in knowing how to avoid detection. Just know that it looks everywhere that current active components of malware are known to exist.

 


The scan engine in Malwarebytes is dynamic.  The Research team controls the scan locations for the default scan, selecting all the places threats are known to hide/install themselves along with all the usual places a scan should check such as all running processes and threads loaded into memory, all system startup locations and loading points, and the Malwarebytes Research team can also modify the locations scanned by pushing out database updates (such changes do not require a new version of the software) so that whenever a new location is discovered to be used by threats, they will be able to adapt to it quickly.

EDIT: Please refer to the post from alvarnell in response to this one.

Edited by exile360
Corrected info


I believe I read that the Mac version does not check running processes, nor do I believe it checks threads loaded into memory at this time. The latter is something that was just recently found to be possible without being downloaded to disk.


Ah, thanks for the correction, alvarnell.  I thought the Mac version shared those features with the Windows version.


I'd be curious to find out where those files were located and what kind of files they were. Do you have that info?

Certainly, the Info.plist file is not something we would detect directly, as it is just an informational file and would not actually be a threat. I can't say what the two ct_scripting files are, there's nothing by that particular name on VirusTotal.

13 minutes ago, treed said:

I'd be curious to find out where those files were located and what kind of files they were. Do you have that info?

Certainly, the Info.plist file is not something we would detect directly, as it is just an informational file and would not actually be a threat. I can't say what the two ct_scripting files are, there's nothing by that particular name on VirusTotal.

 

I think they were in Mac HD > Library folder... I deleted the files before I decided I wanted a closer look at them. 🙄 They could have been there for a long time, or installed recently... I have no idea. Malwarebytes has never alerted me about them.


Bummer. Without more info, I can't say much about those, other than to say that the Info.plist file is an odd thing to detect. I don't suppose you have a backup you could pull the ct_scripting files out of?


I checked the backups, no luck. I could use TechTool Pro to see if I can restore the file that was deleted, if it's not been overwritten.
