False detection: LaunchAgent


I have a LaunchAgent that runs an osascript command every minute to launch Dropbox (in case it crashes). That was detected as suspicious code by Malwarebytes.

The reason for using osascript is that then Dropbox will be launched even if I (accidentally) quit Dropbox. With a regular launchAgent an application will be restarted only after a crash.

This was just a report, not a question to the forum.


  • Staff

Frankly, that's quite suspicious behavior, from a security-related perspective. Embedding executable code inside a launchd plist is something mostly seen with malware, and there's actual malware out there that is using this technique with osascript.

We don't really want to remove or alter the rule that is detecting this file, as that could leave our users not as well protected. Unfortunately, that's complicated by the fact that we don't yet have an Allow List in Malwarebytes for Mac.

What I would advise is to change this launch agent a bit. Move the script into a Script Editor file, and save it as an application. Then, change the launch agent to launch the executable inside that application, rather than running the script via osascript.


I totally agree. This is how malware could work, so it should be warned for. Changing the plist to launch an applet instead could be a solution for me - or I could just ignore that specific warning.
However, you should really work on an allow list for the Mac.
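
The pattern discussed in this thread, as an added example that is not part of the original posts and is not Malwarebytes' actual detection rule: a small check that parses a launchd plist and reports script text embedded in the job's arguments, run against the inline osascript form and the applet form the staff reply recommends. The label, the AppleScript text, the `KeepDropbox.app` path and the interpreter list are constructed assumptions.

```python
import plistlib

# Interpreters that accept program text as an argument, and the flag that
# introduces it. This list is an assumption for the example, not a vendor rule.
INLINE_FLAGS = {"osascript": "-e", "sh": "-c", "bash": "-c", "zsh": "-c",
                "python3": "-c", "perl": "-e", "ruby": "-e"}


def inline_code_findings(plist_bytes):
    """Return (interpreter, code) pairs for script text embedded in a launchd job."""
    job = plistlib.loads(plist_bytes)
    # Fall back to Program when ProgramArguments is absent or empty.
    args = [str(a) for a in job.get("ProgramArguments") or [job.get("Program", "")]]
    flag = INLINE_FLAGS.get(args[0].rsplit("/", 1)[-1])
    if flag is None:
        return []  # not an interpreter we track, e.g. an applet executable
    # Every occurrence of the flag that is followed by another argument.
    return [(args[0], args[i + 1])
            for i in range(1, len(args) - 1) if args[i] == flag]


def make_agent(label, argv):
    """Build a constructed LaunchAgent plist that fires every 60 seconds."""
    return plistlib.dumps({"Label": label, "ProgramArguments": argv,
                           "StartInterval": 60})


# Constructed sample: script text embedded directly in the plist.
INLINE_AGENT = make_agent(
    "local.keepdropbox",
    ["/usr/bin/osascript", "-e", 'tell application "Dropbox" to launch'])

# Constructed sample: the same job pointing at the executable inside a
# Script Editor application (hypothetical path).
APPLET_AGENT = make_agent(
    "local.keepdropbox",
    ["/Applications/KeepDropbox.app/Contents/MacOS/applet"])

if __name__ == "__main__":
    for name, data in (("inline", INLINE_AGENT), ("applet", APPLET_AGENT)):
        print(name, inline_code_findings(data))
```
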
