False detection: LaunchAgent

[Jorst]

I have a LaunchAgent that runs an osascript command every minute to launch Dropbox (in case it chrashes). That was detected as suspicious code by Malware bytes.

The reason for using osascript is that then Dropbox will be launched even if I (accidentally) quit Dropbox. With a regular launchAgent an application will be restarted only after a crash.

This was just a report, not a question to the forum.

[cli]

Can you provide logs or the file that was detected? Thanks.

[Jorst]

Sure. Hera is the launchAgent.

 

KeepDropboxAlive.zip

[treed]

Frankly, that's quite suspicious behavior, from a security-related perspective. Embedding executable code inside a launchd plist is something mostly seen with malware, and there's actual malware out there that is using this technique with osascript.

We don't really want to remove or alter the rule that is detecting this file, as that could leave our users not as well protected. Unfortunately, that's complicated by the fact that we don't yet have an Allow List in Malwarebytes for Mac.

What I would advise is to change this launch agent a bit. Move the script into a Script Editor file, and save it as an application. Then, change the launch agent to launch the executable inside that application, rather than running the script via osascript.

[Jorst]

I totally agree. This is how malware could work, so it should be warned for.  Changing the plist to launch an applet instead could be a solution for me - or I could just ignore that specific warning.
However you should really work on an allow list for the Mac. 

[treed]

9 minutes ago, Jorst said:

However you should really work on an allow list for the Mac. 

It is in progress right now.