Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Snapdragon
Newbie
Posts: 13
Joined: September 5th, 2020, 11:10 am

Post by Snapdragon »

I suspect what's happening is a false positive detection, but wanted to check to see if this is happening with anyone else.
  • Using ClamXAV 3.9.1
  • Using SABnzbd 4.5.3
1.) Updated SABnzbd to 4.5.3 on 25 August.
2.) Scheduled full scan ran on boot drive on Tuesday, 26 August with definition version 1.4.1_update_06 2380.2443. Nothing was detected.
3.) Scheduled full scan ran on boot drive on Tuesday, 2 September with definition version 1.4.1_update_06 2382.2445. Detected SABnzbd.app as Trojan.OSX.Generic. (That's as detailed as the scan report gets.)

I only mentioned the definitions version because that's the only thing between the two programs that changed between the two scans. This suggests to me that either the definitions improved and this is a valid detection, or the definitions changed such that it's now detecting something within the app as a false positive. I strongly suspect the latter.

I've already reached out to ClamXAV and provided a link to the SABnzbd Mac download page for them to check the file (today, I re-downloaded the 4.5.3 DMG file for Mac, and when I tried mounting the disk image, the QuickScan detected the same thing; couldn't be quarantined because it was on the disk image). However, I have no idea when I'll hear from them.

I tried looking around the SABnzbd site and the forums to see if there was any note about the packages being checked for malware before release. (I tried looking around the site and I couldn't find anything.) Mind you, I've been using SABnzbd for years, and I have no reason not to trust it, but if I could find such a note, I would feel better about releasing the app from quarantine.

Thanks in advance,
sandra
safihre
Administrator
Posts: 5678
Joined: April 30th, 2015, 7:35 am

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by safihre »

You can always upload it virustotal and see what they think.
You can see the code and whole build process on Github, everything is open source and nothing is manual.

But, usually these things resolve within a few days. So if you wait a week, I think it will be fine.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Snapdragon
Newbie
Posts: 13
Joined: September 5th, 2020, 11:10 am

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by Snapdragon »

Thanks a bunch—I'll try that!

(I wouldn't know what I was looking at, to be honest, looking at code.)

ETA: Well, with VirusTotal there's a size limit of 3MB, the app reads as a folder, and you can only scan one file at a time. I tried uploading a ZIP file; it's still too big, and again there are multiple files within it. I'll try to find an alternate way to scan it.
Snapdragon
Newbie
Posts: 13
Joined: September 5th, 2020, 11:10 am

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by Snapdragon »

OK, I was able to drop the zip file onto https://metadefender.com/ and this is what came up:

Engine Name: IKARUS
Verdict: Trojan.Generic.MalwareX

The path is SABnzbd.app/Contents/MacOS/SABnzbd

Here's a screenshot that I took of the results.

ETA: Never mind on that edit. There is an AV scan engine called IKARUS. Is that what this is? I'm very confused, lol
sander
Release Testers
Posts: 9429
Joined: January 22nd, 2008, 2:22 pm

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by sander »

> I'm very confused, lol

Indeed.

Read https://sabnzbd.org/wiki/faq#virusscanners

But maybe easier for you and better for your peace of mind to follow Safihre's advice "So if you wait a week, I think it will be fine."

So back to SABnzbd 4.5.2, and try again in a week or month or so.
Snapdragon
Newbie
Posts: 13
Joined: September 5th, 2020, 11:10 am

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by Snapdragon »

Just curious what the IKARUS engine in SABnzbd does, if anyone can tell me. Search results bring up the virus scanning engine. If that's what it is, then I won't worry anymore.

I did read the info at that link. Never had a problem scanning in the past. I used to work in virus removal for a big security software company, so I'm extra cautious about this sort of thing.

Thanks for your continued guidance. I really appreciate it. ☺️
Snapdragon
Newbie
Posts: 13
Joined: September 5th, 2020, 11:10 am

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by Snapdragon »

Sorry—looks like I misinterpreted the prior results, and the detection itself was made by the Ikarus engine; it isn't what was detected. My bad! :-\

Should have done this right away, but things have been busy. I dropped the file SABnzbd.app/Contents/MacOS/SABnzbd itself into VirusTotal. 5 of 64 vendors flagged this file.
Hash: 64db6bd5af3600dc0182766c874a072ac3f22e1ce05b5776ba15e3aa33b90bb5

Fortinet: Possible Threat
Google: Detected
Microsoft: Trojan:MacOS/Multiverze!rfn
GData: OSX.Trojan.Agent.JUKPNI
Ikarus: Trojan.Generic.MalwareX

I'll continue to monitor.

Here's a link to those scan results.
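The two problems hit earlier in this thread (VirusTotal will not take the whole .app because it is a folder, and the upload size limit) and the workaround used above (submit only Contents/MacOS/SABnzbd and post its SHA-256) can be turned into a repeatable check. The script below is an added example, not SABnzbd project code. It reads CFBundleExecutable from the bundle's Info.plist to find the main binary, hashes every Mach-O file in the bundle, builds the VirusTotal report URL for each hash (a hash lookup needs no upload, so neither the folder nor the size limit applies), and tells you whether any file matches a hash someone else posted. The Demo.app it builds is constructed for offline use; its "binaries" are only Mach-O and fat magic bytes plus padding, and the posted hash is the one quoted in this thread.

```python
"""Hash the Mach-O binaries inside a macOS .app bundle and build VirusTotal
hash-lookup URLs, so the main executable can be checked without uploading it.

Added example, not SABnzbd project code. Assumes the standard bundle layout:
Contents/Info.plist names the main binary (CFBundleExecutable), which lives
in Contents/MacOS/.
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Mach-O magic numbers as they appear on disk: thin 32-bit, thin 64-bit and
# universal ("fat") headers, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 (64-bit)
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC (universal)
}

# SHA-256 of SABnzbd.app/Contents/MacOS/SABnzbd as posted in this thread.
POSTED_SHA256 = "64db6bd5af3600dc0182766c874a072ac3f22e1ce05b5776ba15e3aa33b90bb5"


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256; app binaries can be large."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_macho(path: Path) -> bool:
    """True if the file starts with a Mach-O or fat header."""
    with path.open("rb") as f:
        return f.read(4) in MACHO_MAGICS


def main_executable(app: Path) -> Path:
    """Path of the bundle's main binary, as named by CFBundleExecutable."""
    with (app / "Contents" / "Info.plist").open("rb") as f:
        info = plistlib.load(f)
    return app / "Contents" / "MacOS" / info["CFBundleExecutable"]


def inventory(app: Path) -> dict:
    """Map bundle-relative path -> SHA-256 for every Mach-O file in the bundle.
    Symlinks are skipped so each file is hashed once, under its real name."""
    return {
        p.relative_to(app).as_posix(): sha256_of(p)
        for p in sorted(app.rglob("*"))
        if p.is_file() and not p.is_symlink() and is_macho(p)
    }


def vt_lookup_url(sha256_hex: str) -> str:
    """VirusTotal report page for a hash. This is a lookup, not an upload,
    so bundle folders and upload size limits do not get in the way."""
    return "https://www.virustotal.com/gui/file/" + sha256_hex.lower()


def matches_posted(inv: dict, posted: str) -> list:
    """Bundle files whose hash equals one reported elsewhere (e.g. in a forum post)."""
    return [rel for rel, digest in inv.items() if digest == posted.lower()]


def build_demo_bundle(root: Path) -> Path:
    """Write a constructed, minimal .app layout for offline demonstration.
    The 'binaries' are just Mach-O/fat magic bytes plus padding, not real code."""
    app = root / "Demo.app"
    for sub in ("MacOS", "Frameworks", "Resources"):
        (app / "Contents" / sub).mkdir(parents=True)
    with (app / "Contents" / "Info.plist").open("wb") as f:
        plistlib.dump({"CFBundleExecutable": "Demo",
                       "CFBundleIdentifier": "example.demo"}, f)
    (app / "Contents" / "MacOS" / "Demo").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 60)
    (app / "Contents" / "Frameworks" / "libhelper.dylib").write_bytes(b"\xca\xfe\xba\xbe" + b"\0" * 28)
    (app / "Contents" / "Resources" / "sample.txt").write_bytes(b"abc")  # not Mach-O, must be skipped
    return app


def demo() -> dict:
    """Run the whole check against the constructed bundle and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_bundle(Path(tmp))
        inv = inventory(app)
        main_rel = main_executable(app).relative_to(app).as_posix()
        return {
            "inventory": inv,
            "main": main_rel,
            "main_url": vt_lookup_url(inv[main_rel]),
            "matches_posted": matches_posted(inv, POSTED_SHA256),
            "matches_self": matches_posted(inv, inv[main_rel]),
            "text_digest": sha256_of(app / "Contents" / "Resources" / "sample.txt"),
        }


if __name__ == "__main__":
    r = demo()
    print("main executable:", r["main"])
    for rel, digest in r["inventory"].items():
        print(f"{digest}  {rel}\n    {vt_lookup_url(digest)}")
    print("files matching the posted hash:", r["matches_posted"] or "none")
```

For a real bundle, call `inventory(Path("/Applications/SABnzbd.app"))` and open the URL for the main executable's hash; if VirusTotal already has a report for that hash you get the per-engine verdicts without uploading anything, and you can compare your hash with one quoted by another user to confirm you both have the same file. The hash answers "is this the same binary others see?", not "is it genuine?"; on macOS, `codesign --verify --deep --strict /Applications/SABnzbd.app` and `spctl --assess --type execute /Applications/SABnzbd.app` check the developer signature and notarization, which is the stronger evidence that the file is the one the project shipped.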
Snapdragon
Newbie
Posts: 13
Joined: September 5th, 2020, 11:10 am

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by Snapdragon »

The false positive seems to have been confirmed. Scanning the download today with updated definitions, the file's no longer detected as a trojan.

Thanks again. I appreciate the feedback and guidance. I know I sounded overly paranoid, but I work in a cybersecurity-related field, so I try never to work on assumptions 8)
sander
Release Testers
Posts: 9429
Joined: January 22nd, 2008, 2:22 pm

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by sander »

> I work in a cybersecurity-related field, so I try never to work on assumptions

So ... how does ClamXAV benchmark in your opinion / scorebook?

False Positives (and False Negatives) ... I wouldn't like such an AV-scanner provider
Snapdragon
Newbie
Posts: 13
Joined: September 5th, 2020, 11:10 am

Re: Possible / probable false positive Trojan.OSX.Generic detection on SABnzbd.app

Post by Snapdragon »

sander wrote: September 10th, 2025, 1:39 pm
> > I work in a cybersecurity-related field, so I try never to work on assumptions
>
> So ... how does ClamXAV benchmark in your opinion / scorebook?
>
> False Positives (and False Negatives) ... I wouldn't like such an AV-scanner provider

This is the first time I've ever encountered a false positive with it since I first started using it in 2021. I have never had it miss a bad file (I suppose I should add the caveat "that I know of," but it has picked up threats on folders shared with a Windows machine). I've been pretty happy with it so far.