This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Trojan Horse Infection Almost Daily [False Alarm]

waikala
waikala
in Mac
Hi

I'm running Safari 5.1 and using MacKeeper for security. Almost every day, I find that my 1Password Cache is infected with a Trojan Horse virus.



I have three questions.



1. Does this mean that I have to change all my passwords each time this happens? and

2. Why is this file so vulnerable?

3. What can be done, whether on your end or mine to prevent this from happening? I like this extension and I want to keep using it. But not at the expense of security, which it is supposed to be all about.
Flag

Comments

  • samdix
    samdix
    Really, I didn't know it was this system was so vulnerable, that's scary. Is there any response to this question? I really want to know. Thanks
    Flag
  • waikala
    waikala
    I too am shocked. It is literally the ONLY vulnerable file on my computer.
    Flag
  • roustem
    roustem AgileBits Founder
    There is no executable code in the cache file, it cannot get infected.



    My guess is that something is wrong with the virus signature matching in MacKeeper.
    Flag
  • waikala
    waikala
    I like the sound of that. but being a long-time mac user, who was always told, "Viruses can't get you!" I get terrified when I see the words,"Trojan Horse" on my screen. Once they are in to the cache, can't they just collect my passwords and the urls they go to? Sorry if this is a total noob question.
    Flag
  • TunaMaxx
    TunaMaxx
    Does 1Password continue to work even after the (probably) false alert? If so, then I'd imagine it is just that... a false alarm. If the cache file was infected I have a hard time seeing how 1Passwordcould continue to use it.
    Flag
  • F451
    F451 Pretzel Logistician
    edited August 2011
    [quote name='waikala' timestamp='1314416932' post='42719']

    I like the sound of that. but being a long-time mac user, who was always told, "Viruses can't get you!" I get terrified when I see the words,"Trojan Horse" on my screen. Once they are in to the cache, can't they just collect my passwords and the urls they go to? Sorry if this is a total noob question.

    [/quote]

    There was a time when Macs were hit hot hard, and Norton AntiVirus (when Peter Norton still owned Norton) ruled the roost, so you must not have been around as long as I have <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/wink.png' class='bbc_emoticon' alt=';)' /> . Currently, I run Intego Virus Barrier X6 and find nothing regarding 1Password. Apple propagates the misnomer that Macs are safe from viruses (in a perfect world—maybe). Nothing is safe, and it takes a concerted effort on the user's part in being vigilant about keeping an eye out for suspicious computer activity, and what [i]you[/i] allow on your Mac. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/emoticon-0165-bandit.gif' class='bbc_emoticon' alt='(bandit)' />
    Flag
  • waikala
    waikala
    [quote name='F451' timestamp='1314456344' post='42807']

    There was a time when Macs were hit hot hard, and Norton AntiVirus (when Peter Norton still owned Norton) ruled the roost, so you must not have been around as long as I have <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/wink.png' class='bbc_emoticon' alt=';)' /> . Currently, I run Intego Virus Barrier X6 and find nothing regarding 1Password. Apple propagates the misnomer that Macs are safe from viruses (in a perfect world—maybe). Nothing is safe, and it takes a concerted effort on the user's part in being vigilant about keeping an eye out for suspicious computer activity, and what [i]you[/i] allow on your Mac. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/emoticon-0165-bandit.gif' class='bbc_emoticon' alt='(bandit)' />

    [/quote]



    Yup. Been around a long time, but still learning. Will check out Virus Barrier. Many thanks.
    Flag
  • waikala
    waikala
    [quote name='TunaMaxx' timestamp='1314422960' post='42746']

    Does 1Password continue to work even after the (probably) false alert? If so, then I'd imagine it is just that... a false alarm. If the cache file was infected I have a hard time seeing how 1Passwordcould continue to use it.

    [/quote]



    Yes, it continues to work. So I guess there's no problem?
    Flag
  • brenty
    brenty
    Hey guys! Sorry for the trouble. Although I am not certain exactly which file(s) are being reported by MacKeeper as a trojan, I can only speculate that it may be related to [url="http://forum.agilebits.com/index.php?/topic/6995-mackeeper-reporting-false-positive-for-firefox-6-extension/"]a similar issue reported for our new Firefox 6 extension[/url] (which is based on the same code as our Safari 5.1 extension).



    While I am confident that we are not shipping malware in our products, I believe it is also important that I point out that our browser extensions are now running sandboxed, which means that they are not directly executing code at the system level. This is great for stability and avoiding conflicts, but also ensures the security of each process -- and that of your system as a whole.



    If anyone can provide more specifics on what MacKeeper is reporting, we will be happy to get in touch with them to get this straightened out. Thanks for bringing this to our attention. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
    Flag
  • waikala
    waikala
    [quote name='brenty' timestamp='1314493394' post='42893']

    Hey guys! Sorry for the trouble. Although I am not certain exactly which file(s) are being reported by MacKeeper as a trojan, I can only speculate that it may be related to [url="http://forum.agilebits.com/index.php?/topic/6995-mackeeper-reporting-false-positive-for-firefox-6-extension/"]a similar issue reported for our new Firefox 6 extension[/url] (which is based on the same code as our Safari 5.1 extension).



    While I am confident that we are not shipping malware in our products, I believe it is also important that I point out that our browser extensions are now running sandboxed, which means that they are not directly executing code at the system level. This is great for stability and avoiding conflicts, but also ensures the security of each process -- and that of your system as a whole.



    If anyone can provide more specifics on what MacKeeper is reporting, we will be happy to get in touch with them to get this straightened out. Thanks for bringing this to our attention. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

    [/quote]



    This is what I get: Trojan in /Users/lolouila/Library/Caches/com.apple.Safari/Extensions/1Password.safariextension/data/src/sjcl.js

    Does that help?
    Flag
  • Ben
    Ben AWS Team
    [quote name='waikala' timestamp='1314570846' post='43013']



    This is what I get: Trojan in /Users/lolouila/Library/Caches/com.apple.Safari/Extensions/1Password.safariextension/data/src/sjcl.js

    Does that help?

    [/quote]



    Yep, it's a false alarm. Thanks for reporting it. We've already reported the error on MacKeeper's part to them and are waiting for them to fix it. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
    Flag
  • waikala
    waikala
    [quote name='bwoodruff' timestamp='1314578422' post='43032']



    Yep, it's a false alarm. Thanks for reporting it. We've already reported the error on MacKeeper's part to them and are waiting for them to fix it. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

    [/quote]



    YAY! Thank you. *sigh of relief*
    Flag
  • brenty
    brenty
    Indeed. Hopefully they can avoid this in the future. Nothing worse than that kind of scare...well, except for an actual trojan. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/blink.png' class='bbc_emoticon' alt=':blink:' />
    Flag
  • Omen
    Omen Junior Member
    Sometimes these virus programs are like Chicken Little who cried "the sky is falling" one too many times. Common sense is the most important trojan protection you can have <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
    Flag
  • [Deleted User]
    [Deleted User]
    Couldn't agree more Omen, the best form of defence in the online world today is common sense. Be careful where you download files from, don't click 'Hey look at these pics, lol' links in Facebook or other social networks and if you feel the need run a good anti-virus solution.



    If you don't want a anti-virus app that can potentially slow down your system then I'd personally recommend [url="http://www.clamxav.com/"]ClamXav[/url] which is free and should help keep your system free of bugs, which at the moment is more of a courtesy to your Windows friends, there are nowhere near the number of 'in the wild' exploits for OS X than there are for Windows, though when there is a new one found it tends to make the news because of the general claim that Macs are more secure.
    Flag