False positive with Adobe Flash Player

I just downloaded Adobe Flash Player 11 Installer from Adobe's site. Sophos flagged it as a trojan. I really, really, REALLY doubt that Adobe is hosting malware.



  • To answer your last question first: Do you have "Open 'safe' files after downloading" disabled? If so, you're fine, nothing executed. If not, you're fine as long as you never clicked install for the fake Adobe installer window...

    As for the others, try going to Terminal.app, typing mdls and dragging the file to the command line. Then press return, and check the *actual* date stamps associated with the file. Not only will you get the date created and modified listed in the Finder, you'll also get date added, date content last changed, and date created on your system. Check the link to the Flashback description in this thread to find out more.

    It's possible that you picked up a copy of the trojan that wasn't detected by Sophos, and then we updated the detection to catch it after the fact.

    While in Terminal, type "grep DYLD_INSERT_LIBRARIES ~/.MacOSX/environment.plist /Applications/*/Contents/Info.plist" -- if the response contains a line that says something like <key>DYLD_INSERT_LIBRARIES</key> then you are likely infected. If you just get "environment.plist: No such file or directory," then you're clean. Also, if you're running Little Snitch, you're likely clean as the trojan detects this when it's installed and deletes itself.

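The grep check from the reply above, wrapped in a small POSIX shell script so it can be re-run or dropped into a scheduled scan. This is an added example, not code from the thread or from Sophos. The real paths (`~/.MacOSX/environment.plist` and `/Applications/*/Contents/Info.plist`) are the ones the reply names; the two sample `Info.plist` files are constructed here so the script can be exercised on any system, and placing the key under an `LSEnvironment` dictionary is an assumption about where such an entry would sit in an application's plist. The `mdls` step is macOS-only and is left as a commented command rather than run.

```shell
#!/bin/sh
# Added example: reusable version of the DYLD_INSERT_LIBRARIES check from the reply.

# scan_for_dyld_insert FILE...: print each plist that contains a
# <key>DYLD_INSERT_LIBRARIES</key> entry. Returns 0 if at least one file
# matched, 1 if none did. Missing files (the normal case for
# ~/.MacOSX/environment.plist on a clean machine) are skipped silently.
scan_for_dyld_insert() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$f"; then
            printf 'suspicious: %s\n' "$f"
            found=0
        fi
    done
    return $found
}

# On a Mac, the reply's exact check is:
#   scan_for_dyld_insert "$HOME/.MacOSX/environment.plist" /Applications/*/Contents/Info.plist
# and the date stamps the reply mentions come from Spotlight metadata, e.g.:
#   mdls -name kMDItemDateAdded -name kMDItemContentModificationDate -name kMDItemFSCreationDate "$file"

# make_fixture: build two constructed sample apps in a temp dir, one clean and
# one carrying the indicator, and print the directory path. Sample data only.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Clean.app/Contents" "$dir/Hijacked.app/Contents"
    cat > "$dir/Clean.app/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.clean</string>
</dict>
</plist>
EOF
    # Assumed layout: the key sits inside an LSEnvironment dictionary; the
    # library path is a placeholder, not a real indicator.
    cat > "$dir/Hijacked.app/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.hijacked</string>
    <key>LSEnvironment</key>
    <dict>
        <key>DYLD_INSERT_LIBRARIES</key>
        <string>/PLACEHOLDER/injected.dylib</string>
    </dict>
</dict>
</plist>
EOF
    printf '%s\n' "$dir"
}

# Demo run against the constructed fixture; swap in the real paths above on a Mac.
fixture=$(make_fixture)
scan_for_dyld_insert "$fixture"/*/Contents/Info.plist || echo "no DYLD_INSERT_LIBRARIES keys found"
rm -rf "$fixture"
```

The function reports the file, not just a yes/no, so a hit can be followed up with `mdls` on that exact bundle to compare the dates the Finder shows against the date added and content-changed stamps.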