Cautionary tale about antivirus software

In the process of troubleshooting an issue of two different customers with very little in common (different countries, different web hosts, different macOS versions, different different project files), after much head scratching, we found something unexpected and surprising.

The symptom was the site was rather broken (missing images mainly). Upon digging a bit more we found that a supporting Javascript file (jquery.xxxx.js) was badly mangled. Specifically the first 64K bytes of the original file were at the end of the server file, with the rest at the beginning.

We ran through many hypothesis:

• a server cache issue of some kind
• a broken Sparkle.app
• a broken file transfer library in Sparkle 3.1
• a broken FTP server

After running around this for days it finally clicked.

• both customers were using unencrypted FTP to their web host
• unencrypted FTP can be intercepted and the contents can be modified
• some types of malware presumably intercept and upload malware by modifying javascript on the fly (I’m not a security expert so I don’t know how many)
• for that reason antivirus software intercepts all outgoing FTP traffic and checks it for malware
• if antivirus software has bugs, it will affect anything you transfer to your server

As it turns out both customers had Norton 360 installed, and a quick check by deactivating it solved all publishing issues.

I personally don’t use antivirus software, but I also don’t download stuff from questionable places and don’t have a big corporation imposing an antivirus as a policy on me.

My suggestion is not to uninstall or disable antivirus software if you can’t, rather to ensure that the connection from Sparkle to your server is encrypted, either SFTP or FTP with TLS. This prevents antivirus software from snooping into and corrupting your transfers.

Sparkle does warn you about using an insecure FTP connections, it’s a more serious issue than it seems!

This problem wasted many engineering hours that we’ll never get back, for a bug we didn’t create and we have no way to fix, I find this kind of antivirus behavior to be inexcusable.

O Wow! Who would have thought!

Thanks heaps for the heads up and explaining how this can be avoided!

I decided years ago that Norton was the worst virus I had on my Mac

Maybe it’s the Anti-virus companys you should be informing about this issue.

I am only used the SPARKLE FTP, please tell me if he his encrypted?
Because I am also using NORTON 360, is there a possible issue with this set-up? Should I unload Norton?

Thanks!

Sparkle can use FTP in encrypted and unencrypted forms, so it depends how you set it up. If you don’t remember you can go to the site settings, publishing section, click on the publish location, click “Edit”, then when you get to the screen with the FTP protocol you can check what protocol was used.

Sparkle picks the highest security protocol available, so it depends on what your web host supports. Sometimes it’s SFTP (best), often it’s FTP with TLS (also encrypted), sometimes plain unencrypted FTP. If it turns out you are using unencrypted FTP, turning off Norton 360 will be necessary to publish the site properly.

I could give you a very technical and deep explanation on this, but the short version is:
Unless you go to porn or gaming sites on your Mac the chances of getting a virus is **nearly non-existent.

Any kind of anti-virus software whether it’s Norton, Avast or even Malwarebytes (which by comparison to Norton has a small footprint and low data overhead) always slows down the system and with Catalina and Big Sur always tries to compete for control with Apple SIP (system integrity protection) and the new T2 chip. (gee, that sounds more like something from The Terminator - hahaha)

Mac OS has built-in malware definitions that SIP and other core apps use to scan apps and documents as they are installed or created. These definitions are installed with OS Security updates (and why they’re so important to keep up to date.)

Bottom line, get rid of any antivirus. If you’re fearful of something that might be not nice living on your system you can download the free version of Malwarebytes and do a scan manually. That way it’s not always running in the background, stealing system resources and being a nuisance.

My 2 cents…

PS: If you ever need to completely delete a bad player living on your system or, want to delete an app and make sure you get all of it’s hidden elements, use the free app, “AppCleaner” from FreeMacSoft.

https://freemacsoft.net/appcleaner/

I agree. In all the years I’ve been using Macs, I’ve never had a virus - maybe one or two bits of Malware, but nothing serious. A few years back, I purchased an app called “Clean My Mac”. This is a non-obtrusive utility that has real-time malware protection and generally keeps macs running smoothly and efficiently. It will notify you periodically if it feels you need to optimise your Mac and rids it of junk files and left over remnants of deleted apps. Scans take a few minutes through a simple user interface. It doesn’t interfere with ftp uploads and causes no interference to any of your Mac applications. It’s light-weight, no-subscriptions and can be removed from your Mac just like any other app - no special utilities needed.

While I generally agree, CleanMyMac’s feature to remove localizations from applications is what caused a widespread Sparkle issue, with Sparkle not being able to open project files in some cases. A bug in our code to be sure, but messing with app internals is not nice behavior.

So, what is a virus anyway? It’s not magic, it has to do with the way files are stored on disk. When you allocate a file on disk, you get many chunks of space over and over. Even if you store one byte, you get the whole chunk (usually 3 x 512K bytes.) The file length is called the logical extent, and the amount allocated on the disk is the physical extent. In the beginning, UNIX grew up in a memory poor computer, with physical rings (cores) wound with wire. The UNIX developers did not want to waste memory, so they added the length of the executable in the header. When the computer reads in a UNIX exe, you do get the physical extent, the excess beyond the logical extent is discarded and the program is run. Roll forward. Windows grew up in a memory rich environment, so the length of the executable was omitted from the header. The exe file is read in, and the file all the way to the physical extent is send to the loader. There is some space left over at the end, but who cares?

Ahhh… Turns out, it’s pretty easy to confuse the loader into thinking is more than one program coming in. One stream of ones and zeroes, but two programs. This is called a “cavitation virus”. When you run an “antivirus”, what it is actually doing is reading each physical file from the end backward, trying to pattern match and detect this second program. Since UNIXen keep the length in the header, which is protected with other memory tricks (CRC), it’s amazing hard to trick a UNIX loader into running a second program without making it fail redundancy check.

That’s all it is.

I hate anti-virus programs as they generally make a mess without giving a return in security improvement. Back in my days fixing PCs (UGH!), they were always the first suspect for any problem and usually slowed the PC while failing to detect the incoming malware. For example, the fake invoices that get sent as attachments in many spam emails tend to be zero-day MS Office macro viruses NONE of which will be detectable by any of the mainstream detectors until enough time has passed for updates to be released. Try submitting one to VirusTotal when you first receive it and see how few detectors flag it.

However, Macs CAN get malware infections, usually if the user does something unwise. Patrick Wardle (https://objective-see.com/) has done extensive work on the subject and his tools are the only ones I trust. They protect without putting undue loading on the machine and I recommend them highly.

Yes, after reading Duncan’s “Cautionary tale about antivirus software” specifically the section about posting site with “Unencrypted FTP”. My problem was solved by switching to “FTP with TLS”.

sparkle-problem-solved1472×1304 141 KB

Another reason to never ever use Norton 360: