To jump from having a single false positive to the conclusion that a widely known security vendor are "liars" is paranoia, pure and simple.
In case you missed it, I did not jump to any conclusions. I am trying to find reasonable explanations. Like it or not, lying is one of them.
Quote:
Originally Posted by ddarko
What I'm still waiting for is an explanation of HOW the methodology is flawed
I do not have the technical knowledge to find out how and why, I can only report what I saw. And what I saw seriously questions their approach. Wrong methodology is the other possible explanation.
Quote:
Originally Posted by ddarko
If you have any explanation why this doesn't work - one that doesn't resort to charges of lying, which doesn't actually rebut or undermine the methodology but only attacks the integrity of the researchers - I am very curious to hear it.
Again, instead of making an effort to enlighten me as to what explanations we could give, except the obvious ones that I stated before, you try to discredit my findings by turning the attention to the technical aspects no one here could ever know. Nice try! But the big question mark remains: what is behind this?
Here's some: (1) you entered your UUID incorrectly; (2) the tools and instructions from F-Secure and Symantec are wrong, you are infected; (3) it's just a plain old false positive, i.e. an error by Kaspersky's online tool.
OK, this is what I wanted to see. Yes, it may be an error of the online tool. But then they should retire it until it runs correctly. Same goes to f-secure and Symantec if their tools do not work correctly. Also, I disabled Java two years ago, so no, I am not infected.
In case you missed it, I did not jump to any conclusions. I am trying to find reasonable explanations. Like it or not, lying is one of them.
It's not a live check. They are matching your UUID against their database of records of contacts to their server.
- your computer was infected and sent a contact to their server
- they set up an online tool to verify if your UUID is in their database
- if it finds your UUID, it will tell you that you are infected
All the tool means is that at some point in time, your machine contacted them. They may only check against the original database.
You should also check you don't have the other payload someone noted on the forum about the .rserv file. In the terminal, type:
ls -a ~/
If you see a file called .rserv, you still have an executable contacting their servers. There will also be a launchagent called ~/Library/Launchagents/com.adobe.reader.plist, which is used to run it.
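As an added example (not from the thread or any vendor tool), a small POSIX shell function that performs the two checks Marvin describes in one go. It takes the home directory to inspect as an argument, so the same check can be run against a mounted Time Machine backup; the directory name LaunchAgents is macOS's own spelling of the path given above.

```shell
#!/bin/sh
# Added example, not from the thread. Looks for the two Flashback indicators
# named above: the hidden ~/.rserv executable and the
# ~/Library/LaunchAgents/com.adobe.reader.plist launch agent that runs it.
# Argument 1: home directory to inspect (defaults to $HOME, so a mounted
# backup can be passed instead). Prints each result and returns 0 when
# nothing is found, 1 when at least one indicator is present.
check_flashback_indicators() {
  home="${1:-$HOME}"
  found=0
  for ioc in "$home/.rserv" "$home/Library/LaunchAgents/com.adobe.reader.plist"; do
    if [ -e "$ioc" ]; then
      printf 'FOUND:  %s\n' "$ioc"
      found=1
      # For the plist, show the program it launches so the executable it
      # points at can be located and removed along with it.
      case "$ioc" in
        *.plist) grep -i -A1 'Program' "$ioc" 2>/dev/null | sed 's/^/    /' ;;
      esac
    else
      printf 'absent: %s\n' "$ioc"
    fi
  done
  return "$found"
}

# Run directly with a path argument, e.g. ./check.sh /Volumes/Backup/Users/me
if [ -n "$1" ]; then
  check_flashback_indicators "$1"
fi
```

A clean result only says these two files are absent now; as the post above explains, the Kaspersky lookup records a past contact and is not changed by removing them.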
@ Marvin: Thank you for the input; thoughtful and focused as always.
I understand that this is not a system scan but a simple database check, otherwise it would not ask the UUID.
Also, I checked everything you suggested, even for the ~/Library/Preferences/Preferences.dylib used by old versions of Flashback, just in case, and I came out clean. I even checked my Time Machine backups for older traces of .rserv etc., in case I forgot something, but nothing.
I run Little Snitch and Java has been disabled for at least 2 years now. The fact that Kaspersky's online tool flags my Mac as infected is still a big mystery to me. But considering what an AI user said here, probably it should not be.
Anyone else willing to risk a guess?