Flagged as Malware #3489

Open
dogcow opened this issue Jun 19, 2019 · 3 comments

@dogcow commented Jun 19, 2019

  • Sequel Pro Version: Nightly Build 97c1b85
  • macOS Version: 10.14.5
  • MySQL Version: 8.0.15

Description
PaloAlto Traps flags this as malware.

Steps To Reproduce
The malware report says:

  • This Mach-O is part of an app bundle and cannot be executed in standalone
    This Mach-O is part of an app bundle and therefore cannot be executed in a dynamic analysis environment.
  • May execute local commands or scripts
    Malware often shells suspicious actions out to local commands or scripts to evade detection.
  • May monitor system processes
    Malware often monitors system processes to ensure its presence is not detected.
  • Contains potentially malicious code patterns
    Malware commonly contains the binary code patterns identified. These patterns may occasionally be used by legitimate system tools and software.
  • May access user passwords
    Malware often steals user passwords from apps, keychain, and other sensitive system components.
  • May take screenshots
    Malware often takes screenshots to capture personal data, passwords, and other sensitive information.

Expected Behaviour
That it doesn't trigger antivirus warnings as malware. Why does sequelpro appear to "take screenshots, monitor system processes, execute local commands/scripts, & contain malicious code patterns"?

@rowanbeentje (Collaborator) commented Jun 19, 2019

Hmm. Executing local commands/scripts would be for things like SSH tunnelling, which works by running an ssh command. The keychain is absolutely used to store/retrieve passwords. I don't believe there's anything for screenshots or system processes, and who knows what "malicious code patterns" could be.

I suggest you instead raise this with "PaloAlto Traps" as an example of an unclear and invalid malware report - I was going to take a look at the report myself to work out if it was talking about Sequel Pro or the included SequelProTunnelAssistant, but saw I had to phone someone to even try the demo and gave up pretty quickly at that point 😁

@rowanbeentje (Collaborator) commented Jun 19, 2019

Ooh, maybe "monitor system processes" is https://github.com/sequelpro/sequelpro/blob/master/Source/SPNotificationsPreferencePane.m#L63 for Growl integration?

@rowanbeentje (Collaborator) commented Jun 19, 2019

And maybe "may take screenshots" is the code for taking an image of the tab when dragging it around? That's the only CGWindow code I can find: https://github.com/sequelpro/sequelpro/blob/master/Source/SPWindowController.m#L861. If that's the kind of usage PaloAlto Traps is flagging I don't think there's a realistic way it can be avoided...
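The thread above reasons from the report's capability labels back to the APIs that would trigger them (ssh via a child process, the keychain, CGWindow). That mapping can be checked against the shipped binary rather than the source, by listing the binary's undefined (imported) symbols with `nm -u` and matching them against the capability categories the report uses. The script below is an added example written for this page, not code from Sequel Pro or from the AV vendor; the symbol-to-capability rules are assumptions made for the example (the vendor's real rules are not public), and the `nm` output it parses is a constructed sample, not Sequel Pro's actual import list.

```python
"""Explain AV capability heuristics from a Mach-O binary's imported symbols.

Usage against a real app (both binaries, since the report may be about
either): nm -u "Sequel Pro.app/Contents/MacOS/Sequel Pro" > main.txt
          nm -u ".../SequelProTunnelAssistant" > helper.txt
and feed the file contents to parse_nm_undefined() in place of the sample.
"""
import re
from collections import OrderedDict

# Capability label -> regexes over undefined symbol names as `nm -u` prints
# them. Assumed mappings chosen for this example; not the vendor's rules.
CAPABILITY_RULES = OrderedDict([
    ("May execute local commands or scripts", [
        r"^_OBJC_CLASS_\$_NSTask$", r"^_posix_spawnp?$", r"^_exec[lv]p?e?$",
        r"^_system$", r"^_popen$",
    ]),
    ("May monitor system processes", [
        r"^_OBJC_CLASS_\$_NSWorkspace$", r"^_OBJC_CLASS_\$_NSRunningApplication$",
        r"^_proc_listpids$", r"^_proc_pidinfo$", r"^_sysctl$",
    ]),
    ("May access user passwords", [
        r"^_SecKeychain", r"^_SecItem(Add|CopyMatching|Update|Delete)$",
    ]),
    ("May take screenshots", [
        r"^_CGWindowListCreateImage$", r"^_CGDisplayCreateImage",
        r"^_CGWindowListCopyWindowInfo$",
    ]),
])


def parse_nm_undefined(text):
    """Return symbol names from `nm -u` output.

    Accepts the bare one-symbol-per-line form of `nm -u` and the `U _symbol`
    form nm prints without -u; skips blank lines and the `path:` header lines
    nm emits when given several files or a fat binary.
    """
    symbols = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[-1].endswith(":"):
            continue
        if len(tokens) == 1:
            symbols.append(tokens[0])
        elif len(tokens) == 2 and tokens[0] == "U":
            symbols.append(tokens[1])
    return symbols


def classify_symbols(symbols):
    """Map each capability label to the sorted imports that would justify it."""
    hits = OrderedDict((label, []) for label in CAPABILITY_RULES)
    for sym in sorted(set(symbols)):
        for label, patterns in CAPABILITY_RULES.items():
            if any(re.match(p, sym) for p in patterns):
                hits[label].append(sym)
    return hits


def explain_report(symbols, flagged_labels):
    """For each label the AV report raised, return the imports behind it, or
    None when no import explains it (then the hit comes from a byte pattern
    or a bundle heuristic rather than an API call, and is the part worth
    raising with the vendor)."""
    hits = classify_symbols(symbols)
    explanation = OrderedDict()
    for label in flagged_labels:
        matched = hits.get(label, [])
        explanation[label] = matched if matched else None
    return explanation


# Constructed sample in the shape of `nm -u` output; illustrative only, not
# the real import list of Sequel Pro or its tunnel assistant.
SAMPLE_NM_OUTPUT = """\
_CGWindowListCreateImage
_OBJC_CLASS_$_NSTask
_OBJC_CLASS_$_NSWindow
_OBJC_CLASS_$_NSWorkspace
_SecKeychainAddInternetPassword
_SecKeychainFindInternetPassword
_mysql_real_connect
_objc_msgSend
dyld_stub_binder
"""

# The capability labels quoted in the issue's malware report.
FLAGGED = [
    "May execute local commands or scripts",
    "May monitor system processes",
    "Contains potentially malicious code patterns",
    "May access user passwords",
    "May take screenshots",
]

if __name__ == "__main__":
    syms = parse_nm_undefined(SAMPLE_NM_OUTPUT)
    for label, matched in explain_report(syms, FLAGGED).items():
        print(f"{label}: {', '.join(matched) if matched else 'no import explains this'}")
```

Run on the sample, every label except "Contains potentially malicious code patterns" resolves to a named import, which is the shape of answer the thread arrives at by reading the source: an NSTask (the ssh child process), SecKeychain calls, and a single CGWindow call. The label that resolves to nothing is by construction an opaque byte-pattern match, so the symbol check cannot rebut it; that is the one to send back to the vendor with the binary's hash.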
