OSX/Nukesped.ext reported by VirusBarrier #543

Open
idiston opened this issue Dec 20, 2024 · 5 comments
Labels: app:desktop application, app:pieces os, bug, os:macos, status:new

Comments


idiston commented Dec 20, 2024

Software

Desktop Application

Operating System / Platform

macOS

Your Pieces OS Version

10.1.15

Early Access Program

  • Yes, this is related to an Early Access Program feature.

Kindly describe the bug and include as much detail as possible on what you were doing so we can reproduce the bug.

Intego VirusBarrier has quarantined the following Apps as being infected with OSX/Nukesped.ext

  • MacOSx/Applications/Pieces OS.app/Contents/Frameworks/App.framework/Versions/A/App
  • MacOSx/Applications/Pieces.app/Contents/Frameworks/App.framework/Versions/A/App
  • /Library/Caches/com.pieces.os/org.sparkle-project.Sparkle/Installation/rXFHYYDjc/Pieces OS.app/Contents/Frameworks/App.framework/Versions/A


@pieces-support-bot

Hi @idiston - Thank you so much for creating this issue. Your issue has been automatically triaged and routed to the proper Pieces team member. Look for a follow-up within the next 24 hours.

In the meantime, please check out these helpful resources:

We appreciate your patience and contribution to making Pieces better!

pieces-support-bot added the labels bug, status:new, app:desktop application, os:macos, app:pieces os on Dec 20, 2024
@mark-at-pieces
Member

Hey @idiston, thank you so much for reaching out to support.

We have seen this issue a couple of times; however, it should be partially resolved in our newest major release, 11.0.0.

Please let us know if this resolves your issue.

If not, please schedule a time with me (here).

Author

idiston commented Dec 20, 2024

Hi, I have just done a complete uninstall and install downloading the latest version from the website, and it is still showing as infected here:

MacOSx/Applications/Pieces OS.app/Contents/Frameworks/App.framework/Versions/A/App
MacOSx/Applications/Pieces.app/Contents/Frameworks/App.framework/Versions/A/App

Contributor

tsavo-at-pieces commented Dec 20, 2024

Hey there!

Some initial research on this below:

This appears to be a false positive detection by Intego VirusBarrier. Here's what's happening:

Analysis of the Detection

The detection shows OSX/NukeSped.ext being flagged in the Pieces OS application framework files. NukeSped is a known Remote Access Trojan (RAT) malware typically associated with targeted attacks[2][11]. However, several factors suggest this is a false positive:

  1. The detection pattern matches legitimate application framework paths
  2. The detections are occurring in standard macOS application bundle locations
  3. The files are part of the official Pieces OS installation[5]

Why This is Likely a False Positive

  1. Intego VirusBarrier has a history of false positive detections, particularly after virus definition updates[3]
  2. The detection is occurring in the App framework, which is a standard location for macOS application components[5]
  3. Pieces OS is a legitimate development tool that runs as a background service with specific system access requirements[5]

Recommended Actions

Things to try, @idiston:

  • Update Intego VirusBarrier virus definitions to the latest version
  • If the detection persists, report it to Intego as a false positive
  • Temporarily trust these files through VirusBarrier's interface[7]

This situation mirrors previous cases where legitimate applications were incorrectly flagged by Intego's virus definitions, which were later resolved through definition updates[3].

Citations:
[1] https://pplx-res.cloudinary.com/image/upload/v1734658829/user_uploads/OfNCbCudxcVKUQf/image.jpg
[2] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.macos.nukesped.d
[3] https://randomapplications.useresponse.com/topic/intego-virusbarrier-found-malware-false-positive
[4] https://forums.macrumors.com/threads/intego-virusbarrier-fix.2276032/
[5] https://docs.pieces.app/installation-getting-started/what-am-i-installing
[6] https://www.fortinet.com/blog/threat-research/deep-analysis-nukesped-rat
[7] https://support.intego.com/hc/en-us/articles/7010040873362-VirusBarrier-Detected-Malware-What-Should-I-Do
[8] https://objective-see.org/blog/blog_0x71.html
[9] https://www.comparitech.com/antivirus/reviews/intego-antivirus-review/
[10] https://www.jamf.com/blog/nukesped-malware-a-dud-thanks-to-jamf-protect/
[11] https://www.paloaltonetworks.com/blog/security-operations/battling-macos-malware-with-cortex-ai/

@tsavo-at-pieces
Contributor

Let us know what result updating Intego VirusBarrier (if possible) has. We'll do some testing on our side to see if we can reproduce it as well.

Really appreciate you reporting this and giving us a heads up!
