AVG quarantined 1Password libswiftDispatch.dylib

fred_h
fred_h
Community Member

Mac running MacOS 10.12.6, with version 6.8.6 of 1Password. I've been running 1Password for years without issue. AVG Anti-virus quarantined two files today. Both were instances of libswiftDispatch.dylib from the Applications/1Password.app. AVG says they are MacOS:BitCoinMiner-AS[Trj]. Any idea what's going on and will this inhibit the functionality of 1Password? Is this a false positive and should I restore the files to their previous locations?


1Password Version: 6.8.6
Extension Version: Not Provided
OS Version: MacOS 10.12.6
Sync Type: Dropbox
Referrer: forum-search:libswiftdispatch.dylib

«13

Comments

  • @fred_h,

    This sounds like a false positive to me. libswiftDispatch.dylib is an Apple provided dylib.

    Rudy

  • alex_h
    alex_h
    Community Member

    I just ran into the same issue. Both AVG and 1Password decided to update this morning, and now this file is getting quarantined.

    • libswiftDispatch.dylib
    • AVG claims it is "MacOS:BitCoinMiner-AS [Trj]"

    It looks like this is a standard Swift library, but I'm not sure enough to know if I should trust AVG or not.

  • iadickie
    iadickie
    Community Member

    Getting the same on Avast. The alert is pinging constantly on the screen.

  • RS57
    RS57
    Community Member

    During the 1Password 6 upgrade process, the “MacOS:BitCoinMiner-AS” Trojan was detected by Avast Antivirus. At the moment, the Safari plugin is still working, but the application doesn't work any longer. What should I do?


    1Password Version: Not Provided
    Extension Version: Not Provided
    OS Version: Not Provided
    Sync Type: Not Provided
    Referrer: forum-search:avast

  • Eeal
    Eeal
    Community Member
    edited February 2018

    Same here, although not yet for 1Password. Forklift and LittleSnitch are infected, according Avast AV. Currently running a full system scan and it wouldn't surprise me if 1Password is 'infected' too.

    Most likely a false positive, right? I find it hard to believe that so many files of trusted developers are infected.

    Edit: yep, 1Password infected too.

  • vol
    vol
    Community Member

    My 1password doesn't show this issue but I have it when building ANY iOS app on Xcode. I'm pretty sure it's a false-positive with Swift standard library file.

    https://forum.avast.com/index.php?topic=216164.0

  • Lars
    Lars
    1Password Alumni

    Quick question: did anyone in this thread update Avast but NOT 1Password? Or have you all updated both?

  • alex_h
    alex_h
    Community Member
    edited February 2018

    For me, AVG updated it's virus definitions to version 18022102 (AVG version 18.2 Free Edition) first, then 1Password popped up asking to update from 6.8.6 to 6.8.7 (download version, not App Store). The update process immediately triggered AVG and quarantined the file(s - multiple instances). This stopped the update with verification errors (as expected).
    I've since restored the libraries from quarantine, disabled AVG Mac Shield, and updated 1Password with no error.

  • arastoo_93
    arastoo_93
    Community Member

    I just got the same infection notification (and BitCoinMiner label). Along with two 1Password files, Avast quarantined one from my Skype framework, and one in the AvastSecureLine app.

    Both applications are up to date.

  • knitterb
    knitterb
    Community Member
    edited February 2018

    I'm not so sure I'd make the assumption that this is a false positive. Just because Apple is a big company with great controls for releasing software, libraries and tooling; they are not excluded from making a mistake. If the most recent iOS boot loader leak is ant example, not everything Apple does is perfect.

    I'll wait for the virus updates to be sent out to correct this. Then I'll be satisfied it's a false positive!

  • iadickie
    iadickie
    Community Member

    @Lars, I do not have 1Password and have updated Avast

  • Lars
    Lars
    1Password Alumni

    @arastoo_93 - so Avast quarantined one of its OWN files? Did I read you correctly?

  • arastoo_93
    arastoo_93
    Community Member

    @Lars - Yes! I was quite surprised to see this. Wasn't sure what to make of it.

  • sw1ssb4nd1t
    sw1ssb4nd1t
    Community Member

    I had the same issues with avast. It is easy to fix. You can just go to the so-called "Virus Chest" and restore the reported files from there. Then 1password works like a charm. No need to stop avast in advance and no further false positives afterwards.

  • knitterb
    knitterb
    Community Member

    @Lars My virus definitions updated today, but the detection of the supposed trojan didn't trigger until I ran the 1Password updater. Of course, now the updater won't run because Avast! removed the required library. The updater crashes now. Todoist has the very same issue with the core product.

    Crash message after A/V removed the file:

    Dyld Error Message:
    Library not loaded: @rpath/libswiftDispatch.dylib
    Referenced from: /Applications/1Password 6.app/Contents/Helpers/1Password Updater.app/Contents/MacOS/1Password Updater
    Reason: image not found

  • Lars
    Lars
    1Password Alumni

    @iadickie - wait, what? You aren't a 1Password user? What files is it showing for you that are supposedly infected?

  • Greener77176
    Greener77176
    Community Member

    Same for me, i have got avast detection on my Macbook air when i tried to update 1password 6
    Thanks in advance for your help and instructions.

  • Greener77176
    Greener77176
    Community Member

    Same for me, i have got avast detection on my Macbook air when i tried to update 1password 6
    Thanks in advance for your help and instructions.

  • ricalanis
    ricalanis
    Community Member
    edited February 2018

    I just experienced the same on avast about the file in an XCode path. Also I have 1password, but had no news from that end (or any folder related to 1pass)

    Attached (spanish) Image

  • sw1ssb4nd1t
    sw1ssb4nd1t
    Community Member

    @knitterb: Take a look at my comment. Just before yours. I explain how to fix it within avast itself. No big issue. Tell us , if it worked for you as well.

  • vol
    vol
    Community Member

    Big issue for iOS/MacOS developers :) But not the 1password problem.

  • knitterb
    knitterb
    Community Member

    Thanks @sw1ssb4nd1t , but I'm not going to blindly accept that the library does not have a virus. If a new set of virus definitions that resolve this are released, then I'll trust it. But there is nothing which indicates that this isn't a virus.

  • Lars
    Lars
    1Password Alumni

    Thanks, everyone -- this is definitely looking like an issue between Avast! and that particular Swift library. To be clear with you (and based on the helpful replies of everyone above this post), it appears this is not limited to 1Password, but is happening in many applications that make use of this particular Swift library.

    At this point, we don't have any more information, but as @rudy mentioned earlier, this library is part of the core Swift package, straight from Apple. That's not to say it COULDN'T be infected, only that - as of now - we've got no reports I'm aware of from users of any other antivirus product regarding the same library. Let us know if you have anything new; we're trying to look into this from our end as well.

  • sw1ssb4nd1t
    sw1ssb4nd1t
    Community Member

    @knitterb: Well, probably a wise decision. I just think (hope) @Lars would be a little more concerned if he considered it a serious issue. Fingers crossed ;-))

  • alex_h
    alex_h
    Community Member

    @Lars this is also being reported by AVG, not just Avast. However, I am inclined to agree with you that this is a not a 1Password issue, and likely not even a virus/trojan, rather a bad virus definition that was just released today.

  • knitterb
    knitterb
    Community Member

    @alex_h Totally agree that this is cross-AV products. They share signatures. That said, I don't think many of us can call up Apple and ask for confirmation, that would be best handled by AgileBits (and other s/w providers) due to their development relationship.

    Here's to hoping this is just a mistake!

  • ben10
    ben10
    Community Member

    these have been popping up for the past hour
    not the same location as others on here so i fear more issues

  • tkline98
    tkline98
    Community Member

    I just tried installing MalwayreBytes for Mac and AVG flagged the same libswiftDispatch.dylib file during the install for me. No a 1password issue, but coincidence non the less.

  • cashman12
    cashman12
    Community Member
    edited February 2018

    Literally having the same message pop up from AV. It started with Skype for me. Now Skype will not open. My computer will not allow.
    Happening with 1password for me as well.

  • Lars
    Lars
    1Password Alumni

    @sw1ssb4nd1t - we take issues like these quite seriously. We've enjoyed a great working relationship with Apple over the years which continues right up through today, but that doesn't mean I think it's impossible for them to make a mistake. I think the fact that we're not getting reports of this sort from users of all antivirus products -- just this one -- should cause us all to not start going to defcon 5 if you will. But we are definitely looking into what might be going on with this, and we'll keep you all updated in this thread as soon as we have anything more definitive to say. In the meantime, I'd suggest caution but not panic, and thanks to ALL of you for reporting what you know.

This discussion has been closed.