MallocNanoZone

Discussions relating to ClamXav

Moderator: Mark

Postby leamcd » Thu 15 Mar 2018 4:52 pm

Hi: I have seen this on my last two scans:
{
MallocNanoZone = 0;
}
for pattern .*DYLD_INSERT_LIBRARIES.*

Is this a problem?

Lea

MacBook Pro
Version 10.13.3
High Sierra
leamcd
 
Posts: 37
Joined: Sat 05 May 2012 5:44 pm

Re: MallocNanoZone

Postby alvarnell » Fri 16 Mar 2018 8:50 am

I'm seeing it also, so could be a minor programming issue.

Submit a ticket to the ClamXAV Help Desk and they may need you to submit a diagnostic if they aren't aware of it.<============DISREGARD.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5, 10.10.5, 10.11.6, 10.12.6 & 10.13.2 / ClamXAV v2.18.1/0.100.0 (3610)
alvarnell
Site Admin
 
Posts: 5477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: MallocNanoZone

Postby alvarnell » Fri 16 Mar 2018 12:30 pm

I spoke with Mark a few minutes ago so he's aware.

It only happens during System scans and appeared once before, so should be easy enough to fix.

He added that it's harmless, and doesn't indicate any actual problems.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5, 10.10.5, 10.11.6, 10.12.6 & 10.13.2 / ClamXAV v2.18.1/0.100.0 (3610)
alvarnell
Site Admin
 
Posts: 5477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: MallocNanoZone

Postby Joe_mac » Wed 11 Apr 2018 12:29 am

Related to the question about MallocNanoZone:

Today I booted into my Yosemite partition which I haven't used since updating to High Sierra in mid-December. I opened Firefox, and a box in the upper right corner informed me that an update was available. This was the normal-looking Firefox update advisory, not a phony-looking click bait box. So I clicked "install now". Within a few seconds, ClamXav informed me of a "live infection" by the Flashback trojan. I clicked the Quarantine File button, but ClamXav said that it could not be quarantined, so I clicked Delete File instead. The warning text changed from red to green. Then I dragged the Firefox application icon into ClamXav to scan it, and no more infections were found.

Here is a clipping from clamXav-scan.log showing the first appearance of "MallocNanoZone" coinciding with the report of the Flashback trojan:

-------------------------------------------------------------------------------
Oct 30, 2017, 10:29:57 AM
Starting system scan…
Live Infections Found: 0

-------------------------------------------------------------------------------
Dec 15, 2017, 5:41:11 PM
Starting system scan…
Live Infections Found: 0

-------------------------------------------------------------------------------
Apr 10, 2018, 4:50:39 PM
Starting system scan…
Checking {
MallocNanoZone = 0;
}
for pattern .*
/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND
Live Infections Found: 1
Live Infections Found: 0

Scanning selected files…

LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************

----------- SCAN SUMMARY -----------
Known viruses: 7452009
Engine version: 0.99.2
Scanned directories: 40
Scanned files: 117
Infected files: 0
Data scanned: 113.67 MB
Data read: 159.50 MB (ratio 0.71:1)
Time: 23.607 sec (0 m 23 s)

Live Infections Found: 0



So, my questions are:
1) Is there any relationship between the appearance of "MallocNanoZone" in the scan log and the unexpected trojan warning?

2) Is it really possible that Flashback could have downloaded along with the Firefox update? If so, that's very troubling.

3) How often does ClamXav do a system scan anyway? It doesn't appear to be settable in the ClamXav Preferences window.

Thanks.
-Joe
Joe_mac
 
Posts: 10
Joined: Tue 03 Apr 2012 9:31 pm

Re: MallocNanoZone

Postby alvarnell » Wed 11 Apr 2018 1:18 am

I'm going to skip all your questions and note that you missed the most important entry in your log:
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************

This report is a false-positive which was resolved on February 7 of this year.

Please go back into ClamXAV and check for updated virus definitions again which will solve the problem.

You can update ClamXAV's virus definitions by clicking the "Update Definitions" button on the toolbar, or by clicking the ClamXAV menu (top left beside the Apple logo) and choosing "Update Virus Definitions".

I would also recommend setting a schedule via ClamXAV's preferences to update virus definitions on a daily basis - be sure to set a time when you know your computer will be running and logged in.
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5, 10.10.5, 10.11.6, 10.12.6 & 10.13.2 / ClamXAV v2.18.1/0.100.0 (3610)
alvarnell
Site Admin
 
Posts: 5477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA
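
One way to triage a scan log for the situation in this thread, where a detection is logged by a scan that also warns about outdated definitions. This is an added example, not part of any post and not ClamXAV's own code; the log layout is assumed from the excerpt quoted above, the sample text is constructed, and the `triage` function and its field names are hypothetical.

```python
import re

# Constructed sample in the layout of the clamXav-scan.log excerpt quoted in this thread.
SAMPLE_LOG = """\
-------------------------------------------------------------------------------
Dec 15, 2017, 5:41:11 PM
Starting system scan…
Live Infections Found: 0

-------------------------------------------------------------------------------
Apr 10, 2018, 4:50:39 PM
Starting system scan…
/Applications/Firefox.app/Contents/Info: Trojan.OSX.Flashback FOUND
Live Infections Found: 1

Scanning selected files…

LibClamAV Warning: *** The virus database is older than 7 days! ***
Infected files: 0
"""

SEPARATOR = re.compile(r"^-{20,}[ \t]*$", re.MULTILINE)   # dashed line between log entries
DETECTION = re.compile(r"^(?P<path>.+): (?P<signature>\S+) FOUND\s*$")
STALE_DB = re.compile(r"LibClamAV Warning:.*virus database is older than (\d+) days")


def triage(log_text):
    """Split the log into entries and tag each detection with the state of the definitions."""
    findings = []
    for entry in SEPARATOR.split(log_text):
        lines = [ln.strip() for ln in entry.splitlines() if ln.strip()]
        if not lines:
            continue
        timestamp = lines[0]  # assumed: first line of an entry is the scan start time
        stale = any(STALE_DB.search(ln) for ln in lines)
        for ln in lines[1:]:
            m = DETECTION.match(ln)
            if m:
                findings.append({
                    "when": timestamp,
                    "path": m.group("path"),
                    "signature": m.group("signature"),
                    "stale_definitions": stale,
                    # A hit from outdated definitions is re-checked before it is trusted.
                    "action": "update definitions, then rescan" if stale else "investigate",
                })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
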

Re: MallocNanoZone

Postby Joe_mac » Wed 11 Apr 2018 1:59 am

Thanks Al. Was not aware of the false positive issue. I do update virus definitions automatically every day on my regular system (High Sierra) but didn't think to do so immediately when I booted into the old Yosemite partition today for a specific task. I did so right after the event when I saw the log.

Would still like to know, how often does ClamXav do a system scan? I don't see a setting for it in Preferences. Am I overlooking it? I do have Sentry watching several folders such as downloads, email attachments, and browser cache.

-Joe
Joe_mac
 
Posts: 10
Joined: Tue 03 Apr 2012 9:31 pm

Re: MallocNanoZone

Postby alvarnell » Wed 11 Apr 2018 5:25 am

System scans are conducted at every launch of the ClamXAV app and Sentry. In addition, Sentry runs a system scan each time certain key directories (folders) are changed (file added or modified).
-Al-
--
21.5" iMac Quad-core i7 / Mac OS X 10.9.5, 10.10.5, 10.11.6, 10.12.6 & 10.13.2 / ClamXAV v2.18.1/0.100.0 (3610)
alvarnell
Site Admin
 
Posts: 5477
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

