[MlMt] ClamXAV warning / DarthMiner in ~/Library/Application Support/MailMate/Database.noindex/Headers/#quoted.cache

Bill Cole mmlist-20120120 at billmail.scconsult.com
Sat Feb 2 19:54:08 EST 2019


On 2 Feb 2019, at 10:01, Robert M. Münch wrote:

> Hi, I got a warning today from ClamXAV about DarthMiner in the above 
> file. And ClamXAV moved the file into quarantine.
>
> Anybody any idea how this can happen?

I would hope that since the people who make ClamXAV charge a 
subscription for their malware pattern database, they would be able to 
explain their product's behavior to users. You should be able to get a 
firm answer from them.

My GUESS is that this is a false positive. For most people using macOS, 
using an "anti-virus" tool in an active mode presents a greater risk for 
destructive behavior due to false positives (e.g. quarantining files 
without warning) than they would be due to actual malware. According to 
the descriptions I've seen of the "DarthMiner" malware it is distributed 
as a fake software piracy tool, so avoiding an actual infection is a 
trivial matter.

> What does the file contain?

~/Library/Application\ Support/MailMate/Database.noindex/Headers/#quoted.cache contains a cache 
of quoted body text from your emails. It is part of MailMate's search 
system. Moving it may or may not do permanent damage, depending on what 
has been done since the move.

> How to best proceed now?

0. Fix your ClamXAV configuration to never move or delete files without 
asking for permission.
1. Quit MailMate
2. Check if MailMate has created a replacement for the file. If it has, 
your index database is probably not valid and should be rebuilt from the 
actual messages. See the MM documentation for how to force a rebuild.
3. Check the last change time of the quarantined file. If it was last 
changed when you quit MM, it may be fine: just move it back to where it 
belongs. If the last change time is before it was quarantined, it is 
probably stale and therefore worthless: rebuild the database.



-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
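The triage in steps 2 and 3 above, written out as an added shell example (not from Bill's post, ClamXAV or MailMate). It assumes three inputs: the path MailMate expects the cache at, the path the AV tool moved it to, and the Unix time of the quarantine; it also assumes the AV tool moved the file rather than rewriting it, so its modification time still reflects MailMate's last write.

```shell
#!/bin/sh
# Decide what to do with a cache file an AV tool moved to quarantine.
# Added example; paths and the quarantine timestamp are supplied by the user.

# Modification time in seconds since the epoch; tries GNU stat, then BSD/macOS stat.
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Usage: triage_quarantined_cache ORIGINAL_PATH QUARANTINED_PATH QUARANTINE_EPOCH
# Prints one of: REBUILD_REPLACED, RESTORE, REBUILD_STALE, MISSING
triage_quarantined_cache() {
    original=$1
    quarantined=$2
    quarantine_epoch=$3

    # Step 2: MailMate already created a replacement, so the index and the
    # quarantined copy no longer agree; rebuild from the actual messages.
    if [ -e "$original" ]; then
        echo REBUILD_REPLACED
        return 0
    fi
    if [ ! -e "$quarantined" ]; then
        echo MISSING
        return 1
    fi

    # Step 3: if MailMate kept the (moved) file open and wrote to it on quit,
    # its mtime is later than the quarantine and it can simply be moved back.
    # Anything not clearly written after the quarantine is treated as stale,
    # since a rebuild is the safe default.
    mtime=$(file_mtime "$quarantined")
    if [ "$mtime" -gt "$quarantine_epoch" ]; then
        echo RESTORE
    else
        echo REBUILD_STALE
    fi
    return 0
}

# Run directly with the three arguments; sourcing the file only defines the functions.
if [ "$#" -eq 3 ]; then
    triage_quarantined_cache "$@"
fi
```

Quarantine time can be read from the AV tool's log or quarantine listing; the script does not try to guess it.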

