
/Users/Shared/DBngin/postgresql/17.0/sbin/escapesrc gets flagged as malware #169

Open
FullStackIdiot opened this issue Mar 8, 2025 · 5 comments

Comments

@FullStackIdiot

Hi there,

I'm working on macOS and use Kandji as MDM.
Upon installing and starting postgresql with DBngin, /Users/Shared/DBngin/postgresql/17.0/sbin/escapesrc gets flagged as malware and quarantined. The same happens with other postgresql versions. A short Google search turned up nothing about that binary. What exactly is it for, and why does it get flagged as malware (VirusTotal lists similar files with the same name as malware)?

Feel free to contact me if you need more information, I'm looking forward to your insight.

@huyphams
Contributor

huyphams commented Mar 8, 2025

Hi @FullStackIdiot, it is a part of the ICU project https://github.com/unicode-org/icu, which is compiled on our server and signed by TablePlus, then notarized by Apple (we do not download it from anywhere). Maybe it is a false alarm?

@huyphams
Contributor

huyphams commented Mar 8, 2025

@FullStackIdiot
Author

Hi @huyphams, thanks for the quick reply.
I know that this exists in ICU. But interestingly, the files used by Homebrew do not get flagged. I sure hope this is a false alarm. But I doubt I am the only one experiencing this issue, as the file signature is suspicious (in VirusTotal's opinion: https://www.virustotal.com/gui/file/d788d2f300d9aff3ce5a097a7c34b937309406ca1f75ef533aa099264268ab75. Most vendors do not consider it malware, apparently, but this could still be an issue). But I can contact the ICU team for further investigation if you think there is no problem in the compile chain 😊

@huyphams
Contributor

huyphams commented Mar 8, 2025

It is x86_64, so it must be compiled by our Intel server. We do not use that computer for anything except compiling the database, and it has been that way for years. Since Apple stopped releasing Intel devices, we have kept the server solely for that purpose, so the chance of it being affected is nearly impossible, I think.

@huyphams
Contributor

huyphams commented Mar 8, 2025

> But interestingly the files used by homebrew do not get flagged

Our build is a universal build, so it's a merge of x86_64 and ARM. I think only the x86_64 version received the warning, which is why the ARM version on Homebrew is fine.
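A defender-side check for the situation described in this thread, added here as an example and not code from DBngin, TablePlus or the ICU project: it hashes the local escapesrc and compares it with the SHA-256 from the VirusTotal link quoted above, lists the slices of the universal build with lipo, and prints the signing authorities and the notarization assessment with codesign and spctl. The path is the one from the issue title; lipo, codesign and spctl are macOS tools, while the hashing part also runs elsewhere.

```shell
#!/bin/sh
# Added example, not DBngin/TablePlus or ICU code: sanity-check the quarantined
# binary before deciding "false positive". Expected hash is the one in the
# VirusTotal link quoted in this thread.
EXPECTED_SHA256="d788d2f300d9aff3ce5a097a7c34b937309406ca1f75ef533aa099264268ab75"

# SHA-256 of a file; shasum on macOS, sha256sum elsewhere (both print "hash  path").
file_sha256() {
  if command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else sha256sum "$1" | cut -d' ' -f1; fi
}

# 0 when the hash equals the one analysed on VirusTotal (case-insensitive), else 1.
hash_matches() {
  [ "$(printf '%s' "$1" | tr 'A-F' 'a-f')" = "$EXPECTED_SHA256" ]
}

# Split `lipo -archs` output ("x86_64 arm64") into one slice per line.
list_archs() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# 0 when both the x86_64 and arm64 slices are present, i.e. a universal build
# as the maintainer describes (the flagged part is said to be the x86_64 slice).
is_universal() {
  archs=$(list_archs "$1")
  echo "$archs" | grep -qx x86_64 && echo "$archs" | grep -qx arm64
}

check_binary() {
  [ -f "$1" ] || { echo "not found: $1 (quarantine may already have moved it)"; return 2; }
  h=$(file_sha256 "$1"); echo "sha256: $h"
  if hash_matches "$h"; then echo "same file as the VirusTotal report"
  else echo "DIFFERENT file from the one in the VirusTotal report"; fi
  # Everything below needs the macOS developer tools; skipped elsewhere.
  if command -v lipo >/dev/null 2>&1; then
    slices=$(lipo -archs "$1"); echo "slices: $slices"
    is_universal "$slices" && echo "universal build (x86_64 + arm64)"
  fi
  # Expect Authority=Developer ID Application: ... plus a TeamIdentifier line.
  command -v codesign >/dev/null 2>&1 && codesign -dvv "$1" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)='
  # Expect "accepted" with source=Notarized Developer ID; "rejected" means the
  # signature or the notarization ticket does not check out.
  command -v spctl >/dev/null 2>&1 && spctl --assess --type execute -vv "$1" 2>&1
}

# Usage: sh check_escapesrc.sh /Users/Shared/DBngin/postgresql/17.0/sbin/escapesrc
[ $# -gt 0 ] && check_binary "$1"
```

A hash that differs from the VirusTotal one means the local file is not the sample that was analysed, so the report does not apply to it either way.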
