Hi, I’ve been using VCV Rack on Mac for quite some time and am currently running 2.6.4 on an arm64 (M2 Pro) Mac, but for the first time ever today I’ve had it come up in scan results from Malwarebytes. It specifically says the plugin.dylib file in various vendor subfolders under ~/Library/Application Support/Rack2/plugins-mac-x64/ contains “MacOS.Stealer.Poseidon”
I don’t know if these are false alarms or a genuine issue. So far, I’ve opted not to quarantine the files, but I’d like to understand if this is a vulnerability or problem before launching Rack again. If I can provide any more information to be of assistance, please let me know.
Just got the same. It’s probably a false positive due to the fact that VCV Rack plugin .dll signatures use some pretty funky processing to do the good music stuff, and Malwarebytes likes to err on the side of extreme caution.
Malwarebytes is one of the best in class; I would only consider it a known false positive if there is extreme trust in the module developer (and their infosec practices, as cases where developers unknowingly infected their software have been documented).
There are perfectly valid VST plugins that trigger virus detection. It isn’t as though the virus detection software executes those files in a sandbox to see if they’re doing anything nefarious. They just look for known patterns of malware in the code.
I’ve been a beta tester for Audiodamage plugins for years, and I frequently have to turn off real time virus protection in Windows 11 to download and open the file. Something about JUCE-built plugins sets off virus protection.
Why does it similarly fuck up with Rack plugins? Because the virus detection isn’t very sophisticated, even at this late date. It’s a hard problem for computer science, and it’s an arms race between Antivirus programs and virus writers.
Absolutely—just like there are legitimately infected VST plug-ins (e.g., cracked ones from untrustworthy sources).
I’m not saying it’s not a false positive, I’m saying there is a chance this might not be a false positive and giving a blanket advice to treat it as false positive is a little reckless in this day and age.
Counterpoint: If you use Rack as 99.99% of Rack users do, you boot up Rack, log in, and let Rack update all your plugins. All the plugins come from a known source and are built with a clearly visible open source toolchain. And you can look at the source code for most of them.
So you think there’s a way someone has snuck malware in? Anything’s possible, but this is not probable.
Is that supposed to be comforting? Most modules have source code we can see? No, that’s not a comforting level of security.
What I would really like to see is a better drill down on which modules trigger false positives and why.
Let’s do a ‘for instance’. Currently the most recent module approved in the library is Ambivalent Instruments: Delay Expander. That is at the top of the stack for the default ‘created’ sort in the library. Click on User Manual and you go to a github page which has an admittedly AI-generated user manual, and no source code.
I’m not casting aspersions on this module or developer in any way, just an example since it’s the most recent. But if that module triggered a malware alert and I can’t see the source code, the only solution would be to delete it.
Given that there’s been no comment from Andrew over the 6 months since this particular thread was started, I would like to ask phroun and mmmhmmmhmmmh and mmmmmmmmmchelMichael for a list of modules that Malwarebytes is flagging.
Not sure what you expect and who should handle this in your opinion. As a developer I couldn’t tell you why some virus scanner comes up with a false positive. And neither can Andrew.
The only ones who could tell you are the antivirus software companies. Many have some way of submitting suspected false positives on their website.
I guess I’m just out of step with the majority here. I don’t assume it’s a false positive unless I can gather a bit more data. That just seems like common sense personal digital security to me.
If I had a list of some sample modules which do trigger “false” positives I would happily do some research on this.
Chances are that Malwarebytes has fixed the false positives a long time ago.
But if you want to be on the safe side, install Malwarebytes, there is a free version that offers realtime scanning for a trial period and always allows manually scanning folders or individual files.
Yes, and thanks for the suggestion. I have done this in the past and again just now. No potential malware is flagged for me, just as last time.
But it’s never a situation of “case closed, all done” if you think about security, right?
That’s why I tried to @ the 3 VCV-ers above who did report malware flags. If I had 43 plugins flagged, I would list them here and we might hopefully find a simple explanation like they all use the same dsp library which we can examine and dismiss and then send a false positive report to malwarebytes.
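The triage the post above proposes, as an added example that is not part of this thread and not VCV’s or Malwarebytes’ own tooling: a Python script that inventories every `plugin.dylib` under the `plugins-mac-x64` folder named in the first post (slug, version, size, SHA-256, so a list of flagged modules can be posted and compared), and then takes the flagged binaries and looks for printable strings that appear in all of them but in none of the unflagged ones, which is a crude way to spot a shared DSP library or build artifact. Assumptions: each plugin folder carries a `plugin.json` manifest with `slug` and `version` keys (the real Rack manifest does, but the fallback to the folder name covers anything else); the fixture data, the vendor names and the “ExampleDSPLib” tag are constructed for the demo and are not real plugins; the string intersection is a heuristic for narrowing a hunch, not a verdict on whether the detection is real.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Folder named in the first post of the thread.
RACK_PLUGIN_DIR = Path.home() / "Library/Application Support/Rack2/plugins-mac-x64"


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large dylibs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(plugin_dir: Path) -> list[dict]:
    """One record per <vendor>/plugin.dylib; slug and version come from plugin.json
    (assumed manifest layout) and fall back to the folder name when it is missing."""
    records = []
    for dylib in sorted(plugin_dir.glob("*/plugin.dylib")):
        meta = {}
        manifest = dylib.parent / "plugin.json"
        if manifest.exists():
            try:
                meta = json.loads(manifest.read_text(encoding="utf-8"))
            except (json.JSONDecodeError, UnicodeDecodeError):
                meta = {}
        records.append({
            "dir": dylib.parent.name,
            "slug": meta.get("slug", dylib.parent.name),
            "version": meta.get("version", "?"),
            "size": dylib.stat().st_size,
            "sha256": sha256_file(dylib),
        })
    return records


# Runs of at least six printable ASCII bytes, the same idea as strings(1).
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def printable_strings(path: Path) -> set[str]:
    return {m.group().decode("ascii") for m in _PRINTABLE.finditer(path.read_bytes())}


def shared_strings(flagged: list[Path], clean: list[Path] = ()) -> set[str]:
    """Strings present in every flagged binary and absent from every clean one:
    candidate markers of a component the flagged modules have in common."""
    if not flagged:
        return set()
    common = set.intersection(*(printable_strings(p) for p in flagged))
    for p in clean:
        common -= printable_strings(p)
    return common


def make_fixture(root: Path) -> Path:
    """Constructed stand-in for a plugins folder: three fake plugin.dylib blobs (not
    real Mach-O binaries), two of which embed the same made-up library tag."""
    plugins = root / "plugins-mac-x64"
    blobs = {
        "VendorA-Delay": b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + b"ExampleDSPLib v1.2.0\x00VendorA-Delay\x00",
        "VendorB-Filter": b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + b"ExampleDSPLib v1.2.0\x00VendorB-Filter\x00",
        "VendorC-Clock": b"\xcf\xfa\xed\xfe" + b"\x00" * 8 + b"OtherHelperLib 0.9\x00VendorC-Clock\x00",
    }
    for name, blob in blobs.items():
        d = plugins / name
        d.mkdir(parents=True)
        (d / "plugin.dylib").write_bytes(blob)
        (d / "plugin.json").write_text(json.dumps({"slug": name, "version": "2.0.1"}))
    return plugins


def demo() -> dict:
    """Run the whole triage against the constructed fixture and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = make_fixture(Path(tmp))
        records = inventory(plugins)
        dylib = {r["slug"]: plugins / r["dir"] / "plugin.dylib" for r in records}
        flagged = [dylib["VendorA-Delay"], dylib["VendorB-Filter"]]  # pretend the scanner hit these
        clean = [dylib["VendorC-Clock"]]
        return {"records": records, "shared": shared_strings(flagged, clean)}


if __name__ == "__main__":
    if RACK_PLUGIN_DIR.is_dir():
        for r in inventory(RACK_PLUGIN_DIR):
            print(f"{r['slug']:40} {r['version']:10} {r['size']:>10} {r['sha256']}")
    else:
        print(f"{RACK_PLUGIN_DIR} not found; running against the constructed fixture")
        out = demo()
        for r in out["records"]:
            print(f"{r['slug']:20} {r['version']:8} {r['size']:>6} {r['sha256']}")
        print("shared by flagged, absent from clean:", sorted(out["shared"]))
```

Post the inventory lines for the flagged modules rather than just the vendor names: the hash lets someone else on a clean machine confirm they have the byte-identical file from the library, and a string that only the flagged binaries share is the thing worth mentioning in a false positive report to the scanner vendor.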