encore run triggers false positive malware detection due to mdfind calls (macOS) #1760

Open

cyr-l opened this issue Feb 7, 2025 · 1 comment

cyr-l commented Feb 7, 2025

Describe the bug

The encore run command on macOS triggers false positive malware alerts from our XDR agent (Cortex XDR by Palo Alto Networks). The agent flags the behavior as suspicious and terminates the encore run process shortly after it starts.

To Reproduce

Steps to reproduce the behavior:

  1. Have Cortex XDR (or potentially other XDR/EDR solutions with similar heuristics) installed and active on a macOS system.
  2. Run the encore run command in an Encore project.
  3. Observe the XDR agent flagging the process and terminating it.

Expected behavior

encore run should execute without triggering malware alerts and process termination.

Observed behavior

The XDR agent identifies the rapid series of mdfind calls as suspicious behavior, consistent with malware like XCSSET, and kills the encore run process.

Root Cause Analysis

The issue stems from the editor detection logic in pkg/editors/lookup_darwin.go. This code repeatedly calls mdfind to discover installed editors. The rapid succession of mdfind calls is a known heuristic used by security software to detect certain types of malware, including XCSSET.

I confirmed this by modifying the file to return an empty array of editors, rebuilding the encore binary, and observing that the issue no longer occurred. This strongly suggests that the mdfind calls are the direct cause of the false positive.

System Information

  • OS: macOS Sequoia 15.3
  • Encore: 1.46.4
  • XDR Agent: Cortex XDR by Palo Alto Networks, 8.6.1
  • Go: 1.23.5

Possible Solutions/Suggestions

Here are a few potential approaches to mitigate this issue:

  1. Alternative Editor Discovery: Explore alternative methods for discovering installed editors that do not rely on repeated mdfind calls. This might involve using macOS APIs (if available) or maintaining a curated list of common editor locations.
  2. Configuration Option/Feature Flag: Provide a configuration option (e.g., in encore config or via an environment variable) or a feature flag to disable or modify the editor discovery behavior. This would allow users experiencing this issue to work around it without modifying the source code.

Impact

This issue prevents users with certain XDR/EDR solutions from using encore run on macOS, significantly hindering development workflows.

Additional context

This behavior might be observed with other security software that employs similar detection heuristics. While I've confirmed it with Cortex XDR, it's worth considering the broader implications for users with different security setups.

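As an added illustration of the "rapid series of mdfind calls" heuristic described in the Observed behavior and Root Cause Analysis sections (this is not Cortex XDR's actual rule and not code from the Encore repository): a toy detector run over a constructed process-exec trace. It flags any parent process that spawns several /usr/bin/mdfind children inside a short window, which is what a loop like the one in lookup_darwin.go looks like from the agent's side, while leaving a user who runs mdfind by hand minutes apart alone. The event schema, the threshold of 4 and the 2 s window are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ExecEvent is one process-creation record as an EDR agent would see it.
// Constructed for this example; the field names are not Cortex XDR's schema.
type ExecEvent struct {
	Time       time.Time
	PID, PPID  int
	ParentName string
	Image      string // path of the executable that was spawned
	Args       []string
}

// Alert describes one burst that tripped the heuristic.
type Alert struct {
	ParentPID  int
	ParentName string
	Count      int
	Window     time.Duration
}

// DetectMdfindBursts flags every parent that spawns at least threshold
// /usr/bin/mdfind children within window (sliding window over the sorted
// spawn times). Illustrative approximation of the heuristic, not a real rule.
func DetectMdfindBursts(events []ExecEvent, threshold int, window time.Duration) []Alert {
	byParent := map[int][]ExecEvent{}
	names := map[int]string{}
	for _, e := range events {
		if e.Image != "/usr/bin/mdfind" {
			continue
		}
		byParent[e.PPID] = append(byParent[e.PPID], e)
		names[e.PPID] = e.ParentName
	}
	pids := make([]int, 0, len(byParent))
	for p := range byParent {
		pids = append(pids, p)
	}
	sort.Ints(pids) // deterministic output order
	var alerts []Alert
	for _, ppid := range pids {
		evs := byParent[ppid]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		start := 0
		for end := range evs {
			for evs[end].Time.Sub(evs[start].Time) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{ppid, names[ppid], end - start + 1, window})
				break // one alert per parent is enough
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed trace: an "encore" process (pid 4242) that runs
// six Spotlight queries 120 ms apart, plus a shell user who runs mdfind twice,
// minutes apart. Bundle identifiers are only illustrative query payloads.
func SampleEvents() []ExecEvent {
	t0 := time.Date(2025, 2, 7, 10, 0, 0, 0, time.UTC)
	var evs []ExecEvent
	bundles := []string{"com.microsoft.VSCode", "com.jetbrains.goland", "com.sublimetext.4",
		"com.apple.dt.Xcode", "com.googlecode.iterm2", "com.github.atom"}
	for i, b := range bundles {
		evs = append(evs, ExecEvent{
			Time: t0.Add(time.Duration(i) * 120 * time.Millisecond),
			PID:  5000 + i, PPID: 4242, ParentName: "encore",
			Image: "/usr/bin/mdfind",
			Args:  []string{"mdfind", fmt.Sprintf("kMDItemCFBundleIdentifier == '%s'", b)},
		})
	}
	evs = append(evs,
		ExecEvent{Time: t0.Add(2 * time.Minute), PID: 6001, PPID: 777, ParentName: "zsh",
			Image: "/usr/bin/mdfind", Args: []string{"mdfind", "notes.txt"}},
		ExecEvent{Time: t0.Add(5 * time.Minute), PID: 6002, PPID: 777, ParentName: "zsh",
			Image: "/usr/bin/mdfind", Args: []string{"mdfind", "report.pdf"}},
		ExecEvent{Time: t0.Add(3 * time.Minute), PID: 6003, PPID: 4242, ParentName: "encore",
			Image: "/usr/bin/go", Args: []string{"go", "build"}}, // not mdfind, ignored
	)
	return evs
}

func main() {
	for _, a := range DetectMdfindBursts(SampleEvents(), 4, 2*time.Second) {
		fmt.Printf("ALERT: %s (pid %d) spawned %d mdfind processes within %s\n",
			a.ParentName, a.ParentPID, a.Count, a.Window)
	}
}
```

Only the encore parent trips the detector; the two interactive mdfind runs from zsh are three minutes apart and never reach the threshold, which is why a per-parent burst count rather than a global mdfind count is the natural shape for such a rule.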
cyr-l changed the title from "encore run triggers false positive malware detection due to rapid mdfind calls (macOS)" to "encore run triggers false positive malware detection due to mdfind calls (macOS)" on Feb 10, 2025
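An added example in Go of the two mitigations suggested under Possible Solutions; this is not Encore's pkg/editors/lookup_darwin.go and not a proposed patch. It shows a curated-path lookup that finds editors by stat-ing their bundle directories and spawns no subprocess at all, a hypothetical ENCORE_EDITOR_DISCOVERY=off environment flag to switch discovery off entirely, and, for a fallback that still wants Spotlight, one combined mdfind query built from every known bundle identifier so that mdfind is executed at most once instead of in a rapid series. The editor list, the variable name and the search roots are assumptions for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Editor is one editor we know how to look for on disk.
type Editor struct {
	Name     string
	BundleID string // Spotlight kMDItemCFBundleIdentifier value
	AppName  string // bundle directory name under an Applications folder
}

// KnownEditors is an illustrative curated list (an assumption of this example,
// not Encore's own table). Adding an editor is one line here, no new exec.
var KnownEditors = []Editor{
	{"Visual Studio Code", "com.microsoft.VSCode", "Visual Studio Code.app"},
	{"GoLand", "com.jetbrains.goland", "GoLand.app"},
	{"Sublime Text", "com.sublimetext.4", "Sublime Text.app"},
	{"Xcode", "com.apple.dt.Xcode", "Xcode.app"},
}

// DiscoveryDisabled implements the suggested feature flag: the hypothetical
// ENCORE_EDITOR_DISCOVERY variable set to "off" skips editor discovery. getenv
// is injected so the check is testable without touching the real environment.
func DiscoveryDisabled(getenv func(string) string) bool {
	return strings.EqualFold(getenv("ENCORE_EDITOR_DISCOVERY"), "off")
}

// LookupByPath returns the editors whose .app bundle directory exists under any
// of the given roots. Pure filesystem stat calls; nothing is spawned, so there
// is no process-creation burst for an EDR agent to score.
func LookupByPath(roots []string, editors []Editor) []Editor {
	var found []Editor
	for _, ed := range editors {
		for _, root := range roots {
			fi, err := os.Stat(filepath.Join(root, ed.AppName))
			if err == nil && fi.IsDir() {
				found = append(found, ed)
				break
			}
		}
	}
	return found
}

// CombinedMdfindQuery builds a single Spotlight query that matches every known
// bundle identifier using the query language's "||" operator. It only builds the
// string; a caller that needs Spotlight runs mdfind once with it rather than
// once per editor.
func CombinedMdfindQuery(editors []Editor) string {
	parts := make([]string, 0, len(editors))
	for _, ed := range editors {
		parts = append(parts, fmt.Sprintf("kMDItemCFBundleIdentifier == %q", ed.BundleID))
	}
	return strings.Join(parts, " || ")
}

func main() {
	if DiscoveryDisabled(os.Getenv) {
		fmt.Println("editor discovery disabled via ENCORE_EDITOR_DISCOVERY=off")
		return
	}
	roots := []string{"/Applications", filepath.Join(os.Getenv("HOME"), "Applications")}
	for _, ed := range LookupByPath(roots, KnownEditors) {
		fmt.Println("found:", ed.Name)
	}
	fmt.Println("single fallback query:", CombinedMdfindQuery(KnownEditors))
}
```

The trade-off is coverage: the path lookup misses editors installed somewhere unusual, which is exactly the case the one-shot combined query covers, and together they reduce the worst case from N mdfind executions to one.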
marcuskohlberg (Member) commented

Thanks for reporting, we'll take a look!
