HackingTeam False Positive in Photoshop CC 2015 LogTransportLaunch/TransportCall

  • 3
  • Problem
  • Updated 4 years ago
  • Acknowledged
Adobe Photoshop CC 2015 LogTransportLaunch TransportCall does not properly define bundle identifier causing false positive (I hope) on osqueryi Hacking Team vulnerability search.

Following instructions at https://code.facebook.com/posts/93859... for identifying HackingTeam infections, osqueryi returns "com.yourcompany.TransportCall" instead of "com.adobe.[*].TransportCall" resulting in a false positive.
Photo of Rob Sutter

Rob Sutter

  • 1 Post
  • 0 Reply Likes
  • anxious

Posted 4 years ago

  • 3
Photo of Miles Lane

Miles Lane

  • 1 Post
  • 0 Reply Likes
Download and install osquery-1.5.0.pkg
In a privileged terminal window, run:
"select * from apps where bundle_identifier = 'com.ht.RCSMac' or bundle_identifier like 'com.yourcompany.%' or bundle_package_type like 'OSAX';"
This command is listed here (https://osquery.io/docs/packs/) as being reliable in detecting the presence of the RAT2 Spyware.
Photo of Chris Cox

Chris Cox

  • 20280 Posts
  • 832 Reply Likes
We've investigated, and found that it is indeed a false positive.
The library which triggered this will be changed to prevent the false positive in the future.