
`encore run` triggers false positive malware detection due to `mdfind` calls (macOS)

Open · cyr-l opened this issue 8 months ago · 1 comment

Describe the bug

The encore run command on macOS triggers false positive malware alerts from our XDR agent (Cortex XDR by Palo Alto Networks). The agent flags the behavior as suspicious and terminates the encore run process shortly after it starts.

To Reproduce

Steps to reproduce the behavior:

  1. Have Cortex XDR (or potentially other XDR/EDR solutions with similar heuristics) installed and active on a macOS system.
  2. Run the encore run command in an Encore project.
  3. Observe the XDR agent flagging the process and terminating it.

Expected behavior

encore run should execute without triggering malware alerts and process termination.

Observed behavior

The XDR agent identifies the rapid series of mdfind calls as suspicious behavior, consistent with malware like XCSSET, and kills the encore run process.

Root Cause Analysis

The issue stems from the editor detection logic in pkg/editors/lookup_darwin.go. This code repeatedly calls mdfind to discover installed editors. The rapid succession of mdfind calls is a known heuristic used by security software to detect certain types of malware, including XCSSET.

I confirmed this by modifying the file to return an empty array of editors, rebuilding the encore binary, and observing that the issue no longer occurred. This strongly suggests that the mdfind calls are the direct cause of the false positive.

System Information

  • OS: macOS Sequoia 15.3
  • Encore: 1.46.4
  • XDR Agent: Cortex XDR by Palo Alto Networks, 8.6.1
  • Go: 1.23.5

Possible Solutions/Suggestions

Here are a few potential approaches to mitigate this issue:

  1. Alternative Editor Discovery: Explore alternative methods for discovering installed editors that do not rely on repeated mdfind calls. This might involve using macOS APIs (if available) or maintaining a curated list of common editor locations.
  2. Configuration Option/Feature Flag: Provide a configuration option (e.g., in encore config or via an environment variable) or a feature flag to disable or modify the editor discovery behavior. This would allow users experiencing this issue to work around it without modifying the source code.

Impact

This issue prevents users with certain XDR/EDR solutions from using encore run on macOS, significantly hindering development workflows.

Additional context

This behavior might be observed with other security software that employs similar detection heuristics. While I've confirmed it with Cortex XDR, it's worth considering the broader implications for users with different security setups.

cyr-l · Feb 07 '25 19:02
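As an added illustration of the two mitigations suggested in the report (not Encore's code, and not the contents of pkg/editors/lookup_darwin.go): the lookup folds every editor's bundle identifier into a single Spotlight predicate so that one mdfind invocation replaces the rapid series of calls the XDR heuristic keys on, and a hypothetical ENCORE_SKIP_EDITOR_DISCOVERY environment variable lets an affected user opt out entirely. The bundle identifiers and output paths used in the test are sample values constructed for the example.

```go
package main

import (
	"os"
	"os/exec"
	"strings"
)

// BuildQuery folds every bundle identifier into ONE Spotlight predicate, so a
// single mdfind invocation replaces the burst of per-editor calls.
func BuildQuery(ids []string) string {
	clauses := make([]string, 0, len(ids))
	for _, id := range ids {
		clauses = append(clauses, "kMDItemCFBundleIdentifier == '"+id+"'")
	}
	return strings.Join(clauses, " || ")
}

// DiscoveryDisabled honours the hypothetical ENCORE_SKIP_EDITOR_DISCOVERY opt-out.
// env is injected so the check is testable without touching the real environment.
func DiscoveryDisabled(env func(string) string) bool {
	switch strings.ToLower(strings.TrimSpace(env("ENCORE_SKIP_EDITOR_DISCOVERY"))) {
	case "1", "true", "yes":
		return true
	}
	return false
}

// ParsePaths turns mdfind's newline-separated output into a de-duplicated list.
func ParsePaths(out string) []string {
	seen, paths := map[string]bool{}, []string{}
	for _, line := range strings.Split(out, "\n") {
		if p := strings.TrimSpace(line); p != "" && !seen[p] {
			seen[p] = true
			paths = append(paths, p)
		}
	}
	return paths
}

// FindEditors runs mdfind exactly once (macOS only) for all ids, or not at all when opted out.
func FindEditors(ids []string) ([]string, error) {
	if DiscoveryDisabled(os.Getenv) {
		return nil, nil
	}
	out, err := exec.Command("mdfind", BuildQuery(ids)).Output()
	if err != nil {
		return nil, err
	}
	return ParsePaths(string(out)), nil
}
```

On a macOS host, `FindEditors([]string{"com.microsoft.VSCode"})` issues one mdfind process regardless of how many identifiers are passed; the pure helpers can be exercised anywhere.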