OSX/Amos.ext

Since I installed VirusBarrier version 10.9.96 on my Intego virus checker, Intego reports that the virus OSX/Amos.ext is present in the file SQLiteDatabase.dylib in the compiled app directory …/Contents/Frameworks in apps compiled for Mac desktop.

The warning is only related to desktop apps with SQLite usage. There is no warning for Xojo version 2024 release 4.2 itself.
My macOS version is Sequoia 15.3.1.

This may be a false warning from the virus checker, but as OSX/Amos.ext is a very serious virus, I would like to know if other Xojo users on Mac have had similar warnings recently.

I had the same Intego warnings; downloaded the latest version of Xojo; copied the SQLiteDatabase.dylib from the Xojo app frameworks; deleted it from the database apps and replaced it with the dylib I had copied. I went to the trouble to try to be certain, although I think it was a false positive, as I hadn’t recompiled any of the apps in a few weeks and Intego had never returned the warning until immediately after I had run the latest Intego upgrade. I did a double-check with Avast, which reported no issues. You’re right: this is disturbing and I’ve been unable to get a response from Intego on the matter.

Many thanks for the feedback. It would be nice if you could reproduce a possible later reply from Intego.
One more note: Mac’s integrated virus scanner XProtect has not reported any anomalies so far.

That’s going to invalidate the application’s code signature which is exactly how amos.ext is installed to begin with - skipping code signature verification.

There are differences between the SQLiteDatabase.dylib of the Xojo.app (under Frameworks) and the generated SQLiteDatabase.dylib of an app compiled for Mac Desktop.
The former is 2.3MB in size, the latter only 1.1MB. In the compiled app there are linker hints at hex level, which should be normal. What I don’t understand is how the SQLiteDatabase.dylib could be infected during the Xojo build: Calls to GCC etc.? I did a full scan and got no warnings other than those from a compiled Xojo desktop application.

Are you sure it is infected, or is it just a false positive?

You can create an issue for Xojo to investigate. I’m sure they don’t want false positives on their product or users’ products.

Thank you for the information. When I recompile to correct the insertion, the Intego warning recurs. I’ve not heard back from Intego, so I’ll recompile again to verify the code signature and hope it’s a false positive.

As you suggested I created an issue to verify if it is a correct or false positive warning concerning OSX/amos.ext, see: https://tracker.xojo.com/xojoinc/xojo/-/issues/78635

In a built app the size also is 2.3 MB. If you see 1.1 MB then probably in a debug app where you only have Intel OR Arm and not both like in the built app.
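As an added example (not from any poster in this thread), the script below reads the Mach-O header to tell a universal (Intel + Arm) dylib from a single-architecture one, which is the size difference described above, and uses codesign on macOS to confirm the bundle's signature still covers SQLiteDatabase.dylib. The paths in the usage line are placeholders; the classification function runs anywhere, the signature check only where codesign exists.

```shell
#!/bin/sh
# Added example, not from the thread: classify a Mach-O file as universal (fat) or
# single-architecture from its header, and verify a bundle signature when on macOS.

# Classify the file in $1: prints universal, thin or not-macho.
macho_kind() {
  hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
  magic=$(printf '%s' "$hdr" | cut -c1-8)
  count=$(printf '%s' "$hdr" | cut -c9-16)   # nfat_arch (big-endian) for fat files
  case "$magic" in
    cafebabe)
      # Java class files share this magic; a real fat header has a small arch count.
      case "$count" in
        0000000[1-9a-f]|0000001?) echo universal ;;
        *) echo not-macho ;;
      esac ;;
    feedface|cefaedfe|feedfacf|cffaedfe) echo thin ;;   # MH_MAGIC / MH_MAGIC_64
    *) echo not-macho ;;
  esac
}

# Verify a signed bundle (macOS only) and report the kind of its SQLite dylib.
# Returns 0 when the signature is intact, 1 when codesign rejects it, 2 when
# codesign is not available on this system.
verify_bundle() {
  app=$1
  dylib="$app/Contents/Frameworks/SQLiteDatabase.dylib"
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available; skipping signature check" >&2
    return 2
  fi
  # --deep walks nested frameworks and dylibs; --strict rejects contents that were
  # swapped in after signing, which is what replacing the dylib by hand does.
  if codesign --verify --deep --strict "$app" 2>/dev/null; then
    echo "$app: signature OK, $dylib is $(macho_kind "$dylib")"
    return 0
  fi
  echo "$app: signature INVALID (contents modified after signing, or unsigned)"
  return 1
}

# Usage (placeholder paths): sh check.sh /Applications/Xojo.app ~/Builds/MyApp.app
for app in "$@"; do verify_bundle "$app"; done
```

A debug build that reports thin while the Xojo.app copy reports universal explains the smaller file on its own; only a signature failure on an untouched build points at something other than a scanner false positive.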

As there is more than one person using SQLite in Xojo I would think that someone would have noticed a virus infection. So this is just a false alarm.

Though the size change could also mean that @Hans-Peter_Görg has the virus actively running and infecting apps on his computer as they are built and before they are signed.

The virus makes the file smaller AND does the same SQLite functionality as before?

If the virus contained all of the functionality for the platform it’s on (Intel or arm) and then a little payload of its own that gets triggered whenever certain functions run, I’d bet you’d never know.

Okay, that makes sense.

Submit the build to VirusTotal. If it’s truly infected, other scanners will detect it.


Any tips on submitting a bundle to VirusTotal? I had tried this to confirm a false positive, but all I could find was submitting a single file or a link, and when I did the link all it did was check the actual link in the databases. Their wording didn’t seem to imply it scanned the contents of my Zip or Xojo’s DMG.

Do you have any information that explains how this infection works? The resources I found made this sound like a low quality, “you’ve got to be kidding me, you right-click opened THAT?” kind of attack.

What I found was it was AppleScript presenting a fake authentication dialog for installation of the info stealer. It did not read like a self replicating Trojan.

My impression was this is nothing to worry about unless you’re unfamiliar with how to use a Mac.

I may very well be wrong. I just want to be informed.

I’ve only ever used it for Windows installers, but according to their docs it should scan Mac zips and DMGs. You cannot submit a bundle because (as you know) it’s a folder.

Okay I’ll have to try uploading directly. I used the download links because I thought it would save a step.

I opened a ticket with Intego. They had already received other reports of possible false positives, but wanted me to provide a sample for further review in a password-encrypted container, which they provided. The final piece of information is that they expect that with the next VirusBarrier Definitions update there will be no more false positives.
Once I have performed an alert-free scan with a newer VirusBarrier definition file, I will close this chat.

The update of the virus checker definition file of Intego VirusBarrier with the version number 07.03.25-2 has just been released. There are now no more warnings related to applications generated by Xojo with usage of SQLiteDatabase.dylib. These were false positive warnings.
