The Curious Case of ‘shove’: When Legitimate Tools Trigger False Alarms
As a malware and vulnerability hunter, I often come across intriguing cases that blur the lines between legitimate system processes and potential threats. Today, I want to share a recent investigation that highlights the complexities of modern cybersecurity tools and the importance of thorough analysis. Though fairly straightforward in hindsight, something fishy kept alerting me: a utility known as the mysterious “shove”.
Recently, a macOS device running Ventura 13.6.9 triggered multiple alerts in SentinelOne, a popular endpoint detection and response (EDR) tool. The culprit? A file named “shove” located at /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove.
SentinelOne flagged the file as “Malware,” reporting that it had established persistence, modified system files, and written entries to property list (plist) files. Naturally, these behaviors raised red flags.
Initial Concern
At first glance, the indicators seemed to point towards malicious activity:
Persistence mechanisms
System file modifications
Property list alterations
These are classic signs of malware trying to maintain its presence on a system. In most cases, the standard procedure would be to isolate and remove the suspicious file.

The Plot Thickens
However, a closer look revealed something unexpected. The file was signed by Apple; SentinelOne reported the signer as <Type=Apple/ID=com.apple.shove>. This left two possibilities:
The file is a legitimate Apple component (and we’re dealing with a false positive)
We’re facing a highly sophisticated piece of malware capable of spoofing Apple signatures (an extremely rare and concerning scenario)
Digging Deeper
Further investigation led to some interesting findings:
“shove” is a legitimate Apple utility that has shipped with macOS since at least 2017, although there is very little public documentation on it (whether you search with or without AI assistance).
It is a command-line tool used to copy files; it lives inside PackageKit.framework, the private framework behind the macOS installer.
Given the right arguments, “shove” can be used to manipulate the Transparency, Consent, and Control (TCC) database, potentially bypassing some system protections.
The Potential for Misuse:
While “shove” is a legitimate tool, it’s worth noting that it can be misused. For example, with specific command-line arguments, it could be used to replace the TCC database with a crafted version, effectively rewriting permission rules. The command might look something like this:
shove -X /tmp/crafted.db /Library/Application\ Support/com.apple.TCC/TCC.db
This capability is what likely triggered SentinelOne’s alerts: the tool’s potential for misuse makes it a target for behavioral detections even when it is doing its normal job. One caveat when judging such a command line: on a Mac with System Integrity Protection enabled, the system-level TCC database under /Library/Application Support/com.apple.TCC is SIP-protected, so a write like the one above should fail, and seeing it attempted at all is itself a reason to look harder.

The Verdict: False Positive
After careful analysis, we concluded that this was indeed a false positive. The key factors in this determination were:
The file’s location in a legitimate Apple system directory (on a SIP-enabled Mac running Ventura, /System sits on the sealed, read-only system volume, so a file there cannot simply be swapped out)
The valid Apple signature
The absence of additional command-line arguments that would indicate misuse
Historical data showing that other security tools (like BlockBlock and Bitdefender) have occasionally flagged this file since 2017
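The misuse pattern above and the verdict factors just listed can be encoded as a small triage check that an analyst runs over the alert before deciding whether to let the EDR mitigate. The following Python is an added example written for this post, not Apple’s code or SentinelOne’s detection logic; the Alert record and its fields are a hypothetical stand-in for whatever your EDR exports, and the sample alerts are constructed, not real telemetry.

```python
import re
from dataclasses import dataclass, field

# Expected on-disk location and signing identifier of Apple's shove,
# taken from the alert described in this post.
SHOVE_PATH = ("/System/Library/PrivateFrameworks/PackageKit.framework"
              "/Versions/A/Resources/shove")
SHOVE_SIGNER_ID = "com.apple.shove"

# Any argument that points at a TCC database (user or system copy) is treated
# as a misuse indicator rather than as an ordinary file copy.
TCC_DB_RE = re.compile(r"(^|/)com\.apple\.TCC/TCC\.db$")


@dataclass
class Alert:
    """Hypothetical, minimal stand-in for an EDR process alert (not SentinelOne's schema)."""
    path: str               # executable path reported by the EDR
    signer_id: str          # code-signing identifier, e.g. from codesign -dvvv
    signature_valid: bool   # result of codesign --verify
    argv: list = field(default_factory=list)


def triage(alert):
    """Apply the three verdict factors; return (verdict, list_of_reasons)."""
    reasons = []
    if alert.path != SHOVE_PATH:
        reasons.append(f"unexpected location: {alert.path}")
    if not alert.signature_valid or alert.signer_id != SHOVE_SIGNER_ID:
        reasons.append(
            f"signature is not Apple's shove (valid={alert.signature_valid}, "
            f"id={alert.signer_id!r})")
    tcc_args = [a for a in alert.argv[1:] if TCC_DB_RE.search(a)]
    if tcc_args:
        reasons.append(f"arguments reference the TCC database: {tcc_args}")
    # Only the combination of expected path, valid Apple signature and no
    # TCC-related arguments is closed as a false positive; anything else
    # goes back to an analyst.
    verdict = "investigate" if reasons else "false positive"
    return verdict, reasons


# Constructed sample alerts, not real telemetry.
BENIGN = Alert(SHOVE_PATH, SHOVE_SIGNER_ID, True, ["shove"])
TCC_REWRITE = Alert(SHOVE_PATH, SHOVE_SIGNER_ID, True,
                    ["shove", "-X", "/tmp/crafted.db",
                     "/Library/Application Support/com.apple.TCC/TCC.db"])
IMPOSTOR = Alert("/tmp/shove", "", False, ["shove"])


if __name__ == "__main__":
    for name, alert in [("benign", BENIGN), ("tcc rewrite", TCC_REWRITE),
                        ("impostor", IMPOSTOR)]:
        verdict, reasons = triage(alert)
        print(f"{name}: {verdict}", *reasons, sep="\n  ")
```

On the Mac itself, the signature fields come from codesign -dvvv <path> (which prints the Identifier) and codesign --verify --strict <path>, and the argv from the EDR’s process event. Note that the absence of TCC-related arguments is treated as necessary, not sufficient: a process with an unexpected location or an invalid signature is still handed to a human even if its command line looks innocent.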
Lessons Learned
This case highlights several important points for both security professionals and end-users:
Not all alerts indicate actual threats. False positives do occur, even with sophisticated security tools.
Context is crucial. The location, signature, and normal functionality of a file are all important factors to consider.
Legitimate system tools can sometimes have capabilities that security software might flag as suspicious.
Thorough investigation is key. Jumping to conclusions without proper analysis can lead to unnecessary actions or overlooked threats. I could easily have allowed SentinelOne to mitigate this “threat” by isolating and removing the file, which could have been devastating, as it is a utility intentionally created by Apple’s developers.
In the ever-evolving landscape of cybersecurity, it’s crucial to approach each alert with a balance of caution and critical thinking. While we must remain vigilant against genuine threats, we also need to understand the nuances of system operations to avoid false alarms. Remember, in the world of cybersecurity, things aren’t always as they first appear. Keep investigating, keep learning, and always strive for a deeper understanding of the systems you’re protecting.