Can DT be infected by the WizardUpdate malware?

CleanMyMac is telling me that the Devonthink app is infected with the WizardUpdate malware:

Is this possible or is CleanMyMac misdiagnosing something?

It does not come up when I start DT, only when I try to send a document from preview to DT.

My best guess is that the malware might be pretending to be DT?

Hard to tell as we’ve not yet encountered such a malware ourselves. But if it is something that could infect an app, it could well be that it somehow infected the app or, as you suggest, that WizardUpdate scans other apps like DEVONthink for share extensions and handlers, copies them, and then poses as the other app?

When I let CleanMyMac remove the threat, it completely removed DT. I don’t know how smart CleanMyMac is, but that seems to indicate that the actual app was infected, or the “Save to Devonthink” service (or whatever it is).

When I redownloaded DT and installed it, I had a 30 day trial which worked without any malware warning. I then entered my license details and luckily, it accepted them without complaining that all seats were already in use, i.e. it saw that this was the same instance as a previously registered seat.

So, for me the problem seems to be solved, but I’d be curious if anybody had any similar experiences.

Actually, there is one little glitch: after installing DT, the app did not show up in the dock (not even when launched). But I’m hoping that issue will disappear once I restart the Mac.

1 Like

Had you installed Flash Player at some point?

No, never. Not unless some other app installed it.

It was one of the vectors for the WizardUpdate according to what I was reading.

It’s also unclear if this was a false positive or not.

I cannot comment on the reliability of CMM; in a quick search I can find no articles on the software which don’t read like ads to me.

It is interesting to note that both the DEVONthink 3.app and com.devon-technologies.think3 are listed twice in the warning displayed by CMM.

I would expect that behaviour; none of the other items listed are executables; so if CMM thinks there is a malicious app on your Mac, it makes sense for it to remove an app.

From the descriptions I can find, it is not apparent that WizardUpdate infects other files, or even masquerades as another app (other than the one it was downloaded as, that is). You may have lost some diagnostic options by letting CMM go ahead - I think I would have uploaded the file to virustotal first.

Did you download DT3 from the DEVONtech website directly?

It may be worth trying to find further information on WU; this website, for example, suggests that the malware changes the sudoers list, which might be something you could use to detect its current or past presence. It would also seem to change the behaviour of your browser; again, something which you may be able to detect.

In addition, please let me mention Objective-See’s rather helpful suite of Mac security tools; the aim of the game is to be ahead of the malware (e.g. by prohibiting it from making itself permanent, or accessing the internet), which (some of) these tools are designed to do.

Oh, and - of course - keep macOS up to date.

1 Like

Yes.

Thanks for mentioning this. Very useful!

When it comes to DT, I’m afraid that things are not quite right yet. My DT inbox is now all empty, while it previously contained hundreds of documents. I hope to be able to recover those via Time Machine. Which folder do I want to restore to get the contents of the inbox back?

/Users/yourusername/Library/Application Support/DEVONthink 3/Inbox.dtBase2

It may also be worth checking this DT blog entry on migrating DT to a new Mac (which is kinda what you’re doing). Whether you actually want to copy all the settings etc. (has a plist been changed by malware…?) from the backup to the new install is another question.

I got the same warning today.

  • DT3 is version 3.8.4 (created 2022-06-22, updated 2022-06-23) on macOS 12.5.
  • CMM X is version 4.11.1 (part of SetApp) and was updated on 2022-07-14.
  • CMM’s malware db was updated just minutes before I got the warning.

I chose to put DT3 on the ignore list…

3 Likes

That’s probably the right thing to do. Really starts to sound like a false positive.

The warning just came back when I restored my inbox plus these (highlighted) files:

One of the telltale signs of infection is altered plist files. I guess CMM is detecting one of DT’s plist files as suspicious. Unless WU is able to target DT directly, it’s unlikely altering those plist files could possibly do anything useful (from WU’s vantage point). I guess that makes a false positive more likely.

The plist files were not altered. I restored them because CleanMyMac removed all of them.

I filed a support ticket with Macpaw (the developers of CMM).

Altered, I meant, by WU, which becomes permanent by - amongst other things - altering plists.

Yes, I understood that. And unless WU can alter those files without changing the last modified timestamp, those files were not modified. Or what am I misunderstanding?

We appreciate that and we have also contacted them as well.

1 Like

Nothing; I wasn’t sure we weren’t talking at cross purposes, and missed the modification date in your screenshot tbh :see_no_evil:

Same problem here: Malware warning for DT3 today (Wizard Update). CleanMyMac also issued the same warning for ScanSnap Manager.app. I uninstalled it completely using CMM, reinstalled the app and got the same warning on relaunch. I then put ScanSnap Manager as well as DT3 on CMM’s ignore list. This could very well be a CMM issue.

1 Like

Welcome @waltrr

We also believe it’s a false positive and thanks for sharing your thoughts and actions.

1 Like

Same report for me today. For Devonthink just finished using it, but then this report disappeared and Scansnap’s appeared instead. I redid the CMM scan and both reappeared (16 threats for all the programs in their suites). I hope it’s a CMM bug.