Sophos Antivirus claims port 'zlib' ships a Virus/Spyware called "iPh/WireLurk-G"...

Marko Käning mk-macports at
Fri Sep 4 15:18:22 PDT 2015

Hi folks,

today I got a warning from my "Sophos Antivirus" w.r.t. MacPorts!!!

It claimed that zlib’s dylib file


carried a virus called


and I wonder now whether this was
	- actually true or
	- a false positive or 
	- whether Sophos is trying to trade snake oil to me…

It was very weird, that at some stage the dylib file - despite being readable -
$ ls -l /opt/local/lib/libz.1.2.8.dylib
-rwxr-xr-x 1 root admin 76404 Nov 15  2013 /opt/local/lib/libz.1.2.8.dylib
could _not_ be read by any user.
	Later it was readable again...
		Was I tricked by some OSX internals (triggered by Sophos’ quarantine workflow)
		or indeed by a virus?

Is there a way to verify whether the files installed by port “zlib” are actually those
currently to be found in MacPorts’ own archives? Are there verifiable hashes for files
installed by a port somewhere?


More information about the macports-users mailing list