Pretty sure there is no virus, malware or trojan at play and his is all a highly coincidental false positive.
It’s most likely a false positive since /var/db/uuidtext/
is related to the new “Unified Logging” subsystem that was introduced in macOS Sierra (10.2). As this article explains:
The first file path (/var/db/diagnostics/
) contains the log files. These files are named with a timestamp filename following the pattern logdata.Persistent.YYYYMMDDTHHMMSS.tracev3
. These files are binary files that we’ll have to use a new utility on macOS to parse them. This directory contains some other files as well including additional log *.tracev3 files and others that contain logging metadata. The second file path (/var/db/uuidtext/
) contains files that are references in the main *.tracev3 log files.
But in your case the “magic” seems to come from the hash:
BC8EE8D09234D99DD8B85A99E46C64
Just check out this reference for known Windows malware files that references that one specific hash. Congratulations! Your Mac has magically created a filename that matches a known vector that has been primarily seen on Windows systems… But you are on a Mac and this filename is just a hash that is connected to the “Unified Logging” database system’s file structure and it is completely coincidental that it matches that malware filename and should not mean anything.
And the reason that specific file seems to regenerate is based on this detail from the above explanation:
The second file path (/var/db/uuidtext/
) contains files that are references in the main *.tracev3 log files.
So you delete the file in /var/db/uuidtext/
, but all it is is a reference to what is in /var/db/diagnostics/
. So when you reboot, it sees it is missing and recreates it in /var/db/uuidtext/
.
As for what to do now? Well, you can either tolerate the Avast alerts or you can download a cache cleaning tool such as Onyx and just force the logs to be recreated by truly purging them from your system; not just that one BC8EE8D09234D99DD8B85A99E46C64
file. Hopefully the hash names of the files it regenerates after a full cleaning won’t accidentally match a known malware file again.
UPDATE 1: It seems like Avast staff acknowledges the issue in this post on their forums:
I can confirm this is a false positive. The superuser.com post describes the issue quite well - MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner which also happen to trigger one of our detections.
Now what is really odd about this statement is the phrase, “…MacOS seems to have accidentally created a file that contains fragments of malicious cryptocurrency miner.”
What? Is this implying that someone on the core macOS software development team at Apple somehow “accidentally” setup the system so it generates neutered fragments of a known malicious cryptocurrency miner? Has anyone contacted Apple directly about this? This all seems a bit crazy.
UPDATE 2: This issue is further explained by someone Radek Brich the Avast forums as simply Avast self-identifying itself:
Hello, I'll just add a bit more information.
The file is created by MacOS system, it's actually part of "cpu usage" diagnostic report. The report is created because Avast uses the CPU heavily during the scan.
The UUID (7BBC8EE8-D092-34D9-9DD8-B85A99E46C64) identifies a library which is a part of Avast detections DB (algo.so). The content of the file is debugging information extracted from the library. Unfortunately, this seems to contain a string which is in return detected by Avast as a malware.
(The "rude" texts are probably just names of malware.)
Best Answer
I'm pretty sure the traffic is not being caused by updates. It happening because avastsvc acts as a kind of proxy in order to block harmful web content - so most normal traffic will be shown under Avast instead. See very similar question here, answered by Avast technical staff: http://forum.avast.com/index.php?topic=56474.0
You could try temporarily disabling Avast in order to check this and make it easier to track the true culprit.
Perhaps your increased bandwidth is due to Windows Update or something? It might also be worth running a MalwareBytes scan or something to be extra sure you don't have a virus.