I don't know much about the Mac installation....
But afaik Lazarus does use a symlink inside the app-bundle.
I.e. The "lazarus" executable file is NOT inside lazarus.app/Contents/MacOS (or wherever it would be). Instead it is outside the bundle, and the bundle contains a symlink.
It would be plausible, that an AV considers this an attempt to "sneak" something into the bundle.... But I don't know if that is what causes the issue here.
I don't have the means to try and reproduce it. But McAffe (as any other AV vendor) should have a support site, that allows you to upload a suspected false positive. In my experience with other AV companies, if you do so they should respond within about a week.
I suspect it to be a false positive, since you have the correct checksum, and if it was indeed infected, there would very likely have been other reports by now. (Not a proof, but...)