treed (Staff) — 2,239 posts

Everything posted by treed

  1. I got the data you sent over, and you definitely have three files that are related to adware and that will periodically launch Chrome. Those three files were included with the data, so I was able to test them here and confirm that they are all detected by Malwarebytes. I can also confirm that the version of the Malwarebytes database you have installed is the latest one. I notice that the scan history shows that the last scan was done in March. If you've done a scan more recently, that may suggest that the Malwarebytes software on your machine is not functioning properly. If you perform a scan now, and it doesn't detect anything, here is my recommendation:
     • Open the Malwarebytes app
     • Choose Uninstall from the Help menu within the app
     • Download the latest Malwarebytes installer from here: https://downloads.malwarebytes.com/file/mb-mac
     • Reinstall Malwarebytes using the newly downloaded installer
     • Be sure you're online, so the database can be updated, and start a scan
     • After these files are detected, restart your computer
     Let me know if you run into any problems with any of that.
  2. This is concerning, as this is something acting entirely outside of Chrome. I would like to get more information about your system. Please follow the instructions at the following link to download our support tool, run it, and send me the resulting MWB_Info.zip file via a direct message here. You can send me a direct message by clicking my name or avatar at left and then clicking the Message button. https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac Once I have that information, I can investigate to see what's going on.
  3. Looking back at the details, I see that there is an old rule that would have detected this plist file as OSX.Generic.Suspicious. That one's been around for a while, so it would have detected this file a long time before we added more specific detections for CloudMensis.
  4. Yup, that's correct. There may even be some question about whether this particular variant is even still in circulation. For a lot of these kinds of targeted attacks, we never see any detections. That could be because the attacker chooses not to target machines with antivirus, for fear of having their malware be discovered. It could also be because it's used to target people in Asia - which is the case with a fair bit of recent malware - where we have a very small user base. (In this case, we don't know who is being targeted.)
  5. A "null" IP address usually means there's a problem with the network. Can you clarify what kinds of networks you've tried on? Some networks may not be VPN friendly. I know of a few public networks I've tried over the years, with a variety of VPNs, where I either was not able to connect, or was able to connect but then had no network connection until I disconnected from the VPN. Are any of these networks set up with some kind of firewall that may block certain connections? Another thing that would be worth trying would be to reset the network settings on your Android device. Go to Settings > System > Advanced > Reset options > Reset network settings and tap Reset Settings.
  6. It's detected as OSX.CloudMensis, actually, but yes, since the 20th. No detections so far, though, as is fairly typical with this kind of highly targeted malware. The average Mac user probably will never see this.
  7. Actually, no Premium subscription is needed for BrowserGuard.
  8. To add more context, a .emlx file is an e-mail message in one of your mailboxes in the macOS Mail app. It's a good thing BitDefender isn't quarantining it, as deleting it can cause mailbox corruption, and wouldn't remove the message from the e-mail server anyway. I can't say whether that detection is a false positive or a legitimate detection. If it's a real detection, it's almost certainly something that targets Windows, and would not affect your Mac. (E-mail messages designed to target Macs are VERY rare.) Malwarebytes for Mac does not scan e-mail messages.
  9. I take it you're referring to the list of issues displayed on the main screen in Malwarebytes Mobile Security? If so, please don't compare this with Security Advisor on Windows. It's a much older feature. We will be replacing this with Security Advisor on Android as well, and will be working towards following a consistent philosophy across all platforms. I can't promise that we won't use the word "critical," or something similar, in some cases, because there are certain things we feel are very important for your security. However, the goal is not to use this to sell Malwarebytes. We would not want to flag as an issue something that you would have to pay for Premium to get. The intent is for it to be unbiased advice on how to best secure your device, not upsell. I can't recall off the top of my head how well the current "issue list" on Android follows this ideal, but we will be reviewing that.
  10. It doesn't even have to be a service that wasn't reputable. Even the most reputable advertising services can fall victim to "malvertising," where someone manages to get a malicious ad into their queue. That's a very common occurrence these days, and it undermines what little respectability online advertising had left. Ads cannot be considered to be a harmless annoyance any longer. They always have the potential to be malicious, and as others have stated, a good ad blocker is really the only solution.
  11. As Al mentions, what you're describing sounds like a hardware issue rather than malware. There's no known Mac malware that can persist across a factory reset. It also sounds like there may be a problem with that hard drive. It could be corrupt, or the problems you're seeing could be another effect of a hardware problem with your computer.
  12. Note that you can manage subscriptions and payment methods through your Malwarebytes account (https://my.malwarebytes.com).
     • https://support.malwarebytes.com/hc/en-us/articles/360039023733-Manage-your-subscriptions-in-My-Account
     • https://support.malwarebytes.com/hc/en-us/articles/360038522934-Manage-your-payment-method-in-My-Account
     If you do not have an account yet, see this for information on setting it up: https://support.malwarebytes.com/hc/en-us/articles/360039700574-Video-Setup-your-Malwarebytes-My-Account
  13. Advanced Mac Cleaner is actually the only PUP (Potentially Unwanted Program) that is blocked by the built-in security software on macOS. It's possible macOS actually removed Advanced Mac Cleaner at some point. Generally speaking, anything identified as malware or adware should be quarantined and removed, unless you have a very good reason to believe it's a false detection (which is actually quite rare with Malwarebytes for Mac). PUPs are more up to you. Removal is our recommendation, of course, because there are reasons that we detect them as such.
  14. This simply does not make sense, as Malwarebytes for Mac does not block network connections at all. Only our Mac Privacy app does any kind of network blocks at the current time. Further, many people on the Mac team at Malwarebytes also use 1Password, and we're not seeing this. I just tested, by deleting an entry from 1Password on my Mac, with exactly the same version of Malwarebytes for Mac installed, and saw that it also was deleted from 1Password on my iPhone. I reviewed your conversation with support, and it looks like there was a misunderstanding. I do not believe the support agent understood what you were asking, and was under the impression that the issue was resolved. However, I can tell you definitively there's no network blocking in Malwarebytes for Mac... it doesn't have a network filtering system extension, which would be required for network blocks on Monterey. Can you provide more details about exactly how you are able to reproduce this?
  15. Just confirming, are you using the Malwarebytes for Mac anti-malware software, or are you using Malwarebytes Privacy for Mac (the VPN software)? Malwarebytes for Mac does not include any network blocking functionality, and thus there is no facility for adding sites to an allow list. Further, if you're using it for free, there's no protection-related process running in the background. I also use 1Password and have not seen this behavior, even with real-time protection features turned on. I'm not sure what might be going on in this case. On the other hand, if you're using Privacy, there is a network filter involved with that. If you are using that, do you have the kill switch feature turned on, or do you have any connection rules active?
  16. Can you provide more information about exactly what happens when you connect that drive, and what you see appear in the Applications folder? If you're willing, I would also like to get more information about your system. Please follow the instructions at the following link to download our support tool and run it: https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac Once you've done that, please send me the MWB_Info.zip file via a direct message here on the forums.
  17. Running an AppleScript directly from within a launch agent plist via osascript -e is something that is done by malware and is considered suspicious behavior. A couple recommendations:
     • Change the launch agent to remove the osascript call, by pointing it at some kind of executable file. (See suggestion below.)
     • Set an exclusion in Malwarebytes for ~/Library/Launchagents/com.alfredapp.googledrive.plist
     Note that you can make a directly executable AppleScript file by simply putting the AppleScript into a text file, and using the AppleScript shebang on the first line: #!/usr/bin/osascript Then, you just make sure it has execute permissions (chmod +x) and it will be directly executable, so you could replace the ProgramArguments with just the path to that executable file. You can further secure it by making sure root permissions are needed to modify that executable file, while leaving it open to being read by any user.
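The rewrite described in post 17, as an added example that is not part of the original post: it writes an AppleScript to a file with the osascript shebang, generates a launch agent plist whose ProgramArguments is just that path, and includes a check for plists that still embed a script via osascript -e. The label, file names and the sample AppleScript body are assumptions for illustration; the chown to root is left as a comment because it needs privileges and a real Mac.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: label
# com.example.googledrive and wrapper file googledrive-sync.
set -eu

# Write the AppleScript from stdin to $1 with the osascript shebang so launchd
# can execute the file directly instead of passing script text to osascript -e.
make_applescript_wrapper() {
  dest="$1"
  { printf '#!/usr/bin/osascript\n'; cat; } > "$dest"
  chmod 755 "$dest"   # executable and readable by every user, writable by owner only
  # On a real Mac also run: sudo chown root:wheel "$dest"
  # so that root permissions are needed to modify the script.
}

# Emit a launch agent plist ($1 = label, $2 = wrapper path) whose
# ProgramArguments contains only the path to the executable wrapper.
make_launch_agent_plist() {
  label="$1"; prog="$2"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$label</string>
  <key>ProgramArguments</key>
  <array><string>$prog</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
}

# Return 0 when the plist in $1 still runs an inline script via osascript -e
# (the pattern post 17 calls suspicious), 1 when it does not.
plist_uses_inline_osascript() {
  grep -q -- 'osascript' "$1" && grep -q -- '<string>-e</string>' "$1"
}

# Constructed demo in a temporary directory; nothing is installed into
# ~/Library/LaunchAgents.
workdir="$(mktemp -d)"
wrapper="$workdir/googledrive-sync"
plist="$workdir/com.example.googledrive.plist"
printf 'tell application "Finder" to activate\n' | make_applescript_wrapper "$wrapper"
make_launch_agent_plist "com.example.googledrive" "$wrapper" > "$plist"
```

On macOS the generated plist would be copied to ~/Library/LaunchAgents and loaded with launchctl; here it only shows the shape Malwarebytes would no longer flag.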
  18. If you are having a problem with Malwarebytes for Mac reverting spontaneously from Premium to Free or activating a license, you may be using an outdated version of the software. Most older versions of Malwarebytes for Mac are no longer capable of maintaining or activating a Premium license state. If you are activating a license for the first time, seeing an error message referring to a network error may be an indication that you are affected by this issue. The solution to this problem is to ensure that you are using the latest version of the software.
     • If you are using macOS 10.12 (Sierra) or later, you need to have version 4.14.27 or later, which can be downloaded from here: https://downloads.malwarebytes.com/file/mb-mac
     • If you have macOS 10.11 (El Capitan), you need version 4.6.13, which can be downloaded from here: https://downloads.malwarebytes.com/file/mb-mac-4-6-13
     You can also update to the latest version within the app, by choosing Check for Updates from the Malwarebytes menu. You should also be sure to turn on the option to "Automatically update to a new version of Malwarebytes" in the settings, if you have turned that off. This is critical for ensuring that your Malwarebytes software is fully up to date and protecting you to the best of our ability.
     Unsupported versions: If you are using macOS 10.10 (Yosemite) or earlier, those systems, and the versions of Malwarebytes software that ran on them (version 3.x and older), have been at end of life for years and are no longer supported. You will no longer be able to use a Premium license on such systems without upgrading to a newer version of macOS. You can still use these older versions of Malwarebytes for Mac in Free mode for now, but database updates for those versions will stop near the end of the year.
  19. Did you restore data from backups? If so, you probably restored settings data containing the information needed to activate the license.
  20. From the wording you chose, I'm guessing you're seeing a message from macOS saying that it cannot check something you're trying to run for malicious software, which typically means that the app you're trying to run is not cryptographically signed. What are you trying to run, and where did you get it?
  21. Thanks for that feedback. We're going to be constantly improving Security Advisor, so definitely keep any feedback about it coming. 🙂
  22. Yeah, there's probably not much we can do without being able to reproduce, and none of us have been able to do so on Catalina. If you can provide the full install.log file, there's a chance that might reveal something, but it also might not. I'd definitely encourage upgrading, though. It has repeatedly been found in the last year that older versions of macOS cannot be considered secure. There are known vulnerabilities that Apple has only patched in the latest system (Monterey), and older systems remain vulnerable. If you're not able to upgrade to Monterey for some reason, that doesn't mean you should stop using your Mac. For most people, it's very unlikely they'll run into any problems as long as they're cautious online. However, if you engage in any kind of risky activities, you're at much greater risk. (This doesn't just mean stuff like pirating software. Other "risky activities" can include things like being a journalist, working for a government agency, being involved with a human rights advocacy group, being part of a persecuted group in certain countries, etc. These things can increase your chances of being targeted by an attacker.)
  23. Hi, all! We've just released Malwarebytes for Mac version 4.15 in beta. The primary change is an incremental improvement of our Security Advisor feature. This adds a few other Malwarebytes settings to the list of potentially insecure settings. We'll be expanding this further over time. Let us know if there's anything confusing or unclear. You can update to the beta within the app, with the Beta Application Updates feature turned on, or you can download the installer directly from here: http://cdn.mwbsys.com/packages/mmac.installer.consumer/7/4/7/8/74783872521bc86671c5a0637c5ea646/7a7b69eb-dc18-488b-bbc0-cb53f8592053.pkg Please reply here with any comments, questions, and problem reports!