Jump to content


  • Content Count

  • Joined

  • Last visited

About ALN

  • Rank
    New Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Hi, Lately I use to get installer errors while updating as you can see below (on macOS 10.14.5.) Still, everything seems to work fine, except one weird thing: I'm missing the kext in /Library/Extensions (and the installer complains about it as you can see below.) locate MB_ retrieves this (is this a high-sophisticated-encrypted-patent-pending-evil-villian-defence-tactic or just a typo? :-) /Library/Application Support/Malwarebytes/MBAM/Kext/MB_MBAM_Protection.txek History: I upgraded from Sierra to Mojave last year, so I had no problems with authorizing. I allowed full disk access to RT daemon and all worked well. Then somewhere in time I got problems while updating and recognized the errors. Cheers, ALN File content of install.log: 2019-05-14 20:14:24+02 <REDACTED> installd[552]: PackageKit: ----- Begin install ----- 2019-05-14 20:14:24+02 <REDACTED> installd[552]: PackageKit: request=PKInstallRequest <1 packages, destination=/> 2019-05-14 20:14:24+02 <REDACTED> installd[552]: PackageKit: packages=( "PKLeopardPackage <id=com.malwarebytes.mbam.installer, version=1.0, url=file:///tmp/42D2E5E8-2A5C-4B1F-B3CF-5F4ADB8532A0.pkg#MBAM.pkg>" ) 2019-05-14 20:14:24+02 <REDACTED> installd[552]: PackageKit: Set reponsibility for install to 71 2019-05-14 20:14:25+02 <REDACTED> installd[552]: PackageKit: Extracting file:///tmp/42D2E5E8-2A5C-4B1F-B3CF-5F4ADB8532A0.pkg#MBAM.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/A598993A-C111-4EF9-A749-84CFECA0A739.activeSandbox/Root, uid=0) 2019-05-14 20:14:25+02 <REDACTED> installd[552]: PackageKit: prevent user idle system sleep 2019-05-14 20:14:25+02 <REDACTED> installd[552]: PackageKit: suspending backupd 2019-05-14 20:14:26+02 <REDACTED> installd[552]: PackageKit: Executing script "./preinstall" in /private/tmp/PKInstallSandbox.GPcuQK/Scripts/com.malwarebytes.mbam.installer.0hah7U 2019-05-14 20:14:26+02 <REDACTED> install_monitor[42283]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr 2019-05-14 20:14:26+02 <REDACTED> installd[552]: ./preinstall: Current user: root (0) 2019-05-14 20:14:27+02 <REDACTED> installd[552]: ./preinstall: Killing 'FrontendApplication' main UI if it's running... 2019-05-14 20:14:27+02 <REDACTED> installd[552]: ./preinstall: Killing 'Malwarebytes' launcher if it's running... 2019-05-14 20:14:27+02 <REDACTED> installd[552]: ./preinstall: No matching processes were found 2019-05-14 20:14:27+02 <REDACTED> installd[552]: ./preinstall: Agent unload for All active users from '/Library/LaunchAgents/com.malwarebytes.mbam.frontend.agent.plist'... 2019-05-14 20:14:27+02 <REDACTED> installd[552]: ./preinstall: Using new launchctl interface: 2019-05-14 20:14:27+02 <REDACTED> installd[552]: ./preinstall: UID: 501 2019-05-14 20:14:28+02 <REDACTED> installd[552]: ./preinstall: Agent unloading has been finished. 2019-05-14 20:14:28+02 <REDACTED> installd[552]: ./preinstall: Stopping 'com.malwarebytes.mbam.rtprotection.daemon' RTP daemon... 2019-05-14 20:14:29+02 <REDACTED> installd[552]: ./preinstall: kextstat result '' 2019-05-14 20:14:29+02 <REDACTED> installd[552]: ./preinstall: FSO driver 'com.malwarebytes.mbam.rtprotection' is not loaded. 2019-05-14 20:14:29+02 <REDACTED> installd[552]: ./preinstall: Stopping 'com.malwarebytes.mbam.settings.daemon' SK daemon... 2019-05-14 20:14:29+02 <REDACTED> installd[552]: PackageKit: Removing client PKInstallDaemonClient pid=42223, uid=0 (/usr/sbin/installer) 2019-05-14 20:14:29+02 <REDACTED> installd[552]: ./preinstall: Removing files... 2019-05-14 20:14:31+02 <REDACTED> installd[552]: ./preinstall: chown: /Library/Extensions/MB_MBAM_Protection.kext: No such file or directory 2019-05-14 20:14:31+02 <REDACTED> installd[552]: ./preinstall: chmod: /Library/Extensions/MB_MBAM_Protection.kext: No such file or directory 2019-05-14 20:14:31+02 <REDACTED> installd[552]: ./preinstall: chown: /Library/Extensions/com.malwarebytes.mbam.rtprotection.kext: No such file or directory 2019-05-14 20:14:31+02 <REDACTED> installd[552]: ./preinstall: chmod: /Library/Extensions/com.malwarebytes.mbam.rtprotection.kext: No such file or directory 2019-05-14 20:14:32+02 <REDACTED> installd[552]: PackageKit: Using trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/PKInstallSandboxTrash/A598993A-C111-4EF9-A749-84CFECA0A739.sandboxTrash for sandbox /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/A598993A-C111-4EF9-A749-84CFECA0A739.activeSandbox 2019-05-14 20:14:32+02 <REDACTED> installd[552]: PackageKit: Shoving /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/A598993A-C111-4EF9-A749-84CFECA0A739.activeSandbox/Root (2 items) to / 2019-05-14 20:14:33+02 <REDACTED> softwareupdated[274]: Event handler called with flags: 103 2019-05-14 20:14:33+02 <REDACTED> installd[552]: PackageKit: Executing script "./postinstall" in /private/tmp/PKInstallSandbox.GPcuQK/Scripts/com.malwarebytes.mbam.installer.0hah7U 2019-05-14 20:14:34+02 <REDACTED> installd[552]: ./postinstall: Current user: root (0) 2019-05-14 20:14:34+02 <REDACTED> installd[552]: ./postinstall: Installer path: /tmp/42D2E5E8-2A5C-4B1F-B3CF-5F4ADB8532A0.pkg. 2019-05-14 20:14:34+02 <REDACTED> installd[552]: ./postinstall: Installer filename: 42D2E5E8-2A5C-4B1F-B3CF-5F4ADB8532A0.pkg. 2019-05-14 20:14:34+02 <REDACTED> installd[552]: ./postinstall: Adding parameters to the protection daemon plist. 2019-05-14 20:14:35+02 <REDACTED> installd[552]: ./postinstall: Launching components on OSX v10.14.5... 2019-05-14 20:14:35+02 <REDACTED> installd[552]: ./postinstall: Loading 'com.malwarebytes.mbam.settings.daemon' SK daemon... 2019-05-14 20:14:35+02 <REDACTED> installd[552]: ./postinstall: Loading 'com.malwarebytes.mbam.rtprotection.daemon' RTP daemon... 2019-05-14 20:14:37+02 <REDACTED> installd[552]: ./postinstall: Agent loading for All active users from '/Library/LaunchAgents/com.malwarebytes.mbam.frontend.agent.plist'... 2019-05-14 20:14:37+02 <REDACTED> installd[552]: ./postinstall: Using new launchctl interface: 2019-05-14 20:14:37+02 <REDACTED> installd[552]: ./postinstall: UID: 501 2019-05-14 20:14:41+02 <REDACTED> installd[552]: ./postinstall: LSOpenURLsWithRole() failed with error -10810 for the file /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendApplication.app. 2019-05-14 20:14:42+02 <REDACTED> install_monitor[42283]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr 2019-05-14 20:14:43+02 <REDACTED> installd[552]: PackageKit: releasing backupd 2019-05-14 20:14:43+02 <REDACTED> installd[552]: PackageKit: allow user idle system sleep 2019-05-14 20:14:43+02 <REDACTED> installd[552]: PackageKit: Failed to get responsibility for client 42223. Will skip Installer.app check. 2019-05-14 20:14:43+02 <REDACTED> installd[552]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112
  2. Thank you, Alvarnell, for you time and effort on this. That‘s bad. It seems he‘s got hacked and time for me to say goodbye to his apps. This is indeed a valuable information and should be kept on focus. Cheers ALN
  3. And serves as a marvelous example how not to do it for your next security seminar. ds offer ... sounds like adware com.dsoffer an ID which is invalid as a domain WhatsupKeys ... intentionally misspelled to give people false confidence? com.dsoffer.WhatsupKeys.WhatsAppKeyboard for an app named Phraseboard (2x diff. spelling for WhatsApp!) A lesson to learn! It‘s a pity that Malwarebytes and Apple don’t have a strategic partnership. MB could deliver the technology and Apple could integrate it with the OS. And everybody would win. Apple had some strategic partnerships in the past. It is really sad.
  4. Update: dsoffer is an abbreviation for a developer named Daniel Soffer offering a Math keyboards app and Phraseboard, the latter I have installed. The name WhatsupKeys is misleading as Phraseboard offers only buttons for custom text (a TextExpander as a keyboard) which is inserted upon click. The whole smoke came up b/c his bundle ID com.dsoffer is not a valid domain . Although he is not a villain having invalid domain as bundle and providing an inappropriate app name is more than annoying. Sorry for the mess. ALN
  5. Thomas, Thanks for your reply. First, it is only a crash report from a week ago. Second, an app can be named anything but can be intented for different things, as you know. So, it makes it really hard to classify. I remember only PadKeys (which is a Computer-like keyboard with ALT and cursor keys etc.) having an update, but any app could run for months without surfacing. The problem is, uninstalling something doesn’t yield more than false confidence, as you can’t determine on iOS if this specific app is still installed, only wait for next crash. But what if doesn’t happen. So, I think it‘s origin must be proved somehow. Additionally, I have no ads, no suspicious network connects. I have installed disconnect.me, permanently monitoring the network and blocking everything I don’t need for operation. So, I would notice any suspicious activity other than the normal ad-sites which are blocked. And these are very few. (I always try to research a domain, who is behind, its purpose etc. before making decisions.) Anyway, thank you for your time and effort. If you ever come up with more ideas, you are more than welcome. Cheers ALN
  6. Addendum: FWIW, as I mostly use Apple‘s internal keyboard, the time of the crash report points somehow to a time when I used Apple‘s emoji keyboard (I rarely use emojis.) Can this be related to this? Although, com.dsoffer is very weird and the URL (dsoffer.com) does not exist. Anyway, hopefully helpful for everybody. Cheers ALN
  7. Thank you, Thomas. I know about the security issues about keyboard apps but I only use them for very specific tasks, no full access and internet access is denied. Thank you for your valuable advice anyway. The interesting thing about this is, that none of any apps I installed provides something equal. I do not use WhatsApp and there is no settings in any of my apps which offer such a feature to switch. I‘m now researching this as I don‘t know which one causing this. As this popped up this week and I use these apps now for very long, I don’t know where it is hiding. So, if someone has a similar experience and finds something, I thought this place can help us all. Thanks. ALN
  8. Now hopefully for the last time. I‘m sorry, I fully misunderstood the problem. I was talking about a completly different but similar looking incident. Now after testing this, I realized my mistake, sorry to confuse everybody. Dragging the MB app to dock from /Applications is of course a seperate app as in Engine.bundle and Dock shows it correctly as two seperate files. Again, very sorry. ALN
  9. By the way, it is also new if I‘m not mistaken, that internal processes spawned off are displayed in Dock etc. I recognized this recently in different apps which should not happen. Maybe this can play a role too. I still see such incidents as an OS related problem.
  10. I would not count on it. I believe you will need more time consuming investigation. All these double „instances“ are mostly configuration mishaps, always happened with LaunchServices, Dock etc. whenever settings storage was involved (e.g. Open with... showing multiple apps no more installed etc.) I wouldn’t take much comfort into the stub incident either. How was this confirmed? Is it proved that both icons point to different locations on disk? As the UI does not show you what‘s actually happening, you can be tricked into believing you are confronted with two different apps. macOS is keen to hide „system“ data, so showing the inerts of Engine.bundle via Siri and the like won‘t happen, in my experience. Although, Spotlight is the backbone of any search for the system itself, only proper constructed queries in Spotlight‘s own querie language will uncover these. Besides porgramming, there are some tools which allow the send these queries where you can test (e.g. Quicksilver.) Testing this is equally hard, as the order of appearance can vary and you find yourself launching the same app over and over again. After all this is not really something to worry about. I just wanted to turn the attention to such a problem in macOS. And everybody can go by his business.
  11. Thank you for yor attempt to help but you should not assume everybody you talk to is technically declined. If a second app would have been somewhere I would have noticed it, believe me. It has to do with macOS internal settings, a configuration mishap (maybe it got confused with trashcan.) Immediately after triggering an auto-update BBEdit will ask to quit itself, install it and relaunch. After proceeding a second icon appeared and the original, which was permanently pinned, was inactive. Deleteing old icon and making new icon permanent solved the problem. It has nothing to do with physical instances and locations. And it didn‘t happen all the years. I just wanted to inform about this which may happen to other apps as well. Cheers ALN
  12. I recently had this after updating BBEdit, showing two icons on the Dock. Firts tome appeared after updating to macOS 10.14.3. I suspect macOS problem. Cheers ALN
  13. Hello everybody, I just came across a crash report on my iPad running iOS 12.1.4 with the bundle name „com.dsoffer.WhatsupKeys.WhatsAppKeyboard“. No results on any search engines. Anyone know this? The only keyboard apps I installed are: Clips, Phaseboard, PadKeys, MyScript Stylus. In general, I‘m very security concered and don‘t install much apps, only what I need and after research. Thanks in advance. ALN
  14. Thanks, Manfred! That's why I posted my observations here. This must be seriously examined by the developers as it's the only process with such a behaviour and it's racing kernel_task, and I think they will. It's important that they are aware of it now. For now I only start the daemon while I'm online (I use my iPad for all my inet work, my computers/TV/etc. are always offline, except for updates or specific use) and kill the process afterwards. Then it stays at acceptable range. Cheers, ALN
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.