Jump to content

Unable to Clear Quarantine- "WebSecurity" plugin


Recommended Posts

A while ago, I noticed this extension in my Safari.

Screen Shot 2018-01-04 at 11.48.44 PM.png

I uninstalled it, but the following message came up very frequently in Safari.

Screen Shot 2018-01-04 at 11.50.24 PM.png

After a while, it stopped, and after my credit card got stolen I noticed it was back. I installed malwarebytes and it had quarantined the plugin, and after trying to clear the quarantine multiple times, the plugin files duplicated themselves and made a folder in the quarantine called WebWatcher. Clearing it again deleted the folder but not the new plugin files either. Dragging to trash does not work. Help.

Screen Shot 2018-01-05 at 12.04.16 AM.png

Update: It has duplicated again in the quarantine

 

Edited by phantomsilver
Link to post
Share on other sites

  • Staff

Can you provide a screenshot of the Malwarebytes window showing the 3 files that are being detected and that are failing to be removed? Be sure to capture the results that show the full path to those files. Make a screenshot by following the directions here:

http://support.apple.com/kb/HT5775

Attach the screenshot file, which will be found on the desktop, to a reply to this message.

These are all components of WebWatcher, a commercial - and legal - spyware tool. Are you aware of how that got onto your computer? If not, that means that someone who has had access to your computer - most likely physical access - installed it.

Link to post
Share on other sites

29 minutes ago, treed said:

Can you provide a screenshot of the Malwarebytes window showing the 3 files that are being detected and that are failing to be removed? Be sure to capture the results that show the full path to those files. Make a screenshot by following the directions here:

http://support.apple.com/kb/HT5775

Attach the screenshot file, which will be found on the desktop, to a reply to this message.

These are all components of WebWatcher, a commercial - and legal - spyware tool. Are you aware of how that got onto your computer? If not, that means that someone who has had access to your computer - most likely physical access - installed it.

5a4f81cb4ff0b_ScreenShot2018-01-05at7_45_38AM.thumb.png.496d44c931f68c6afbb419d4dd7bd124.png

 

Link to post
Share on other sites

  • Staff

Open the Terminal application, found in the Utilities folder in the Applications folder, and enter the following four commands, one after the other:

sudo chflags nosappnd /Library/Google/Chrome/NativeMessagingHosts/com.ati.websecurity.json
sudo chflags nosappnd /Library/Internet\ Plug-Ins/WebSecurity.plugin
sudo chflags nosappnd ~/Library/Safari/Extensions/WebSecurity.safariextz
sudo chflags nosappnd /Library/Application\ Support/Malwarebytes/MBAM/Quarantine/*

For the first command, you'll need to enter your user account password. Note that you'll have to do this from an admin account, and that nothing will appear on screen when you type the password as a security measure. As long as you enter the next commands soon after, you won't need to enter the password again.

Once you have done this, scan with Malwarebytes for Mac again and remove all the detected items, then clear the quarantine. You'll also want to restart both Safari and Chrome, if they were running at the time.

There will be a fix for the issue that caused these files not to be removed in the next release of Malwarebytes for Mac.

As for why those files are there, if you're not aware of how WebWatcher got installed, that means someone put it there to spy on you, and that may explain how your credit card got stolen. (WebWatcher includes keylogging functionality.) If someone malicious has had access to your computer, that's a huge issue that is not easily solved, as they will have had access to everything you've done on your computer since that software was installed.

For more information about WebWatcher, you can see the WebWatcher website (webwatcher[dot]com). These kinds of programs are completely legal, but are often used illegally, and in my opinion have no legitimate uses.

Edited by treed
Link to post
Share on other sites

On 1/5/2018 at 8:39 AM, treed said:

 

 

Since then, malwarebytes shows my system as clean, but if I search for "websecurity" on This Mac in Finder, it shows up in /Previous System/Library/Internet Plug-Ins/WebSecurity.plugin. I have tried deleting this by dragging to trash and by using the command you stated, but it remains there. Is it safe to use Safari now? Malwarebytes is still failing to remove the ones that end in .plugin from the quarantine, and they do not get removed by the command to clear the quarantine either. I am not even sure what browser these plugins are for.

Link to post
Share on other sites

The entire /Previous System/ directory should normally be Trashed a few days after you upgrade to a new macOS and are satisfied that it doesn't contain anything that you need. Nothing in it is being used by your Mac.

Everything in /Library/Internet Plug-Ins/ can be used by all your browsers.

Link to post
Share on other sites

9 hours ago, alvarnell said:

The entire /Previous System/ directory should normally be Trashed a few days after you upgrade to a new macOS and are satisfied that it doesn't contain anything that you need. Nothing in it is being used by your Mac.

Everything in /Library/Internet Plug-Ins/ can be used by all your browsers.

 

I attempted deleting that directory and several files said they were still in use and could not be deleted. Nevertheless, I continued. I think I have completely removed the websecurity.plugin from everywhere on my hard disk (except Quarantine). Am I safe now?

Link to post
Share on other sites

As long as you were able to move that directory to the Trash, none of those files will be in use after you reboot your machine and there shouldn't be further problems in emptying the Trash.

The whole idea of quarantine is to isolate files so that they cannot be accessed, launched or used, so assuming Malwarebytes has properly designed their quarantine process, you were perfectly safe from the time those files were moved to quarantine.

If the WebSecurity.plugin ever appears in /Library/Internet Plug-Ins/ again, be sure and let them know so that the cause for it's re-installation can be determined.

Link to post
Share on other sites

  • Staff
On 1/5/2018 at 10:04 AM, phantomsilver said:

5a4f93bb8dfdf_ScreenShot2018-01-05at9_00_08AM.thumb.png.208f8b469d884feaeb8d4a66a8ef5fc2.png

It looks like the following command was not properly executed for the WebSecurity.plugin file:

sudo chflags nosappnd /Library/Internet\ Plug-Ins/WebSecurity.plugin

Note that you need to copy that exactly as-is, rather than trying to re-type. My guess is that you may have tried to enter that command manually and left off the '\' character, which would prevent the command from working properly. (The '\' is needed due to the space in the folder name. A space is not allowed in a path in Unix commands, unless you do something like "escape" it using the '\' character.)

Once this command has been run correctly, it should allow Malwarebytes for Mac to remove that file. After it has quarantined that file, you will also probably need to repeat this command, in order to be able to clear the quarantine effectively in Malwarebytes:

sudo chflags nosappnd /Library/Application\ Support/Malwarebytes/MBAM/Quarantine/*
Link to post
Share on other sites

4 hours ago, treed said:

It looks like the following command was not properly executed for the WebSecurity.plugin file:


sudo chflags nosappnd /Library/Internet\ Plug-Ins/WebSecurity.plugin

Note that you need to copy that exactly as-is, rather than trying to re-type. My guess is that you may have tried to enter that command manually and left off the '\' character, which would prevent the command from working properly. (The '\' is needed due to the space in the folder name. A space is not allowed in a path in Unix commands, unless you do something like "escape" it using the '\' character.)

Once this command has been run correctly, it should allow Malwarebytes for Mac to remove that file. After it has quarantined that file, you will also probably need to repeat this command, in order to be able to clear the quarantine effectively in Malwarebytes:


sudo chflags nosappnd /Library/Application\ Support/Malwarebytes/MBAM/Quarantine/*

The file is gone from Library/Internet Plug-Ins somehow; excecuting this command now says "no such file or directory." However, when I excecute the second command, the quarantine remains full of "WebSecurity_[number]_.plugin". Searching in Finder does not show any files named Websecurity now though, so am I fine if they are just in the quarantine? Or how else should I clear them? I am copying and pasting your command.

Link to post
Share on other sites

7 minutes ago, treed said:

The commands I gave you do not delete any files... they simply make it possible to delete those files. You will still need to clear the quarantine after running that last command if any files remain in the quarantine.

Pressing clear quarantine does nothing even after running the command

Link to post
Share on other sites

On 1/10/2018 at 10:59 AM, treed said:

Enter the following command in the Terminal, then copy the output and paste it into a reply here.


ls -alO /Library/Application\ Support/Malwarebytes/MBAM/Quarantine/

 

total 0
drwxr-xr-x  17 root  admin  - 544 Jan  6 10:14 .
drwxr-xr-x   7 root  admin  - 224 Jan  4 23:53 ..
drwxr-xr-x   3 root  admin  -  96 Jan  4 23:55 WebSecurity.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 01:28 WebSecurity_10_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 01:28 WebSecurity_11_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 01:45 WebSecurity_12_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 01:45 WebSecurity_13_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  4 23:47 WebSecurity_14_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  4 23:47 WebSecurity_15_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  4 23:59 WebSecurity_2_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 00:18 WebSecurity_3_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 00:21 WebSecurity_4_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 00:22 WebSecurity_5_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 00:51 WebSecurity_6_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 00:53 WebSecurity_7_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 00:57 WebSecurity_8_.plugin
drwxr-xr-x   3 root  admin  -  96 Jan  5 01:25 WebSecurity_9_.plugin

Link to post
Share on other sites

On 1/15/2018 at 6:28 AM, treed said:

I see no sign of anything that should prevent clearing of the quarantine. If those items don't go away when you click the Clear Quarantine button in Malwarebytes, restart your computer and try again, as that is an indication that something is not working correctly.

Quarantine is still not being cleared 

Link to post
Share on other sites

  • 3 months later...

Hello. I seem to be having the same problem as phantomsilver but mine is occurring on google chrome. I did all the following steps that he did, but the WebSecurity.plug-in remains on my computer even when I empty my trash. I also can't seem to delete immediately as it would say "The operation can’t be completed because you don’t have permission to access some of the items." I really need help

Link to post
Share on other sites

I know that removing Chrome Extensions are more difficult, so not sure whether Malwarebytes has mastered that yet or not.

At the end of the Chrome address bar there are three vertical dots. Click there and move down to "More Tools" and select "Extensions". Find the WebSecurity and click "REMOVE".

Link to post
Share on other sites

  • Staff

The original problem reported here, which you're replying to, is fixed in more recent versions of Malwarebytes for Mac.

Where are  you seeing the WebSecurity plugin?

You mention an enterprise policy... if you do not have admin privileges on that computer, then you would not be able to delete some things. Similarly, if the machine is managed by your employer's IT department, they can prevent you from removing things. It's not unheard of for businesses to use tools like WebWatcher to monitor their employees. I can't say whether this might be the case with your employer, or if their policies may simply be hindering the removal. That is something you may want to discuss with your IT department.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.