We use Patrick Wardle's utility BlockBlock to notify us of attempts to install Startup Items/Launch Daemons etc. It behaves sort of like Little Snitch, except it doesn't monitor the network; it monitors for attempts to install certain types of files.

Today, shortly after booting up our High Sierra machine, we received an alert from BlockBlock about an attempt to install a launch daemon at /System/Library/LaunchDaemons/com.apple.MRTd.plist for /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT.

I'm assuming that this is related to a silent update to the MRT.app by Apple but don't recall ever experiencing this particular scenario.

Are others seeing this MRTd activity?

MRT launch daemon install.jpg

Yes, I saw it along with about a dozen users posting to Twitter today (many retweeted by Patrick).

It simply replaced the prior file (identical), so not sure why we all got the alert this time. There was also a LaunchAgent installed at the same time which nobody seems to have reported, making it even more curious.

Another one today, but instead of being initiated by 'shove' it is being installed by an 'unknown' process.

Very weird and potentially concerning...

MRT-unknown-install-Screen Shot 2019-08-16 at 12.33.21 PM.jpg

Just got a new one, but it was installed by "Shove," as usual.

Quote

2019-08-16 19:35:31 +0000: /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove installed a launch daemon or agent (/System/Library/LaunchDaemons/com.apple.MRTd.plist -> /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT)
2019-08-16 19:36:05 +0000: user clicked: Allow

I didn't receive any alert in Mojave, probably because I checked the "remember" box after the last one. Will check on High Sierra this weekend.

The other curiosity is that BlockBlock indicates no signing authorities for the unknown process. Only processes signed by Apple are able to install anything into a System Library unless you have disabled SIP.

I suspect that “unknown” issue is more likely to be due to a bug in BlockBlock than due to anything truly malicious.

On 8/18/2019 at 7:17 AM, treed said:

I suspect that “unknown” issue is more likely to be due to a bug in BlockBlock than due to anything truly malicious.

Probably!

I've uninstalled and reinstalled BlockBlock.
