
Hi everyone, this is my first post! Happy to have found this forum. I'm just starting to learn about malware removal.

My main question is should I join AlienVault Open Threat Exchange? I'd like to be able to more easily identify threats that are found on my devices and network. The website is https://otx.alienvault.com. I'd also like to learn how to identify who an IP address belongs to and if it is safe.

Below are details related to the malware on my iMac (Mojave 10.14.6). If anyone cares to delve in and comment on any of it, that would be fantastic. Thank you in advance.

  • My Safari (v13.1) cache has 50+ websites in it that I have not navigated to, and if I delete each cache individually, some automatically come back. I've looked into a few of these cached sites, but am extremely hesitant to continue to go to these websites or even to google them to investigate because it may raise my risk of getting infected. I've run EasyFind (Devon Technologies app) searches on some of the websites in the cache, and it is not finding them despite searching all files and volumes.
  • 1st run of the Premium trial of Malwarebytes found Crossrider, mitmproxy, a browser extension in Chrome (adware), several files and directories related to TopicLookup, and a couple other files and directories. Screenshot attached of quarantined items. Nothing else found since then and my trial has run out; should I upgrade to Premium?
  • Flash Player was installed and updated multiple times from a 3rd party. This was over a year ago; I don't remember doing it but it updated monthly for some time. Adobe cannot find it on my iMac to uninstall it; I'm assuming that is because Flash Player was not installed from Adobe to begin with. I've started to manually find and delete the Flash files. Deleting Flash Player from the system preferences pane requires me to put in my admin password, which I haven't done yet (again, hesitant).
  • EtreCheck report below. I am new to EtreCheck and am still deciphering the report. I have a runaway process and kernel panics that could be related to 3rd party software. Also, I downloaded Norton from my Internet provider (xfinity) on 4-9-2020, and EtreCheck shows Norton for Mac and Norton Security were both installed. The app is Norton Security; I can't find Norton For Mac anywhere on my iMac. At any rate, Norton Security has been useless in finding threats. 

EtreCheck version: 5.5.4 (5106)

Report generated: 2020-04-28 03:34:46

Download EtreCheck from https://etrecheck.com

Runtime: 2:04

Performance: Excellent

Sandbox: Enabled

Full drive access: Enabled

Problem: Other problem

Description: 

Remove Flash Player, adware, malware

 

Major Issues:

    Anything that appears on this list needs immediate attention. 

    Runaway process - A process is using a large percentage of your CPU.

    Kernel panics - This system has experienced kernel panics that could be related to 3rd party software.

 

Minor Issues:

    These issues do not need immediate attention but they may indicate future problems or opportunities for improvement. 

    Heavy network usage - This machine has recently restarted and has high network usage.

    Apps crashing - There have been numerous app crashes.

    Unsigned files - There are unsigned software files installed. Apple has said that unsigned software will not run by default in a future version of the operating system.

    32-bit Apps - This machine has 32-bits apps will not work on macOS 10.15 "Catalina".

    Kernel extensions present - This machine has kernel extensions that may not work in the future.

 

Hardware Information:

    iMac (Retina 5K, 27-inch, 2017)

    iMac Model: iMac18,3

    4.2 GHz Intel Core i7 (i7-7700K) CPU: 4-core

    8 GB RAM - Upgradeable

        BANK 0/DIMM0 - 4 GB DDR4 2400 

        BANK 0/DIMM1 - Empty 

        BANK 1/DIMM0 - 4 GB DDR4 2400 

        BANK 1/DIMM1 - Empty 

 

Video Information:

    Radeon Pro 580 - VRAM: 8 GB

        iMac (built-in) 5120 x 2880

 

Drives:

    disk0 - APPLE SSD SM2048L 2.00 TB (Solid State - TRIM: Yes)

    Internal PCI-Express 8.0 GT/s x4 NVM Express

        disk0s1 - EFI [EFI] 315 MB

        disk0s2 [APFS Container] 2.00 TB

            disk1 [APFS Virtual drive] 2.00 TB (Shared by 4 volumes)

                disk1s1 - Macintosh HD (APFS) (Shared - 653.85 GB used)

                disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)

                disk1s3 - Recovery (APFS) [Recovery] (Shared)

                disk1s4 - VM (APFS) [APFS VM] (Shared - 5.37 GB used)

 

Mounted Volumes:

    disk1s1 - Macintosh HD

        2.00 TB (Shared - 653.85 GB used, 1.35 TB available, 1.34 TB free)

        APFS

        Mount point: /

 

    disk1s4 - VM [APFS VM]

        2.00 TB (Shared - 5.37 GB used, 1.34 TB free)

        APFS

        Mount point: /private/var/vm

 

Network:

    Interface en0: Ethernet

    Interface en5: iPhone

    Interface en1: Wi-Fi

        802.11 a/b/g/n/ac

    Interface en4: Bluetooth PAN

    Interface bridge0: Thunderbolt Bridge

 

System Software:

    macOS Mojave 10.14.6 (18G4032) 

    Time since boot: About 4 hours

 

Notifications:

 

    EtreCheck.app

        5 notifications

    Safari.app

        4 notifications

 

Security:

    Gatekeeper: Enabled

    System Integrity Protection: Enabled


    Antivirus software: Apple and Malwarebytes

 

Unsigned Files:

    Launchd: /Library/LaunchDaemons/jp.co.canon.MasterInstaller.plist

        Executable: /Library/PrivilegedHelperTools/jp.co.canon.MasterInstaller

        Details: Exact match found in the whitelist - probably OK

 

    Launchd: /Library/LaunchDaemons/com.symantec.sharedsettings.MES.plist

        Executable: /Library/Application Support/Symantec/Silo/MES/DomainSettings/SymSharedSettingsd

        Details: Executable file is not accessible without Full Drive Access

 

32-bit Applications:

    5 32-bit apps

 

Kernel Extensions:

    /Library/Application Support/Malwarebytes/MBAM/Kext

        MB_MBAM_Protection.kext (Malwarebytes Corporation, 4.4 - SDK 10.11)

 

    /Library/Extensions

        SymXIPS.kext (Symantec, 9.0.1 - SDK 10.10)

        SymInternetSecurity.kext (Symantec, 9.0.3 - SDK 10.10)

        SymIPS.kext (Symantec, 9.0.2 - SDK 10.10)

        NortonForMac.kext (Symantec, 9.0.1 - SDK 10.10)

 

System Launch Agents:

    [Not Loaded] 15 Apple tasks

    [Loaded] 187 Apple tasks

    [Running] 97 Apple tasks

    [Other] One Apple task

 

System Launch Daemons:

    [Not Loaded] 38 Apple tasks

    [Loaded] 199 Apple tasks

    [Running] 97 Apple tasks

 

Launch Agents:

    [Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2020-04-21)

    [Loaded] com.microsoft.update.agent.plist (Microsoft Corporation - installed 2020-04-21)

    [Running] com.symantec.uiagent.application.MES.plist (Symantec - installed 2020-03-26)

 

Launch Daemons:

    [Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2020-03-18)

    [Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2020-04-27)

    [Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2020-04-21)

    [Loaded] com.microsoft.OneDriveUpdaterDaemon.plist (Microsoft Corporation - installed 2019-01-23)

    [Loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2020-04-21)

    [Loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2019-01-15)

    [Loaded] com.symantec.SymLUHelper.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] com.symantec.UninstallerToolHelper.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] com.symantec.deepsightdownload.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] com.symantec.dsp.nortonaggregatord.MES.plist (Symantec - installed 2020-03-26)

    [Running] com.symantec.kexthelper.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] com.symantec.liveupdate.daemon.MES.plist (Symantec - installed 2020-03-26)

    [Running] com.symantec.sharedsettings.MES.plist (? 84ffa067 - installed 2020-03-26)

    [Running] com.symantec.symdaemon.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] com.symantec.symqual.detail.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] com.symantec.symqual.panicreporter.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] com.symantec.symqual.submit.MES.plist (Symantec - installed 2020-03-26)

    [Loaded] jp.co.canon.MasterInstaller.plist (? d0637166 - installed 2019-03-24)

 

User Launch Agents:

    [Other] com.google.keystone.agent.plist (Google, Inc. - installed 2020-04-27)

    [Loaded] com.google.keystone.xpcservice.plist (Google, Inc. - installed 2020-04-27)

 

User Login Items:

    [Running] CIJSULAgent (Canon Inc. - installed 2019-03-24)

        Modern Login Item

        /Applications/Canon Utilities/IJ Scan Utility/Canon IJ Scan Utility Lite.app/Contents/Library/LoginItems/CIJSULAgent.app

 

    [Not Loaded] Launcher Disabler (Microsoft Corporation - installed 2019-01-23)

        Modern Login Item

        /Applications/OneDrive.app/Contents/Library/LoginItems/Launcher Disabler.app

 

    [Not Loaded] OneDrive Launcher (Microsoft Corporation - installed 2019-01-23)

        Modern Login Item

        /Applications/OneDrive.app/Contents/Library/LoginItems/OneDrive Launcher.app

 

    [Not Loaded] StartUpHelper (Spotify - installed 2019-05-16)

        Modern Login Item

        /Applications/Spotify.app/Contents/Library/LoginItems/StartUpHelper.app

 

    [Not Loaded] HP Device Monitor (HP Inc. - installed 2019-01-08)

        Modern Login Item

        /Library/Printers/hp/Frameworks/HPDeviceMonitoring.framework/Versions/1.0/Helpers/HP Device Monitor Manager.app/Contents/Library/LoginItems/HP Device Monitor.app

 

    [Not Loaded] HP Product Research (HP Inc. - installed 2019-01-08)

        Modern Login Item

        /Library/Printers/hp/Utilities/HPPU Plugins/ProductImprovementStudy.hptask/Contents/Helpers/HP Product Research Manager.app/Contents/Library/LoginItems/HP Product Research.app

 

    [Not Loaded] HP Data Uploader (HP Inc. - installed 2019-01-08)

        Modern Login Item

        /Library/Printers/hp/Utilities/HPPU Plugins/ProductImprovementStudy.hptask/Contents/Helpers/HP Product Research Manager.app/Contents/Library/LoginItems/HP Product Research.app/Contents/Resources/HP Data Uploader.app

 

Audio Plug-ins:

    AppleTimeSyncAudioClock: 1.0 (Apple - installed 2019-09-20)

    BluetoothAudioPlugIn: 6.0.14 (Apple - installed 2020-04-15)

    AirPlay: 2.0 (Apple - installed 2020-04-15)

    AppleAVBAudio: 760.6 (Apple - installed 2019-09-20)

    BridgeAudioSP: 5.52 (Apple - installed 2020-04-15)

    iSightAudio: 7.7.3 (Apple - installed 2019-09-20)

 

3rd Party Preference Panes:

    Flash Player (Adobe Systems, Inc. - installed 2020-02-25)

 

Time Machine:

    Auto backup: Yes

    Volumes being backed up: 

        Macintosh HD: Disk size: 2.00 TB - Disk used: 660.08 GB 

    Destinations: 

        Data [Network] (Last used)

            Total size: 2.85 TB

            Total number of backups: 20

            Oldest backup: 2020-03-15 10:45:32

            Last backup: 2020-04-28 03:13:43

    16 local snapshots

    Oldest local snapshot: 2020-04-27 03:11:25

    Last local snapshot: 2020-04-28 03:08:02

 

Performance:

    System Load: 3.20 (1 min ago) 2.51 (5 min ago) 2.26 (15 min ago)

    Nominal I/O speed: 7.97 MB/s

    File system: 30.11 seconds

    Write speed: 2267 MB/s

    Read speed: 2832 MB/s

 

CPU Usage Snapshot:

    Type Overall

    System: 3 %

    User: 18 %

    Idle: 78 %

 

Top Processes Snapshot by CPU:

    Process (count) CPU (Source - Location)

    Other processes 127.13 % (?)

    Console 25.05 % (Apple)

    EasyFind 7.43 % (App Store)

    Safari 4.80 % (Apple)

    EtreCheck 2.89 % (App Store)

 

Top Processes Snapshot by Memory:

    Process (count) RAM usage (Source - Location)

    EtreCheck 443 MB (App Store)

    Console 246 MB (Apple)

    Safari 183 MB (Apple)

    Finder 177 MB (Apple)

    EasyFind 122 MB (App Store)

 

Top Processes Snapshot by Network Use:

    Process Input / Output (Source - Location)

    Other processes 638 MB / 1.13 GB (?)

    com.apple.WebKit.Networking 2 MB / 408 KB (Apple)

    SystemUIServer 873 B / 36 B (Apple)

    Terminal 0 B / 0 B (Apple)

    diagnostics_agent 0 B / 0 B (Apple)

 

Virtual Memory Information:

    Physical RAM: 8 GB

 

    Free RAM: 23 MB

    Used RAM: 7.02 GB

    Cached files: 982 MB

 

    Available RAM: 1006 MB

    Swap Used: 1.76 GB

 

Software Installs (past 30 days):

    Install Date Name (Version)

    2020-04-01 Numbers (10.0)

    2020-04-01 Pages (10.0)

    2020-04-01 Keynote (10.0)

    2020-04-02 Safari (13.1)

    2020-04-02 MRTConfigData (1.58)

    2020-04-09 Norton For Mac (8.5.5.277.277)

    2020-04-09 Norton Security SKU (8.5.5.277.277)

    2020-04-15 Security Update 2020-002 (10.14.6)

    2020-04-15 Mobile Device (1.0.0.0)

    2020-04-15 Microsoft Excel (16.36.20041300)

    2020-04-15 Microsoft OneNote (16.36.20041300)

    2020-04-15 Microsoft Outlook (16.36.20041300)

    2020-04-15 Microsoft PowerPoint (16.36.20041300)

    2020-04-16 XProtectPlistConfigData (2119)

    2020-04-21 Microsoft AutoUpdate (4.22.20042003)

    2020-04-27 EasyFind (4.9.3)

    2020-04-27 EtreCheck (5.5.4)

    2020-04-27 Microsoft Word (16.36.20041300)

    2020-04-27 Malwarebytes for Mac (1.0)

 

Diagnostics Information (past 7-30 days):

    2020-04-28 03:19:47 Safari.app - Crash (15 times)

        Executable: /Applications/Safari.app

        Details: 

            dyld: launch, loading dependent libraries

 

 

    2020-04-27 23:43:59 coreservicesd - High CPU Use (2 times)

        Executable: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd

 

    2020-04-26 06:07:30 com.apple.WebKit.WebContent - High CPU Use

        Executable: /System/Library/StagedFrameworks/Safari/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

 

    2020-04-25 22:53:44 backupd - High CPU Use

        Executable: /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd

 

    2020-04-22 13:44:47 Kernel Panic (2 times)

        Details:

            panic(cpu 0 caller 0xffffff8013205446): "a freed zone element has been modified in zone kalloc.128: expected 0xdeadbeefdeadbeef but found 0xffffff803a83c250, bits changed 0x2152416fe42e7cbf, at offset 88 of 128 in element 0xffffff803a83b800, cookies 0x3f00119a67238ab8 0x53521dd0d22eb3d"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4903.278.28/osfmk/kern/zalloc.c:1206

 

        3rd party kernel extensions: 

            com.malwarebytes.mbam.rtprotection

            com.symantec.SymXIPS

            com.symantec.internetSecurity.kext

            com.symantec.ips.kext

            com.symantec.nfm.kext

 

 

End of report

 

If you got this far, I am indebted to your kindness. Thank you!



You are mostly way off topic here since the forum is supposed to help you remove Mac Malware that was discovered using Malwarebytes for Mac, but I don't see any indication that you had any difficulty finding and quarantining quite a bit of adware. Since they appear to all be disabled at this point you can either leave them where they are or delete them now and never have to look at them again. The only one that might be something you want is the Booking application. If it's doing something useful for you that you can't find anywhere else, then you might want to restore it, but if not just get rid of that too.

If you aren't able to delete them or are still seeing evidence of adware or a runaway process related to any of these, be sure to return so we can troubleshoot that part of your problems.

The remainder of your questions would be better handled on a site such as the Apple Support Community forum, where far more Mac troubleshooters with other than a malware background can probably give you a better answer than we can here.

But I'll throw a few things out...

Your cache will normally fill out with all kinds of sites that you aren't visiting directly but have links on them that must be accessed to provide images, ads and other content. That's perfectly normal and there isn't much you can do about it if you continue to frequent such sites. Cache files are inert and cannot do any harm by themselves. Any damage from such sites is already done. They do help speed up your browsing experience, so deleting them will simply slow you down and as you have found will simply be reconstituted after a day or so of normal browsing. The number of sites that might seriously infect you is close to zero (over 99% of the malware found last year was simple adware), so the best you can hope for is to use a good adblocker to reduce nuisance ads and avoid all sketchy sites. You will waste a lot of time trying to figure out who owns each IP address and any that are malicious will likely have registered with an anonymous intermediary that is being paid to not reveal the real owner.

Upgrading to premium is something you need to decide for yourself. You can see what would be added near the bottom of this page. The biggest advantage is that it will stop installers and apps the minute they are downloaded, before they have a chance to install any malware they contain. It's unlikely to find anything different from what the free version finds, just that it will be before, rather than after the fact of infection.

I don't know of any 3rd party app that will actually install a legitimate version of Flash Player, so that was a big mistake. At some point you must have gone to the Adobe site to install it or it wouldn't appear in your System Preferences. Since you had to enter your admin password in order for it to appear there, I'm not clear on why you would now be hesitant to do so again in order to uninstall. That must be done in order to uninstall any 3rd party preferences you have there. It's a good bet that you don't need Flash Player for any reason and it will no longer be supported by the end of the year, so you must ignore all future popups that say you need to install or update.

It's easy to get EtreCheck support directly from the developer (who happens to be an acquaintance of mine) and he provides extensive help files to walk you through most everything. He frequents the aforementioned Apple Support Community, so after you have exhausted all efforts to go through each item, ask there.

1 hour ago, Joely said:

My main question is should I join AlienVault Open Threat Exchange? I'd like to be able to more easily identify threats that are found on my devices and network. The website is https://otx.alienvault.com .

Sorry, I overlooked your main question.

I have been subscribed to AlienVault for a couple of months now and have not received one notice of a Mac threat among maybe a hundred notifications. I haven't been able to find a separate section for Macs nor gotten any reply for my request that one be established, so no, I don't recommend it. It might possibly be useful to Mac anti-malware labs, but certainly not the average user.


Thank you so very much. I misunderstood the scope of this forum; the forum description reads "A forum dedicated to cleaning infected Mac computers. Get personalized help removing adware, malware, spyware, ransomware, trojans, viruses and more from tech experts.". If it is just for topics related to removing malware discovered by Malwarebytes for Macs, the description should be updated. 

I reviewed the link you sent me and Malwarebytes premium looks good. I like that it blocks threats before they are installed and that it is an adblocker as well. I need to look into whether it will work well with Norton, which has real-time anti-malware (doesn't seem to be blocking anything though). I read you shouldn't have two real-time programs installed. I'm very concerned about inadvertently navigating to websites that may cause damage. In trying to remove malware, it seems logical that I am increasing my chances of getting infected by visiting sites with potential solutions.

Appreciate your input on AlienVault. I'll hold off. Had hoped it would help me better identify existing threats.

Glad to learn the browser cache can't hurt me, not so glad to think about the damage from visiting those sites is already done. I was using the browser cache/cookies/local storage/data to get clues on where existing threats came from so that I can remove them and prevent them from happening again. Some examples:

  • My network security (xFi from xfinity) blocks 4-10 threats weekly on my devices and network. It only gives me the originating url or IP. Today it stopped a "suspicious site visit" to vap1ord1.lijit.com on one of my routers, and I remember clearing browser caches on my iMac from lijit.com a while back. Today it also blocked 76.116.301.16 from accessing port 56724 on my son's laptop.
  • Safari browser redirects.
  • Chrome is wrongly saying "Managed by your organization" when it should not be. Also had redirects; after some effort these appear to be fixed.

Nervous about inputting my admin pw to delete Flash Player from the preference pane, since I can't find any indication of Flash being installed from Adobe, and you said that was the only way that Flash would be in the preference pane. My iMac's Installation history says "Source: 3rd Party" with monthly updates after the initial Flash install. I must have entered my pw to get rid of Flash from my MacBook, there it originated via a macromedia.Flash Player.plugin on com.google.Safari; com, PlugInPageURL = "http://purchase.tickets.com/"), which was troublesome. Deleted every Flash reference I could find. I guess I will just go ahead and delete this last vestige from my Preference Pane and be done with it.

I bought the premium version of EtreCheck and will go through those channels for support. I've seen some of etresoft's posts on Apple communities. He seems very knowledgeable and helpful to his users. Nice to have friends in high places :)

Thanks again. Have a good night.
 


You should follow the broader definition of what can be discussed here and ignore mine, which was just what normally is posted here. I just think you’ll get broader answers to some of the items you mentioned from more experts on the ASC.

In general, you are correct that only one real-time / on-access scanner should be in use from anti-malware software, primarily because they will race each other to be the first to scan the same file and significantly slow your computer experience. They probably also fill up more RAM in the process. I can’t say whether Malwarebytes and whichever Norton product you have will conflict, but it should be obvious to you once you try them both. I simply disable all but one when under normal circumstances and when testing a product.

  • Staff

It's perfectly fine to discuss any malware removal here, but in general you should try running Malwarebytes for Mac first to make sure that doesn't take care of whatever problem you might post about here. It looks like you did that, but the question's a bit confusing, since it seems to be about AlienVault, but on closer inspection seems to be more related to other things.

It looks like you have multiple questions, relating to Safari cache files, Malwarebytes detections, whether or not you should upgrade to Premium, something related to Adobe Flash Player but no apparent question, an Etrecheck report, and confusion about where the Norton/Symantec software is hiding on your Mac. This is a lot for a single post, where the subject is completely unrelated to all of that, so in the future I'd recommend simplifying and using multiple posts for unrelated questions.

Regarding the Etrecheck report, I see no signs of anything malicious remaining on your computer, but I do see LOTS of Symantec stuff. Rather than trying to root it all out manually - if your intent is to remove it - I'd recommend talking to Symantec support. There are so many different versions of various Symantec software that I have no idea what it stores where. You could try deleting things listed in the Etrecheck report, but that's not going to be everything.

Safari cache files are not a threat, and it is normal to see files from domains you didn't visit directly. I won't comment on whether you should upgrade to Premium, as that would be self-serving as a Malwarebytes employee. I'd be glad to point you to more info if you need to understand the benefits of Premium.


Thomas - thank you. I admit I am all over the place. I'm very new to malware and have many more questions than answers. This all started with a browser redirect that affected Safari & Chrome on my MacBook and iMac. Once Malwarebytes found 13 quarantines (mostly mitmproxy, TopicLookup, Crossrider), I started to look at how I got infected, how to remove leftovers, and how to best prevent getting infected again. Went down the path of Malwarebytes, Norton, Etrecheck, AlienVault, looking at browser caches for clues etc.

What I would love to do is be able to search a trusted repository to help identify a potential threat on my network or devices without googling or going to the website. Just a few examples: vap1ord1.lijit.com, confiant-interactions.global.ssl.fastly.net (my browser redirect had a related url), and the apps ExploreTask, EngineCache, EngineDiscovery, ProcessLocator and WebScheduler. I trashed these 5 apps, have no idea where they came from, they still have files all over my iMac, and even tried to put back one of them to further investigate and it will not put back from the trash. That's why I started looking at AlienVault.

I uninstalled Norton because it had not detected a single threat in a month, and it did not seem to be working properly. There were a ton of errors and faults in the Console msgs. In just a month of running it, upon launching it said Pending and took several minutes to launch. 

I would like to learn more about Malwarebytes Premium.  

 

2 hours ago, Joely said:

I would like to learn more about Malwarebytes Premium.

Can you narrow that down by asking questions about the specific features listed in the chart toward the bottom of this page: https://www.malwarebytes.com/mac/?


Will it stop me from visiting sites that could potentially be harmful? I've read that malware can be injected just by visiting a site without downloading from it.

Does it use blacklists or whitelists?

What are the limitations of Malwarebytes Premium? Are there recommended solutions to any limitations that the user should take to address infections that are outside the scope of the software?

What does the software excel at compared to top competitors? Is there anything that Malwarebytes does that competitors do not?

Thank you.

9 minutes ago, Joely said:

Will it stop me from visiting sites that could potentially be harmful? I've read that malware can be injected just by visiting a site without downloading from it.

Does it use blacklists or whitelists?

What are the limitations of Malwarebytes Premium? Are there recommended solutions to any limitations that the user should take to address infections that are outside the scope of the software?

What does the software excel at compared to top competitors? Is there anything that Malwarebytes does that competitors do not?

Thank you.

Why not download the Premium for the 14-day trial? I did after using just the browser extension for a couple of years and decided to go premium. No regrets and the scans are very fast.

Just now, Joely said:

Will it stop me from visiting sites that could potentially be harmful? I've read that malware can be injected just by visiting a site without downloading from it.

Mac users have not been seeing that, but that could change at any time should the current methods of preventing that with current browser technology fail at some point. Users generally must purposely download something or click on a link in order for a threat to occur.

6 minutes ago, Joely said:

Does it use blacklists or whitelists?

Yes. There are blacklisted sites as well as complete top level domains that are completely blocked and must have individual domains whitelisted when found to be clean.

8 minutes ago, Joely said:

What are the limitations of Malwarebytes Premium?

Anything not explicitly listed, I suppose. The software strives to prevent all currently known attacks that have not become extinct. Zero-day infections are generally not covered, but that’s mostly true of all anti-malware software available today. Only rapid reporting and reaction will be effective for most such attacks. I would guess that new adware sites show up often and must be added to blacklists. Variants of adware threats show up with increasing frequency. If you have specific concerns about something not listed, we can attempt to steer you toward more tailored preventions.

17 minutes ago, Joely said:

What does the software excel at compared to top competitors?

Scanning speed is what most reviewers cite. It’s designed to look only where infecting files are known to be installed or downloaded. Most legacy scanners will check on every readable file and compare it against a massive database of signatures, taking hours to complete compared to a handful of minutes, depending on setup.
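As an added illustration of the targeted approach described above (look only where persistence is normally installed, rather than every readable file), here is a small launchd inventory script; it is my own example, not Malwarebytes' or EtreCheck's code, the LAUNCHD_DIRS list and the review heuristics are assumptions, and the sample plists it builds are constructed for demonstration.

```python
"""Inventory of launchd persistence items (the EtreCheck-style Launch Agents /
Launch Daemons check) with a few defender heuristics. Constructed sample plists
are built in a temp directory so it runs anywhere; on a Mac, pass LAUNCHD_DIRS."""
import os
import plistlib
import shutil
import subprocess
import sys
import tempfile

# Standard launchd locations a targeted scanner inspects first (assumed list, not exhaustive).
LAUNCHD_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def executable_of(job):
    """Program the job runs: the Program key wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def signature_state(path):
    """'signed' / 'unsigned' from codesign on macOS; 'unknown' on other platforms."""
    if sys.platform != "darwin" or shutil.which("codesign") is None:
        return "unknown"
    result = subprocess.run(["codesign", "--verify", path], capture_output=True)
    return "signed" if result.returncode == 0 else "unsigned"


def inventory(dirs):
    """Parse every .plist in dirs and describe the launchd job each defines."""
    items = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)
            except Exception as exc:  # unreadable or malformed plist
                items.append({"plist": path, "error": str(exc)})
                continue
            exe = executable_of(job)
            exists = bool(exe) and os.path.exists(exe)
            items.append({
                "plist": path,
                "label": job.get("Label"),
                "executable": exe,
                "exists": exists,
                "run_at_load": bool(job.get("RunAtLoad", False)),
                "signature": signature_state(exe) if exists else "n/a",
            })
    return items


def review_reasons(item):
    """Reasons an item deserves a second look (empty list means nothing stood out)."""
    if "error" in item:
        return ["plist could not be parsed"]
    reasons = []
    exe = item["executable"] or ""
    if not item["exists"]:
        reasons.append("missing executable")  # orphan left behind by a deleted app
    if item["signature"] == "unsigned":
        reasons.append("unsigned executable")
    if any(part.startswith(".") for part in exe.split("/") if part):
        reasons.append("executable in a hidden directory")
    return reasons


def build_sample_dir():
    """Constructed sample (not from any real Mac): one healthy job, one orphan, one broken plist."""
    d = tempfile.mkdtemp(prefix="launchd_sample_")
    helper = os.path.join(d, "helper.sh")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    with open(os.path.join(d, "com.example.good.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.good", "Program": helper, "RunAtLoad": True}, fh)
    with open(os.path.join(d, "com.example.orphan.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.orphan",
                       "ProgramArguments": [os.path.join(d, ".cache", "updater"), "-q"]}, fh)
    with open(os.path.join(d, "com.example.broken.plist"), "wb") as fh:
        fh.write(b"this is not a plist")
    return d


if __name__ == "__main__":
    dirs = LAUNCHD_DIRS if sys.platform == "darwin" else [build_sample_dir()]
    for item in inventory(dirs):
        flags = review_reasons(item)
        print(item.get("label") or item["plist"], "->", ", ".join(flags) or "ok")
```

A "missing executable" hit is the classic trace of an app that was trashed while its launchd plist stayed behind; the signature check only runs on macOS, so elsewhere it reports "unknown" rather than guessing.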

4 minutes ago, brcd said:

Here is a link showing MB results compared to other programs.

Those are Windows-only results, but I suspect Mac results would be similar if there were a way to capture such universal statistics.


I sort of thought they were Windows only and considering how vulnerable Windows is, I thought showing what MB caught compared to the misses of the other programs would be helpful to the OP. Hope I did not step on any toes.

1 hour ago, brcd said:

Hope I did not step on any toes.

In my experience, nobody here worries about such things. As long as everybody sticks to the facts, pretty much everything on topic is welcome.

1 hour ago, alvarnell said:

Mac users have not been seeing that, but that could change at any time should the current methods of preventing that with current browser technology fail at some point. Users generally must purposely download something or click on a link in order for a threat to occur.

Yes. There are blacklisted sites as well as complete top level domains that are completely blocked and must have individual domains whitelisted when found to be clean.

Anything not explicitly listed, I suppose. The software strives to prevent all currently known attacks that have not become extinct. Zero-day infections are generally not covered, but that’s mostly true of all anti-malware software available today. Only rapid reporting and reaction will be effective for most such attacks. I would guess that new adware sites show up often and must be added to blacklists. Variants of adware threats show up with increasing frequency. If you have specific concerns about something not listed, we can attempt to steer you toward more tailored preventions.

Scanning speed is what most reviewers cite. It’s designed to look only where infecting files are known to be installed or downloaded. Most legacy scanners will check on every readable file and compare it against a massive database of signatures, taking hours to complete compared to a handful of minutes, depending on setup.

Very helpful, thank you. To your point, Malwarebytes scan speed is extremely fast. Norton was extremely slow, never found anything, and caused a ton of faults, so I uninstalled it. When I can come up for air I may take a look at Kaspersky and BitDefender.

BTW I took another look at the free AlienVault OTX at https://otx.alienvault.com and it is proving very useful for looking up suspected threats or simply unknown items. Everything I searched for so far was whitelisted, and that was a relief, using Browse -> Malware Families and Browse -> Indicators. You can search for IP addresses, domains, and much more.

1 hour ago, brcd said:

I sort of thought they were Windows only, and considering how vulnerable Windows is, I thought showing what MB caught compared to the misses of the other programs would be helpful to the OP. Hope I did not step on any toes.

Thanks for the link you posted https://www.malwarebytes.com/remediationmap/. It's so interesting, even if it is Windows! Would have liked to see ClamXav stats in there. I am likely going to look at Kaspersky and BitDefender, which have stats posted along with so many other antimalware programs.

2 hours ago, brcd said:

Why not download the Premium for the 14 day trial?  I did after using just the browser extension for a couple of years and decided to go premium. No regrets and the scans are very fast. 

My Premium trial ran out before I could finish investigating it. I'm being more careful about installing programs that run in real time, after a bad experience with Norton.

22 minutes ago, Joely said:

Would have liked to see ClamXav stats in there. I am likely going to look at Kaspersky and BitDefender

ClamXAV defaults to Mac only, but if there is a need the signatures for other platforms that are a part of ClamAV (without the X) can be enabled, resulting in much longer scan times. So it cannot be included in that Remediation Map.

The results shown on that page for Kaspersky and BitDefender are Windows, of course. The problem with most of those cross-platform scanners is that they started out as Windows only and were adapted, much later, to run on macOS, requiring many compromises. Products that started out on macOS, like Intego, ClamXAV, DetectX and the predecessor to Malwarebytes for Mac called Adware Medic, are generally much better and more efficient at their job, having always been tailored for macOS. In Malwarebytes' case, there have been some features added to the original model based on technology developed for the Windows platform. I doubt that all such features will ever be included, as some just aren't applicable to macOS and others would be of little importance based on the threat to Macs.


Wow, thank you!

I found a good recent table that compares quite a few AV programs; I'll post it tomorrow since I shut down my Mac. They rated Norton very highly, though I found it to be cumbersome and not terribly effective. Malwarebytes was reviewed positively, except for something about not being certified or accredited, if I remember correctly.

Staff
18 hours ago, Joely said:

Once Malwarebytes found 13 quarantines (mostly mitmproxy, TopicLookup, Crossrider)

Note that if you're using a recent version of Malwarebytes, you can get more information about a detection by clicking the blue links. For example, if you look at a particular report in the Reports tab on the Scanner card, you may see something like this:

[Screenshot of a Malwarebytes scan report, 2020-04-30]

Click the blue "PUP.MacKeeper" link (or whatever that text reads in your scan history) and it'll load up a page on the Malwarebytes website describing the threat. If you ever find one that doesn't load specific information, instead showing a more generic page - about what a PUP is, what malware is, or what adware is - let us know about it.

Quote

What I would love to do is be able to search a trusted repository to help identify a potential threat on my network or devices without googling or going to the website. Just a few examples: vap1ord1.lijit.com, confiant-interactions.global.ssl.fastly.net (my browser redirect had a related url), and the apps ExploreTask, EngineCache, EngineDiscovery, ProcessLocator and WebScheduler. I trashed these 5 apps, have no idea where they came from

A couple comments here... first, if you want to check a website or a file to see if it's known to be malicious, you can use VirusTotal to check that:

https://virustotal.com

Be aware, though, that something can be malicious and still not be identified as such by any of the engines on VirusTotal. The same is true anywhere you might check these things. So take it with a grain of salt.

Secondly, be extremely cautious about removing things you aren't familiar with. They may not be malicious, and I've seen people break important software or even their systems by doing that. Certainly, if something like VirusTotal identifies something as malicious, or if an antivirus program detects it, it's probably safe to delete, but otherwise be sure you know what you're deleting before you do it. It's possible that those apps are components of Norton.

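As an added example (not from Thomas's post, and not Malwarebytes or VirusTotal code), here is the file check he describes done the cautious way: hash the file locally and look the hash up, so nothing is uploaded and no search engine is involved. The VirusTotal v3 endpoint `/api/v3/files/{sha256}`, the browser URL `/gui/file/{sha256}` and the `x-apikey` header are real; the API key, the sample report and the verdict thresholds in `summarize_stats` are constructed assumptions for illustration. The verdict logic encodes his caveat: a report with zero detections is an absence of evidence, not proof the file is clean, and a couple of flags are worth inspecting before deleting anything.

```python
import hashlib
import json
import urllib.error
import urllib.request

# Real VirusTotal v3 locations: a file report is fetched by its SHA-256, no upload needed.
VT_FILE_API = "https://www.virustotal.com/api/v3/files/"
VT_FILE_GUI = "https://www.virustotal.com/gui/file/"


def sha256_of_bytes(data):
    """SHA-256 hex digest of in-memory bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file on disk in chunks so a large binary need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_gui_url(sha256):
    """Browser URL for the report; paste this instead of web-searching the file name."""
    return VT_FILE_GUI + sha256


def vt_api_request(sha256, api_key):
    """Build (without sending) the authenticated v3 request for a file report."""
    return urllib.request.Request(
        VT_FILE_API + sha256,
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def fetch_vt_report(sha256, api_key, timeout=15):
    """Fetch the report; None means VirusTotal has never seen this hash (HTTP 404)."""
    try:
        with urllib.request.urlopen(vt_api_request(sha256, api_key), timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize_stats(stats):
    """Reduce last_analysis_stats to a coarse verdict.

    The thresholds are an assumption for this example, not VirusTotal's own.
    """
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    if total == 0:
        return "unknown"        # no engine produced a result at all
    if flagged == 0:
        return "undetected"     # no detections; still not proof the file is clean
    if flagged <= 2:
        return "low"            # one or two flags are often false positives; inspect first
    return "flagged"


def classify_report(report):
    """Map a v3 file object (or None for an unseen hash) to a verdict string."""
    if report is None:
        return "never seen"
    return summarize_stats(report["data"]["attributes"]["last_analysis_stats"])


# Constructed sample shaped like a v3 file object; the id and counts are made up.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0, "malicious": 4, "suspicious": 1,
                "undetected": 60, "timeout": 0,
            }
        },
    }
}


if __name__ == "__main__":
    import sys
    api_key = "YOUR-VT-API-KEY-HERE"  # placeholder; a free key comes with a VirusTotal account
    for path in sys.argv[1:]:
        digest = sha256_of_file(path)
        print(path, digest, vt_gui_url(digest))
        # Live lookup, once a key is set:
        # print(classify_report(fetch_vt_report(digest, api_key)))
```

A `.app` on macOS is a folder, so hash the executable inside it (`Something.app/Contents/MacOS/Something`) rather than the bundle. Looking up the hash first also avoids uploading a file that might contain personal data; only consider submitting the file itself if the hash is unknown.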

Thomas, thank you, that helps a lot. I am so wary of googling a potential threat and going to a website that I have no idea about. I figure those that write malware would target these very sites to distribute their malware, so VirusTotal will be very useful to me.

Under Reports, I don't see any blue links in the history at all. Is it because my Premium trial ran out? Wish I could do another 14-day trial because it ran out before I could finish evaluating it and other options. My big concern is the amount of crap still on my system after running it. Total 20 threats, 18 remediated, 2 failed, 13 quarantined: OperatorMac, Crossrider, and a Booking.app PUP that still has remnants on my system. Real-time scans were only the first 2x; after that, through today, the scans are all scheduled or manual. Not sure what the difference between real-time and scheduled scans is. The feel I get is that the premium version operates in real time to prevent threats (blocks me from visiting bad sites? and not sure what else it does) and you could schedule scans as well with premium.

I deleted the 5 apps from my Applications folder via Finder before installing Norton. They appeared to be user apps, and not in Utilities. After much searching and yielding virtually nothing on Apple Discussions and elsewhere using Google, Bing, and DuckDuckGo with search operators etc., I concluded it wasn't system software.

Had to reinstall MacOS due to a prohibitory symbol a month or so back. Before then I was careful about what I deleted and installed. Now I am overly cautious. 

I've been backing up to Time Machine; and a La Cie for full backups. May get CCC again. Time Machine deletes old backups so by the time you find an issue the backup you need may be gone is one problem. 

Many thanks.

6 hours ago, Joely said:

Not sure what the difference between real-time and scheduled scans is.

They are identical.

6 hours ago, Joely said:

The feel I get is that the premium version operates in real time to prevent threats (blocks me from visiting bad sites? and not sure what else it does) and you could schedule scans as well with premium.

In addition to blocking both bad sites and bad advertising on other sites, its main purpose is to scan everything you download to detect malware installers or applications.

6 hours ago, Joely said:

Time Machine deletes old backups so by the time you find an issue the backup you need may be gone is one problem. 

The number of backups that Time Machine retains is partially dependent on the size of the backup drive. Rule of thumb is that you need to have at least three times the size of the amount of data in use on your boot drive. If you find that you aren't seeing enough older backups, then perhaps you need a larger drive.


Thank you for all those answers. Backup is a 3 TB AirPort with 285 GB free. Macintosh HD has 650 GB used, with 460 GB of that iOS, and 1.35 TB free. My Time Machine backups go back over a month but in some situations, so I like to back up to an external drive every so often.
