
Removing PUP system extensions



Recently, Apple has given special entitlements to programs that Malwarebytes detects as Potentially Unwanted Programs (PUPs). For details, see:

https://blog.malwarebytes.com/mac/2020/11/apple-security-hampers-detection-of-unwanted-programs/

Because of this, Malwarebytes for Mac will repeatedly block affected system extensions, but cannot actually remove them. Instructions for removing the system extensions associated with these PUPs are as follows:

1) Restart the Mac in recovery mode (hold down command-R while restarting):

https://support.apple.com/HT201314

2) In recovery mode, choose Terminal from the Utilities menu:


3) In the Terminal window, enter the following command and press return to disable the System Integrity Protection (SIP) security feature:

csrutil disable

Important: this should only be done temporarily! Be sure to follow the instructions all the way to the end, to turn SIP back on in step 7.

4) Reboot the computer normally.

5) Open the Terminal, which is found in the Utilities folder in the Applications folder when not in recovery mode.

6) Depending on what program is being blocked, run the appropriate command below:

MacKeeper:

systemextensionsctl uninstall 64424ZBYX5 com.mackeeper.AntivirusEndpointSecurity

TotalAV:

systemextensionsctl uninstall 47M7HL5AG8 com.jdi.ss.TotalAV.EndpointExtension

or:

systemextensionsctl uninstall 47M7HL5AG8 net.protected.macos.TotalAV.ESAVExtension

ScanGuard:

systemextensionsctl uninstall 47M7HL5AG8 com.jdi.ss.ScanGuard.EndpointExtension

PCProtect:

systemextensionsctl uninstall 47M7HL5AG8 com.jdi.ss.PCProtect.EndpointExtension

7) Repeat steps 1-3, except this time enter the following command in the Terminal:

csrutil enable


For more information on why we detect these things as PUPs, see:

https://blog.malwarebytes.com/puppum/2016/08/pup-friday-mackeeper/

https://blog.malwarebytes.com/detections/pup-jdi/

Edited by treed
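
To pick the right command in step 6 and to confirm step 7 took effect, the following added example (not part of the original post or of Malwarebytes' tooling) matches `systemextensionsctl list` output against the team ID and bundle ID pairs listed above and checks `csrutil status`. The function names are hypothetical, the sample listing is constructed, and the output layouts of both commands are assumed to be the usual ones on recent macOS.

```shell
#!/bin/sh
# Added example (not from the original post): map `systemextensionsctl list`
# output to the removal commands in step 6. Function names are hypothetical.

# Team ID / bundle ID pairs exactly as listed in step 6.
KNOWN_PUP_EXTENSIONS='64424ZBYX5 com.mackeeper.AntivirusEndpointSecurity
47M7HL5AG8 com.jdi.ss.TotalAV.EndpointExtension
47M7HL5AG8 net.protected.macos.TotalAV.ESAVExtension
47M7HL5AG8 com.jdi.ss.ScanGuard.EndpointExtension
47M7HL5AG8 com.jdi.ss.PCProtect.EndpointExtension'

# Reads `systemextensionsctl list` output on stdin and prints one uninstall
# command per listed pair that appears as whole fields on the same line.
matching_uninstall_commands() {
    listing=$(cat)
    printf '%s\n' "$KNOWN_PUP_EXTENSIONS" | while read -r team bundle; do
        if printf '%s\n' "$listing" | awk -v t="$team" -v b="$bundle" '
            { hit_t = 0; hit_b = 0
              for (i = 1; i <= NF; i++) { if ($i == t) hit_t = 1; if ($i == b) hit_b = 1 }
              if (hit_t && hit_b) found = 1 }
            END { exit !found }'; then
            printf 'systemextensionsctl uninstall %s %s\n' "$team" "$bundle"
        fi
    done
}

# Reads `csrutil status` output on stdin; succeeds only if SIP is reported enabled.
sip_is_enabled() {
    grep -q 'System Integrity Protection status: enabled'
}

# Constructed sample of `systemextensionsctl list` output (not captured from a real Mac).
SAMPLE_LIST='1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled  active  teamID  bundleID (version)  name  [state]
*  *  47M7HL5AG8  com.jdi.ss.TotalAV.EndpointExtension (1.0/1)  TotalAV  [activated enabled]'

printf '%s\n' "$SAMPLE_LIST" | matching_uninstall_commands
# On the Mac itself (step 6): systemextensionsctl list | matching_uninstall_commands
# After step 7:               csrutil status | sip_is_enabled || echo "SIP is still off"
```

An empty result means none of the extensions listed in this post is installed, so there is nothing to uninstall and no reason to leave SIP disabled.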