
Question about "com.maintain.ShutDown.plist" on macOS 10.14.6



For the first time in the many months I've been using MalwareBytes, it's shown a couple of alerts. They are...

Name: OSX.Generic.Suspicious   Type: Malware   Object Type: File   Location: /Library/LaunchAgents/com.maintain.ShutDown.plist

Name: OSX.Generic.Suspicious   Type: Malware   Object Type: File   Location: /Library/LaunchAgents/com.maintain.Restart.plist     

Does anyone know where these files came from? Should I be worried? And should I keep them quarantined?

  • Staff

It looks like this is based on rules we recently added related to OSX.OSAMiner.

One of those changes was to add detection of a launch agent plist file that attempts to directly run an AppleScript command via the "osascript -e" command. This is highly suspicious behavior, seen with OSX.OSAMiner, and very similar to other past malware that runs complicated shell scripts directly via a launch agent or daemon plist.

In this case, it looks like this is detecting legitimate plist files belonging to the Cocktail software, which are exhibiting the same behavior. We'll investigate and see what we can do. Although we don't generally recommend "cleaning" apps, Cocktail is not one we should be detecting. 

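The rule treed describes above flags a launchd plist whose ProgramArguments hand inline code to an interpreter ("osascript -e", and by extension "sh -c" and similar). The script below is an added illustration of that heuristic as a defender might write it for triage; it is not Malwarebytes' detection logic, and the three plists it scans are constructed samples, not the Cocktail files from this thread. The allowlist mechanism (matching on the Label prefix) is my own assumption about how a known-good vendor such as the "com.maintain." agents could be excluded once verified.

```python
"""Heuristic triage of launchd plists: flag agents/daemons that run inline code.

Added example, not Malwarebytes' rule. Sample plists below are constructed.
"""
import plistlib
from pathlib import Path

# Interpreters and the flag that makes them execute code passed on the command line.
INLINE_INTERPRETERS = {
    "osascript": "-e",
    "sh": "-c", "bash": "-c", "zsh": "-c",
    "python": "-c", "python3": "-c",
    "perl": "-e", "ruby": "-e",
}


def find_inline_script(args):
    """Return (interpreter, flag) if `args` invoke an interpreter with inline code, else None."""
    if not args:
        return None
    names = [Path(a).name for a in args]  # "/usr/bin/osascript" -> "osascript"
    for i, name in enumerate(names):
        flag = INLINE_INTERPRETERS.get(name)
        if flag and flag in args[i + 1:]:
            return (name, flag)
    return None


def assess_plist(data, allowlist=()):
    """Parse plist bytes and classify as 'clean', 'suspicious' or 'allowlisted'."""
    info = plistlib.loads(data)
    label = info.get("Label", "")
    args = info.get("ProgramArguments")
    if not args and "Program" in info:
        args = [info["Program"]]
    hit = find_inline_script(args or [])
    if hit and any(label.startswith(prefix) for prefix in allowlist):
        verdict = "allowlisted"  # known vendor, verified out of band (assumption)
    elif hit:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"label": label, "args": args or [], "interpreter": hit, "verdict": verdict}


def scan_dirs(dirs, allowlist=()):
    """Scan every *.plist under the given directories (e.g. /Library/LaunchAgents)."""
    results = []
    for d in dirs:
        for path in Path(d).glob("*.plist"):
            try:
                r = assess_plist(path.read_bytes(), allowlist)
            except Exception as exc:  # malformed plist is itself worth a look
                r = {"label": path.name, "args": [], "interpreter": None,
                     "verdict": f"unparseable ({exc.__class__.__name__})"}
            r["path"] = str(path)
            results.append(r)
    return results


def _plist(label, args):
    """Build a constructed XML plist with the given Label and ProgramArguments."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": True})


# Constructed samples (not the files discussed in the thread).
SAMPLE_OSASCRIPT = _plist("com.example.inline", ["/usr/bin/osascript", "-e", 'display dialog "hi"'])
SAMPLE_SHELL = _plist("com.example.shell", ["/bin/sh", "-c", "echo started >> /tmp/agent.log"])
SAMPLE_CLEAN = _plist("com.example.helper", ["/Applications/Helper.app/Contents/MacOS/helper", "--quiet"])

if __name__ == "__main__":
    for name, data in [("osascript", SAMPLE_OSASCRIPT), ("shell", SAMPLE_SHELL), ("clean", SAMPLE_CLEAN)]:
        print(name, assess_plist(data, allowlist=("com.vendor.",)))
    # Real use: scan_dirs(["/Library/LaunchAgents", "/Library/LaunchDaemons"], allowlist=(...))
```

The point of the allowlist is the one the thread itself makes: inline-script execution is a strong signal but not proof, so a hit on a known, verified vendor label should be suppressed rather than the heuristic weakened.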

Before I deleted the files from the place where they were found, I made safe copies and moved them so I could have a closer look. Here is the /Library/LaunchAgents/com.maintain.ShutDown.plist...

[screenshot: contents of com.maintain.ShutDown.plist]

And here is the /Library/LaunchAgents/com.maintain.Restart.plist...

[screenshot: contents of com.maintain.Restart.plist]

@treed, it looks like you are spot on with the reference to Cocktail software, though it's not a name I recognise. I'll have to do some searching...

Okay, I've found what I think is the relevant software https://www.maintain.se/cocktail/. I don't remember installing it, but a search on my Mac seems to suggest that it may have made a fleeting appearance on my computer! 

[screenshot: search results for Cocktail on the Mac]


In my case, the software has long since been deleted. @JakeSteidl, if you still use Cocktail then it's probably best to remove it from quarantine.

Cheers,

Carl

  • Staff

Carl,

Yup, looks like it must have been installed on your Mac at some point, but the plist files were never removed.

For folks who do use Cocktail, we've got an update out that will ensure those files don't get detected any more. To ensure you've got the latest database update, choose Update Protection from the Malwarebytes menu bar icon.

[screenshot: Update Protection in the Malwarebytes menu bar icon menu]


Thanks @treed! I was interested in what you were saying about "cleaning apps". I recently chose to remove "CleanMyMac" from my computer after it decided to remove a whole bunch of music related files (VSTs) from my system. I was able to replace all of the missing files, but it has really put me off such programs. Having said that, I still have Onyx installed. As far as I can tell, it has a good reputation amongst Mac tech-heads, and it certainly saved my bacon in fixing a serious "spinning circle of doom" issue I had about 3 years ago. I'd be interested in your thoughts on Onyx. The other tool I really like is Grand Perspective, which allows you to do any number of scans on different volumes/folders on your drive(s).

  • Staff
14 minutes ago, carlcaulkett said:

Thanks @treed! I was interested in what you were saying about "cleaning apps".

We generally recommend against them. They can fix some uncommon issues, like corrupted caches. However, that doesn't happen often - I've never seen caches become corrupt on any of my machines, and I believe if your caches get corrupt, there's probably some other issue at play.

On the other hand, routinely removing caches, log files, etc, is actually not good. Caches are there to keep your computer running fast, and if you remove them they'll just get re-created (which takes time). Logs can contain important diagnostic information, so if you're removing those, it can remove the ability to figure out why a problem happened. Plus, "cleaning" a machine when there's a problem often just masks the true cause of the problem, and as you've found, sometimes "cleaning" apps remove things they shouldn't have.
