Question about "com.maintain.ShutDown.plist" on macOS 10.14.6

[carlcaulkett]

For the first time in the many months I've been using MalwareBytes, it's shown a couple of alerts. They are...

Name: OSX.Generic.Suspicious   Type: Malware   Object Type: File   Location: /Library/LaunchAgents/com.maintain.ShutDown.plist

Name: OSX.Generic.Suspicious   Type: Malware   Object Type: File   Location: /Library/LaunchAgents/com.maintain.Restart.plist     

Does anyone know where these files came from? Should I be worried? And should I keep them quarantined?

[JakeSteidl]

I am seeing the same issue on my end this morning. Is this a false positive? Please advise

[carlcaulkett]

Interesting @JakeSteidl. Pretty much all of my downloads are to do with music production, VST plugins, samples and the like. Do you operate in similar areas? Did you download anything memorable last night?

[treed]

It looks like this is based on rules we recently added related to OSX.OSAMiner.

One of those changes was to add detection of a launch agent plist file that attempts to directly run an AppleScript command via the "osascript -e" command. This is highly suspicious behavior, seen with OSX.OSAMiner, and very similar to other past malware that runs complicated shell scripts directly via a launch agent or daemon plist.

In this case, it looks like this is detecting legitimate plist files belonging to the Cocktail software, which are exhibiting the same behavior. We'll investigate and see what we can do. Although we don't generally recommend "cleaning" apps, Cocktail is not one we should be detecting. 

[carlcaulkett]

Before I deleted the files from the place where they were found, a made safe copies and moved them so I could have a closer look. Here is the /Library/LaunchAgents/com.maintain.ShutDown.plist...

And here is the /Library/LaunchAgents/com.maintain.Restart.plist...

@treed, it looks like you are spot on with the reference to Cocktail software, though it's not a name I recognise. I'll have to do some searching...

Okay, I've found what I think is the relevant software https://www.maintain.se/cocktail/. I don't remember installing it, but a search on my Mac seems to suggest that it may have made a fleeting appearance on my computer! 

 

In my case, the software has long since been deleted. @JakeSteidl, if you still use Cocktail then it's probably best to remove it from quarantine.

Cheers,

Carl

 

 

 

 

 

[treed]

Carl,

Yup, looks like it must have been installed on your Mac at some point, but the plist files were never removed.

For folks who do use Cocktail, we've got an update out that will ensure those files don't get detected any more. To ensure you've got the latest database update, choose Update Protection from the Malwarebytes menu bar icon.

[carlcaulkett]

Thanks @treed! I was interested in what you were saying about "cleaning apps". I recently chose to remove "CleanMyMac" from my computer after it decided to remove a whole bunch of music related files (VSTs) from my system. I was able to replace all of the missing files, but it has really put me off such programs. Having said that, I still have Onyx installed. As far as I can tell, it has a good reputation amongst Mac tech-heads, and it certainly saved my bacon I fixing a serious "spinning circle of doom" issue I had about 3 years ago. I'd be interested in your thoughts on Onyx. The other tool I really like is Grand Perspective, which allow you to do any number of scans on different volumes/folders on you drive(s).

 

 

[treed]

14 minutes ago, carlcaulkett said:

Thanks @treed! I was interested in what you were saying about "cleaning apps".

We generally recommend against them. They can fix some uncommon issues, like corrupted caches. However, that doesn't happen often - I've never seen caches become corrupt on any of my machines, and I believe if your caches get corrupt, there's probably some other issue at play.

On the other hand, routinely removing caches, log files, etc, is actually not good. Caches are there to keep your computer running fast, and if you remove them they'll just get re-created (which takes time). Logs can contain important diagnostic information, so if you're removing those, it can remove the ability to figure out why a problem happened. Plus, "cleaning" a machine when there's a problem often just masks the true cause of the problem, and as you've found, sometimes "cleaning" apps remove things they shouldn't have.