Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: usnamustang
usnamustang Author
User level: Level 1
9 points

Strange files after Catalina upgrade

A few days ago I completed the auto-upgrade to Catalina 10.15.3.

Here a couple things to condor when reading my question:

  1. I only have a cursory understanding of system files.
  2. I have no understanding of code
  3. I generally complete all upgrades as Apple pushes them out.


I found a strange folder that popped up after I completed the upgrade with some files that I do not understand, and am looking for guidance on how to handle it.


Question 1: I found the following file folders and don't know if they are malicious

Relocated Items>configuration>private>etc>

Inside this folder there is one file "master.passwprd.system_default" and two folders: "openldap" and "postfix"


The master password file is what caused me to start investigating further. When I try to open it, a window pops up telling me that there is no application set to open the document.


Inside the and "postfix" folder are a number of files, none of which can be opened with existing applications:

  1. access.system_default
  2. canonical.system_default
  3. header_checks.system_default
  4. main.cf.default.system_default
  5. main.cf.system_default
  6. transport.system_default
  7. virtual.system_default



My concern is that these are malware / spyware files. Do I have cause to be concerned? If so, what do I do to fix the problem.







MacBook Pro 15”, macOS 10.15

Posted on Mar 4, 2020 3:48 AM

Reply
Question marked as Best reply
User profile for user: leroydouglas
leroydouglas
Community+ 2024
User level: Level 10
183,750 points

Posted on Mar 4, 2020 4:24 AM

usnamustang wrote:

1. A few days ago I completed the auto-upgrade to Catalina 10.15.3.

Relocated Items



I would have no concern about these files.

This is general house cleaning as the macOS transitions to the new apfs and the read-only system volume in macOS Catalina.


macOS Catalina runs in a read-only system volume, separate from other files on your Mac. When you upgrade to Catalina, a second volume is created, and some files may move to a Relocated Items folder


About the Relocated Items folder

While creating the two separate volumes during the upgrade process, files and data that couldn’t be moved to their new location are placed in a Relocated Items folder. The Relocated Items folder is in the Shared folder within the User folder (/Users/Shared/Relocated Items) and available though a shortcut on the Desktop. The Relocated Items folder includes a PDF document with more details about these files.


ref: Apple Support - https://support.apple.com/en-us/HT210650


Further reading if you would like to understand more:

https://bombich.com/kb/ccc5/working-apfs-volume-groups

.

.

View in context
4 replies
Question marked as Best reply
User profile for user: leroydouglas
leroydouglas
Community+ 2024
User level: Level 10
183,750 points

Mar 4, 2020 4:24 AM in response to usnamustang

usnamustang wrote:

1. A few days ago I completed the auto-upgrade to Catalina 10.15.3.

Relocated Items



I would have no concern about these files.

This is general house cleaning as the macOS transitions to the new apfs and the read-only system volume in macOS Catalina.


macOS Catalina runs in a read-only system volume, separate from other files on your Mac. When you upgrade to Catalina, a second volume is created, and some files may move to a Relocated Items folder


About the Relocated Items folder

While creating the two separate volumes during the upgrade process, files and data that couldn’t be moved to their new location are placed in a Relocated Items folder. The Relocated Items folder is in the Shared folder within the User folder (/Users/Shared/Relocated Items) and available though a shortcut on the Desktop. The Relocated Items folder includes a PDF document with more details about these files.


ref: Apple Support - https://support.apple.com/en-us/HT210650


Further reading if you would like to understand more:

https://bombich.com/kb/ccc5/working-apfs-volume-groups

.

.

Reply
User profile for user: dominic23
dominic23
User level: Level 10
83,916 points

Mar 4, 2020 5:58 AM in response to usnamustang

These files are neither malware nor spyware.

When upgrade was installed, macOS didn't know where to keep it.

Therefore system created a new folder "Relocated Items" , kept these files in

and added a shortcut to the folder on the Desktop.

You can remove the shortcut if you want.

But getting to the folder itself is not easy because it is "protected".



usnamustang wrote:

Is there any way to determine that and if the malware is still on the computer?

Yes. You can scan your system with either Malwarebytes for Mac app or EtreCheck app.

Developers of these two apps are members of Apple Support Community.

These apps are developed for helping we the users.


Check for adware and malware


 1. Run the latest release of Malwarebytes for Mac to remove malware/adware, if installed on your Mac.


     For instructions: Install Malwarebytes for Mac v4      Uninstall Malwarebytes for Mac

     Click the “Scan Now” button. Once done, quit Malwarebytes for Mac.

     Restart the computer and relaunch Safari holding the shift key down.

     Scan for Malware again.

Scan result will be reported.


 2. Download EtreCheck: https://etrecheck.com/,

run it and post the report here if you wish or click the Security button in the sidebar and read it.


     Click  “Click to download” button,    

     Open Downloads folder, click on it to open, and then select ”Open”.

     “Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.

     Click “Share Report” button in the toolbar, select “Copy report” .

     Paste the report when you reply if you wish, so that anyone here can go through it and post a reply.


Reply

Strange files after Catalina upgrade

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up