
System Integrity and Security Concerns on M1 MacBook Pro — Persistent Framework, Disk, and Potential Malware Issues

Hello Apple Support Community,


I'm reaching out for assistance with several persistent and potentially serious issues on my M1 MacBook Pro (2021). These involve system integrity, security concerns, and performance instability that have been challenging to resolve. Here’s a summary of the primary concerns and findings:


  1. System Framework Modifications and Integrity Issues:
      1. Unexpected Framework Modifications: Disk Utility and EtreCheck indicate unusual and identical modification timestamps for several core system frameworks. These timestamps don't align with recent macOS updates, raising concerns about potential unauthorised alterations.
      2. Unknown Origin for Frameworks: Many frameworks are listed with "Obtained from: Unknown," an unusual status for system components, suggesting possible issues with their authenticity or origin. Combined, these factors hint at potential tampering or unintended modifications to the core system.
  2. Startup Disk and Pre-Boot Volume Errors:
      1. Disk Utility Reports: Multiple errors were reported in the startup disk and pre-boot volumes, with Disk Utility’s First Aid identifying issues like file corruption and integrity anomalies across system volumes.
      2. Recurrent Repairs Needed: Despite running repairs multiple times in both standard and safe modes, these issues reappear, suggesting underlying problems with the APFS volume structure or deeper disk integrity concerns.
  3. Performance and App Stability:
      1. High System Load and Crashes: EtreCheck reports frequent crashes and high CPU usage in various applications, particularly in core services like WindowServer and system background processes. High resource consumption in these areas has impacted performance and stability, raising concerns about software or potential background tasks straining the system.
  4. Security Concerns and Malware Indicators:
      1. Potential Remote Access and Malware Risks: With flagged unsigned files and specific issues with Fing.app, including unsigned LaunchDaemons, there are concerns about unauthorised access or malware. Additionally, there are indications of network and background services exhibiting abnormal behaviour.


EtreCheck Report Summary


    1. Major Issue: Time Machine backup not found.
    2. Minor Issues: Frequent app crashes, instances of high CPU usage, and unsigned software files.


The full EtreCheck report is attached below for your reference. I would greatly appreciate guidance on any steps to reinforce system security and resolve these issues.


Thank you for your time and expertise.



MacBook Pro 14″, macOS 15.1

Posted on Oct 31, 2024 1:50 AM

6 replies

Oct 31, 2024 8:37 AM in response to Grant Bennet-Alder

If you are behind a Router you control, and enable a Wi-Fi password, your over-the-air messages to your Router are encrypted.


Network Address Translation:

Your Router 'acts as your agent' on the Internet at large, and your local IP address is never sent off your own local network. Your Router ALSO has a built-in stateful firewall, and the typical setting will cause it to discard any unsolicited incoming requests. Only answers to your DIRECT queries are allowed in. Your Mac is unreachable for unsolicited communication from the Internet at large.


As long as you are using your own Router, there is no need to activate the Mac firewall. On public Wi-Fi, at the Airport or coffee shop, then maybe the Mac firewall would be a good idea.


Oct 31, 2024 8:49 AM in response to craigcoxuk

By far the easiest way to cause poor performance, instability, overheating and crashing is to install ANY third-party speeder-uppers, Cleaners, Optimizers, or Virus scanners, Bit Torrent, or a VPN that you installed yourself. They are relentless in scanning your files, non-stop, looking for virus-like patterns in Everything, or looking for files that have changed. When completed, they do it all again.


The idea that a third party, with no special knowledge of the inner workings of MacOS, can somehow find a simple way to protect or speed up your computer — that is not already being done by MacOS itself — suggests that the MacOS developers are somehow "holding out on you". That is absurd.


You should remove any and all (other than Apple built-in) virus scanners, speeder uppers, optimizers, cleaners, App deleters or VPN packages you installed yourself, or anything of that ilk.


Your exceptionally well-crafted Macintosh computer does not accumulate filth that needs any third-party anything to clean it. Everything needed to run it efficiently was included in the box, except ONE: a drive on which to store a second copy of your files in case the first copy is damaged or deleted by accident. The backup software, Time Machine, is already present -- integrated deeply into MacOS.



Oct 31, 2024 8:35 AM in response to craigcoxuk

MacOS shares a lot of the lock-down mechanisms developed for the iPhone. Applications are all sand-boxed with a list of the resources they require, and they cannot ask for anything outside their sandbox without crashing. Signed Applications are checked that they are from legitimate Developers, and Notarized Applications are delivered with the assurance that they have NOT been modified since their release by the Developer.


From MacOS 11 Big Sur onward, the system is on a Separate, crypto-locked System Volume, which is not writeable using ordinary means. Any unauthorized changes to the crypto-locked volume are quickly detected and you are alerted.


So you could store just about every malware known to mankind on your Mac, and your Mac would not get infected spontaneously. Scanning for virus-like patterns might make you feel a little better now, but non-stop scanning is outdated nonsense, and a tremendous waste of resources.


Nothing can become Executable Unless/Until you supply your Admin password to "make it so".


Effective defenses against malware and ot… - Apple Community



Oct 31, 2024 10:31 AM in response to Grant Bennet-Alder

Grant Bennet-Alder wrote:
...
There is no need to be running Cloudflare Warp. Simple DNS numbers are perfectly adequate for ordinary users.


The Apple version of Cloudflare Warp — enabling iCloud+ Private Relay, which is akin to a two-hop Tor connection, and with Oblivious DNS over HTTPS (ODoH) — works pretty well, if you're concerned about intermediate hosts (or VPN providers) collecting your network metadata, or the servers you're connecting into.


https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF




Oct 31, 2024 9:20 AM in response to Grant Bennet-Alder

Your EtreCheck report shows some unfortunate choices you have made along the way.


The most flagrant is CleanMyMac. CleanMyMac has been reported to attempt to throw away important parts of macOS itself, in the name of "Cleaning". I hope you will not require a re-install to fix the problems it may have caused. Your Mac does not accumulate filth that needs any external software to clean.


-------

Not only did you install this completely unnecessary package, but the version you installed is not fully signed with a valid Developer Certificate. EVERY serious developer of Mac software obtains a [revokable] Developer Certificate with which to sign their software. There is no excuse for this.


Unsigned Files:

Launchd: /Library/LaunchDaemons/com.fing.service.plist

Command: /Applications/Fing.app/Contents/Resources/service/fing --servicemode com.fing.service.plist --agentroot /Applications/Fing.app/Contents/Resources/service


and it has been crashing:

  2024-10-29 17:47:48 fingagent.bin - Crash (2 times)

        Executable: /Applications/Fing.app


  2024-10-27 13:40:45 fing.app - Hang


-------

Although readers here have more respect for the Virus scanner inside MalwareBytes than many others, no senior contributors advocate leaving it running at all times, punishing performance. MalwareBytes has already accomplished everything it can do on its original pass through your files. The system volume is crypto-locked. There is nowhere for malware to hide.


-------

There is no need to be running Cloudflare Warp. Simple DNS numbers are perfectly adequate for ordinary users.


If you are a high-profile person such as a Politician or International Activist, or part of the federal Witness Protection Program, consider invoking lockdown mode and using only Tor Browser.





Oct 31, 2024 10:21 AM in response to craigcoxuk

craigcoxuk wrote:

Disk Utility and EtreCheck indicate unusual and identical modification timestamps for several core system frameworks. These timestamps don't align with recent macOS updates, raising concerns about potential unauthorised alterations.

EtreCheck isn't concerned with timestamps. In fact, EtreCheck pretty much gives anything on the system volume a pass because all this data is stored on a snapshot of a read-only, cryptographically encrypted volume. There is no possibility of unauthorized alterations.


Many frameworks are listed with "Obtained from: Unknown," an unusual status for system components, suggesting possible issues with their authenticity or origin. Combined, these factors hint at potential tampering or unintended modifications to the core system.

See above.


Multiple errors were reported in the startup disk and pre-boot volumes, with Disk Utility’s First Aid identifying issues like file corruption and integrity anomalies across system volumes.

Ignore that. It's a complicated system and prone to bugs. If you go looking for problems, there are plenty to find. You can keep yourself busy for years researching and documenting these bugs. If that's what you want to do, I suppose that's fine. You aren't going to find anything real though - just the same old bugs that the other 100 million Mac users have.


EtreCheck reports frequent crashes and high CPU usage in various applications, particularly in core services like WindowServer and system background processes. High resource consumption in these areas has impacted performance and stability, raising concerns about software or potential background tasks straining the system.

The idea behind EtreCheck is to give you information to help you identify the cause of some problem that you are experiencing. But the key part is the problem you are experiencing. You have to be experiencing something first. Otherwise, the EtreCheck report is just noise. In rare cases, an EtreCheck report can highlight problems that you didn't know about. But as the person who wrote EtreCheck, I can assure you that isn't the case here.


With flagged unsigned files and specific issues with Fing.app, including unsigned LaunchDaemons, there are concerns about unauthorised access or malware.

When EtreCheck identifies an unsigned file, the most common causes are errors or poor design from the developers of that software. You should take this as a warning that this software is at risk of bugs or poor performance in the future. If the developers are struggling that much with one of the easiest tasks like signing and notarization, then there is a risk that some random system change in the future will break it.


Actual malware is very easy to spot. You have no malware installed.

Additionally, there are indications of network and background services exhibiting abnormal behaviour.

It all looks normal.

The full EtreCheck report is attached below for your reference. I would greatly appreciate guidance on any steps to reinforce system security and resolve these issues.

Your report looks fine. You didn't specify any real problem, so the report is pretty useless in helping resolve whatever problem you were experiencing. If the only problems that you were experiencing were those concerns that you mentioned in your EtreCheck report, then your EtreCheck report definitively proves that there are no problems in that area.
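The "Unsigned Files" listing above names a LaunchDaemon plist and the command it runs, and the reply explains that an unsigned finding usually means developer sloppiness rather than malware. The following is an added example (not from this thread or from EtreCheck) showing how a practitioner would check such a finding independently: read the launchd plist, find the program it launches, and classify what Apple's codesign(1) reports about it. The plist is constructed from the "Command:" line in the thread; the classification strings are this example's own.

```python
"""Triage an EtreCheck "Unsigned Files" finding for a launchd job.

Added example, not from the thread. codesign(1) exists only on macOS, so
off-macOS only the plist parsing and the output classifier run.
"""
import plistlib
import shutil
import subprocess

# Constructed plist modelled on the daemon named in the thread; the
# ProgramArguments are taken from the EtreCheck "Command:" line.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.fing.service</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Fing.app/Contents/Resources/service/fing</string>
    <string>--servicemode</string><string>com.fing.service.plist</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""


def program_path(plist_bytes: bytes) -> str:
    """Executable a launchd job runs: 'Program' wins over ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    return job["Program"] if "Program" in job else job["ProgramArguments"][0]


def classify_codesign(output: str) -> str:
    """Map `codesign -dv --verbose=4` stderr to a coarse trust class."""
    if "code object is not signed at all" in output:
        return "unsigned"
    if "Signature=adhoc" in output:
        return "ad-hoc"            # signed with no certificate chain at all
    authorities = [l.split("=", 1)[1] for l in output.splitlines()
                   if l.startswith("Authority=")]
    if "Software Signing" in authorities:
        return "apple"             # Apple's own platform binaries
    if any(a.startswith("Developer ID Application") for a in authorities):
        return "developer-id"      # what a shipping third-party daemon should show
    return "other-signed" if authorities else "unknown"


def check_daemon(plist_bytes: bytes) -> dict:
    """Resolve the job's binary and, on macOS, ask codesign about it."""
    path = program_path(plist_bytes)
    if shutil.which("codesign") is None:   # not on macOS: report only the path
        return {"program": path, "signature": "codesign-unavailable"}
    proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                          capture_output=True, text=True)
    return {"program": path, "signature": classify_codesign(proc.stderr)}
```

On Apple silicon a native binary with no signature at all is refused by the kernel, so an EtreCheck "unsigned" entry in practice usually means ad-hoc signed or missing a Developer ID chain, which is exactly the distinction `classify_codesign` makes.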
