System Integrity and Security Concerns on M1 MacBook Pro — Persistent Framework, Disk, and Potential Malware Issues

Question

Level 1

4 points

System Integrity and Security Concerns on M1 MacBook Pro — Persistent Framework, Disk, and Potential Malware Issues

Hello Apple Support Community,

I'm reaching out for assistance with several persistent and potentially serious issues on my M1 MacBook Pro (2021). These involve system integrity, security concerns, and performance instability that have been challenging to resolve. Here’s a summary of the primary concerns and findings:

System Framework Modifications and Integrity Issues:
Unknown Origin for Frameworks: Many frameworks are listed with "Obtained from: Unknown," an unusual status for system components, suggesting possible issues with their authenticity or origin. Combined, these factors hint at potential tampering or unintended modifications to the core system.
Startup Disk and Pre-Boot Volume Errors:
Recurrent Repairs Needed: Despite running repairs multiple times in both standard and safe modes, these issues reappear, suggesting underlying problems with the APFS volume structure or deeper disk integrity concerns.
Performance and App Stability:
1. High System Load and Crashes: EtreCheck reports frequent crashes and high CPU usage in various applications, particularly in core services like WindowServer and system background processes. High resource consumption in these areas has impacted performance and stability, raising concerns about software or potential background tasks straining the system.
Security Concerns and Malware Indicators:
1. Potential Remote Access and Malware Risks: With flagged unsigned files and specific issues with Fing.app, including unsigned LaunchDaemons, there are concerns about unauthorised access or malware. Additionally, there are indications of network and background services exhibiting abnormal behaviour.

EtreCheck Report Summary

Major Issue: Time Machine backup not found.
Minor Issues: Frequent app crashes, instances of high CPU usage, and unsigned software files.

The full EtreCheck report is attached below for your reference. I would greatly appreciate guidance on any steps to reinforce system security and resolve these issues.

Thank you for your time and expertise.

EtreCheckPro Report generated: 2024-10-31 08:27:05

EtreCheckPro version: 6.8.6 (68057) Report generated: 2024-10-31 08:27:05 Download EtreCheckPro from https://etrecheck.com Runtime: 2:19 Performance: Excellent Problem: Other problem Description: Potential issues with pre-boot and startup disk, and main memory hardw are/software following first aid reports that suggest errors and corru ption to number of files. ~Malware also concern with remote access con trol and computer use by a third-party Major Issues: Anything that appears on this list needs immediate attention. No Time Machine backup - Time Machine backup not found. Minor Issues: These issues do not need immediate attention but they may indicate future problems or opportunities for improvement. Apps crashing - There have been numerous app crashes. Apps with heavy CPU usage - There have been numerous cases of apps with heavy CPU usage. Unsigned files - There are unsigned software files installed. These files could be old, incompatible, and cause problems. They should be reviewed. Hardware Information: MacBook Pro (14-inch, 2021) Status: Supported MacBook Pro Model: MacBookPro18,3 Apple M1 Pro (m1) CPU: 10-core 16 GB RAM - Not upgradeable Battery: Health = Normal - Cycle count = 310 Video Information: Apple M1 Pro Color LCD 3024 x 1964 Drives: disk0 - APPLE SSD AP1024R 1.00 TB (Solid State - TRIM: Yes) Internal Apple Fabric NVM Express disk0s1 [APFS Container] 524 MB disk1 [APFS Virtual drive] 524 MB (Shared by 4 volumes) disk1s1 - iSCPreboot (APFS) [APFS Preboot] (6 MB used) disk1s2 - xART (APFS) (6 MB used) disk1s3 - Hardware (APFS) (6 MB used) disk1s4 - Recovery (APFS) [Recovery] (20 KB used) disk0s2 [APFS Container] 994.66 GB disk3 [APFS Virtual drive] 994.66 GB (Shared by 6 volumes) disk3s1 - Macintosh HD - Data (APFS) [APFS Virtual drive] (168.81 GB used) disk3s2 - Update (APFS) (49 MB used) disk3s3 (APFS) [APFS Container] (10.74 GB used) disk3s3s1 - Macintosh HD (APFS) [APFS Snapshot] (10.74 GB used) disk3s4 - Preboot (APFS) [APFS Preboot] (6.61 GB used) disk3s5 - Recovery (APFS) [Recovery] (975 MB used) disk3s6 - VM (APFS) [APFS VM] (20 KB used) disk0s3 [APFS Container] 5.37 GB disk2 [APFS Virtual drive] 5.37 GB (Shared by 2 volumes) disk2s1 - Recovery (APFS) [Recovery] (1.89 GB used) disk2s2 - Update (APFS) (2 MB used) Mounted Volumes: disk1s1 - iSCPreboot [APFS Preboot] Filesystem: APFS Mount point: /System/Volumes/iSCPreboot Used: 6 MB Shared values Size: 524 MB Free: 501 MB disk1s2 - xART Filesystem: APFS Mount point: /System/Volumes/xarts Used: 6 MB Shared values Size: 524 MB Free: 501 MB disk1s3 - Hardware Filesystem: APFS Mount point: /System/Volumes/Hardware Used: 6 MB Shared values Size: 524 MB Free: 501 MB disk3s1 - Macintosh HD - Data [APFS Virtual drive] Filesystem: APFS Mount point: /System/Volumes/Data Encrypted Used: 168.81 GB Shared values Size: 994.66 GB Free: 807.28 GB Available: 822.52 GB disk3s2 - Update Filesystem: APFS Mount point: /System/Volumes/Update Used: 49 MB Shared values Size: 994.66 GB Free: 807.28 GB Available: 822.52 GB disk3s3s1 - Macintosh HD [APFS Snapshot] Filesystem: APFS Mount point: / Read-only: Yes Used: 10.74 GB Shared values Size: 994.66 GB Free: 807.28 GB Available: 822.52 GB disk3s4 - Preboot [APFS Preboot] Filesystem: APFS Mount point: /System/Volumes/Preboot Used: 6.61 GB Shared values Size: 994.66 GB Free: 807.28 GB Available: 822.52 GB disk3s6 - VM [APFS VM] Filesystem: APFS Mount point: /System/Volumes/VM Used: 20 KB Shared values Size: 994.66 GB Free: 807.28 GB USB: USB 3.1 bus <Empty> USB 3.1 bus <Empty> USB 3.1 bus <Empty> Network: Interface en4: Ethernet Adapter (en4) Interface en5: Ethernet Adapter (en5) Interface en6: Ethernet Adapter (en6) Interface bridge0: Thunderbolt Bridge Interface en0: Wi-Fi 802.11 a/b/g/n/ac/ax Interface en7: iPhone System Software: macOS Sequoia 15.1 (24B83) Time since boot: Less than an hour Notifications: EtreCheckPro.app 2 notifications WhatsApp.app 3 notifications Fing.app 2 notifications Security: Gatekeeper: App Store and identified developers System Integrity Protection: Enabled Secure Boot: Full Security Antivirus software: Apple and Malwarebytes Unsigned Files: Launchd: /Library/LaunchDaemons/com.fing.service.plist Command: /Applications/Fing.app/Contents/Resources/service/fing --servicemode com.fing.service.plist --agentroot /Applications/Fing.app/Contents/Resources/service Details: Exact match found in the legitimate list - probably OK System Extensions: [Not Loaded] Malwarebytes Engine - version 5.7.1 (Malwarebytes Corporation - 2024-10-29) Application: /Applications/Malwarebytes.app - version 5.7.1 (Malwarebytes Corporation - 2024-10-29) Description: The Malwarebytes Engine extension manages your connection to the Malwarebytes VPN service. System Launch Daemons: [Not Loaded] 40 Apple tasks [Loaded] 202 Apple tasks [Running] 166 Apple tasks [Other] 2 Apple tasks System Launch Agents: [Not Loaded] 21 Apple tasks [Loaded] 223 Apple tasks [Running] 202 Apple tasks [Other] One Apple task Launch Daemons: [Running] com.cloudflare.1dot1dot1dot1.macos.warp.daemon.plist (Cloudflare Inc. - installed 2024-10-30) Executable: /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP [Running] com.fing.service.plist (Not signed - installed 2024-10-27) Command: /Applications/Fing.app/Contents/Resources/service/fing --servicemode com.fing.service.plist --agentroot /Applications/Fing.app/Contents/Resources/service [Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2024-10-29) Command: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app/Contents/MacOS/RTProtectionDaemon -i Malwarebytes-Mac-5.7.1.1804.pkg [Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2024-10-29) Executable: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/SettingsDaemon.app/Contents/MacOS/SettingsDaemon [Not Loaded] us.zoom.ZoomDaemon.plist (Zoom Video Communications, Inc. - installed 2024-10-29) Executable: /Library/PrivilegedHelperTools/us.zoom.ZoomDaemon Launch Agents: [Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2024-10-29) Executable: /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/FrontendAgent.app/Contents/MacOS/FrontendAgent User Login Items: [Not Loaded] CleanMyMac_5_MAS_HealthMonitor (App Store - installed 2024-10-31) Modern Login Item /Applications/CleanMyMac_5_MAS.app/Contents/Library/LoginItems/CleanMyMac_5_MAS_HealthMonitor.app [Not Loaded] CleanMyMac_5_MAS_Menu (App Store - installed 2024-10-31) Modern Login Item /Applications/CleanMyMac_5_MAS.app/Contents/Library/LoginItems/CleanMyMac_5_MAS_Menu.app [Loaded] LoginLauncherApp (Cloudflare Inc. - installed 2024-10-30) Modern Login Item /Applications/Cloudflare WARP.app/Contents/Library/LoginItems/LoginLauncherApp.app [Not Loaded] Evernote Login Helper (App Store - installed 2024-10-29) Modern Login Item /Applications/Evernote.app/Contents/Library/LoginItems/Evernote Login Helper.app [Not Loaded] PasswordsMenuBarExtra (Apple - installed 2024-10-22) Modern Login Item /System/Applications/Passwords.app/Contents/Library/LoginItems/PasswordsMenuBarExtra.app Applications: 756 Apple apps 48 3rd party apps 7 x86-only apps No unsigned apps App Extensions: Share services: [Loaded] Evernote - /Applications/Evernote.app Safari extensions: [Loaded] Grammarly for Safari - /Applications/Grammarly for Safari.app Notification providers: [Loaded] ServiceExtension - /Applications/WhatsApp.app Plugins: [Loaded] Intents - /Applications/WhatsApp.app QuickLook Previews: [Loaded] EtreCheckQuickLook - ~/Downloads/EtreCheckPro.app com.etresoft.etrecheck4 *.etrecheck Audio Plug-ins: ZoomAudioDevice: 1.0 (Zoom Video Communications, Inc. - installed 2024-10-31) Backup: Time Machine Not Configured! Performance: System Load: 3.07 (1 min ago) 9.58 (5 min ago) 13.21 (15 min ago) Nominal I/O usage: 0.01 MB/s File system: 10.86 seconds Write speed: 5972 MB/s Read speed: 3768 MB/s CPU Usage Snapshot: Type Overall System: 2 % User: 3 % Idle: 95 % Top Processes Snapshot by CPU: Process (count) CPU (Source - Location) WindowServer 18.70 % (Apple) EtreCheckPro 18.28 % (Etresoft, Inc.) kernel_task 4.22 % (Apple) ControlCenter 1.48 % (Apple) RTProtectionDaemon 0.82 % (Malwarebytes Corporation) Top Processes Snapshot by Memory: Process (count) RAM usage (Source - Location) EtreCheckPro 1.41 GB (Etresoft, Inc.) localspeechrecognition 337 MB (Apple) RTProtectionDaemon 233 MB (Malwarebytes Corporation) AppleSpell 215 MB (Apple) WindowServer 167 MB (Apple) Top Processes Snapshot by Network Use: Process Input / Output (Source - Location) CloudflareWARP 6 MB / 1 MB (Cloudflare Inc.) mDNSResponder 486 KB / 304 KB (Apple) apsd 24 KB / 66 KB (Apple) rapportd 29 KB / 14 KB (Apple) netbiosd 1 KB / 1 KB (Apple) Top Processes Snapshot by Energy Use: Process (count) Energy (0-100) (Source - Location) WindowServer 8 (Apple) RTProtectionDaemon 1 (Malwarebytes Corporation) airportd 1 (Apple) CloudflareWARP 0 (Cloudflare Inc.) locationd 0 (Apple) Virtual Memory Information: Physical RAM: 16 GB Free RAM: 2.46 GB Used RAM: 7.62 GB Cached files: 5.92 GB Available RAM: 8.38 GB Swap Used: 0 B Software Installs (past 60 days): Install Date Name (Version) 2024-10-25 macOS 14.7 (14.7) 2024-10-25 Pages (14.2) 2024-10-25 ‎WhatsApp (24.21.81) 2024-10-25 CleanMyMac (5.0.0) 2024-10-25 Grammarly for Safari (9.75) 2024-10-25 Evernote (10.112.2) 2024-10-25 Mobile Device (1.0.0.0) 2024-10-26 XProtectPlistConfigData (5272) 2024-10-26 XProtectPayloads (147) 2024-10-26 macOS 15.0.1 (15.0.1) 2024-10-27 Templates for Pages - DesiGN (8.3) 2024-10-27 Kit for Pages - Templates (2.5.4) 2024-10-27 Goodnotes (6.5.7) 2024-10-29 Malwarebytes for Mac (1.0) 2024-10-29 Zoom Workplace (6.2.6.41824) 2024-10-30 Cloudflare WARP 2024.9.346.0 (2024.9.346) 2024-10-30 macOS 15.1 (15.1) 2024-10-30 RosettaUpdateAuto (1.0.0.0.1.1729588937) 2024-10-30 Gatekeeper Compatibility Data (1.0) 2024-10-30 MRTConfigData (1.93) 2024-10-30 Toolbox for Pages (8.1.4) Diagnostics Information (past 60 days): 2024-10-31 05:37:28 WindowServer - High CPU Use (2 times) First occurrence: 2024-10-27 02:41:02 Executable: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer 2024-10-31 04:46:08 ANECompilerService - High CPU Use (3 times) First occurrence: 2024-10-29 06:05:18 Executable: /System/Library/PrivateFrameworks/AppleNeuralEngine.framework/XPCServices/ANECompilerService.xpc/Contents/MacOS/ANECompilerService 2024-10-31 04:06:40 FPCKService - High CPU Use (6 times) First occurrence: 2024-10-26 15:15:59 Executable: /System/Library/PrivateFrameworks/FileProviderDaemon.framework/XPCServices/FPCKService.xpc/Contents/MacOS/FPCKService 2024-10-31 02:21:00 spotlightknowledged - High CPU Use (5 times) First occurrence: 2024-10-27 20:37:36 Executable: /System/Library/Frameworks/CoreSpotlight.framework/spotlightknowledged 2024-10-29 17:47:48 fingagent.bin - Crash (2 times) Executable: /Applications/Fing.app 2024-10-29 15:56:33 suggestd - High CPU Use Executable: /System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd 2024-10-29 04:02:58 signpost_reporter - High CPU Use (2 times) First occurrence: 2024-10-27 22:15:13 Executable: /usr/libexec/signpost_reporter 2024-10-29 03:16:18 lsd - Crash (6 times) First occurrence: 2024-10-26 00:15:46 Executable: /usr/libexec/lsd 2024-10-28 13:38:17 fileproviderd - High CPU Use (2 times) First occurrence: 2024-10-26 00:22:05 Executable: /System/Library/Frameworks/FileProvider.framework/Support/fileproviderd 2024-10-28 00:21:51 Passwords.app - High CPU Use Executable: /System/Applications/Passwords.app 2024-10-27 13:40:45 fing.app - Hang 2024-10-27 13:31:17 knowledgeconstructiond - High CPU Use (3 times) First occurrence: 2024-10-26 15:25:56 Executable: /System/Library/PrivateFrameworks/IntelligencePlatformCore.framework/Versions/A/knowledgeconstructiond 2024-10-25 23:52:18 /Library/Logs/DiagnosticReports/.fileproviderd_2024-10-25-235218_C****************o.cpu_resource.diag - High CPU Use End of report

MacBook Pro 14″, macOS 15.1

Posted on Oct 31, 2024 1:50 AM

Reply

Answer 1

Oct 31, 2024 8:37 AM in response to Grant Bennet-Alder

if you are behind a Router you control, and enable a Wi-Fi password, your over-the-air messages to your Router are encrypted.

Network Address Translation:

Your Router 'acts as your agent' on the Internet at large, and your local IP address is never sent off your own local network. Your Router ALSO has a built in state-wise firewall, and typical setting will cause it to discard any unsolicited incoming requests. Only answers to your DIRECT queries are allowed in. Your Mac is Un-reachable for unsolicited communication from the Internet at large.

As long as you are using your own Router, there is no need to activate the Mac firewall. On public Wi-Fi, at the Airport or coffee shop, then maybe the Mac firewall would be a good idea.

Reply

Answer 2

Oct 31, 2024 8:49 AM in response to craigcoxuk

By far the easiest way to cause poor performance, instability, overheating and crashing is to install ANY third-party speeder-uppers, Cleaners, Optimizers, or Virus scanners, Bit Torrent, or a VPN that you installed yourself. They are relentless in scanning your files, non-stop, looking for virus-like patterns in Everything, or looking for files that have changed. When completed, they do it all again.

The idea that a third party, with no special knowledge of the inner workings of MacOS, can somehow find a simple way to protect or speed up your computer — that is not already being done by MacOS itself — suggests that the MacOS developers are somehow "holding out on you". That is absurd.

You should remove any and all (other than Apple built-in) virus scanners, speeder uppers, optimizers, cleaners, App deleters or VPN packages you installed yourself, or anything of that ilk.

Your exceptionally well-crafted Macintosh computer does not accumulate filth that needs any third-party anything to clean it. Everything needed to run it efficiently was included in the box, except ONE: a drive on which to store a second copy of your files in case the first copy is damaged or deleted by accident. The backup software, Time Machine, is already present -- integrated deeply into MacOS.

Reply

Answer 3

Oct 31, 2024 8:35 AM in response to craigcoxuk

MacOS shares a lot of the lock-down mechanisms developed for the iPhone. Applications are all sand-boxed with a list of the resources they require, and they cannot ask for anything outside their sandbox without crashing. Signed Applications are checked that they are from legitimate Developers, and Notarized Applications are delivered with the assurance that they have NOT been modified since their release by the Developer.

From MacOS 11 Big Sur onward, the system is on a Separate, crypto-locked System Volume, which is not writeable using ordinary means. Any unauthorized changes to the crypto-locked volume are quickly detected and you are alerted.

So you could store just about every malware known to mankind on your Mac, and your Mac would not get infected spontaneously. Scanning for virus-like patterns might make you feel a little better now, but non-stop scanning is outdated nonsense, and a tremendous waste of resources.

Nothing can become Executable Unless/Until you supply your Admin password to "make it so".

Effective defenses against malware and ot… - Apple Community

Reply

Answer 4

Oct 31, 2024 10:31 AM in response to Grant Bennet-Alder

Grant Bennet-Alder wrote:

...

There is no need to be running Cloudflare Warp. Simple DNS numbers are perfectly adequate for ordinary users.

The Apple version of Cloudflare Warp — enabling iCloud+ Private Relay, which is akin to a two-hop Tor connection, and with Oblivious DNS over HTTPS (ODoH) — works pretty well, if you're concerned about intermediate hosts (or VPN providers) collecting your network metadata, or the servers you're connecting into.

https://www.apple.com/privacy/docs/iCloud_Private_Relay_Overview_Dec2021.PDF

Reply

Answer 5

Oct 31, 2024 9:20 AM in response to Grant Bennet-Alder

Your Etrecheck report show some unfortunate choices you have made along the way.

The most flagrant is CleanMyMac. CleanMyMac has been reported to attempt to throw away important parts of macOS itself, in the name of "Cleaning". I hope you will not require a re-install to fix the problems it may have caused. your Mac does not accumulate filth that needs any external software to clean.

-------

Not only did you install this completely un-necessary package, but the version you installed is not fully signed with a valid Developer Certificate. EVERY serious developer of Mac software obtains a [revokable] Developer Certificate with which total their software. These is no excuse for this.

Unsigned Files:

Launchd: /Library/LaunchDaemons/com.fing.service.plist

Command: /Applications/Fing.app/Contents/Resources/service/fing --servicemode com.fing.service.plist --agentroot /Applications/Fing.app/Contents/Resources/service

and it has been crashing:

2024-10-29 17:47:48 fingagent.bin - Crash (2 times)

Executable: /Applications/Fing.app

2024-10-27 13:40:45 fing.app - Hang

--------

although readers here have more respect for the Virus scanner inside MalwareBytes than many others, no senior contributors advocate leaving it running at all times, punishing performance. MalwareBytes has already accomplished everything it can do on its original pass through your files. The system volume is crypto-locked. There is nowhere for malware to hide.

________

There is no need to be running Cloudflare Warp. Simple DNS numbers are perfectly adequate for ordinary users.

If you are a high-profile person such as a Politician or International Activist, or part of the federal Witness Protection Program, consider invoking lockdown mode and using only Tor Browser.

Reply

Answer 6

etresoft

Level 9

53,248 points

Oct 31, 2024 10:21 AM in response to craigcoxuk

craigcoxuk wrote:

Disk Utility and EtreCheck indicate unusual and identical modification timestamps for several core system frameworks. These timestamps don't align with recent macOS updates, raising concerns about potential unauthorised alterations.

EtreCheck isn't concerned with timestamps. In fact, EtreCheck pretty much gives anything on the system volume a pass because all this data is stored on a snapshot of a read-only, cryptographically encrypted volume. There is no possibility of unauthorized alterations.

Many frameworks are listed with "Obtained from: Unknown," an unusual status for system components, suggesting possible issues with their authenticity or origin. Combined, these factors hint at potential tampering or unintended modifications to the core system.

See above.

Multiple errors were reported in the startup disk and pre-boot volumes, with Disk Utility’s First Aid identifying issues like file corruption and integrity anomalies across system volumes.

Ignore that. It's a complicated system and prone to bugs. If you go looking for problems, there are plenty to find. You can keep yourself busy for years researching and documenting these bugs. If that's what you want to do, I suppose that's fine. You aren't going to find anything real though - just the same old bugs that the other 100 million Mac users have.

EtreCheck reports frequent crashes and high CPU usage in various applications, particularly in core services like WindowServer and system background processes. High resource consumption in these areas has impacted performance and stability, raising concerns about software or potential background tasks straining the system.

The idea behind EtreCheck is to give you information to help you identify the cause of some problem that you are experiencing. But the key part is the problem you are experiencing. You have to be experiencing something first. Otherwise, the EtreCheck report is just noise. In rare cases, an EtreCheck report can highlight problems that you didn't know about. But as the person who wrote EtreCheck, I can assure you that isn't the case here.

With flagged unsigned files and specific issues with Fing.app, including unsigned LaunchDaemons, there are concerns about unauthorised access or malware.

When EtreCheck identifies an unsigned file, the most common causes are errors or poor design from the developers of that software. You should take this as a warning that this software is at risk of bugs or poor performance in the future. If the developers are struggling that much with one of the easiest tasks like signing and notarization, then there is a risk that some random system change in the future will break it.

Actual malware is very easy to spot. You have no malware installed.

Additionally, there are indications of network and background services exhibiting abnormal behaviour.

It all looks normal.

The full EtreCheck report is attached below for your reference. I would greatly appreciate guidance on any steps to reinforce system security and resolve these issues.

Your report looks fine. You didn't specify any real problem, so the report is pretty useless in helping resolve whatever problem you were experiencing. If the only problems that you were experiencing were those concerns that you mentioned in your EtreCheck report, then your EtreCheck report definitively proves that there are no problems in that area.

Reply

Quick Links

System Integrity and Security Concerns on M1 MacBook Pro — Persistent Framework, Disk, and Potential Malware Issues