
crsud process with security update 2013-001

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.


I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?


It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.


Greg

MBP 17" 2.33GHz, Mac OS X (10.5.1)

Posted on Mar 15, 2013 2:08 PM

168 replies
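A practitioner's way to answer Greg's question, rather than guessing from the process name, is to find the launchd job that starts the process and look at what it actually runs. The Python below is an added example; it is not code from this thread or from Apple. The directory list is the standard launchd layout on OS X; the `demo()` fixture uses a made-up label `com.example.crsud` and path `/usr/libexec/crsud` only to exercise the matcher, since nothing in the thread states where the real crsud lives or which job launches it.

```python
"""Find the launchd job that runs a given startup process (e.g. crsud). Added example."""
import glob
import os
import plistlib
import tempfile

# Standard launchd job directories on OS X (system jobs first, then per-user).
LAUNCHD_DIRS = [
    "/System/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/Library/LaunchAgents",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def job_executable(job):
    """Executable a launchd job dict will exec: 'Program' wins, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def find_jobs_running(name, dirs=LAUNCHD_DIRS):
    """Return [(plist_path, label, executable)] for every job whose executable is named `name`."""
    hits = []
    for directory in dirs:
        for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)  # handles both XML and binary plists
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue  # unreadable or malformed job file: skip it, keep auditing the rest
            exe = job_executable(job)
            if exe and os.path.basename(exe) == name:
                hits.append((path, job.get("Label", "<no Label>"), exe))
    return hits


def demo():
    """Constructed fixture: two fake job files in a temp dir; only one runs a 'crsud' binary."""
    d = tempfile.mkdtemp()
    jobs = {
        # Hypothetical label and path, used only to show the matching; not the real job.
        "com.example.crsud.plist": {
            "Label": "com.example.crsud",
            "ProgramArguments": ["/usr/libexec/crsud"],
            "RunAtLoad": True,
        },
        "com.example.other.plist": {"Label": "com.example.other", "Program": "/usr/sbin/other"},
    }
    for fname, job in jobs.items():
        with open(os.path.join(d, fname), "wb") as fh:
            plistlib.dump(job, fh)
    return find_jobs_running("crsud", [d])


if __name__ == "__main__":
    # On a Mac this searches the real launchd directories; elsewhere it falls back to the fixture.
    for path, label, exe in find_jobs_running("crsud") or demo():
        print(f"{label}\n  job file: {path}\n  runs:     {exe}")
        # Follow-up on the Mac itself (not run here):
        #   codesign -dvv "<exe>"      -> who signed the binary
        #   lsof -i -n -P -c crsud     -> which hosts it is talking to
```

Once the job file and binary are known, `codesign -dvv` on the executable and `lsof -i -n -P -c crsud` while Little Snitch reports the connection tell you who signed it and where it is connecting, which is more than the update description does.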

Mar 17, 2013 9:05 AM in response to WZZZ

WZZZ wrote:


You should have it in 10.6.8.


That's really strange... Here's my screenshot: [screenshot]


My machine is a mid-2010 MBP 13". I didn't install this security update yet: it updates Security.prefPane from version 2.4 to 2.5. Are you sure you had this Automatically install important security updates thing before applying Security Update 2013-001?

Mar 17, 2013 9:34 AM in response to Yeehat

I'm beginning to think that, since it supposedly doesn't happen when Automatically install important security updates is unchecked in Security, that crsud connecting to swscan (Software Update) is looking in from time to time to see if there are any Security Updates for maybe new silent updating. Although, if this is so, I'm not sure I'd be too trusting about something as huge as a Security Update being silently installed, especially since I've never seen a Security Update that didn't need a restart.


This was what the Security pane used to look like pre-update. Note the change from "Safe Downloads," which would have meant Safari only, to Important Security Updates.


[screenshot of the pre-update Security pane]

And, if you haven't already done so, uncheck "Open 'safe' files after downloading" in Safari Preferences. Whether or not Apple keeps this list updated or not, this is an enormous security risk.

Mar 17, 2013 10:06 AM in response to WZZZ

WZZZ wrote:


I'm beginning to think that, since it supposedly doesn't happen when Automatically install important security updates is unchecked in Security, that crsud connecting to swscan (Software Update) is looking in from time to time to see if there are any Security Updates for maybe new silent updating. Although, if this is so, I'm not sure I'd be too trusting about something as huge as a Security Update being silently installed, especially since I've never seen a Security Update that didn't need a restart.


I think your guess is correct and I too don't like silent (to say the least) updates. Even though someone calls this "paranoia" 😉 BTW, what should important mean?


And, if you haven't already done so, uncheck "Open 'safe' files after downloading" in Safari Preferences. Whether or not Apple keeps this list updated or not, this is an enormous security risk.


Thanks, I had already done that; I had just forgotten to uncheck Automatically update safe downloads list too.

Mar 17, 2013 1:47 PM in response to WZZZ

WZZZ wrote:


This was what the Security pane used to look like pre-update. Note the change from "Safe Downloads," which would have meant Safari only, to Important Security Updates.

I think you may be confusing "Safe downloads list" with Google's "Safe browsing" which is Safari only. The Safe downloads list is for XProtect updates. Recall that toggling the check box is the safe way to force an update. I wonder if that represents a change in the way XProtect is controlled now, i.e. perhaps it cannot be disabled any longer.


Message was edited by: MadMacs0 After further review, I see that the Safe downloads list option has been moved according to About file quarantine in OS X, at the bottom when you click on "Advanced Users Only." Except that I don't see an Advanced button on your screenshot, even though this says it applies to 10.6.8.

Mar 17, 2013 3:07 PM in response to MadMacs0

I wasn't confusing that with Google Safe Browsing, but yes I was getting that wrong. Completely forgot that was related to XProtect; was mistakenly thinking it was for updating Safari's list of "safe" downloads, which it never was. If that list exists, it may live in the CoreTypes safe file type list for ML and Lion. But I'm not seeing that in Snow anywhere, not at least in CoreTypes.


And in 10.6.8 I don't have a Security & Privacy pane, and no Advanced there either. Just what my screenshot shows, but now changed to Automatically install important security updates.





(This is why I was thinking Safari Safe Downloads, but I realize CoreTypes safe file type list might be something else entirely. From the latest About the security content....)


CoreTypes


Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2


Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled


Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.

http://support.apple.com/kb/HT5672
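To check the CoreTypes safe file type list WZZZ is describing, rather than guess whether and where it exists on a given release, read it. The Python below is an added example, not code from this thread or from Apple. The two inline plists are constructed to mirror the HT5672 change (jnlp listed as safe before, absent after). The category/extension layout (`LSRiskCategorySafe` and friends, each with an `LSRiskCategoryExtensions` array) and the path `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist` are my recollection of the format on Lion and Mountain Lion and are assumptions to verify against the file on the machine being checked.

```python
"""Audit which download extensions CoreTypes treats as 'safe' to auto-open. Added example."""
import os
import plistlib

# Path as I recall it on 10.7/10.8 (assumption; verify on the machine being audited).
CORETYPES_EXCEPTIONS = (
    "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist"
)
# Risk categories as I recall them (assumption); 'Safe' is the one a browser auto-opens.
RISK_CATEGORIES = (
    "LSRiskCategorySafe",
    "LSRiskCategoryNeutral",
    "LSRiskCategoryUnsafeExecutable",
    "LSRiskCategoryMayContainUnsafeExecutable",
)


def _plist(category_to_exts):
    """Build a constructed Exceptions.plist-style XML plist in the assumed layout."""
    root = {
        cat: {"LSRiskCategoryExtensions": exts, "LSRiskCategoryContentTypes": []}
        for cat, exts in category_to_exts.items()
    }
    return plistlib.dumps(root)


# Constructed samples: 'before' lists jnlp as safe; 'after' (per HT5672) no longer does.
PRE_UPDATE_SAMPLE = _plist({
    "LSRiskCategorySafe": ["jpg", "png", "pdf", "jnlp"],
    "LSRiskCategoryNeutral": ["zip", "dmg"],
    "LSRiskCategoryUnsafeExecutable": ["app", "pkg", "sh"],
})
POST_UPDATE_SAMPLE = _plist({
    "LSRiskCategorySafe": ["jpg", "png", "pdf"],
    "LSRiskCategoryNeutral": ["zip", "dmg"],
    "LSRiskCategoryUnsafeExecutable": ["app", "pkg", "sh"],
})


def extensions_by_category(plist_bytes):
    """{category: set(lowercase extensions)} parsed from an Exceptions.plist blob."""
    root = plistlib.loads(plist_bytes)
    out = {}
    for cat in RISK_CATEGORIES:
        entry = root.get(cat) or {}
        out[cat] = {e.lower().lstrip(".") for e in entry.get("LSRiskCategoryExtensions", [])}
    return out


def safe_extensions(plist_bytes):
    """Extensions the system will open automatically after download (what HT5672 trimmed)."""
    return extensions_by_category(plist_bytes)["LSRiskCategorySafe"]


def risk_category_of(plist_bytes, ext):
    """Name of the category listing `ext` (case-insensitive, leading dot ignored), else None."""
    ext = ext.lower().lstrip(".")
    for cat, exts in extensions_by_category(plist_bytes).items():
        if ext in exts:
            return cat
    return None


def audit(plist_bytes, suspicious=("jnlp", "jar", "app", "pkg", "sh", "command")):
    """Return the subset of `suspicious` extensions that the list marks safe to auto-open."""
    return sorted(safe_extensions(plist_bytes) & set(suspicious))


if __name__ == "__main__":
    if os.path.exists(CORETYPES_EXCEPTIONS):
        with open(CORETYPES_EXCEPTIONS, "rb") as fh:
            data = fh.read()
        print("local CoreTypes list, code-carrying types marked safe:", audit(data))
    else:
        print("pre-update sample :", audit(PRE_UPDATE_SAMPLE))   # ['jnlp']
        print("post-update sample:", audit(POST_UPDATE_SAMPLE))  # []
```

Run on the Mac, `audit()` over the real file answers the question the thread is circling: which types that can carry code are still on the auto-open list after Security Update 2013-001. If the file is not at the assumed path, the bundle's Resources directory is the place to look for it.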

Mar 17, 2013 3:52 PM in response to WZZZ

WZZZ wrote:


I wasn't confusing that with Google Safe Browsing, but yes I was getting that wrong. Completely forgot that was related to XProtect; was mistakenly thinking it was for updating Safari's list of "safe" downloads, which it never was. If that list exists, it may live in the CoreTypes safe file type list for ML and Lion. But I'm not seeing that in Snow anywhere, not at least in CoreTypes.


And in 10.6.8 I don't have a Security & Privacy pane, and no Advanced there either. Just what my screenshot shows, but now changed to Automatically install important security updates.

Yes, well, one thing that is abundantly clear is that Apple has made some significant changes to security with this latest update, at least to Lion and above, and not fully documented them all. I guess we'll just have to continue to speculate and learn over time exactly what's going on here.


Although OT here, I do wonder what happened to the XProtect update system.


And like Yeehat, what constitutes "important security updates"?

Mar 17, 2013 6:22 PM in response to MadMacs0

MadMacs0 wrote:


Although OT here, I do wonder what happened to the XProtect update system.


And like Yeehat, what constitutes "important security updates"?


I'm very happy Apple paid attention to 10.6 and issued a Safari 5.1.8 update also. 🙂


This anti-malware scanner came up clean on my machine. Nothing to report.


I will of course still recommend and use ClamXav.



BTW, ClamXav finds W32.Perelett.15399 on my Win 7 VM (Fusion) occasionally.


By using Little Snitch, I blocked Windows from making anything outbound, used a pristine snapshot, then only allowed time.windows.com and a connection to Adobe's Akamai server, which I assume is for Flash.


I ran a scan and got the malware. Microsoft Security Essentials, ClamWin, MalwareBytes didn't pick it up.


This has happened a few times now; I just roll back the snapshot and it's gone, allow the older one to connect online and it's there again.


Also, the CS2 download, once installed in Win 7, ClamWin picks up Ramnit.



So Adobe is hosting malware.

Mar 17, 2013 6:54 PM in response to WZZZ

WZZZ wrote:


What makes you think crsud is a malware scanner?


Because Apple changed "Safe files" in System Preferences and they said they did install an anti-malware scanner.


So instead of XProtect just stopping trojans, it's now looking for known malware and checking for updates for that with a new process on 10.6.



It only reports if it finds something, so until someone comes here with an infection or purposely infects their machine to see what it does, we don't know how it will react.

Mar 17, 2013 7:06 PM in response to ds store

and they said they did install an anti-malware scanner.

No, AFAIK that was just a one time scan that came when running the security update. At least that's all we have to go on right now. Until we hear more, I think you're jumping to conclusions. Believe me, I would hope you're right, but you really have no support for that.


Malware removal


Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2


Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.

http://support.apple.com/kb/HT5672

Mar 17, 2013 7:36 PM in response to ds store

ds store wrote:


ClamXav finds W32.Perelett.15399 on my Win 7 VM (Fusion) occasionally.

...

I ran a scan and got the malware. Microsoft Security Essentials, ClamWin, MalwareBytes didn't pick it up.


This has happened a few times now; I just roll back the snapshot and it's gone, allow the older one to connect online and it's there again.

I can't explain what's going on. There have been several examples of issues when attempting to use ClamXav to look or watch for malware on a VM. Sometimes it's permissions, sometimes apparent false alarms, and although I don't recall an instance of non-detection, it is certainly possible.


So I've been recommending that the VM be excluded and that users install a separate Windows A-V package to cover the VM. Since ClamWin uses the same virus definitions database, one would expect them to have identical results as long as similar options have been selected.


As to W32.Perelett.15399, I guess I would have to suspect a false positive. I could only locate this analysis on VirusTotal, with just three of 46 scanners recognizing it, no comments and only one vote, but on the "good" side. First seen about a year ago and last seen in February. The MD5 hash signature on VT does not match the signature in the ClamAV database. It was added to that database a very long time ago (2003-09-26) with the following entry:

Submission: 362-web

Sender: Farit

Virus: Win32.Stepar.dr

Added: W32.Perelett.14919

Added: W32.Perelett.15399

Not much to go on.

Also, the CS2 download, once installed in Win 7, ClamWin picks up Ramnit.


So Adobe is hosting malware.

I found 814 Ramnit definitions, almost all hash definitions, and couldn't even begin to comment on that.
