168 Replies. Latest reply: Sep 8, 2013 9:10 AM by MadMacs0
  • 30. Re: crsud process with security update 2013-001
    MadMacs0, Level 4 (3,725 points)

    ds store wrote:

    ClamXav finds W32.Perelett.15399 on my Win 7 VM (Fusion) occasionally.

    ...

    I ran a scan and got the malware. Microsoft Security Essentials, ClamWin, MalwareBytes didn't pick it up.

    This has been going on for a few times now, I just roll back the snapshot and it's gone, allow the older one to connect online and it's there again.

    I can't explain what's going on. There have been several examples of issues when attempting to use ClamXav to keep a lookout or watch for malware on a VM. Sometimes it's permissions, sometimes apparent false alarms and although I don't recall an instance of non-detection, it is certainly possible.

    So I've been recommending that the VM be excluded and that users install a separate Windows A-V package to cover the VM. Since ClamWin uses the same virus definitions database, one would expect them to have identical results as long as similar options have been selected.

    As to W32.Perelett.15399, I guess I would have to suspect a false positive. I could only locate this analysis on VirusTotal, with just three of 46 scanners recognizing it, no comments and only one vote, but on the "good" side. First seen about a year ago and last seen in February. The MD5 hash signature on VT does not match the signature in the ClamAV database. It was added to that database a very long time ago (2003-09-26) with the following entry:

    Submission: 362-web

    Sender: Farit

    Virus: Win32.Stepar.dr

    Added: W32.Perelett.14919

    Added: W32.Perelett.15399

    Not much to go on.

    Also the Cs2 download, once installed in Win 7, ClamWin picks up Ramnit.

    So Adobe is hosting malware.

    I found 814 Ramnit definitions, almost all hash definitions, and couldn't even begin to comment on that.

  • 31. Re: crsud process with security update 2013-001
    MadMacs0, Level 4 (3,725 points)

    ds store wrote:

    Because Apple ... said they did install an anti-malware scanner.

    But they have been saying that since MacDefender days and from the looks of the installer, it still has the same MRT elements that have always been there. It certainly sounds like the same thing that has been distributed with every Security and Java update over the past year that runs once and then deletes itself.

  • 32. Re: crsud process with security update 2013-001
    andyBall_uk, Level 7 (20,320 points)

    crsud looks at

    https://swscan.apple.com/content/catalogs/others/index-cr-lion-1.sucatalog.gz

    (change lion for snowleopard)

    and finds details of any 'critical' updates… for now, just a SecUpdBase2013-001Test.pkg

    these are then downloaded & installed - in the case of this 'test' package, installing an invisible 2-byte payload at /var/.emptypayload

    the test package also contains a post-install action, which looks at

    https://swscan.apple.com/content/catalogs/others/index-mountainlionseed-1.sucatalog.gz

    and searches for a particular 'part number', downloading it if found… The one looked for by the test package does not exist currently.

    So - looking at WZZZ's screenshot earlier - he's already had that test update silently installed - as did I, on first boot to Lion following the 2013-0001 update

  • 33. Re: crsud process with security update 2013-001
    andyBall_uk, Level 7 (20,320 points)

    as might be expected - the .pkm file for the update contains a section

    content-type="critical-update"

    in addition to all the usual stuff - so it would be possible to have a single Software Update catalog URL, although that's not currently the case from what I've seen.
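    As an added example for posts 32 and 33 (not Apple's code, and not anything the thread's participants posted), the Python script below shows how an administrator can inspect a Software Update catalog of the kind crsud reads and pick out packages whose .pkm metadata carries content-type="critical-update", before anything is silently installed. It assumes the catalog is an XML plist with a top-level "Products" dictionary keyed by product ID (the 'part number' from post 32), that each product lists its packages under "Packages" with "URL" and "MetadataURL" keys, and that the content-type attribute sits on the .pkm's pkg-info root element. The catalog and .pkm documents are constructed stand-ins so the script runs offline; hosts, product IDs, sizes and package identifiers are placeholders, and only the test package name and the content-type value come from the thread.

```python
"""Inspect a Software Update catalog and package metadata for 'critical-update' entries.

Added example for this thread, not Apple's code. The catalog and .pkm documents
below are constructed stand-ins for the files served from swscan.apple.com so
that the script runs offline. Product IDs, hosts, sizes and package identifiers
are placeholders; only the test package name and the content-type attribute
come from the thread.
"""
import gzip
import plistlib
import xml.etree.ElementTree as ET

# Constructed sucatalog: an XML plist whose top-level "Products" dict is keyed
# by product ID, each product carrying a "Packages" array with URL/MetadataURL.
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CatalogVersion</key><integer>2</integer>
  <key>Products</key>
  <dict>
    <key>000-00001</key>
    <dict>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key><string>https://swcdn.example.invalid/SecUpdBase2013-001Test.pkg</string>
          <key>MetadataURL</key><string>https://swcdn.example.invalid/SecUpdBase2013-001Test.pkm</string>
          <key>Size</key><integer>4096</integer>
        </dict>
      </array>
    </dict>
    <key>000-00002</key>
    <dict>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key><string>https://swcdn.example.invalid/OrdinaryUpdate.pkg</string>
          <key>MetadataURL</key><string>https://swcdn.example.invalid/OrdinaryUpdate.pkm</string>
          <key>Size</key><integer>8192</integer>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""
# The catalog URLs quoted in the thread end in .gz; this is the compressed form.
SAMPLE_CATALOG_GZ = gzip.compress(SAMPLE_CATALOG)

# Constructed .pkm documents keyed by MetadataURL. The thread reports a
# content-type="critical-update" attribute in the test package's .pkm; placing
# it on the <pkg-info> root element is an assumption made for this example.
SAMPLE_PKM = {
    "https://swcdn.example.invalid/SecUpdBase2013-001Test.pkm": (
        b'<?xml version="1.0"?>'
        b'<pkg-info format-version="2" identifier="com.example.SecUpdBase2013-001Test"'
        b' version="1.0" install-location="/" auth="root" content-type="critical-update">'
        b'<payload installKBytes="1" numberOfFiles="1"/></pkg-info>'
    ),
    "https://swcdn.example.invalid/OrdinaryUpdate.pkm": (
        b'<?xml version="1.0"?>'
        b'<pkg-info format-version="2" identifier="com.example.OrdinaryUpdate"'
        b' version="1.0" install-location="/" auth="root">'
        b'<payload installKBytes="512" numberOfFiles="40"/></pkg-info>'
    ),
}


def load_catalog(data):
    """Parse a sucatalog, transparently gunzipping it if it carries the gzip magic."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return plistlib.loads(data)


def catalog_packages(data):
    """Return (product_id, package_url, metadata_url) for every package in the catalog."""
    rows = []
    for product_id, product in load_catalog(data).get("Products", {}).items():
        for pkg in product.get("Packages", []):
            rows.append((product_id, pkg.get("URL"), pkg.get("MetadataURL")))
    return rows


def find_product(data, product_id):
    """Look a 'part number' up in the catalog; None when it is not listed, which is
    the case the test package's post-install step currently hits."""
    return load_catalog(data).get("Products", {}).get(product_id)


def pkm_content_type(pkm_bytes):
    """Return the content-type attribute of a .pkm root element, or None when absent."""
    return ET.fromstring(pkm_bytes).get("content-type")


def find_critical_updates(data, fetch_pkm):
    """List (product_id, package_url) for packages whose .pkm is marked critical-update.

    fetch_pkm(url) must return the .pkm bytes; in real use that is an HTTP fetch,
    here it is a lookup into the constructed SAMPLE_PKM dict.
    """
    hits = []
    for product_id, pkg_url, pkm_url in catalog_packages(data):
        if pkm_url and pkm_content_type(fetch_pkm(pkm_url)) == "critical-update":
            hits.append((product_id, pkg_url))
    return hits


if __name__ == "__main__":
    for product_id, pkg_url in find_critical_updates(SAMPLE_CATALOG_GZ, SAMPLE_PKM.__getitem__):
        print(f"critical-update: {product_id} -> {pkg_url}")
```

    To run it against a real catalog, replace SAMPLE_CATALOG_GZ with the bytes fetched from one of the .sucatalog.gz URLs above and pass a fetch function that retrieves each MetadataURL; find_product is the check the post-install step performs, and it returns None when the part number is not listed.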

  • 34. Re: crsud process with security update 2013-001
    WZZZ, Level 6 (12,220 points)

    That's really impressive Andy. I wouldn't know how to begin to get in and find all that stuff and then examine it. Way above my pay grade. That's great information. Thanks. (Sometime, when you have nothing better to do, I'd love to know how you did that.)

    This is interesting:

    /private/var/.emptypayload

    2 bytes with a created and modified of 5/29/12

    I wonder how that arrived, since it pre-dates this current update by many months.

  • 35. Re: crsud process with security update 2013-001
    andyBall_uk, Level 7 (20,320 points)

    >>/private/var/.emptypayload

    >>2 bytes with a created and modified of 5/29/12

    >>I wonder how that arrived, since it pre-dates this current update by many months.

    my check was in Lion, which apparently changed the modified date to last night, although the creation date is also May 2012 - either Snow does something slightly different (the test package from cr-snowleopard is the same one) or some other difference between the way it ran on our two systems.

    It was there on your pre-update backup? Likely not, just un-modified during/after install.

  • 36. Re: crsud process with security update 2013-001
    WZZZ, Level 6 (12,220 points)

    Yep, not there on pre-update clone.

  • 37. Re: crsud process with security update 2013-001
    baltwo, Level 9 (60,115 points)

    FWIW, not seeing /var/.emptypayload in my SL or ML boot volumes, both with the latest updates installed. Strange stuff here.

  • 38. Re: crsud process with security update 2013-001
    andyBall_uk, Level 7 (20,320 points)

    >Sometime, when you have nothing better to do, I'd love to know how you did that

    a passing knowledge of software update & the catalog format / URLs -

    then strings command on crsud, as I suggested to you on the other side,

    then did nothing about it since I figured you or ds would be all over it using Little Snitch.

    saw your screeny showing the test pkg, but carelessly thought it was a rename for testing.

    noticed the crsud.plist for root was altered after Lion update, containing an entry mentioning the same test pkg as your screenshot... so I looked more closely at strings output & found that for now, at least, there's a different URL for critical updates (previously checked the main catalog for 'critical' or anything likely-sounding)

  • 39. Re: crsud process with security update 2013-001
    andyBall_uk, Level 7 (20,320 points)

    Hi Baltwo

    is XProtect disabled on the 10.6.8 Mac? - the strings suggest that crsud won't run if that's so. otherwise check the crsud plist & cache + console for ideas.

    re ML - we know there's no crsud, so perhaps no 'test' package either? I'm not sure what's in place for ML to ensure critical updates.

  • 40. Re: crsud process with security update 2013-001
    billcole, Level 1 (30 points)

    MadMacs0 wrote:

    curl is a common process for transferring data with URL syntax. I see it used by a number of routines with my setup and it has been permanently approved with port 80 for a very long time.

    So why keep using Little Snitch at all?

    There is nothing protecting curl from malicious or surreptitious use and it is a very flexible and powerful tool. It is common practice for software that seeks to operate without being noticed to use common tools (e.g. curl, ssh, etc.) to do things like network access which are often watched, so as to look more like routine activity.

  • 41. Re: crsud process with security update 2013-001
    baltwo, Level 9 (60,115 points)

    andyBall_uk wrote:

    …is XProtect disabled on the 10.6.8 Mac?

    Not as far as I know. At least I've not disabled it. Do note that both Java and Flash Player are totally up to date.

    re ML - we know there's no crsud, so perhaps no 'test' package either? I'm not sure what's in place for ML to ensure critical updates.

    I'm not aware of anything except XProtect, which doesn't do any updating, but turns those off. I never do autoupdates of anything, but do keep up to date and manually install all updates.

  • 42. Re: crsud process with security update 2013-001
    MadMacs0, Level 4 (3,725 points)

    baltwo wrote:

    FWIW, not seeing /var/.emptypayload in my SL or ML boot volumes, both with the latest updates installed. Strange stuff here.

    Did you check the box for "Automatically install important security updates"? I realize that's not something you would normally do, but it didn't sound like you would get the test package installation unless it was.

  • 43. Re: crsud process with security update 2013-001
    baltwo, Level 9 (60,115 points)

    Did you check the box for "Automatically install important security updates"?

    Never and don't expect to experiment with that.

  • 44. Re: crsud process with security update 2013-001
    andyBall_uk, Level 7 (20,320 points)

    good idea - also the crsud.plist should have a "last run successfully" entry

    the 10.6.8 update here installed emptypayload on first boot - the automatic checkbox was already checked when first seen.

    WZZZ - my 10.6.8 one wasn't modified - showed May 2012 like yours. Something different on Lion, or just this system.
