Any one using clean my mac 2 on OS X Mawerick? Is it worth?

R C-R wrote:

So far, there is no sign of anything containing the string "2045" in my install.log.Each time I click the button I get 20 or so new entries in system.log (now including one mentioning a single update found with an ID of 031-3414) but nothing is downloaded. And still no mention of anything with the "2045" string in it.

You will never see "2045" in the log, it's the "031-3414" ID. You will find 2045 in the meta.plist after it's installed or with any of the widgets/utilities that check that sort of thing.

WZZZ wrote:

Now this is strange. On my 10.6, when I first checked this morning, the latest update was still the 12/5 (only for the meta.plist Flash blocking). I then force updated, which did show a new time stamp for today, but when I check, the latest is still for OSX.Leverage.a. Nothing for the bitcoin thing. If there had been nothing to update, I would have expected to see "not an increase in version."

It should have increased to version 70 which contains a new OSX.Abk.A definition, but not the two BitCoin ones. I suspect that may mean that the latter two won't run with Snow Leopard?

MadMacs0 wrote:

You will never see "2045" in the log, it's the "031-3414" ID. You will find 2045 in the meta.plist after it's installed or with any of the widgets/utilities that check that sort of thing.

But as I said, this update has not been downloaded or installed on my system, even though the 031-3414 item appears in my system.log. The XProtect.meta.plist is still on version 2044. That update occurred on Feb 8, & then only because I manually downloaded & ran the previous update.

R C-R wrote:

But as I said, this update has not been downloaded or installed on my system, even though the 031-3414 item appears in my system.log.

That appears to be normal. I have no idea what even finally triggers either the download or installation. The previous update took over eleven hours from the time I logged into Maverics and saw the update until it was installed. The install.log last night shows a little under six hours:

Feb 12 16:43:29 Als-iMac-i7.local softwareupdated (200)[187]: Scan (f=0, d=0) found 2 updates: 031-3414, 031-3419(R) (plus 94 predicate-only)

Feb 12 16:56:46 Als-iMac-i7.local softwareupdated (200)[187]: Scan for changed products with previous 2 updates: 031-3414, 031-3419(R) (plus 94 predicate-only)

Feb 12 16:57:03 Als-iMac-i7.local softwareupdated (200)[187]: Scan (f=0, d=0) found 2 updates: 031-3414, 031-3419(R) (plus 94 predicate-only)

Feb 12 22:30:23 Als-iMac-i7.local softwareupdated (200)[186]: Scan (f=1, d=1) found 1 updates: 031-3414 (plus 94 predicate-only)

Feb 12 22:30:23 Als-iMac-i7.local softwareupdated (200)[186]: SoftwareUpdate: 1 enabled config-data product(s): 031-3414 (want active updates only)

Feb 12 22:30:23 Als-iMac-i7.local softwareupdated (200)[186]: SoftwareUpdate: starting download of 031-3414 (XProtectPlistConfigData-1.0)

Feb 12 22:30:24 Als-iMac-i7.local suhelperd (0)[188]: Verifying package at path: /Library/Updates/031-3414/XProtectPlistConfigData.pkg

Feb 12 22:30:25 Als-iMac-i7.local softwareupdated (200)[186]: SoftwareUpdate: finished download of 031-3414

"PKLeopardPackage <file:///Library/Updates/031-3414/XProtectPlistConfigData.pkg>"

Feb 12 22:30:26 Als-iMac-i7.local installd[8025]: PackageKit: Extracting file:///Library/Updates/031-3414/XProtectPlistConfigData.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxM anager/5BE1DDCA-D5D6-4C88-BACC-F272D4137CEC.activeSandbox/Root, uid=0)

Feb 12 22:32:17 Als-iMac-i7.local softwareupdated (200)[186]: SoftwareUpdate: finished install of 031-3414

Feb 12 22:32:17 Als-iMac-i7.local softwareupdated (200)[186]: Removing 031-3414

Feb 12 22:32:17 Als-iMac-i7.local softwareupdated (200)[186]: Remove local product for 031-3414 (1)

It will download into /Library/Updates/ and I have a folder action attached that alerts me when something new has been added.

MadMacs0 wrote:

It should have increased to version 70 which contains a new OSX.Abk.A definition, but not the two BitCoin ones. I suspect that may mean that the latter two won't run with Snow Leopard?

Nope. Latest is still OSX.Leverage.a. No sign anywhere of OSX.Abk.A. Could it have DLd, but not installed? Looked in /var/temp and /private/tmp. Nothing there. It definitely updated, but nothing changed. Where else to look?

Where do you see the version #?

WZZZ wrote:

Nope. Latest is still OSX.Leverage.a. No sign anywhere of OSX.Abk.A.

Maybe you are looking in the wrong place. Just to confuse everybody, they added everything at the beginning.

Could it have DLd, but not installed? Looked in /var/temp and /private/tmp. Nothing there.

With SL, Lion & ML, it doesn't do a standard install. The XProtectUpdater process reads a text file and files it away in CoreTypes.bundle/Contents/Resources as XProtect.meta.plist and XProtect.plist. I suppose it might put it in a temporary place in order to divide it up, but it probably gets a random name while there.

Where do you see the version #?

It's in the XProtect.meta.plist:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

...

<key>Version</key>

<integer>70</integer>

</dict>

</plist>

I used to know a Terminal command that would tell me that, but I'd have to look it up now.

There it is right in the beginning. As you said, just to confuse everyone. Thanks, never would have thought of looking there, they've always been added to the end.

EDIT: But

<key>Version</key>

<integer>70</integer>

or just

<key>Version</key>

by itself doesn't appear anywhere. Using TextWrangler>Search

MadMacs0 wrote:

That appears to be normal. I have no idea what even finally triggers either the download or installation. The previous update took over eleven hours from the time I logged into Maverics and saw the update until it was installed.

But like I said, on my system there were no changes to the XProtect plist files between Nov. 3, 2013 & Feb 8, 2014, & the only reason they were updated on Feb 8 was because I manually downloaded & installed the last (Version 2044) update.

So until a few days ago, XProtect would not have prevented way out-of-date versions of the Flash & other "PluginBlacklist" items in the XProtect.meta.plist file from being used.

That cannot be normal!

R C-R wrote:

So until a few days ago, XProtect would not have prevented way out-of-date versions of the Flash & other "PluginBlacklist" items in the XProtect.meta.plist file from being used.

I'm in a real rush to get my wife to here Dr. appointment to look all this up, but there were no in-the-wild, zero-day threats from Flash or other Plug-ins from October until Feb 4 and IIRC, the update was available that same day.

WZZZ wrote:

EDIT: But {...} by itself doesn't appear anywhere. Using TextWrangler>Search

I have mentioned it before somewhere but you might want to take a look at Pref Setter. It produces nicely formatted plist file outputs & its search function works well.

BTW, speaking of confusion, it might be reduced somewhat if everyone was clear about which OS version they were referring to, at least when it is something other than the one in this <ahem> OS X Mavericks forum. 😉

MadMacs0 wrote:

I'm in a real rush to get my wife to here Dr. appointment to look all this up, but there were no in-the-wild, zero-day threats from Flash or other Plug-ins from October until Feb 4 and IIRC, the update was available that same day.

I don't know about in-the-wild threats, but Flash has been updated many times since Oct 2013 to patch assorted vulnerabilities (none of which would technically be zero-day ones after the public release of the update).

I just dug out a clone of my startup drive I had made a few weeks ago & checked its XProtect.meta.plist file. Here is what it says for com.macromedia.Flash Player.plugin:

<dict>

<key>MinimumPlugInBundleVersion</key>

<string>11.8.800.94</string>

<key>PlugInUpdateAvailable</key>

<true/>

</dict>

As you can see, that is a very old minimum version (released on 7/9/2013 according to this Adobe document). Moreover, I never saw any "blocked plug-in" messages or dialog boxes like those shown in http://support.apple.com/kb/ht5655 on or after Nov 3. Maybe that's because I periodically check for Flash updates using the System Preferences > Flash Player > Advanced "Check now" button, but it is not very reassuring that my XProtect.meta,plist (& XProtect.plist) files were not being updated for the last three months.

I hope all the CleanMyMac folks have unsbcribed and gone home by now as I'm sure we have bored them to tears and spammed theri inboxes with all this OT stuff.

R C-R wrote:

I have mentioned it before somewhere but you might want to take a look at Pref Setter. It produces nicely formatted plist file outputs & its search function works well.

Didn't reacall the it was still around. I've been using XCode for some time now.

BTW, speaking of confusion, it might be reduced somewhat if everyone was clear about which OS version they were referring to, at least when it is something other than the one in this <ahem> OS X Mavericks forum. 😉

I was about to bring up the same thing. We've been bouncing around quite a bit lately.

R C-R wrote:

I don't know about in-the-wild threats, but Flash has been updated many times since Oct 2013 to patch assorted vulnerabilities (none of which would technically be zero-day ones after the public release of the update).

I can't prove anything, but I think Apple has been pretty consistent with this. If we were to ban everything from Adobe, Microsoft, Oracle and to some extent Apple and others with less notoriety, we wouldn't have much software to use. Seems to me that the only thing that matters is that there is an OS X vulnerability for which an exploit has been developed and the details are publicly available. Once the vulnerability has reached that point and hopefully been dealt with by the developer, then it's at least time to watch to see if it turns into a malware threat.

Yes, Flash has been patched several times since 7/9/2013, but how many of those vulnerabilities were able to impact OS X?

And were there publicly available exploits that took advantage of these OS X vulnerabilities?

And finally, had anybody managed to turn one of those exploits into an in-the-wild threat to OS X?

I think the second level might eventually be worth an update, but clearly the third level should be acted on immediately. I'll leave it as an exercise to figure out the threat level imposed to OS X by Flash Player 11.8.800.94 through January.

One other factor that should be considered is that in Mavericks, Apple has the ability to sandbox Flash, which clearly lessens the danger presented by an exploited, vulnerable plug-in.

MadMacs0 wrote:

Yes, Flash has been patched several times since 7/9/2013, but how many of those vulnerabilities were able to impact OS X?

I don't know. I just know that until I manually downloaded & installed the Version 2044 update on Feb 8th, neither of my XProtect plist files had been updated since last November, when I first upgraded to Mavericks.

I have no reason to believe that had I not done the manual update, XProtect would not block any vulnerabilities that have appeared since last November, including the "critical" one in the Flash version prior to 12.0.0.44 the Version 2044 XProtect update addressed.

I have the same concern for the latest update (for version 2045), which still has not been downloaded to my system, & for any subsequent XProtect updates Apple releases in the future.

As simply as I can put it, if I don't when -- or even if -- XProtect will be updated on my system, how can I trust it? 😟

Thanks for the link to Pref Setter. I've been hearing about it for ages, but never got it, since I have other programs for this, including Text W and XCode (Prop List Editor), but will check it out.

For searching, even the Find function in TextEdit seems very reliable.