User profile for user: Charles Belov
Charles Belov Author
User level: Level 2
150 points

"Installer is trying to install new software" safety

While running Microsoft AutoUpdate (MAU), I got the dialog "Installer is trying to install new software. Type an administrator's name and password to allow this."


The message does seem to be related to MAU. That is, if I click cancel, then in MAU click instal software again, the dialog pops up again.


On the other hand, the wording is awfully anonymous for my comfort. In theory, a piece of malware could watch for another program about to be installed, then throw up that dialog so that I give it permission to install other malware.


How can I tell exactly what software Installer is trying to install?

Mac mini, OS X Yosemite (10.10.5), 4 GB RAM

Posted on Aug 18, 2015 12:16 AM

Reply
10 replies
User profile for user: Charles Belov
Charles Belov Author
User level: Level 2
150 points

Aug 23, 2015 12:16 AM in response to Charles Belov

Linc, actually, your suggestion of Safe Mode pointed me in the right direction. The safest way - not 100% guaranteed but safer than any other method for apps like Microsoft Office, Java, and Flash not available in the app store - would seem to be to safe boot and do any downloading and installing there, one program at a time. So that's what I did.

Reply
User profile for user: Charles Belov
Charles Belov Author
User level: Level 2
150 points

Aug 18, 2015 11:37 PM in response to Linc Davis

Linc, thank you for the offer of assistance. While I do have an anti-virus, I don't intentionally depend on it (in terms of a sense of security, false or otherwise). It's more of a double-check than a first check. That said, Adobe doesn't make SHA512 hashes available for me to check those when I update Flash. In theory, I'd install everything from the App Store. But LibreOffice, Microsoft Office, Citrix, Flash, Chrome, Firefox, etc., aren't available from the App Store. (At least LibreOffice and Firefox make hashes available. And Chrome handles it's own updates, assuming it wasn't infected the first time I installed it.)


While I don't see any hidden files in these folders, I do have my Mac set to show hidden files, and see .DS_Store grayed out in other folders.


Step 1

User uploaded file

Step 2

User uploaded file

Step 3

User uploaded file

Step 4

I have Safari Extensions set to Off


Step 5

User uploaded file

Let me choose when to run plug-in content

Ask when a site wants to use a plug-in to access your computer


Firefox


User uploaded file

User uploaded file

The rest are set to Never Activate. I've just set Java, which is out of date, to that, but I have Java set to disabled in the browser. I also have it set to never install applications.

And while we're at it, here's the Installer pop-up, which appears to be unrelated to my browsers. At least, closing Firefox and Safari doesn't get rid of it. (And yes, their active dots are gone from my desktop taskbar.) I still have Chrome open, but need it for this post. Once I've posted, I'll quit all my other apps besides Installer as well and make a new post if something else makes it go away.

Oh, and when I try to install the upgraded Java from the Java control panel, I get the same request from the finish_installation dialog.

User uploaded file

If I cancel finish_installation, I can quit the Java Install app.

If I cancel the Installer dialog, it goes back to the Install Office dialog.

User uploaded file

As you can see, it sure looks like these are legitimate installations, but the dialog box wording is generic for that.

Hope this is all you were looking for.

Reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,739 points

Aug 19, 2015 7:04 AM in response to Charles Belov

You don't have any malware. It looks like the Oracle Java updater isn't working. "Sophos" may be interfering with it, or there may be some other reason. I suggest you download the update manually from java.com. I also suggest that you get rid of "Sophos," even if it isn't causing this problem. Like all "anti-virus" or "anti-malware" products, it's worse than useless. Back up all data before making any changes.

Reply
User profile for user: Charles Belov
Charles Belov Author
User level: Level 2
150 points

Aug 18, 2015 9:57 AM in response to Barney-15E

Well, there is some logic to that. For that matter, if I download any program not served over SFTP, how do I know that Adobe Flash or Oracle Java or whatever hasn't been tampered with since it's not signed, and they don't publish a 512-bit signature for me to check.


The original question stands: At the very minimum, how can I determine what is trying to be installed by this uninformative dialog box?

Reply
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,739 points

Aug 18, 2015 2:34 PM in response to Charles Belov

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Some of the most common types of adware can be removed by following Apple's instructions. If those instructions don't work for you, or if you have trouble following them, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure that doesn't involve downloading anything.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

"Installer is trying to install new software" safety

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up