System Integrity Protection

Months later and I'm still dealing with this. Apple Care, the Genius Bar, local service providers et al. have all worked on 3 of 4 machines (the 4th is under a month old).


Short story: MacBook Pro, two MacBook Airs and iMac all compromised. All have been clean installed, securely wiped and no data transferred.

The first "attack" I observed on December 10, 2015 as Bluetooth File Transfer opened and files from my library were moved. Next Automator opened and crashed my machine. I disconnected Wi-Fi the moment I realized what was happening.

After weeks of bad advice, no help and a small fortune I found a hidden partition on the startup disk containing the malicious files. They are similar to normal OS X recovery files.

I attempted a reset in Terminal but I am not the administrator of my machine. No Wi-Fi turned on, yet the machine is connected to a local network.

Is there any way to restore SIP and regain control of my system?

--most of the Disk Utility menu for the startup disk is greyed out. If I search for image, there are several connected devices that appear.


Apple suggested the yellow pages. My area has one service provider who "fixed" the problem. They recommended selling them.

For Clarification:

YES I tried a clean install via Apple's instructions; new USB, made from a different machine away from my network.

My network is currently secure with non-default passwords, new modem, access point, and an enterprise level external firewall.

I was originally using JavaScript/Chrome, a requirement for school.

No dark web or pornographic/shady websites were visited.

All software was purchased via the App Store minus 3 professional programs that were installed via USB.


weeks of absolute ****!

MacBook Pro

Posted on Jan 29, 2016 8:28 PM


Jan 30, 2016 7:49 AM in response to .ellelle

.ellelle wrote:


Please forgive my brevity and lack of context. Frustration is at its boiling point.

csrutail status returns "command not found"

I have been using Macs since 2002 and this is my first experience with anything virus related.

Is there a method to run EtreCheck in Terminal? All of my machines are currently in recovery mode.


There are no viruses for OS X.

Jan 29, 2016 10:22 PM in response to .ellelle

OK, you will have to provide a bit more information. Did you or anybody else disable SIP? It can only be done when someone has access to your Mac. To find out if it is, open Terminal and type:


csrutil status

to find out what the status of your SIP is. It can be easily enabled again.


You seem to have migrated from the scary world of Microsoft and their virus paranoia. OS X does run some scheduled maintenance tasks which might include moving and/or removal/replacement of files.


Reading, to gain, strengthen or verify knowledge has no substitute and no equal. Apple's own documentation takes a lot of grinding and guidance to read and understand. Much easier to read, follow and understand are the three books of Reid Bondonis, although written for Server, the first one (titled 'Foundation Services') makes some very good reading material. You will also gain a lot by reading Apple's own 'Mac Integration Basic 10.x' into understanding some and more about the OS.


Finally, if you can run EtreCheck and post the result thereof, all of us will have an insight into what the problems bugging your Mac are, and can offer you the advice required on a more factual basis to have you up and running quickly. (EtreCheck is available for download, and is written and maintained by a very well respected member of the Apple Support Community.) If you do some searches for it, the results will speak for themselves.


Leo

Jan 30, 2016 6:11 AM in response to .ellelle

I am somewhat unclear around what you mean by your reference to not being administrator — is this system managed and supported by somebody else, or are you logged in as a standard user and not an admin user?


Related: what commands or errors were involved with your "I attempted a reset in terminal but I am not the administrator of my machine." sequence? Who is the administrator?


Bluetooth is short-range, which means something very local to your system. Bluetooth is separate from and does not involve Wi-Fi. Disconnecting Wi-Fi is ineffective against Bluetooth-based access. NVRAM and SMC resets and a reinstallation should clear any existing references to Bluetooth devices, in conjunction with a complete disk wipe.


Switch to wired connections for your keyboard, mouse and network. Disable Bluetooth. Disable Wi-Fi.


Are there any wired connections with these systems, or other devices on your wired or Wi-Fi network beyond the Macs and the ISP box? Any printers or other wired or Wi-Fi or Bluetooth network-connected devices on your local network? Have you checked all the cabling?


And to confirm: were all partitions erased as part of the installation, and the disk entirely repartitioned?


To confirm: all passwords were changed? Wi-Fi, gateway box, email servers, everything? All local and network connections were confirmed as or were switched to TLS connections, as well?


You mention the presence of a second partition similar to the recovery partition — it's entirely feasible to create your own recovery partition. Getting that onto an erased disk, however, is not nearly as easy. You mention similarities, which implies there are differences from the standard recovery partition. What's different about that, as compared with the standard recovery partition? Was there also a recovery partition present?


Who else has access to these computers? Anyone with keys to the area where these computers are kept, or any low-quality or easily-bypassed door locks, or any master keys around? (What you're describing could well involve physical access. So-called "black bagging". That'd make this entire sequence easily and quickly feasible, too.)

Any reasons for somebody without authorized access to these computers to want to gain access to them and to your data? Are you a target of some sort?

Etrecheck output might help and its output might be useful here, but it's not intended to find partition-level shenanigans.


Based on what you're describing, this is headed toward a forensic dump of the systems involved, and a look at the physical security, and some other reviews.

Jan 30, 2016 7:32 AM in response to MrHoffman

As far as physical access, no one. Home is alarmed and the computers that leave the home are in my possession at all times.

One machine goes to school with my daughter but they go from desk to locker and are regulated.

The only wired connection available is a direct connection from the external firewall to the Ethernet port. Originally used a few times to speed up OS X downloads. No printers etc.

The recovery partition indicates removable disks. File names are close to system files but 1 or 2 letters off. I have photos but cannot upload from iPhone 😟

Jan 30, 2016 8:46 AM in response to pinkstones

pinkstones wrote:

There are no viruses for OS X.


There is malware for OS X. Whether the malware happens to be defined as a "virus", a "trojan" or a "worm", or whether it's some sort of blend, or something newer? For now, how the malware has gotten onto this system and how it is persisting or being reintroduced is (at least to me) more interesting. Now figuring that out, and getting rid of it, will help the OP. Yes, this could theoretically involve a Word macro virus for OS X. Or a trojan. Or it could well be some new virus, or some other sort of dreck, or something related to Bluetooth or Wi-Fi or something else.

Jan 30, 2016 9:07 AM in response to .ellelle

.ellelle wrote:


As far as physical access, no one. Home is alarmed and the computers that leave the home are in my possession at all times.

One machine goes to school with my daughter but they go from desk to locker and are regulated.


Then that system is physically easy for folks to access, particularly when in a locker. The locks issued by and/or the locks used at most schools are utter junk.


Once the systems are cleaned off and reloaded, FileVault can help with some of the common paths for access, as can a firmware password. For a somewhat more paranoid approach, maybe some factory seal tape or — less reliable — an unusual color of nail polish applied on the screws, too.


Kids — most people using computers, for that matter – can swap software around, and can occasionally reveal passwords, and that occasionally doesn't end very well. And I include myself in those lists, BTW.


But with physical access to that system apparently available, all bets are off.


The only wired connection available is a direct connection from the external firewall to the Ethernet port. Originally used a few times to speed up OS X downloads. No printers etc.



I'd have a look at the gateway box you're using, and at its particular capabilities and logging abilities. Specifically, whether that can log inbound and outbound connections. Also a look at what ports are open, too. If the gateway is not capable of some basic security operations and is not capable of implementing outbound traffic blocks, I'd consider a replacement or an upgrade.


The recovery partition indicates removable disks. File names are close to system files but 1 or 2 letters off. I have photos but cannot upload from iPhone


I don't know what you mean by "indicates removable disks". You're going to want or need to get that disk examined forensically. Photos are a pain to deal with, as they can't be easily searched. Somebody to take a very close look at that partition, at what the stuff is and is or is not doing, whether it's malware or some cache or such, whether it's actively contacting some host and/or probing the local network, etc. That's not going to happen here in the forums, in other words.
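The post above recommends getting the disk layout examined rather than working from photos. As an added example (not from the thread or any of its posters), the script below shows how a defender can do the first pass of that inventory on the machine itself: it parses the text of `diskutil list` and flags any partition whose TYPE is outside an El Capitan-era baseline, plus any second Apple_Boot partition (the usual "Recovery HD" type). The sample `diskutil` output is constructed here for illustration; on a Mac, `audit_disks` runs the real command instead. The baseline types are an assumption for 10.11-era GPT layouts (APFS Macs would need `Apple_APFS` added), and a flagged partition is only a lead to examine, not proof of tampering.

```shell
#!/bin/sh
# Added example: triage the output of `diskutil list` for partitions that
# do not belong to a stock OS X 10.11 layout. Constructed sample output is
# embedded so the parser can be exercised on any machine.

# Build one diskutil-style row with the same column layout as the header.
diskutil_row() {
    printf '   %s:%27s %-24s%-11s%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample: a stock disk plus two partitions that should stand out
# (a second Apple_Boot and a non-Apple data partition).
SAMPLE_DISKUTIL=$(
    printf '%s\n' '/dev/disk0 (internal, physical):'
    printf '   #:%27s %-24s%-11s%s\n' TYPE NAME SIZE IDENTIFIER
    diskutil_row 0 GUID_partition_scheme '' '*500.3 GB' disk0
    diskutil_row 1 EFI EFI '209.7 MB' disk0s1
    diskutil_row 2 Apple_HFS 'Macintosh HD' '499.4 GB' disk0s2
    diskutil_row 3 Apple_Boot 'Recovery HD' '650.0 MB' disk0s3
    diskutil_row 4 Apple_Boot 'Recovery HD' '650.0 MB' disk0s4
    diskutil_row 5 'Microsoft Basic Data' UNTITLED '2.1 GB' disk0s5
)

# Read diskutil text on stdin; print "IDENTIFIER TYPE" for each partition
# whose type is outside the baseline, and for any Apple_Boot after the first.
# The TYPE column is cut at the position of "NAME" in the header line, so
# multi-word types such as "Microsoft Basic Data" are read correctly.
flag_partitions() {
    awk '
        BEGIN {
            # Assumed baseline for an OS X 10.11 GPT disk (extend for APFS).
            split("GUID_partition_scheme EFI Apple_HFS Apple_Boot Apple_CoreStorage", b, " ")
            for (i in b) base[b[i]] = 1
        }
        /^ *#:/ { namecol = index($0, "NAME"); next }
        /^ *[0-9]+:/ && namecol > 0 {
            t = substr($0, 1, namecol - 1)
            sub(/^ *[0-9]+:/, "", t); sub(/^ +/, "", t); sub(/ +$/, "", t)
            id = $NF
            if (!(t in base))
                print id, t
            else if (t == "Apple_Boot" && boots++ > 0)
                print id, t " (additional boot/recovery partition)"
        }'
}

# On a Mac, inspect the live layout; elsewhere fall back to the sample.
audit_disks() {
    if command -v diskutil >/dev/null 2>&1; then
        diskutil list
    else
        printf '%s\n' "$SAMPLE_DISKUTIL"
    fi | flag_partitions
}

if [ "${1:-}" = "--run" ]; then
    audit_disks
fi
```

Run it as `sh disk_audit.sh --run`; an empty result means every partition type matched the baseline and only one Apple_Boot was present. Anything printed is the identifier to hand to whoever does the forensic examination.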

Jan 30, 2016 9:19 AM in response to MrHoffman

MrHoffman wrote:


pinkstones wrote:

There are no viruses for OS X.


There is malware for OS X.


I'm aware of that. I didn't say there was no malware, though. There are no viruses currently in the wild that can do any damage to OS X, hence why anti-virus programs are not currently necessary on Apple computers. They can't actually protect you from anything. The malware/adware that affects Macs has to be downloaded and installed by you for it to do any damage, and no program on Earth can keep you from downloading something you shouldn't from some place you shouldn't. Only common sense can do that.

Jan 30, 2016 10:03 AM in response to .ellelle

If you are no longer administrator, then you're going to have to access a different administrator account, become administrator, or reinstall.


What other administrative users are still present? If any. If there are other administrative users, then use the password reset mechanism on one of those users.


Failing that, here's a sequence that can purportedly create an administrator account but — if you've lost administrative access — then enabling SIP isn't going to help, and I'd make a disk backup or two, and nuke and pave the system.

Jan 30, 2016 10:20 AM in response to .ellelle

In addition to what MrHoffman has said above, here are the options for the usage of csrutil. Note that enabling, disabling and clearing can only be done from the Recovery OS. That means that someone has to physically start the Mac in Recovery, and start the Terminal from there, AFAIK.


usage: csrutil <command>
Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.

Available commands:
    clear
        Clear the existing configuration. Only available in Recovery OS.
    disable
        Disable the protection on the machine. Only available in Recovery OS.
    enable
        Enable the protection on the machine. Only available in Recovery OS.
    status
        Display the current configuration.
    netboot
        add <address>
            Insert a new IPv4 address in the list of allowed NetBoot sources.
        list
            Print the list of allowed NetBoot sources.
        remove <address>
            Remove an IPv4 address from the list of allowed NetBoot sources.

Leo
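Two posts in this thread ask the OP to report `csrutil status`, and the OP's own attempt failed with "command not found" because the command name was mistyped. As an added example (not from the thread or its posters), the script below wraps that check so the two outcomes cannot be confused: it first locates `csrutil` (including by its full path, /usr/bin/csrutil), then parses the status line into a single word, and reports FileVault state alongside it since that was also raised above. It assumes OS X 10.11 or later, where `csrutil status` prints "System Integrity Protection status: enabled." or "... disabled." (with "(Custom Configuration)" possibly appended), and `fdesetup status` prints "FileVault is On." or "FileVault is Off.". The parsers are separated from command execution so they can be exercised on constructed sample strings on any machine.

```shell
#!/bin/sh
# Added example: read-only check of System Integrity Protection and
# FileVault state, with output parsing kept separate from command execution.

# Reduce csrutil status output to one word: enabled, disabled or unknown.
sip_state_from_output() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Reduce fdesetup status output to one word: on, off or unknown.
filevault_state_from_output() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Find csrutil via PATH or its known location, so a mistyped name (the
# thread's "csrutail") shows up as a tooling problem, not a SIP result.
# Returns 1 when the tool is absent (pre-10.11 or not a Mac).
locate_csrutil() {
    if command -v csrutil >/dev/null 2>&1; then
        command -v csrutil
    elif [ -x /usr/bin/csrutil ]; then
        echo /usr/bin/csrutil
    else
        return 1
    fi
}

# Exit status: 0 = SIP enabled, 1 = SIP disabled, 2 = could not determine.
check_sip() {
    bin=$(locate_csrutil) || {
        echo "csrutil not found: this needs OS X 10.11 or later" >&2
        return 2
    }
    out=$("$bin" status 2>&1)
    state=$(sip_state_from_output "$out")
    echo "SIP: $state"
    case "$state" in
        enabled)  return 0 ;;
        disabled) echo "SIP is off: re-enable from Recovery with 'csrutil enable' and treat the current install as untrusted" >&2
                  return 1 ;;
        *)        echo "unrecognised csrutil output: $out" >&2
                  return 2 ;;
    esac
}

# FileVault state, informational only (fdesetup ships with OS X 10.8+).
check_filevault() {
    if command -v fdesetup >/dev/null 2>&1; then
        echo "FileVault: $(filevault_state_from_output "$(fdesetup status 2>&1)")"
    else
        echo "FileVault: fdesetup not available" >&2
    fi
}

# Run the live checks only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_sip
    rc=$?
    check_filevault
    exit $rc
fi
```

Run it as `sh sip_check.sh --run` from a normal boot; the exit status (0, 1 or 2) is what you would paste into a reply, together with the two printed lines. Because `csrutil status` only reads the configuration, this is safe to run on a machine you suspect; changing the setting still requires booting to Recovery, as the usage text above says.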

Jan 30, 2016 10:34 AM in response to pinkstones

I think virus has become a generic term for something happening that should not be.


You can probably still find it on news sites -- Apple had to pull some applications from its App Store because they had malware in them. Probably was in December - hope they informed people who purchased the apps.


The OP may also have an issue with Wi-Fi integrity/security. Depends on the installer's ability to secure it.

Jan 30, 2016 10:53 AM in response to Leopardus

Leopardus wrote:


In addition to what MrHoffman has said above, here are the options for the usage of csrutil. Note that enabling, disabling and to clear could only be done from the Recovery OS. That means that someone has to physically start the Mac in Recovery, and start the Terminal from there afaik.


it's possible to disable system integrity protection dynamically, if you have kernel access.


But again — if SIP has been disabled via the recovery boot or otherwise — none of what is installed can be trusted.

Jan 30, 2016 2:49 PM in response to .ellelle

You may have an issue with your wireless network - it may not be properly secured.


Another area I would look at -- if you are using Safari -- clean up Top Sites. Also look at email RSS feeds and any RSS feeds you may have bookmarked. Same goes for any "open this page when I connect" setups -- both RSS sites and Top Sites refresh.


If you are using other web browsers with fast load options - check that those pages are valid.


The App Store did pull a few apps because they had malware in them (heard on the news); don't know which ones but guess it was 3rd party approved.
