Suspicious code - Sophos

Hi everyone,


I had a computer company check out my MacBook Pro for suspicious activity. They installed Sophos. Ever since then, I've been getting suspicious code in the console. In particular, the following:

3/26/16 3:38:37.941 PM SophosMcsAgentD[335]: [SMEMcsEventBroker.m:187] McsEventBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ea3cd50 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/ev ents/endpoint/6d194780-9d23-64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/ev ents/endpoint/6d194780-9d23-64b5-397f-b261aab3023a}

3/26/16 3:38:37.941 PM SophosMcsAgentD[335]: [SMEMcsEventHandler.m:453] McsEventHandler: failed to send queued events; will retry (attempt 210)

3/26/16 3:38:40.658 PM Google Chrome Helper[734]: CGAffineTransformInvert: singular matrix.


What does it mean? What is the SophosMcsAgentD and the SMEMcsEventBroker? What are they trying to do? Also, what does "McsEventHandler: failed to send queued events; will retry (attempt 210)" mean? What queued events is the McsEventHandler failing to send? Furthermore, when I try to visit the URL that's in the code, I get this message:

Your connection is not private

Attackers might be trying to steal your information from dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com (for example, passwords, messages, or credit cards).


NET::ERR_CERT_AUTHORITY_INVALID



Has anyone seen any code like this from Sophos before? Below is a longer version. The code just keeps repeating itself, taking up the majority of the commands in the console:


3/26/16 1:35:33.835 AM SophosMcsAgentD[335]: [SMEMcsEventHandler.m:453] McsEventHandler: failed to send queued events; will retry (attempt 126)

3/26/16 3:36:25.962 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7eb16f40 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:36:46.119 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7e8e76f0 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:37:06.291 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7eb13240 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:37:26.054 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7eb15cb0 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:37:46.598 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7e9e4da0 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:38:06.093 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ce09f60 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:38:20.544 PM Google Chrome Helper[734]: CGAffineTransformInvert: singular matrix.

3/26/16 3:38:26.060 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ea40bc0 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:38:37.941 PM SophosMcsAgentD[335]: [SMEMcsEventBroker.m:187] McsEventBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ea3cd50 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/ev ents/endpoint/6d194780-9d23-64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/ev ents/endpoint/6d194780-9d23-64b5-397f-b261aab3023a}

3/26/16 3:38:37.941 PM SophosMcsAgentD[335]: [SMEMcsEventHandler.m:453] McsEventHandler: failed to send queued events; will retry (attempt 210)

3/26/16 3:38:40.658 PM Google Chrome Helper[734]: CGAffineTransformInvert: singular matrix.

3/26/16 3:38:46.030 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ea44f70 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:39:06.002 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ea45590 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:39:25.955 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7eb184b0 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:39:46.036 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7e9e3580 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:39:53.616 PM SophosMcsAgentD[335]: [SMEMcsStatusBroker.m:187] McsStatusBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ea439d0 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/st atuses/endpoint/6d194780-9d23-64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/st atuses/endpoint/6d194780-9d23-64b5-397f-b261aab3023a}

3/26/16 3:39:53.616 PM SophosMcsAgentD[335]: [SMEMcsStatusHandler.m:316] McsStatusHandler: failed to send queued status; will retry (attempt 216)

3/26/16 3:39:59.188 PM GoogleSoftwareUpdateAgent[3635]: 2016-03-26 15:39:59.186 GoogleSoftwareUpdateAgent[3635/0xa08741d4] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: <KSAgentSettings:0x53d820 bundleID=com.google.Keystone.Agent lastCheck=2016-03-26 17:39:12 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users//Library/Google/GoogleSoftwareUpdate/TicketStore/Keyston e.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO>

3/26/16 3:40:06.108 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x7ea44340 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}

3/26/16 3:40:25.974 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo=0x79337710 {NSErrorFailingURLKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a, NSErrorFailingURLStringKey=https://dzr-mcs-amzn-us-east-1-h0m3.upe.p.hmr.sophos.com/sophos/management/ep/co mmands/applications/ALC;HBT;MCS;NTP;SAV;SHS;SWC;APPSPROXY/endpoint/6d194780-9d23 -64b5-397f-b261aab3023a}


Any idea what all of this means? Thank you for your help

MacBook Pro (Retina, 15-inch, Late 2013), OS X Yosemite (10.10.4)

Posted on Mar 26, 2016 12:50 PM
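
A triage sketch for Console output like the lines quoted above, added here as an example; it is not part of the original post and not Sophos tooling. It groups lines by process, NSURLError code and failing host, and tracks the retry counters. The sample lines, the host `mcs.example.invalid` and the `ENDPOINT-ID` path segment are constructed placeholders; the error-code names come from Apple's Foundation headers.

```python
import re
from collections import Counter

# A few NSURLErrorDomain codes and their names from Apple's Foundation headers.
NSURL_CODES = {
    -1001: "NSURLErrorTimedOut",
    -1009: "NSURLErrorNotConnectedToInternet",
    -1012: "NSURLErrorUserCancelledAuthentication",
    -1202: "NSURLErrorServerCertificateUntrusted",
}

# Constructed sample shaped like the quoted Console lines (placeholder host and id).
SAMPLE = """\
3/26/16 1:35:33.835 AM SophosMcsAgentD[335]: [SMEMcsEventHandler.m:453] McsEventHandler: failed to send queued events; will retry (attempt 126)
3/26/16 3:37:46.598 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "(NSURLErrorDomain error -1012.)" UserInfo=0x0 {NSErrorFailingURLKey=https://mcs.example.invalid/sophos/management/ep/commands/endpoint/ENDPOINT-ID}
3/26/16 3:38:06.093 PM SophosMcsAgentD[335]: [SMEMcsCommandBroker.m:350] McsCommandBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "(NSURLErrorDomain error -1012.)" UserInfo=0x0 {NSErrorFailingURLKey=https://mcs.example.invalid/sophos/management/ep/commands/endpoint/ENDPOINT-ID}
3/26/16 3:38:37.941 PM SophosMcsAgentD[335]: [SMEMcsEventBroker.m:187] McsEventBroker: connection error: Error Domain=NSURLErrorDomain Code=-1012 "(NSURLErrorDomain error -1012.)" UserInfo=0x0 {NSErrorFailingURLKey=https://mcs.example.invalid/sophos/management/ep/events/endpoint/ENDPOINT-ID}
3/26/16 3:38:37.941 PM SophosMcsAgentD[335]: [SMEMcsEventHandler.m:453] McsEventHandler: failed to send queued events; will retry (attempt 210)
3/26/16 3:38:40.658 PM Google Chrome Helper[734]: CGAffineTransformInvert: singular matrix.
"""

LINE = re.compile(r"^\S+ \S+ [AP]M (?P<proc>.+?)\[\d+\]: (?P<msg>.*)$")
ERROR = re.compile(r"Error Domain=(\w+) Code=(-?\d+)")
URL = re.compile(r"NSErrorFailingURLKey=https?://([^/\s,}]+)")
RETRY = re.compile(r"(\w+): failed to send queued \w+; will retry \(attempt (\d+)\)")

def summarize(text):
    """Group Console lines by (process, code, name, host); track retry ranges."""
    errors, retries, other = Counter(), {}, Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped Console line
        proc, msg = m["proc"], m["msg"]
        err, url, retry = ERROR.search(msg), URL.search(msg), RETRY.search(msg)
        if err:
            code = int(err[2])
            name = NSURL_CODES.get(code, "unmapped") if err[1] == "NSURLErrorDomain" else err[1]
            errors[(proc, code, name, url[1] if url else None)] += 1
        elif retry:
            n = int(retry[2])
            lo, hi = retries.get(retry[1], (n, n))
            retries[retry[1]] = (min(lo, n), max(hi, n))
        else:
            other[proc] += 1  # unrelated lines, counted per process
    return errors, retries, other

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

In the sample, every agent error shares one code and one host, which is the pattern to check for before reading the lines one by one.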

5 replies

Mar 26, 2016 2:13 PM in response to Grant Bennet-Alder

Grant - Sophos was installed on my Mac by the company that I paid to investigate it for suspicious activity. I'm not sure what else they did, but I know they installed Sophos. I'm wondering if the very own company I hired to investigate whether my computer was compromised actually compromised it. Wouldn't that be ironic. All I'm asking now is if anything in the logs seems suspicious.


In addition, I was under the impression that Macs weren't immune to hackers, which seems to be the general consensus.

Mar 26, 2016 2:25 PM in response to cbg2115

What Sophos checks for is strings on your Mac that look like the code for well-known viruses. Since your Mac is already well protected from those attacks, everything Sophos does is for show. And everything it finds by scanning is a False Alarm.


If by "Hackers", you mean attempts to modify your computer by sending it arbitrary stuff over the Internet, your Mac is essentially immune.


If by "Hackers" you mean attempts to get YOU to install funny stuff, and allow the Installation, then NO, your Mac is not immune because people are gullible.


If you have actual symptoms, you should be reporting what you see, not chasing "ghosts" with packages like Sophos.
