HT206230: About the OS X El Capitan v10.11.5 Update

jdip101

Q: Does anyone know what Citrix is and why did it load on my Mac after the latest upgrade?

Hello: I downloaded the OS X El Capitan update (10.11.5) and when I rebooted my Mac Pro I see a program called Citrix. Can someone tell me what Citrix is and how it works?

Mac Pro, iOS 8.1.3

Posted on May 17, 2016 3:28 PM

  • by Barney-15E,Apple recommended

    Barney-15E May 17, 2016 3:58 PM in response to jdip101
    Level 9 (50,099 points)
    Mac OS X

    Citrix makes network connectivity products. It is likely some corporate VPN software. It isn't part of OS X and didn't come from the update.

  • by macjack,

    macjack May 17, 2016 4:02 PM in response to jdip101
    Level 9 (55,699 points)
    Mac OS X

    Did you download the update from the App Store or another source?

  • by TTabby,Apple recommended

    TTabby May 18, 2016 3:21 AM in response to macjack
    Level 2 (225 points)
    Desktops

    Have you participated in any Network Conferences like "Go to Meeting?"

    I did that recently and suspect they somehow installed it for me.

    I was quite surprised when you mentioned it, as I have it too.

    It's in "my username/Applications/Utilities/" as CitrixOnlineLauncher (app).

    But just guessing, really.

  • by jdip101,

    jdip101 May 18, 2016 3:26 AM in response to TTabby
    Level 1 (5 points)
    Apple Music

    Hello: I keep close tabs on what's on my MacPro; this definitely occurred right after the upgrade to El Capitan. Thanks to you I located the files and deleted them.

  • by jdip101,

    jdip101 May 18, 2016 3:29 AM in response to macjack
    Level 1 (5 points)
    Apple Music

    I downloaded the update from the Apple Store. See my response to Tabby, and tell me what you think.

  • by jdip101,

    jdip101 May 18, 2016 3:31 AM in response to Barney-15E
    Level 1 (5 points)
    Apple Music

    Thanks. Take a look at my response to Tabby, and tell me what you think.

  • by TTabby,Helpful

    TTabby May 18, 2016 10:01 AM in response to jdip101
    Level 2 (225 points)
    Desktops

    Thanks for the stars.

    Like I said, I was surprised.

     

    I simply attended a “Webinar” (for “LogicPro”) and am pretty sure that’s when it happened as the install dates coincide.

    It was amazing how many files were installed without me even knowing, and the process of which slid by Apple security on my system. This log file reveals a lot of what it did, just amazing.

    Do you still have this log file?

     

    HD/Users/YourUserName/Library/Logs/com.citrixonline.WebDeployment/DownloaderApp.log

     

    It’s all done using JavaScript which, BTW, can be disabled in your browser if you like (“Safari”? … whatever).

    A lot of cautious people disable it for higher web browsing security.

    Look into it, if it is something you think you need/want.

     

    Cheers and safe networking.

    TTab

  • by Barney-15E,

    Barney-15E May 20, 2016 12:55 PM in response to TTabby
    Level 9 (50,099 points)
    Mac OS X

    "It was amazing how many files were installed without me even knowing, and the process of which slid by Apple security on my system."

    It didn't "slide" by anything. You authorized it.

  • by TTabby,

    TTabby May 20, 2016 1:13 PM in response to Barney-15E
    Level 2 (225 points)
    Desktops

    Barney, I am sure you are probably correct about that, as I vaguely recall having to verify something before the whole thing happened.

    It was careless of me to insinuate any fault of Apple's with the wording I used.

    Thanks for the follow up.

    Tab

  • by Barney-15E,

    Barney-15E May 20, 2016 1:28 PM in response to TTabby
    Level 9 (50,099 points)
    Mac OS X

    My comment was meant as a defense of Apple, but to highlight the myriad of things that can happen when you authenticate any seemingly innocuous software install. You seem to have arrived at that conclusion which is the most important lesson here.

    Much of the Adware that gets installed these days happens for the very same reason--additional payloads are installed along with the legitimate one you wanted.

     

    With Adware they are attempting to put something past you, but in your case, they were just installing the necessary software to complete the requested task. They likely should present more information to you during the install to let you know what is being installed and why and also provide instructions on how to uninstall it when you are done.

  • by TTabby,

    TTabby May 20, 2016 2:37 PM in response to Barney-15E
    Level 2 (225 points)
    Desktops

    Yes indeed.

    Actually, I had just stumbled across that Citrix Installer Application and upon further inspection found that it must have been left behind after that Webinar.

    Also, they (GoToMeeting) left behind 3 or 4 different versions of their Web Casting software app, which was my initial discovery. Another thing(s) they had installed.

     

    There was a serious interruption mid-way through the Webinar and they seemed to be desperately trying anything to get it working again. This could have contributed to the mess they left behind.

     

    I don’t suspect anything malicious about what they did, and I have not noticed any problems here but, it just seemed a bit sloppy.

     

    The thing that scares me is Java, and JavaScript. It’s a real software powerhouse.

    It can take over your whole system and seemingly do whatever it wants, and all you have to do is NOT enable it. Yet, it seems to be enabled by default in most browsers.

    I am anxious to find out if you have any comments about it.

    Am I wrong? I hope I am actually.

    TTab

  • by Barney-15E,

    Barney-15E May 20, 2016 3:10 PM in response to TTabby
    Level 9 (50,099 points)
    Mac OS X

    JavaScript isn't a threat. Java can be exploited. They are entirely different things despite having "Java" in both names.

    Java is not enabled in Safari, nor installed with OS X, now.

  • by TTabby,

    TTabby May 20, 2016 4:39 PM in response to Barney-15E
    Level 2 (225 points)
    Desktops

    OK, yes, Java itself, is the Bad Boy, or can be, and has been exiled by Apple.

     

    It’s just that, I have a log file of what they were doing inside my system using a JavaScript.

    The name of the Log file is “DownloaderApp.log” which they also downloaded (uploaded?) and ran for me.

    I hesitate to upload all of it here, but I will, if need be.

    It clearly reports completing some activities like these excerpts; code is between quotes “…”

     

    “20160321 13:57:56.458 I: [7245] <1607> sending request for 'https://download.citrixonline.com/launcher2/telemetry/helper?token=e0-nQgYbn8YxW MxTRumxhi_0v19-RreCNM9kEHXTp5OFTJWFnuEwStkYiKLBXsxI9vut4v6wKRCB7vNf0Xf-tv1_XMmch Xw_MvWqoSYcIKk6bQROMHamv40VjTyoGjl7eJQbpos1PHVkpv86DESflXJ2&downloadTrigger=java script'   “

     

    -and-

     

    “this is the remove-dmg script.

      script: /private/var/tmp/4F9BED7C-5856-4059-9807-702257A5E8C9.sh

    vol path: /Volumes/Citrix Online Launcher

    dmg path: /Users/xxxxxxxxxxx/Downloads/Citrix Online Launcher.dmg

    wait pid: 7245

    detaching volume

    "disk2" unmounted.

    "disk2" ejected.

    deleting disk image file

    deleting script”

    End of the Log file here.

     

    So, here is a Java script, downloading, installing and executing files, and without me knowing it.

    This seems like JavaScript can be a possible threat also.

    Am I wrong about this?

    I don’t claim to be an expert, at all, I’m just hoping to understand things a bit better really.

  • by Barney-15E,

    Barney-15E May 20, 2016 4:47 PM in response to TTabby
    Level 9 (50,099 points)
    Mac OS X

    That's not a JavaScript. Script is a generic term for code of some sort.

    The first is a normal URL requesting something from the web. In this case it is the download that contains the installer for the webinar software.

    The line that starts with "script" is a shell script (.sh). A shell is a unix command line environment.

    Again, none of that is JavaScript.
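
One way to read a log like the one quoted in this thread, as an added example that is not part of any post or of Citrix's software: it lists which host each request went to and what triggered it, then checks whether the files the cleanup step names are really gone. The sample log is constructed from the excerpts above with the token and user name replaced by placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise a launcher log shaped like the excerpts in the thread.

# Constructed sample; the token and user name are placeholders.
sample_log() {
cat <<'EOF'
20160321 13:57:56.458 I: [7245] <1607> sending request for 'https://download.citrixonline.com/launcher2/telemetry/helper?token=EXAMPLE-TOKEN&downloadTrigger=javascript'
this is the remove-dmg script.
  script: /private/var/tmp/4F9BED7C-5856-4059-9807-702257A5E8C9.sh
vol path: /Volumes/Citrix Online Launcher
dmg path: /Users/example/Downloads/Citrix Online Launcher.dmg
wait pid: 7245
deleting disk image file
deleting script
EOF
}

# stdin: log text. stdout: "host path trigger=value" per request, token dropped.
requested_urls() {
  sed -n "s|.*sending request for '\(https\{0,1\}://[^']*\)'.*|\1|p" |
  while IFS= read -r url; do
    rest=${url#*://}
    host=${rest%%/*}
    host=${host%%\?*}
    case $rest in
      */*) path=/${rest#*/}; path=${path%%\?*} ;;
      *)   path=/ ;;
    esac
    trigger=$(printf '%s\n' "$url" |
      sed -n 's/.*[?&]downloadTrigger=\([^&]*\).*/\1/p')
    printf '%s %s trigger=%s\n' "$host" "$path" "${trigger:-none}"
  done
}

# stdin: log text. stdout: the files the cleanup step says it will delete.
named_paths() {
  sed -n -e 's/^[[:space:]]*script: *//p' -e 's/^dmg path: *//p'
}

# stdin: one path per line. stdout: those that still exist on disk.
still_present() {
  while IFS= read -r p; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; fi
  done
}

sample_log | requested_urls
sample_log | named_paths | still_present
```

On a real system the same functions take the log file mentioned in the thread on standard input, for example `requested_urls < ~/Library/Logs/com.citrixonline.WebDeployment/DownloaderApp.log`.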
