What is shove? Legit activities?

Hi everybody,


A few weeks ago, a Mac mini (Macmini7,1 - 10.12.5) started to act crazy: volume went up and down, Spotlight appeared, screenshots, symbols appeared in the cells of an Excel sheet...


After a little bit of panic and some searching in the logs and on the internet, I was thinking it was just an SMC problem, like random keyboard inputs. So I reset the SMC, and to be sure that there is no "hack" on the computer I installed the software called BlockBlock to see if something is going to happen in the future (remote access).


This morning I had 3 BlockBlock windows (cf. screenshot) talking about screen sharing stuff...


Is there a way to know if everything is legit?


Thanks for your help.

Regards


User uploaded file

Mac mini (Late 2012), macOS Sierra (10.12.5)

Posted on Jun 22, 2017 2:43 AM

7 replies

Jun 22, 2017 6:36 AM in response to itspw

The "shove" process is a legitimate part of macOS, as are the launch agents and daemons it's installing. Further, the folders where those launch agents and daemons are being installed are protected by System Integrity Protection (SIP), and cannot be modified by anyone other than Apple unless SIP has been disabled. (You'd have to manually disable SIP, which would involve rebooting into recovery mode and taking some very specific steps there... if you haven't done that, SIP is not disabled.)


This is not malicious. Undoubtedly it was simply part of a system update of some kind. BlockBlock is simply making you aware of this change, which is a good thing.

Jun 22, 2017 3:22 AM in response to Luis Sequeira1

Here is the report. I just realized that it's in French, sorry about that:


EtreCheck version : 3.4 (420)

Rapport créé le 2017-06-22 12:12:28

Télécharger EtreCheck chez https://etrecheck.com

Temps d’exécution : 1:39

La vitesse : Excellente


Cliquez sur les liens [Rechercher] pour plus d’informations à partir des Communautés d’assistance Apple.

Cliquez sur les liens [Détails] pour plus d’informations sur cette ligne.


Problème : Autre problème


Informations matérielles :

Mac mini (fin 2014)

[Les caractéristiques techniques] - [Le guide de l’utilisateur] - [Garantie & service]

Mac mini - modèle : Macmini7,1

1 2,6 GHz Intel Core i5 (i5-4278U) CPU: 2-core

8 GB RAM Pas extensible

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Bon - Handoff/Airdrop2 disponible

Wireless: Inconnu

Informations vidéo :

Intel Iris - VRAM : 1536 Mo

VX2757 1920 x 1080 @ 60 Hz


Informations des disques :

APPLE SSD SM0256G disk0: (251 Go) (SSD - TRIM: Oui)

[Afficher le rapport SMART]

EFI (disk0s1 - MS-DOS FAT32) <non monté> [EFI] : 210 Mo

(disk0s2) <non monté> [Conteneur CoreStorage]: 250.14 Go

Recovery HD (disk0s3 - HFS+ journalisé) <non monté> [Recovery] : 650 Mo


Informations USB :

USB30Bus

Datalogic ADC, Inc. Handheld Barcode Scanner

Apple, Inc. IR Receiver

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Logitech USB Optical Mouse

Mitsumi Electric Hub in Apple Extended USB Keyboard

Mitsumi Electric Apple Extended USB Keyboard


Informations Thunderbolt :

Apple Inc. thunderbolt_bus


Disques virtuels :

Macintosh HD (disk1 - HFS+ journalisé) / [Startup] : 249.78 Go (215.47 Go libre)

Disque phsyique : disk0s2 250.14 Go Online


Logiciels du système :

macOS Sierra 10.12.5 (16F73) - Temps depuis le démarrage : environ 3 heures


Fichiers de configuration :

/etc/hosts - Nombre : 9


Gatekeeper :

Mac App Store et développeurs identifiés


Extensions du noyau :

/Library/Objective-See/BlockBlock/BlockBlock.app

[engagé] com.objectiveSee.kext.BlockBlock (0.9.7 - SDK 10.12) [Rechercher]


Agents de lancement systèmes :

[désengagé] 7 tâches d’Apple

[engagé] 183 tâches d’Apple

[en marche] 92 tâches d’Apple


Daemons de lancement systèmes :

[désengagé] 40 tâches d’Apple

[engagé] 173 tâches d’Apple

[en marche] 103 tâches d’Apple


Agents de lancement :

[engagé] com.googlecode.munki.ManagedSoftwareCenter.plist (Shell Script fe54bd43 - installé 2016-10-17) [Rechercher]

[désengagé] com.googlecode.munki.MunkiStatus.plist (? 7062a790 b1c8fe78 - installé 2017-01-26) [Rechercher]

[désengagé] com.googlecode.munki.managedsoftwareupdate-loginwindow.plist (Shell Script 82e03ff8 - installé 2016-10-17) [Rechercher]


Daemons de lancements :

[engagé] com.adobe.fpsaud.plist (? 2afb3af7 a0305b84 - installé 2017-06-15) [Rechercher]

[engagé] com.googlecode.munki.logouthelper.plist (Shell Script 602fb6d0 - installé 2016-10-17) [Rechercher]

[en marche] com.googlecode.munki.managedsoftwareupdate-check.plist (? aa8df4b2 b5cea94e - installé 2016-10-17) [Rechercher]

[engagé] com.googlecode.munki.managedsoftwareupdate-install.plist (? 3e127259 b5cea94e - installé 2016-10-17) [Rechercher]

[engagé] com.googlecode.munki.managedsoftwareupdate-manualcheck.plist (? 673e506d b5cea94e - installé 2016-10-17) [Rechercher]

[engagé] com.malwarebytes.HelperTool.plist (Malwarebytes Corporation - installé 2017-06-08) [Rechercher]

[désengagé] com.microsoft.OneDriveUpdaterDaemon.plist (? 0 ? - installé 2017-02-23) [Rechercher]

[engagé] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installé 2017-06-14) [Rechercher]

[engagé] com.microsoft.office.licensing.helper.plist (? 6d8cb30e 7ca9944 - installé 2015-06-04) [Rechercher]

[en marche] com.objectiveSee.blockblock.plist (Objective-See, LLC - installé 2017-06-08) [Rechercher]

[engagé] com.skype.skypeinstaller.plist (Skype - installé 2017-05-16) [Rechercher]


Agents de lancement pour l’utilisateur :

[en marche] com.objectiveSee.blockblock.plist (Objective-See, LLC - installé 2017-06-08) [Rechercher]

[engagé] com.skype.skype.shareagent.plist (Skype Communications S.a.r.l - installé 2017-06-22) [Rechercher]


Éléments Ouverture :

Microsoft Lync Application - Masqué

(/Applications/Microsoft Lync.app)

Microsoft Outlook Application - Masqué

(/Applications/Microsoft Office 2011/Microsoft Outlook.app)

Skype Application - Masqué

(/Applications/Skype.app)


Modules internets :

SharePointBrowserPlugin: 14.7.5 (installé 2017-06-14) [Rechercher]

FlashPlayer-10.6: 26.0.0.131 (installé 2017-06-19) [Rechercher]

QuickTime Plugin: 7.7.3 (installé 2017-05-16)

Flash Player: 26.0.0.131 (installé 2017-06-19) [Rechercher]

MeetingJoinPlugin: Inconnu (installé 2017-03-20) [Rechercher]


Panneaux de préférences tiers :

Flash Player (installé 2017-06-15) [Rechercher]


Time Machine :

Time Machine n’est pas configuré !


Utilisation du processeur par opération :

4% mdworker

4% WindowServer

3% mdworker

1% kernel_task

1% mds


Utilisation de la RAM par opération :

1.11 Go softwareupdated

639 Mo kernel_task

325 Mo Microsoft Excel

235 Mo com.apple.WebKit.WebContent

233 Mo com.apple.WebKit.WebContent


Utilisation du réseau par opération :

Entrée Sortie Nom de l’opération

16 Mo 10 Mo kernel_task

7 Mo 123 Ko mDNSResponder

634 Ko 2 Ko netbiosd

21 Ko 280 Ko sshd: root@ttys000

105 Ko 164 Ko Skype


Utilisation de l’énergie par opération :

5.52 WindowServer

4.08 Microsoft Lync

0.14 mDNSResponder

0.10 Microsoft Database Daemon


Informations de la mémoire virtuelle :

3.47 Go RAM disponible

1.80 Go RAM libre

4.53 Go RAM utilisé

1.67 Go Fichiers en cache

0 o Fichier d’échange utilisé


Installations de logiciel :

Microsoft AutoUpdate: (installé 2017-06-08)

Office 2011 14.7.4 Update: (installé 2017-06-08)

Bitdefender Virus Scanner: 3.8 (installé 2017-06-08)

Microsoft Remote Desktop: 8.0.27287 (installé 2017-06-12)

Microsoft AutoUpdate: (installé 2017-06-14)

Adobe Flash Player: (installé 2017-06-14)

Office 2011 14.7.5 Update: (installé 2017-06-14)

Firefox: 54.0 (installé 2017-06-16)

Adobe Flash Player: (installé 2017-06-19)

Microsoft Remote Desktop: 8.0.27310 (installé 2017-06-19)


La liste des installations peut ne pas être complète.




Jun 22, 2017 7:38 AM in response to itspw

There is no known malware that tampers with those files, and in light of SIP, no reason to write one. Further, the binaries that are loaded by those launch agents & daemons are legitimate Apple binaries. If malware were involved, it would have to replace several Apple binaries, as well as launch agents & daemons, all in a secure location that cannot be touched on most computers.


No hacker is going to waste their time on writing such malware when there are so many easier ways to do it.
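The replies above rest on three points that can be checked from Terminal: the launchd item sits in a SIP-protected folder, SIP is still fully enabled, and the binary the item starts is Apple's. The script below is an added example, not part of any post in this thread; it assumes the plist path passed to it is the one shown in the BlockBlock alert, and it relies on macOS's own `csrutil`, `PlistBuddy` and `codesign`.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Usage on the Mac:
#   sh check_launch_item.sh /path/to/item.plist   (path as shown in the alert)

# 0 if the plist sits in one of Apple's own launchd folders under /System,
# which SIP protects; /Library and ~/Library are writable by third parties.
in_sip_launchd_dir() {
    case "$1" in
        *..*) return 1 ;;   # refuse paths that could climb out of /System
        /System/Library/LaunchAgents/*|/System/Library/LaunchDaemons/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 only if the text printed by `csrutil status` reports SIP as fully enabled.
sip_enabled_from() {
    case "$1" in
        *"Custom Configuration"*) return 1 ;;   # some protections switched off
        *"System Integrity Protection status: enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Path of the executable a launchd plist starts (Program, else ProgramArguments[0]).
plist_program() {
    /usr/libexec/PlistBuddy -c 'Print :Program' "$1" 2>/dev/null ||
        /usr/libexec/PlistBuddy -c 'Print :ProgramArguments:0' "$1" 2>/dev/null
}

check_item() {
    plist=$1; rc=0
    in_sip_launchd_dir "$plist" ||
        { echo "REVIEW: $plist is outside the SIP-protected launchd folders"; rc=1; }
    sip_enabled_from "$(csrutil status 2>&1)" ||
        { echo "REVIEW: SIP is not fully enabled"; rc=1; }
    prog=$(plist_program "$plist") || prog=
    if [ -z "$prog" ]; then
        echo "REVIEW: no Program or ProgramArguments in $plist"; rc=1
    elif codesign --verify -R='anchor apple' "$prog" 2>/dev/null; then
        echo "OK: $prog carries a valid Apple signature"
    else
        echo "REVIEW: $prog is not validly signed by Apple"; rc=1
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then check_item "$1"; fi
```

A `REVIEW` line means that particular check did not pass and the item deserves a closer look; it is not by itself proof of malware.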
