Pop-up window: Apple wants to make changes

I'm having the same problem on my Mac Pro with High Sierra 10.13.6. It occurs every 2 or 3 days and goes away after exactly 3 pop-ups and 3 cancels. I believe that it is malware mainly because I trust that Apple would not do this. Also, the use of "Apple" vs. "Finder" or some other system component is troubling. I'm using a WatchGuard Firebox T-70 security appliance with network anti-virus and I thought that I was immune from this stuff... apparently not. I listened to the "security now" podcast suggested by macfrombrampton and although possible, that vulnerability sounds like a bit of a stretch. I would appreciate an update if anyone finds out anything else. Otherwise, I'll sit and wait for Mojave and hope that no damage is done.

Check Safari > Preferences > Websites > then the Plug-Ins panel on the bottom left corner. Look and see if you have anything there you don't recognize. I suggest too actually running Malwarebytes and see if it detects it. This one is pretty solid of at least finding a part of a file tied to any form of malware. The wording is definitely off as someone pointed out Apple Vs Finder. It's definitely something installed or piece of something attached to a program or file.

Prior to this happening do you remember if you downloaded or were prompted to update anything that wasn't done directly through the Mac App Store.

I have the same problem. Called APPLE Support. They had me run Malweare bytes. It found 9 issues. And cleaned them out. Apple had me delete them, and empty the trash so I don't have a list. I will post again in a couple of days with the results.

will show what installs were made on the date that an actual password was provided to this pop up?

If the person clicked cancel, the software wasn't install so I doubt macOS took note.

Run etrecheck. It lists the software installed in the last month. Not sure were it gets the dates.

etrecheck

Download etrecheck. Click on the download link at the bottom of the screen. http://etrecheck.com/

Run etrecheck. The first five runs are free.

How to post etrecheck findings:

1) click on "Share report"

2) click on "Copy report"

3) Paste the information into an ASC forum reply.

Using EtreCheck by etresoft, the author https://discussions.apple.com/docs/DOC-11591

Stamp of approval https://discussions.apple.com/docs/DOC-8181

I though we determined it was fake. I don't think that is the wording used in macOS.

Dang, now I'm not sure. The messages change depending on what you're installing. Here's what I got in Mojave while installing a Flash Player update.

Nothing about "Type your password to allow this.", and a different confirmation button. With this admin box open, I ran Activity Monitor to see what was generating the message.

According to that, the OS was genuinely creating the box via the SystemAppearance drawing routines. But then, the scam app could easily be calling for the same resources. I have no way of checking without having the malware to run.

It would seem to me the OS is indeed calling for the admin confirmation, prompted by the malware. Otherwise, why show it at all? Any malware would prefer you didn't even know it was installed. This only draws your attention to it and they have to goad the user into allowing its full installation in order to do what the malware app intends.

Whichever is correct, we definitely know users shouldn't allow it.

The restart of Malwarebytes detects something is fairly normal. It does that because when macOS reboots it actually pulls in the parts of Gatekeeper that were designed to fight against malware and the restart also searches the purpose of stopping anything actively running to remove it. Go ahead and log back in and run another scan and also check your Applications list and make sure you recognize every program listed. https://support.apple.com/guide/mac-help/apps-included-on-your-mac-mchl110b00b7/ mac

That link is a list of what’s built in so you know how to recognize what should be there that you didn’t install yoirs

I also have had this pop-up "Apple wants to make changes". After reading everyone's experience of this problem, I contacted Apple Support. They guided me through the process of changing Safari preferences to turn off pop-ups. They also had me delete extensions that I didn't use or recognize. Both of these were found with the Safari browser open under the "Safari" menu item. The block pop-up setting was a check box under "Security". And the extensions were listed and able to be deleted under "Extensions" in preferences. An article on this is at How to block pop-ups in Safari - Apple Support.

It doesn't make sense.

Sure it does. Don't run McAfee. Just another example of why people don't recommend running antivirus software on the mac.

Simple put, Apple attempts to provide all the malware detection and removal you need in Mac OS X.

"Effective defenses against malware and other threats" by John Galt

https://discussions.apple.com/docs/DOC-8841

"Avoid phishing emails, fake 'virus' alerts, phony support calls, and other scams"

https://support.apple.com/en-ca/HT204759

"MalwareBytes Anti-Malware for Mac Removes adware and malware Revives your Mac." MalwareBytes has a more restrictive filter for adware than Apple. MalwareBytes has come to be accepted as the only malware detector you should consider. For those pestered by browser attacks consider MalwareBytes.

https://www.malwarebytes.org/antimalware/mac/

etrecheck

Run etrecheck. The first five runs are free. Provided a report on your machines hardware and software. Great for diagnosing your system. Click on the download link at the bottom of the screen.

http://etrecheck.com/

Well, you have to trust someone.

Do a google search on the proposed solution and see what other people are saying.

site:discussions.apple.com malwarebytes

site:discussions.apple.com etrecheck

There are lots of etrecheck reports around here. Just go through and manually look where etrecheck looks.

example:

Etrecheck - BIG problems.

R

This same message has been showing up on my iMac mid 2011 with OS 10.12.6 for about 2 weeks. As stated it takes three cancels for it to go away. Very suspicious. The only recent updates were Affinity Photo 1.6.7 and WiFi Explorer 2.4.2 both updated on the 7th of August which is about when this started showing up.

This just happened to me as well. I was working in Safari and it crashed. Then the message popped up. I installed malwarebytes and it said it detected something. When Iclicked to read the results, my computer restarted. Did not want to log in again because don’t want to give my password. Any suggestions?

Followed your instructions, found 'Citrix Online Web Deployment Plugin 1.0.0.105'. Looks like it is something related to GoToMeeting, GoToWebinar etc. Not sure if it is the culprit but the only other Plug-ins are Adobe Reader adn SharePoint Browser which I use for work.

Whatever is producing this message has nothing to do with Apple. The OS already has 100% control over the system, all the way down to root level. It doesn't need the user's permission to do anything, or even ask.

Apple can't protect every single user from themselves. You installed adware, or some form of malware from a download you installed. It's up to you to either figure out how to remove it, or restore you Mac from a backup that doesn't contain whatever you installed.

I had this problem. Actually, Apple support was very helpful in guiding me through the process of deleting offending extensions and turning off pop-ups in Safari's preferences. See my comment above for more info.