Concerned about spyware and drive-by downloads on my Macbook Pro

Hello!


I'd like to preface this discussion by stating that I am a very, very paranoid person. Currently I'm wearing a "tinfoil hat," so to speak. I know that there are a bunch of procedures in the Mac OS Firmware that protect the computer from malware installation, but I came to try and put this paranoia to rest with the help of external input from other users.


A while ago, I became very concerned that I may have gotten a keylogger from an email sent by Google. (It was one of those "security alerts" that I found out was legitimate.) I searched the internet for information regarding whether or not a mac could get infected by such forms of spyware- and I found that the only means to be infected involved someone with my admin password gaining access to my computer, or through downloading programs and providing my own admin password to bypass Gatekeeper. I then stumbled across a thread from 2012, wherein one user provided a URL- http://www.keylogger-for-mac-os-x.com/how-to-detect-a-mac-keylogger.html


Because I was unaware of the link's contents (instead of the URL, there was a hyperlink reading "how to detect a Mac Keylogger") I clicked it blindly. I'm kicking myself for doing this. Essentially, the link led to an HTML page stating something about the Domain Name, or something like that. I panicked afterward, having read about drive-by downloads in the past.


I ran the site through a VirusTotal scan, and 0/64 sites detected it as malicious. I also ran a computer scan with MalwareBytes, which showed that I was clean. However, I am concerned about Mac's vulnerability to drive-by downloads. I am using the Google Chrome browser, rather than Safari- (I feel that's somewhat relevant information.)


My computer is running High Sierra, v 10.13.3. It is a late 2016 model (with a touchbar.)


If someone could update me about the vulnerability of a High Sierra macbook to drive-by downloading on Chrome, that would be great. I just want to ease my paranoia, as it's becoming a pretty serious detriment to my overall mental health.


If any further information is needed, let me know and I can provide it.


Posted on Aug 27, 2018 11:46 AM

Question marked as Top-ranking reply

Posted on Aug 27, 2018 5:39 PM

mckaze wrote:


Given my (likely misplaced) concerns about the legitimacy of the file, knowing its function is reassuring. The only thing I am still curious about is why it is unnamed in the activity monitor? (It shows up as a blank entry.)


Is that out of the ordinary?


It's just a bug in the OS. Apple's "FollowUpUI" program (located at /System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Resources/FollowUpUI.app) has an error in one of its metadata files. Apps are able to adjust their metadata for various reasons. A common reason is to display differently in different languages. For example, if you change your language to French, your Applications directory will suddenly look a whole lot different:

[User-uploaded screenshot: the Applications folder shown with French display names]

Take "Aperçu" for example. That's French for "Preview". There is a "display name" in the French metadata for Preview that makes it display that way in French. If you switch your language back to English, it goes back to "Preview" as if nothing happened.


For whatever reason, the FollowUpUI app from Apple has a "display name" in the language-independent metadata file - and it is blank. Therefore, it shows up in Activity Monitor as a phantom process with no name. Someone else mentioned this issue a while back so that is how I know about it. I wasn't able to find the thread where it was discussed.


To clarify how Safari works, it is possible to do "drive-by" downloads of files. That is how the whole web works in the first place. When you came to this site, you didn't specifically request to download 2 HTML files, 35 images, 25 Javascript files, and 17 stylesheet files, but that's what it did. Safari silently handled most of those files without issue. But sometimes, there can be a bug in the software of the web server and some of those files might get downloaded to your Downloads folder. And sometimes, true malware can attempt a drive-by download too.


But the important thing to remember about a Mac is that your Downloads folder can be stuffed to the brim with real, live malware and it won't hurt a thing. Just having files sitting on disk can't hurt you. They would have to be installed and executed before they could cause any harm. That is where Apple's malware protection that leroydouglas so nicely described above will kick in.


That is also where most antivirus companies try to fool people. They try to make people think that those files are harmful. Maybe you could figure out how to disable all of those layers of Apple security protection (hint - it's not easy). Maybe you would feel a sudden urge to e-mail those Windows viruses in your downloads folder to all your friends using Windows. That is why they want to scan your whole disk. They always find something. But most often it is some critical index file deep within your Mail or Photos database and it quarantines the file, thereby corrupting your Mail or Photos data.


I can't claim that Apple is perfect. After all, I just described a silly bug that would take 2 minutes to fix. But generally, someone's Mac is the most secure the day they open the box. Humans are always the weakest link. Cracking through Apple's defences is hard. Most savvy hackers just display a fake "you've been infected with 3 viruses" pop-up or a pop-up that says "Flash Player outdated - download update to watch Avengers: Infinity Wars for free!". Sadly, too many people will click through, bypass Apple's security, and install the malware. On a Mac, you have to make an effort to install malware.


Aug 27, 2018 12:24 PM in response to mckaze

Hello mckaze,

Unless you have disabled the Mac's built-in security protection, then it is not possible to have any "drive-by" installs. Any software you download from the internet will alert you that it was downloaded. If the software isn't signed, as most malware and adware isn't, then you will be blocked from installing it. If you force the OS to bypass that and attempt to install known malware, then the OS will still block it.

Aug 27, 2018 12:24 PM in response to mckaze

Apple uses its Software Update service (which also drives the system software updates that show in the App Store or via the softwareupdate command-line tool) as a mechanism for installing “background and critical” updates that are installed silently in the background with no notifications to the user.


You are not going to find detailed information on GateKeeper, XProtect, MRT, SIP outside the walled garden of Apple. This would give all hackerware/malware a leg up.


The macOS uses these to combat malware:


Gatekeeper mechanism, central to security services, which tries to ensure that any code loaded is ‘safe’. Code signatures are only part of this.


XProtect checks the security and integrity of files in broader ways too. Vulnerable document types, such as JPEG images, are also screened to ensure that they’re not malicious.


Apple’s Malware Removal Tool is an app which often complements XProtect’s signature-based screening, and can automatically remove all traces of many different species of malware.


System Integrity Protection which ensures that nothing can tamper with key system files, or even Apple’s bundled apps.

Aug 27, 2018 1:10 PM in response to mckaze

The key philosophy behind what MacOS does is that bit-patterns, even patterns that are the same as known viruses, are not inherently malicious. Feel free to download known Viruses onto your Mac all day long.


The real threat is allowing those patterns to become executable, or be stored in system directories, or to modify anything in system directories.


MacOS built-in protections are built around that choke-point.


"Downloaded something bad to my Mac..." -- not to worry. Unless you give permission, it cannot be installed, and it can not hide in System Directories.

Aug 27, 2018 1:23 PM in response to mckaze

that this means I have very little, if anything, to worry about, correct?

yes, BUT: this does not excuse you from being Vigilant.


If you get a Flash Player update that tells you it came from flash.MalwareWorks.net and you install it anyway, then you will have malware installed.


El Capitan implemented System Integrity Protection, which locked the System Directories and put away the Root user. If you defeat that, you can "catch" spontaneous infections.

Aug 27, 2018 7:49 PM in response to mckaze

MalwareBytes was written by a member of these forums a few years ago. It was called AdwareMedic then. MalwareBytes bought him out and now he jets back and forth to security conferences and doesn't post much here anymore.


DetectX is also written by a member of these forums. This fellow hasn't cracked the big time yet, but is trying. He also hasn't posted here for a long time.


To date, no one has made any offers for EtreCheck. I am continually working on the next great EtreCheck version, so I don't post much anymore either.


We are all more or less reputable, some more and some less. Obviously I'm biased towards EtreCheck, but both MalwareBytes and DetectX are also legitimate apps. It is good to be vigilant though. There are many other apps, with bigger marketing budgets than all of us combined, that are far less legitimate. When in doubt, do a search on Apple Support Communities and look for a consensus. There are a handful of other honest forums you could search too. But a general web search will return mostly scams.

Aug 27, 2018 1:46 PM in response to mckaze

mckaze wrote:


One more thing I found notable;



"/System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Resources/FollowUpUI.app/Contents/MacOS/FollowUpUI"




There will literally be 100's if not 1000's of things you are going to see in Activity monitor you will have no idea about.


Your ".../FollowUpUI" loads MapKit, CoreFoundation, AppKit, CoreLocation, and Maps etc.



I suppose if you use Xcode you could open the .NIB files to examine the GUI and then you can tell me.

Aug 27, 2018 1:18 PM in response to Grant Bennet-Alder

So even if the site I visited did download some form of malware or a keylogger, are you suggesting that the keylogger would have no way of running without my express permission? (Admin password and an installation process, and all that?)


I'm the only person with access to this computer, so I assume that this means I have very little, if anything, to worry about, correct?


Just to reiterate I'm a very paranoid person by nature, and this field of programming scares me quite a bit. However, it is interesting to learn more about the security protocols that Apple puts into place to protect users against this type of stuff.

Aug 27, 2018 1:32 PM in response to mckaze

One more thing I found notable;


I looked in the Activity Monitor to view all my running processes and found an unnamed process- it had a standard application icon. The area where the process name would be displayed was blank.


Any idea what that might be? I'm probably just taking something minor and blowing it out of proportion, if what has been said already about malware and keylogging programs not being able to install themselves is true. Using Terminal, I looked up the application's PID, which gave me this:


"/System/Library/PrivateFrameworks/CoreFollowUp.framework/Versions/A/Resources/FollowUpUI.app/Contents/MacOS/FollowUpUI"


If someone could explain to me what this process is and what its function is, I would be super grateful. Thx- mckaze

Aug 27, 2018 1:38 PM in response to leroydouglas

According to terminal, I'm running V2099. That's a relief- my system protection seems up to date. Apple's lack of mentioning these functions seems to be a good security feature in and of itself, honestly- I'm no programmer, but it seems like it would be very difficult to generate malware given only minimal knowledge of how the OS' built-in defensive processes run.


Regarding Grant's answer;


Even so, the installation of this hypothetical malware is still authorized by the user, correct? I'm generally very vigilant about applications and programs that are installed onto the computer- I was more scared of what could potentially be installed without my authorization. However, it seems that there isn't much to worry about given your answers (hopefully 😕)

Aug 27, 2018 12:07 PM in response to etresoft

Ok, so essentially- a Macbook cannot get drive-by downloads because the system notifies the user of any programs that have been installed and requests permissions to proceed with the installation? If so, then that's a sigh of relief.


You also mentioned; "Any software you download from the internet will alert you that it was downloaded."


Is this an OS X-specific security protocol? I've heard that on PCs drive-by installs exploit vulnerabilities in browsers to install software without notifying the user at all, let alone requesting user permissions.


I don't mean to come off as distrustful. I just want to be absolutely certain that my computer is safe. Also, I've used your software to try and diagnose any preexisting issues on the computer- EtreCheck does a great job of running diagnostic and performance checks.

Aug 27, 2018 1:32 PM in response to mckaze

mckaze wrote:


Is the Software Update Service apple's only means of installing programs silently?


Apple, true to form barely mentions these crucial systems in its documentation, and as far as I know never publicly announces pushing these security updates.


Yes the only means—the Software Update Service is how you stay up to date, current and protected.



You can see the current version of XProtect on your machine, the last XProtect update was version 2099.


If you are familiar with running terminal commands, copy and paste:


defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version
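The thread touches three checks a cautious Mac user can run themselves: leroydouglas's `defaults read` of the XProtect version, mckaze's lookup of a process's executable path by PID, and etresoft's point that downloaded files are flagged so the system can warn about them (the `com.apple.quarantine` extended attribute that Gatekeeper consults). The script below is an added example, not code posted by anyone in the thread, that gathers those read-only checks into one place. It assumes the XProtect.meta path quoted above (macOS 10.13 era), an MRT.app location under /System/Library/CoreServices, the usual `csrutil status` / `spctl --status` output wording, and the `flags;timestamp;agent;uuid` layout of the quarantine attribute; the decision logic sits in functions that take command output as arguments so it can be exercised on constructed strings.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): read-only posture check of the
# built-in macOS protection layers discussed above, plus the PID and download lookups.
# Assumptions: XProtect.meta path as quoted in the thread (10.13 era); MRT.app path,
# csrutil/spctl output wording and the quarantine xattr layout are assumed.
# Usage on a Mac:  sh mac_posture.sh [PID] [downloaded-file]

XPROTECT_META=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta
MRT_INFO=/System/Library/CoreServices/MRT.app/Contents/Info.plist   # assumed location

parse_sip_status() {
    # Input: output of `csrutil status`, e.g. "System Integrity Protection status: enabled."
    case "$1" in
        *disabled*) echo disabled ;;
        *enabled*)  echo enabled ;;
        *)          echo unknown ;;
    esac
}

parse_gatekeeper_status() {
    # Input: output of `spctl --status`, e.g. "assessments enabled"
    case "$1" in
        "assessments disabled"*) echo disabled ;;
        "assessments enabled"*)  echo enabled ;;
        *)                       echo unknown ;;
    esac
}

parse_quarantine_agent() {
    # Input: value of the com.apple.quarantine xattr a browser stamps on a download;
    # the third ';'-separated field names the downloading application (assumed layout).
    # Prints "none" when the attribute is absent (empty input).
    [ -z "$1" ] && { echo none; return; }
    old_ifs=$IFS; IFS=';'; set -f; set -- $1; set +f; IFS=$old_ifs
    [ -n "$3" ] && echo "$3" || echo unknown
}

is_sip_protected_path() {
    # SIP locks /System, /usr (except /usr/local), /bin and /sbin. With SIP enabled,
    # an executable living there could not have been written by a download.
    case "$1" in
        /usr/local/*) return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

posture_verdict() {
    # $1 SIP state, $2 Gatekeeper state, $3 XProtect version (empty if unreadable)
    if [ "$1" = enabled ] && [ "$2" = enabled ] && [ -n "$3" ]; then
        echo ok
    else
        echo degraded
    fi
}

if [ "$(uname)" = Darwin ]; then
    sip=$(parse_sip_status "$(csrutil status 2>/dev/null)")
    gk=$(parse_gatekeeper_status "$(spctl --status 2>/dev/null)")
    xp=$(defaults read "$XPROTECT_META" Version 2>/dev/null)
    mrt=$(defaults read "$MRT_INFO" CFBundleShortVersionString 2>/dev/null)
    echo "SIP: $sip  Gatekeeper: $gk  XProtect: ${xp:-unreadable}  MRT: ${mrt:-unreadable}"
    echo "Verdict: $(posture_verdict "$sip" "$gk" "$xp")"

    # Where does a process live, and is that location SIP-protected?
    if [ -n "$1" ]; then
        exe=$(ps -p "$1" -o comm= 2>/dev/null)
        if is_sip_protected_path "$exe"; then where=SIP-protected; else where=user-writable; fi
        echo "PID $1 -> ${exe:-not found} ($where)"
    fi

    # Which application downloaded a given file?
    if [ -n "$2" ]; then
        q=$(xattr -p com.apple.quarantine "$2" 2>/dev/null)
        echo "$2 downloaded by: $(parse_quarantine_agent "$q")"
    fi
fi
```

The verdict deliberately reports "degraded" rather than "infected": a disabled SIP or Gatekeeper does not mean something got in, only that the choke-point the other replies describe is no longer enforced. The PID lookup answers the question mckaze asked in Terminal and adds whether the path is one SIP protects, which is how the blank-named FollowUpUI entry can be recognised as an Apple component rather than a planted binary.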

Aug 27, 2018 1:53 PM in response to leroydouglas

Given my (likely misplaced) concerns about the legitimacy of the file, knowing its function is reassuring. The only thing I am still curious about is why it is unnamed in the activity monitor? (It shows up as a blank entry.)


Is that out of the ordinary?


Apologies if I'm digging too deep into this. I feel that my computer is otherwise most likely fine.
