
AGENT FIXES IN MAC BUILD 9.0.1.31 - May 9th 2016


When we release a version update, it is load balanced across our global user base. As such, it can take up to 72 hours to apply to all endpoints.

Fixed

  • Bug fixes.

"Bug Fixes" is a bit vague.

Have they fixed detecting all sorts of plist entries as malware?

 
@ wrote:

"Bug Fixes" is a bit vague.

Have they fixed detecting all sorts of plist entries as malware?

We detect plist files on purpose; I am curious what you mean.
Here is one example:

Info.plist, Keylogger.SpectorPro.r, /Volumes/Time Machine Backups/Backups.backupdb/Simon's MBP/2016-04-06-025514.inProgress/7051187E-C23D-40FD-8A68-4FB40DB72C30/Macintosh HD/System/Library/Extensions/AppleKextExcludeList.kext/Contents, 00000000000000000000000000000000, 6 hours 30 mins 29 secs

This continuously breaks the Time Machine backups to an external drive.
@ wrote:

Here is one example:

Info.plist, Keylogger.SpectorPro.r, /Volumes/Time Machine Backups/Backups.backupdb/Simon's MBP/2016-04-06-025514.inProgress/7051187E-C23D-40FD-8A68-4FB40DB72C30/Macintosh HD/System/Library/Extensions/AppleKextExcludeList.kext/Contents, 00000000000000000000000000000000, 6 hours 30 mins 29 secs

This continuously breaks the Time Machine backups to an external drive.

There are some exceptions in place to resolve this, but there isn't much that we can do about it because Apple thought it was a good idea to put a list of PUAs and keyloggers in plain text for the system to read. The detection that you posted should no longer happen. One other thing to consider is not scanning your Time Machine, as there isn't anything that can be done with any file found in it by WSA. The files located on Time Machine are locked by the OS and require much more to remove. The best setup for scanning on a Mac is to not scan mounted drives, as the Real Time Shield will catch anything trying to run anyway.
If scanning the Time Machine backup is not a good idea, then shouldn't the agent just not do that by default instead of having to turn off something?

My clients expect the agent to sit there and do its job. And so do I, as I'm managing thousands of endpoints and I shouldn't have to log in locally on Mac systems to turn something like that off, as I have no real policy control from the GSM.

This really turns people off the product/service and I certainly hope that the development team can really get the Mac product up to snuff. It really seems half baked.
John,

Scanning external drives is completely up to you. By default the agent does its job and scans external drives; however, we are unable to determine what every customer that uses our client will name their backup. For instance, my backups are not called Time Machine, but it will react in the same manner. I am sorry that you feel that the product is not up to the par you would like; we are building out changes and advances for it every day. In certain instances such as this, where Apple builds out a list of known PUAs and keyloggers, we are going to have to work with them in order to address it. The detection that you posted was corrected six days after your client detected it. I was able to work out a way to stop detecting that file and future updates of that file without the clients having to make adjustments. These kinds of fixes are what we are trying to deliver.

As part of our Mac team, I promise that we are listening to the feedback from our clients and building from that. We are currently working on a 9.0.2 build that will help protect our clients even better. I have been running it against sample feeds that our competitors are not able to detect, and we are catching them every time. If you ever have feedback or ideas for the client, please do not hesitate to message me directly and I will be happy to provide you with any information I can. I am not only the Threat Research analyst but I assist with QA and the development process to help build out a better product and provide feedback from the field to our team.

Regards,
Really appreciate the responses.

I absolutely love SecureAnywhere as a whole, and I do hope that the OS X agent versions and their interaction with the console and its policies come up to par with the PC version.

Why do you think Apple builds out the list of known PUAs and keyloggers in plain text?

The AppleKextExcludeList.kext is a list of files/kernels that Apple allows to run without being signed. (We are actually on the list as well.) Apple has never been one to take on PUAs and keyloggers and therefore doesn't really care if they are on your system. They actually have a built-in app that is supposed to prevent malware from getting on the machine, which is called MRT.app (MalwareRemovalTool.app), but they also left their entire definition base unencrypted. Any intelligent malware researcher or malware writer can just open it and see what they are looking for and adjust accordingly. When I got into threat research, this was one of the things that I laughed about the most.
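As an added illustration of what a plaintext exclude list gives an attacker or a researcher, here is a small Python script that reads an exclude-list style plist and checks whether a given bundle identifier and version would be matched. This is example code, not code from the thread, from Webroot, or from Apple. The dictionary keys (OSKextExcludeList, OSKextSigExceptionList) and the "<OP> <version>" range syntax are assumptions about the real file's layout, and the plist embedded below is constructed for the example rather than copied from Apple's Info.plist.

```python
"""Added example: read a kext exclude-list style plist and match entries.

This is illustrative code, not Webroot's or Apple's. The dictionary keys
(OSKextExcludeList, OSKextSigExceptionList) and the "<OP> <version>" range
syntax are ASSUMPTIONS about the real file's layout; SAMPLE_PLIST below is
constructed for the example and is not a copy of Apple's Info.plist.
"""
import plistlib

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>OSKextExcludeList</key>
  <dict>
    <key>com.example.oldkeylogger.kext</key>
    <string>LE 2.1.0</string>
    <key>com.example.buggydriver</key>
    <string>LT 5.0</string>
    <key>com.example.onebadbuild</key>
    <string>EQ 1.4.2</string>
  </dict>
  <key>OSKextSigExceptionList</key>
  <dict>
    <key>com.example.unsignedvendor.driver</key>
    <string>ANY</string>
  </dict>
</dict>
</plist>
"""

# Assumed range operators in the "<OP> <version>" rule strings.
OPS = {
    "LT": lambda v, b: v < b,
    "LE": lambda v, b: v <= b,
    "EQ": lambda v, b: v == b,
    "GE": lambda v, b: v >= b,
    "GT": lambda v, b: v > b,
}


def parse_version(text, width=4):
    """'2.1' -> (2, 1, 0, 0): zero-pad so '2.1' and '2.1.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError("version has too many components: %r" % text)
    return tuple(parts + [0] * (width - len(parts)))


def rule_matches(rule, version):
    """Evaluate an assumed '<OP> <version>' rule against a concrete version."""
    op, _, bound = rule.strip().partition(" ")
    if op not in OPS:
        raise ValueError("unknown range operator: %r" % op)
    return OPS[op](parse_version(version), parse_version(bound))


def load_lists(plist_bytes):
    """Return (exclude_rules, sig_exceptions) dictionaries from the plist."""
    data = plistlib.loads(plist_bytes)
    return data.get("OSKextExcludeList", {}), data.get("OSKextSigExceptionList", {})


def is_excluded(plist_bytes, bundle_id, version):
    """True if the kext (bundle_id, version) is blocked by the exclude list."""
    exclude, _ = load_lists(plist_bytes)
    rule = exclude.get(bundle_id)
    return bool(rule) and rule_matches(rule, version)


def signature_exceptions(plist_bytes):
    """Bundle IDs permitted to load without a valid signature (assumed key)."""
    _, exceptions = load_lists(plist_bytes)
    return sorted(exceptions)


if __name__ == "__main__":
    for bid, ver in [("com.example.oldkeylogger.kext", "2.0.9"),
                     ("com.example.oldkeylogger.kext", "2.2"),
                     ("com.example.buggydriver", "5.0"),
                     ("com.example.onebadbuild", "1.4.2")]:
        print("%-32s %-6s excluded=%s" % (bid, ver, is_excluded(SAMPLE_PLIST, bid, ver)))
    print("signature exceptions:", signature_exceptions(SAMPLE_PLIST))
```

The point of the version padding is that a bump from 2.1.0 to 2.2 is enough to fall outside an "LE 2.1.0" rule, which is exactly why a readable exclude list is useful to whoever ships the excluded software.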
OH WOW.

I'm very interested in knowing more about this, as will another one of our company admins. Is there more explanation or documentation on this somewhere?

I got a feeling one of my company admins would like to hear/know more about this.

Here is a copy of the exclude list (I had to change the file type to .pdf to attach it, but just change it back to .plist); if you open it on Windows then you will need something like Notepad++ or the word wrap will be all over the place. I don't know of anything that calls Apple for this process; I'm sure I could write something, but no one really wants to be the one poking the bear.

As for the MRT.app, if you go to /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT and open that Mach-O file with a hex editor, then go down about half way, you will see why I thought it was funny...
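The hex-editor look described above can be reproduced in code with a strings(1)-style sweep over a Mach-O image. The script below is an added example, not code from the thread, from Webroot, or from Apple, and it does not contain the real MRT binary: the image it scans is constructed in place from a minimal fake Mach-O header, a filler "code" region and some invented definition-like names and paths. The signature-name shape that looks_like_definition() matches is an assumption made for the example.

```python
"""Added example: a strings-style sweep over a Mach-O image.

Illustrative code, not Webroot's or Apple's, and the real MRT binary is not
included: SAMPLE_DEFINITIONS and build_sample_image() are constructed here,
with a minimal fake Mach-O header, a filler "code" region and made-up
definition-like strings.
"""
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O magic, stored little-endian on x86_64
CPU_TYPE_X86_64 = 0x01000007

# Constructed sample: these names and paths are invented for the example.
SAMPLE_DEFINITIONS = [
    b"OSX.ExampleAdware.A",
    b"OSX.ExampleKeylogger.B",
    b"/Library/LaunchAgents/com.example.adware.plist",
]


def build_sample_image():
    """Fake header + filler bytes + a few symbol names + plaintext definitions."""
    header = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64)
    # Deterministic filler with no printable run longer than two bytes
    # (stepping by 73 mod 256 cannot stay inside 0x20..0x7e three times in a row).
    filler = bytes((i * 73 + 11) % 256 for i in range(512))
    symbols = b"__TEXT\x00_main\x00"
    body = b"\x00".join(SAMPLE_DEFINITIONS) + b"\x00"
    return header + filler + symbols + body + b"\xff" * 16


def is_macho64(image):
    """True if the first four bytes carry the little-endian 64-bit Mach-O magic."""
    return len(image) >= 4 and struct.unpack("<I", image[:4])[0] == MH_MAGIC_64


def extract_strings(image, min_len=4):
    """Every run of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


# Assumed shape of a signature name: OSX.<Family>.<Variant>.
DEFINITION_NAME = re.compile(r"^OSX\.[A-Za-z0-9]+\.[A-Z]+$")


def looks_like_definition(s):
    """Heuristic filter: a signature-style name or an absolute filesystem path."""
    return bool(DEFINITION_NAME.match(s)) or s.startswith("/")


def extract_definitions(image, min_len=4):
    """Printable strings that look like detection definitions rather than symbols."""
    return [s for s in extract_strings(image, min_len) if looks_like_definition(s)]


if __name__ == "__main__":
    image = build_sample_image()
    print("Mach-O 64-bit:", is_macho64(image))
    print("all strings:", extract_strings(image))
    for s in extract_definitions(image):
        print("  definition:", s)
```

Run against a real binary, the same two-stage approach (dump every printable run, then keep the ones shaped like names or paths) is what separates linker symbols such as __TEXT from the definitions an author would care about; on the sample image the symbols survive the first pass and are dropped by the second.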
Wow. Looking at that, it'd be super easy for people to muck around in there.

Anyway, thanks so much for all the explanations and your time. Really appreciated.
