Can EtreCheck find a Rootkit on an Apple Mac?

[Brawdy14]

Hello

Here's an extract from a local scan of a machine using EtreCheck.

Does everything appear to be in order?

The owner is using macOS Catalina Version 10.15.4 on a 27 inch iMac. There is a Time Machine backup to a WD 2TB ‘My Book’ external hard disk. A scan with EtreCheck showed the following detail. Does this extract from the scan report appear to be just as one might expect?

Drives:
disk0 – APPLE SSD SM0128L 121.33 GB (Solid State – TRIM: Yes)
Internal PCI-Express 8.0 GT/s x4 NVM Express
disk0s1 – EFI [EFI] 315 MB
disk0s2 [APFS Fusion Drive] 121.02 GB
disk2 [APFS Virtual drive] 2.12 TB (Shared by 5 volumes)
disk2s1 – M************ Data (APFS) [APFS Virtual drive] (Shared – 90.64 GB used)
disk2s2 – Preboot (APFS) [APFS Preboot] (Shared)
disk2s3 – Recovery (APFS) [Recovery] (Shared)
disk2s4 – VM (APFS) [APFS VM] (Shared – 4.30 GB used)
disk2s5 – Macintosh HD (APFS) (Shared – 11.13 GB used)

disk1 – APPLE HDD ST2000DM001 2.00 TB (Mechanical – 7200 RPM)
Internal SATA 6 Gigabit Serial ATA
disk1s1 – EFI (MS-DOS FAT32) [EFI] 210 MB
disk1s2 [APFS Fusion Drive] 2.00 TB
disk2 [APFS Virtual drive] 2.12 TB (Shared by 5 volumes)
disk2s1 – M************ Data (APFS) [APFS Virtual drive] (Shared – 90.64 GB used)
disk2s2 – Preboot (APFS) [APFS Preboot] (Shared)
disk2s3 – Recovery (APFS) [Recovery] (Shared)
disk2s4 – VM (APFS) [APFS VM] (Shared – 4.30 GB used)
disk2s5 – Macintosh HD (APFS) (Shared – 11.13 GB used)

disk3 – WDC WD10 EZEX-08WN4A0 1.00 TB
External USB 480 Mbit/s USB
disk3s1 – EFI (MS-DOS FAT32) [EFI] 210 MB
disk3s2 – M******2 (Journaled HFS+) 999.86 GB (746.38 GB used)

Mounted Volumes:
disk2s1 – M************ Data [APFS Virtual drive]
2.12 TB (Shared – 90.64 GB used, 2.02 TB available, 2.01 TB free)
APFS
Mount point: /System/Volumes/Data

disk2s4 – VM [APFS VM]
2.12 TB (Shared – 4.30 GB used, 2.01 TB free)
APFS
Mount point: /private/var/vm

disk2s5 – Macintosh HD
2.12 TB (Shared – 11.13 GB used, 2.02 TB available, 2.01 TB free)
APFS
Mount point: /
Read-only: Yes

disk3s2 – M******2
999.86 GB (746.38 GB used, 253.54 GB available, 253.48 GB free)
Journaled HFS+
Mount point: /Volumes/M********1

=

My thanks in advance for any helpful advice.

 

[chrfr]

Hello

Here's an extract from a local scan of a machine using EtreCheck.

Does everything appear to be in order?

The owner is using macOS Catalina Version 10.15.4 on a 27 inch iMac. There is a Time Machine backup to a WD 2TB ‘My Book’ external hard disk. A scan with EtreCheck showed the following detail. Does this extract from the scan report appear to be just as one might expect?

Drives:
disk0 – APPLE SSD SM0128L 121.33 GB (Solid State – TRIM: Yes)
Internal PCI-Express 8.0 GT/s x4 NVM Express
disk0s1 – EFI [EFI] 315 MB
disk0s2 [APFS Fusion Drive] 121.02 GB
disk2 [APFS Virtual drive] 2.12 TB (Shared by 5 volumes)
disk2s1 – M************ Data (APFS) [APFS Virtual drive] (Shared – 90.64 GB used)
disk2s2 – Preboot (APFS) [APFS Preboot] (Shared)
disk2s3 – Recovery (APFS) [Recovery] (Shared)
disk2s4 – VM (APFS) [APFS VM] (Shared – 4.30 GB used)
disk2s5 – Macintosh HD (APFS) (Shared – 11.13 GB used)

disk1 – APPLE HDD ST2000DM001 2.00 TB (Mechanical – 7200 RPM)
Internal SATA 6 Gigabit Serial ATA
disk1s1 – EFI (MS-DOS FAT32) [EFI] 210 MB
disk1s2 [APFS Fusion Drive] 2.00 TB
disk2 [APFS Virtual drive] 2.12 TB (Shared by 5 volumes)
disk2s1 – M************ Data (APFS) [APFS Virtual drive] (Shared – 90.64 GB used)
disk2s2 – Preboot (APFS) [APFS Preboot] (Shared)
disk2s3 – Recovery (APFS) [Recovery] (Shared)
disk2s4 – VM (APFS) [APFS VM] (Shared – 4.30 GB used)
disk2s5 – Macintosh HD (APFS) (Shared – 11.13 GB used)

disk3 – WDC WD10 EZEX-08WN4A0 1.00 TB
External USB 480 Mbit/s USB
disk3s1 – EFI (MS-DOS FAT32) [EFI] 210 MB
disk3s2 – M******2 (Journaled HFS+) 999.86 GB (746.38 GB used)

Mounted Volumes:
disk2s1 – M************ Data [APFS Virtual drive]
2.12 TB (Shared – 90.64 GB used, 2.02 TB available, 2.01 TB free)
APFS
Mount point: /System/Volumes/Data

disk2s4 – VM [APFS VM]
2.12 TB (Shared – 4.30 GB used, 2.01 TB free)
APFS
Mount point: /private/var/vm

disk2s5 – Macintosh HD
2.12 TB (Shared – 11.13 GB used, 2.02 TB available, 2.01 TB free)
APFS
Mount point: /
Read-only: Yes

disk3s2 – M******2
999.86 GB (746.38 GB used, 253.54 GB available, 253.48 GB free)
Journaled HFS+
Mount point: /Volumes/M********1

=

My thanks in advance for any helpful advice.

That report shows nothing but information about the disks on the computer. There's no software information at all, so no possibility of finding any sort of malware that might be installed.

 

[Brawdy14]

I much appreciate your response 'chrfr'. At this stage, I simply want to know if the disc set-up appears normal.

Someone reading here MAY know the answer to the question in the thread header, viz:-

Can EtreCheck find a Rootkit on an Apple Mac?

 

[satcomer]

Try the free version of MalwareBytes.com Mac (thirty day trial that will only do manual scans) !

 

[chrfr]

I much appreciate your response 'chrfr'. At this stage, I simply want to know if the disc set-up appears normal.

Someone reading here MAY know the answer to the question in the thread header, viz:-

Can EtreCheck find a Rootkit on an Apple Mac?

There's no solid answer. EtreCheck is good at reporting startup processes and installed software and sometimes that information can be used to determine whether there is some sort of malware installed on the computer. There is nothing in the list of disks and partitions you posted that looks abnormal but that is no assurance whatsoever that malware isn't installed on the computer.

 

[Brawdy14]

Try the free version of MalwareBytes.com Mac (thirty day trial that will only do manual scans) !

Sadly, that doesn't answer my question.
[automerge]1590515255[/automerge]

There's no solid answer. EtreCheck is good at reporting startup processes and installed software and sometimes that information can be used to determine whether there is some sort of malware installed on the computer. There is nothing in the list of disks and partitions you posted that looks abnormal but that is no assurance whatsoever that malware isn't installed on the computer.

It's good to know that all appears to be in order with regard to the disks and partitions.
I understand your stated reservation. Thank you.

Do you have any idea why there are asterisks after the letters M? e.g. M************

 

[bogdanw]

Can EtreCheck find a Rootkit on an Apple Mac?

No, it can not. Most of the times, EtreCheck tries to scare users with meaningless warnings into buying their "Power User Package"

 

[chrfr]

Do you have any idea why there are asterisks after the letters M? e.g. M************

It's just for "privacy" in case the disk name might reveal something about the user.

 

[Taz Mangus]

No, it can not. Most of the times, EtreCheck tries to scare users with meaningless warnings into buying their "Power User Package"
View attachment 918880

Wow! Good to know.
[automerge]1590516513[/automerge]

Try the free version of MalwareBytes.com Mac (thirty day trial that will only do manual scans) !

Sadly, that doesn't answer my question.

I thought @satcomer suggestion was a really good one.

 

[Brawdy14]

Wow! Good to know.
[automerge]1590516513[/automerge]
That didn't sound too good, did it!

I thought @satcomer suggestion was a really good one.

There is no connection between Malwarebytes (I'm familiar with the product and do use it) and the question I asked!

Can EtreCheck find a Rootkit on an Apple Mac?
[automerge]1590518660[/automerge]

It's just for "privacy" in case the disk name might reveal something about the user.

Does the letter "M" not have ANY significance?

 

[chrfr]

There is no connection between Malwarebytes (I'm familiar with the product and do use it) and the question I asked!

Your question has been answered several times, but you can't dictate the way a thread evolves, either.
You also need to understand that the data you provided cannot be used to answer your question whatsoever.

 

[KALLT]

Does the letter "M" not have ANY significance?

99,9% sure that “M************ Data” is just the “Macintosh HD – Data” volume, which is the data volume that accompanies the “Macintosh HD” volume on macOS Catalina. I do not see a reason why this should be redacted when the accompanying volume name is clearly visible; this is something the developer of Etrecheck chose to do for some reason.

In any case, chrfr answered your question. There isn’t anything abnormal in that output you showed; if that proves anything at all. EtreCheck can detect some known mal-/adware as well as programs that launch automatically, but without more information (full report, hardware info, version info etc), nobody can give any assurances here.

 

[Brawdy14]

It's just for "privacy" in case the disk name might reveal something about the user.

Thank you. Understood.

 

[etresoft]

99,9% sure that “M************ Data” is just the “Macintosh HD – Data” volume, which is the data volume that accompanies the “Macintosh HD” volume on macOS Catalina. I do not see a reason why this should be redacted when the accompanying volume name is clearly visible; this is something the developer of Etrecheck chose to do for some reason.

It's just a bug. I forgot to exempt "Macintosh HD Data" from the redaction exemption list due to Catalina's new behaviour and didn't notice it until a couple of weeks ago.

No, it can not. Most of the times, EtreCheck tries to scare users with meaningless warnings into buying their "Power User Package"
View attachment 918880

The major and minor issues are certainly not designed to "scare users" into purchasing the Power User package. Any features related to security issues, such as those listed above, are available for for free.

Many of the features and content of EtreCheck are designed for people who have no knowledge of computers. They often have no idea what software is installed and running 24x7 on their computers. Those are the people that EtreCheck is designed to help. As the screenshot above suggests, the ideal response to these issues is to post a question on Apple Support Communities and include a copy of an EtreCheck report. This functionality is also available for free.

The Power User package is designed for those people that want to run EtreCheck on a regular basis and review the report on their own. The free report for posting on the internet is a wall of undecipherable text for most people. The Power User package breaks that up into digestible chunks with lots of supporting information and links. And because of problems from people like Brawdy14, it also provides an option for people who don't want to post anything on the internet. For more advanced users like on this forum, the Power User package also has a very powerful Analytics display that is unavailable in any other app.

I realize that some people don't like it when developers charge money for features. Consumer software, with free content, is just a beast. Of course everyone loves free. But without some means of support, there is no software at all. If anyone has a good idea to crack that problem, I would love to hear it. I tried adding powerful, one-of-a-kind features like the Analytics display. What did I get from that? Tumbleweeds and crickets. Another idea is heavy marketing, which I'm not willing to do. I know what EtreCheck can and can't do. In spite of my many efforts, like this one, to educate people about what EtreCheck is and what it really does, people sometimes still don't get it. So I don't want to do that either, yet people still accuse me of "fear mongering". <big sigh>

 

[bogdanw]

...

Labeling “No Time Machine backup” as a major issue is misleading. Other backup software exists, not to mention copy-pasting to an external drive.

“Unsigned files” shows a list of Launch Agents and Launch Daemons from Microsoft, Google, VirtualBox. How do you sign plist Launch Agents and Launch Daemons? More, it doesn’t compare hashes, just the names to announce: “Exact match found in the whitelist – probably OK”

I haven’t heard of malware that tries to disable SIP. It doesn’t need to, as it can gain root access through simpler means, most often by politely asking the user for the password.

“Apple security disabled” seems to be triggered again by SIP being disabled and “Antivirus software None!” It isn’t clear if that refers to third party antivirus software or to Gatekeeper, which was actually enabled on the system.

 

[etresoft]

Labeling “No Time Machine backup” as a major issue is misleading. Other backup software exists, not to mention copy-pasting to an external drive.

You certainly aren't the first person to make that complaint. EtreCheck is for people who don't know about backups at all. I regularly see people on Apple Support Communities who only learn about backups after they realize they need them. My own aggregate data from EtreCheck reports says that only 39% of people have up-to-date Time Machine backups. I'm pretty sure that few of that other 61% are using SuperDuper! or Carbon Copy Cloner. (I can give you exact numbers on that if you want. Come to think of it, that wouldn't be a bad idea. Thanks!) I realize this annoys some people, but I'm standing by it.

“Unsigned files” shows a list of Launch Agents and Launch Daemons from Microsoft, Google, VirtualBox. How do you sign plist Launch Agents and Launch Daemons? More, it doesn’t compare hashes, just the names to announce: “Exact match found in the whitelist – probably OK”

EtreCheck is looking for a signature in the executable file that the plist (or its in-memory representation) references. All of those apps should be signed. You may be using old versions. Sometimes auto-updaters like Sparkle can break signatures too.

There is no way I can track hashes for all apps. The whitelist just looks at the file names. That's why it says "probably".

Apple has said that unsigned software will not run by default in a future version of the operating system. Earlier versions of EtreCheck did use a bit of fear-mongering by raising the "adware" possibility in the note. The current version now references Apple's statement about unsigned software. However, if you have unsigned software that isn't in the whitelist, you'll still get the "could be adware" warning.

This is a big topic with a lot of valid criticisms of EtreCheck's approach. Ultimately, it's just me and I do what I can. I can't manage a huge amount of research, hashes, or the cutesy malware codes like "OSX.Fruitfly". I can barely manage the whitelist. People who see files purportedly from "Microsoft" flagged as adware do complain. But they are only complaining because they see the word "Microsoft". There really isn't a true signature there that identifies it. That's a complicated concept for most people and a regular annoyance. But then again, EtreCheck does catch a lot of adware and malware. In many cases, because of EtreCheck's design based on signatures, it will catch these files before any popular "antivirus" tool can do it. I wish I could do a better job of managing this. It has always bothered me. But it is effective for the vast majority of people and only annoys a few. It is one of many issues that EtreCheck has to deal with.

I haven’t heard of malware that tries to disable SIP. It doesn’t need to, as it can gain root access through simpler means, most often by politely asking the user for the password.

Malware doesn't disable SIP and couldn't. This is a problem for people following bad advice they read on the internet. There are valid reasons to disable SIP. But in most cases, you can just re-enable it afterwards. If you need to do something really complicated, you can just disable the parts that you need and keep the rest in place. EtreCheck will still flag that, but it is far better than just disabling SIP.

“Apple security disabled” seems to be triggered again by SIP being disabled and “Antivirus software None!” It isn’t clear if that refers to third party antivirus software or to Gatekeeper, which was actually enabled on the system.

This message could be triggered by disabling SIP, disabling security updates, or disabling Gatekeeper. There is a lot of "social engineering" in this section. Again, people sometimes follow bad advice and disable security updates when they just mean to disable automatic OS updates. And many software developers recommend disabling Gatekeeper completely instead of just overriding it for their own apps so they can save $99.

Also, I am trying to communicate to people that Apple does provide multiple layers of malware protection. Many people don't know that. And yes, there is a huge debate over how much protection from adware Apple provides - short answer, virtually none. The irony here is that this isn't even about "adware" or "malware" per se. The big problem here is scam-ware. There actually isn't very much Mac adware and virtually no malware. The goal here is to get people to research what software they are using. When they do that, hopefully they will realize if they have installed scam ware or one of the more problematic, albeit still legitimate, security packages.

 

[Brawdy14]

Also, I am trying to communicate to people that Apple does provide multiple layers of malware protection. Many people don't know that. And yes, there is a huge debate over how much protection from adware Apple provides - short answer, virtually none. The irony here is that this isn't even about "adware" or "malware" per se. The big problem here is scam-ware. There actually isn't very much Mac adware and virtually no malware. The goal here is to get people to research what software they are using. When they do that, hopefully, they will realize if they have installed scam ware or one of the more problematic, albeit still legitimate, security packages.

Is there ANY need, ever, to download and install ClamXAV onto an Apple Computer?

If you do think so - please explain WHY.

Is there anything which Linc Davis said here https://discussions.apple.com/thread/6460085 with which you disagree?

FWIW, Apple Support has told me during telephone conversations that the ONLY external AV software which they support is Malwarebytes.

 

[chrfr]

Is there ANY need, ever, to download and install ClamXAV onto an Apple Computer?

If you do think so - please explain WHY.

Is there anything which Linc Davis said here https://discussions.apple.com/thread/6460085 with which you disagree?

FWIW, Apple Support has told me during telephone conversations that the ONLY external AV software which they support is Malwarebytes.

Why is it the responsibility of the EtreCheck developer to explain why someone might install an antivirus product on a Mac?

 

[kohlson]

Is there ANY need, ever,

Absolutely. Not.

 

[Brawdy14]

Why is it the responsibility of the EtreCheck developer to explain why someone might install an antivirus product on a Mac?

The EtreCheck developer and some other 'guru's posting on the ASC forums, actively support the use of ClamXAV on Apple computers.

Not just ANY AV - just the ClamXAV product in particular. What is so special about such a tiny operation? It has few supporters. https://www.facebook.com/clamxav/

I have NEVER seen the developer of ClamXAV post questions or answer questions in the ASC forums yet, at some time in the past, I believe ClamXAV was available from the Apple App Store. What changed? Why was the product expelled?

 

[chrfr]

I believe ClamXAV was available from the Apple App Store. What changed? Why was the product expelled?

How do you know it was "expelled?" Because of the sandbox restrictions in App Store apps, no antivirus product made available there can work very effectively. It makes sense that it's no longer offered through there.

ClamXAV | Leaving the App Store

Why we decided to remove ClamXAV from the Mac App Store

www.clamxav.com

ClamXAV, at least in the past, is nothing more than a more polished Mac front end to the open source ClamAV product. I don't know if that's changed.

I have to say that your repeated pursuit of Etrecheck and ClamXAV in these forums is a bit strange.
What's to be learned in this thread vs. your earlier one here: https://forums.macrumors.com/thread...velopers.2167908/?post=27059397#post-27059397
or here

Is Etrecheck safe to use and is this safe place to download?

Hello! I wanted to check my system and heard about EtreCheck. 1) Is it safe app to use? 2) Is this safe place to download it from?

forums.macrumors.com

Is this thread actually about whether or not Etrecheck can find a rootkit, or is it about something else entirely?

 

[Weaselboy]

Moderator Note:

Looks like OP's original Etrecheck question has been answered and the thread has drifted off into an unrelated debate about ClamXAV. Thread closed.