
Tezcatlipoca

macrumors regular
Original poster
May 23, 2012
214
6
Cambridge, UK
I've got a Mid 2011 iMac - it's my first ever Mac and I've only had it since July, when I finally moved away from Windows after many many years.

I noticed a strange value in Activity Monitor on Sunday evening, under Data Sent. It was over 2GB, which made no sense to me as there's no way that I uploaded that much data over the internet or the local network since I booted up my iMac on Sunday afternoon.

I use iCloud and iTunes Match. However... I don't have that much stuff on iCloud on my iMac, just a few small documents. And although I use iTunes Match it is fully up to date plus iTunes was not even running at the time.


I did stream ~600-700MB of video from my iMac over the local network earlier on Sunday afternoon, along with ~1.3GB on Saturday night, and probably another ~1GB on Saturday afternoon.


The data streamed on Saturday night and on Sunday afternoon could well add up to the value I saw on Sunday evening under Data Sent, but:

- I shut down my iMac on Saturday night, after streaming the ~1.3GB of video, and in my experience Data Sent resets with each boot (it certainly has each time since Sunday).

- The value seen on Sunday did not include the amount streamed earlier on Saturday afternoon, so if it *didn't* reset upon booting on Sunday, why would it include the Saturday night data but not the Saturday afternoon data?


What could have caused this value?


Having used Windows for years, I've come to be quite paranoid regarding malware, plus I am generally rather paranoid anyway.

I know that many people claim that you do not need anti-virus/anti-malware software on a Mac as they claim the chance of infection is extremely low, but even if there are no Mac viruses in the wild the whole Flashback thing has shown that Mac malware does exist and can infect Macs easily (at least given the right circumstances).

So... I'm worried that if this is not simply a case of Activity Monitor screwing up somehow (likely?), it could be due to some sort of malware infection? Possible, impossible? Likely, unlikely?


I use Google Chrome as my browser. I do have Java installed (and up to date), but only use it for PS3MediaServer - Java is disabled within Chrome (and Safari).

Mountain Lion is up to date - 10.8.2.

Gatekeeper is set to the "medium" setting: "Mac App Store and identified developers". I do have some software installed that isn't signed, which I have installed via deliberately overruling Gatekeeper by right-clicking and hitting open, but it's genuine and legitimate software from trusted sources, that I always scan with ClamXav first and also verify checksums for if available.

I've tried out a few AV apps (in turn - never had more than one installed at a time) to try and reduce my paranoia, some free and some demos of paid versions: Sophos, Avast, MacScan, Kaspersky, Avira, Intego.

All have come up clean so far.

Sophos did later go funny and lose its real-time protection, but I think I've seen that before during a previous period I had it installed, and I think I've seen it do that on my iMac at work too - it doesn't always load properly.

Given whatever is built into 10.8.2, given my Gatekeeper setting, and given that the AV scans so far have been clean, can I be certain that my system is genuinely clean? There's nothing out there that could have infected me via browsing with Chrome, sent 2GB of data out, and then stayed hidden from every AV app or maybe even removed itself to prevent it being detected? OK, so Java is disabled, but can Javascript also be an attack vector? Chrome's built-in Flash? Could something install without me manually allowing it to do so?

I know I sound rather paranoid, but, well, that's how I am! :( I "ruminate and catastrophise" over things...:rolleyes:
 

cyclotron451

macrumors regular
Mar 16, 2005
220
1
Europe
Hi Matt D,
Well, there is of course malware available to be deployed on OS X, both the 'amateur' variety and the 'pro' versions. Most people find that the AV products for Mac are more trouble than they are worth - I have run Sophos, but I'm equally as good as or better than AV at spotting phishing emails - and most if not all of the daily attacks have had win32 exe's. The last virus I saw on a Mac was on an OS7 Virtual Valerie 'trial version'.

The true likelihood of you being 'attacked' is purely and simply related to the perceived value of the information that you retain on your system.
If you have a stash of dubious MP3s then UK BISA or RIAssA Professionals could stuff a trojan at you via a fake Adobe Flash upgrade or an iTunes rollout, but it's unlikely; if you have elbonian national secrets on your iMac then many agencies will already have your data, having invested $10k to take your stuff.

If you're doing a Dyson (inventing amazingly expensive new stuff), then you ought to consider keeping your secrets on your iPad (but not on the cloud) (with encrypted backups to your iMac). As far as I can track, there is a single malware exploit available to governments for iPad attack - everything on a lesser budget is so far blocked by its decent security!

On the bright side, the NSA recently openly adopted the very reasonable security point of view of always assuming that their networks ARE compromised. If you don't have NSA-level secrets, then you probably don't need to assume this yourself; however, in network security a bit of paranoia is a good thing!

Specifically on "Data Sent" in Activity Monitor - my system is currently running around 250MB sent with 4.6GB received - I've not the faintest idea what this refers to and over which period! Google might know..?

Activity Monitor is unlikely to be faulty - you can access a command line version by opening a Terminal and typing "top" - the header of all the live running processes will similarly give the 'live' raw-data of your iMac:
Networks: packets: 4098220/4731M in, 2679284/252M out.
Disks: 1321020/23G read, 1055410/37G written.

In my case this matches completely with Activity Monitor.

Little Snitch, as mentioned, is so good (but sometimes over the top with alerts) that some badware authors have checked if Little Snitch is installed on your Mac, with malware allegedly aborting install having noticed the Little Snitch folder.
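An added example, not code from the thread or from Apple: a small POSIX shell script that parses the "Networks:" header line quoted above from `top` and converts the human-readable counters into bytes, so the "out" figure can be checked against an upload you know about (a stream, a backup) instead of eyeballed. It assumes `top`'s K/M/G suffixes are 1024-based and that the counters are cumulative since boot, as the original poster observed for Activity Monitor's Data Sent. The sample line is the one from the post; the "known upload" figure is a constructed value.

```shell
#!/bin/sh
# Added example (not from the thread): parse the "Networks:" line that
# OS X top(1) prints and express its byte counters in plain bytes.
# Assumption: K/M/G suffixes are powers of 1024; counters are since boot.

# to_bytes SIZE: convert a top-style size (252M, 4731M, 37G, 1321020) to bytes
to_bytes() {
    num=${1%[KMG]}                      # strip a trailing unit letter, if any
    case "$1" in
        *K) echo $((num * 1024)) ;;
        *M) echo $((num * 1024 * 1024)) ;;
        *G) echo $((num * 1024 * 1024 * 1024)) ;;
        *)  echo "$num" ;;              # plain byte count
    esac
}

# net_counter LINE in|out: print "<packets> <bytes>" for the chosen direction
net_counter() {
    line=$1; direction=$2
    # "Networks: packets: 4098220/4731M in, 2679284/252M out."
    pair=$(printf '%s\n' "$line" |
        sed -n "s/.*[:,] *\([0-9]*\)\/\([0-9]*[KMG]\{0,1\}\) $direction.*/\1 \2/p")
    [ -n "$pair" ] || return 1
    set -- $pair
    echo "$1 $(to_bytes "$2")"
}

# unexplained_out LINE KNOWN_BYTES: bytes sent beyond what KNOWN_BYTES
# (an upload you can account for) explains; prints 0 if fully explained
unexplained_out() {
    set -- $(net_counter "$1" out) "$2"   # $1 packets, $2 bytes, $3 known
    diff=$(( $2 - $3 ))
    [ "$diff" -gt 0 ] && echo "$diff" || echo 0
}

# Sample header line from the post; 200000000 is a constructed "known upload"
SAMPLE='Networks: packets: 4098220/4731M in, 2679284/252M out.'
net_counter "$SAMPLE" in
net_counter "$SAMPLE" out
unexplained_out "$SAMPLE" 200000000
```

Run the first two lines of `top -l 1` through `net_counter` on your own machine (the script only reads the pasted line) and subtract the transfers you can account for; what is left is the amount worth investigating with a per-process tool such as Little Snitch, which is exactly how the transcoded stream in this thread was eventually identified.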
 

GGJstudios

macrumors Westmere
May 16, 2008
44,556
950
Sophos did later go funny and lose its real-time protection, but I think I've seen that before during a previous period I had it installed, and I think I've seen it do that on my iMac at work too - it doesn't always load properly.
I recommend that you avoid using Sophos, as it could actually increase your Mac's vulnerability, as described here and here. You don't need any 3rd party antivirus app to keep a Mac malware-free, as long as you practice safe computing. Read the What security steps should I take? section of the Mac Virus/Malware FAQ for tips on practicing safe computing.

If you still want to run antivirus for some reason, ClamXav (which is free) is one of the best choices, since it isn't a resource hog, detects both Mac and Windows malware and doesn't run with elevated privileges.
 

Tezcatlipoca

macrumors regular
Original poster
May 23, 2012
214
6
Cambridge, UK
Thanks for the replies :)

I worked out what it was (although have since given myself something else to be paranoid about, see later):

When I used PS3 Media Server to stream the ~600-700MB video on the Sunday afternoon in question, the PS3 didn't like it for some reason so I had to use PS3 Media Server's "Transcode" function, which transcodes on-the-fly to MPEG2... which of course uses more bandwidth. I forgot all about that until late last week, when I suddenly remembered having to transcode the video.

I installed Little Snitch 3 and tested it again yesterday by repeating what I did the previous Sunday, streaming the same video file with the transcode option...

What was ~600-700MB on the HDD became over 2GB when streamed, due to the transcoding. Little Snitch confirmed that the data sent was by PS3 Media Server and that it went to the local network IP of my PS3.

Problem solved :)

Although, as mentioned, I've made myself worry about something else now (it comes from having such a long Windows background compared to only recently "going Mac"... plus of course is made even worse by being a paranoid obsessive compulsive :eek: ):

First thing:

Little Snitch kept asking for permission for Sophos Auto Update to connect to a wide variety of different domain names (although only actually a few different IP addresses) such as "goodhousekeeping.co.uk" and various others. I think that this is not an issue, though, as from what I can gather at the Sophos forums (e.g. here) this is actually due to Sophos using the Akamai content distribution network, and Little Snitch apparently does not always resolve the correct name for an IP. Sound reasonable?



Second thing:

As mentioned in my OP, I went a bit crazy with trying a variety of AV apps. One was Kaspersky. Some point after I'd moved from that to something else, I noticed that one website in particular was "broken" in Chrome. I realised it was due to some Kaspersky extension that had been left behind. Got rid of it: sorted. But, just to make sure that was definitely it and that it was definitely from Kaspersky, I installed Kaspersky again so I could check the extension and then properly uninstall the whole thing.

I had Finder open, so I could check the content of "/Library/Application Support/Google/Chrome/External Extensions" (as Kaspersky was sticking something there for its annoying URL Advisor).

At some point during Friday night, while going through the rigmarole of installing Kaspersky, rebooting, dealing with the extension, uninstalling Kaspersky, rebooting again... I noticed in Finder that the "Date Modified" for "/Library/Java/" had changed to a date and time for that night. The visible content of the folder had not changed, just the Date Modified for the folder. There was no change to "/System/Library/Java".

[NB I have Java 6 installed purely for PS3 Media Server. The Chrome and Safari plugins are disabled... And even if they weren't disabled, the recent Apple update removed them anyway I believe?]


So... Is it "normal" for the "Date Modified" to change like that? Is it anything to worry about? I'm a total newbie with Macs, so that coupled with my stupidly excessively paranoid nature really freaked me out when I saw that the date modified had changed (as why would that change for the Java folder, yet the content is unchanged?). NB: It's not changed again since then.


Being the paranoid fool that I am, it set me off on another scan-a-thon, installing, scanning, and uninstalling a variety of AV apps in turn once more :rolleyes:

Avira (free), F-Secure (trial), MacScan (trial), BitDefender (on-demand-only free version from the Mac App Store), Kaspersky (trial, installed yet again), Intego VirusBarrier (trial), Avast (free), Sophos (free). All clean.


So... Anyone able to soothe my latest nonsensical worries? :) Or are they not nonsense! :eek:
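An added example, not from the thread, that shows why a folder's "Date Modified" can change while everything Finder shows in it stays the same. On HFS+ and other Unix file systems a directory's mtime is bumped whenever an entry inside it is created, deleted or renamed; that includes dot-files, which Finder hides, and scratch files an installer or uninstaller writes and removes again. The "Java" folder name stands in for /Library/Java, and the scratch file name is constructed; the script works in a throwaway temp directory and never touches the real folder.

```shell
#!/bin/sh
# Added example (not from the thread): a directory's mtime changes on any
# entry create/delete/rename inside it, even when `ls` shows nothing new.
# "Java" below is a stand-in for /Library/Java; all paths are temporary.

# demo_hidden_churn: returns 0 if the directory's mtime moved past a baseline
# after a hidden scratch file was created and deleted, while the visible
# listing stayed identical; returns 1 otherwise.
demo_hidden_churn() {
    work=$(mktemp -d) || return 1
    dir="$work/Java"
    ref="$work/reference"
    mkdir "$dir"
    touch "$dir/Extensions"            # the visible content, never touched again
    sleep 1
    touch "$ref"                       # timestamp baseline, taken after setup
    sleep 1
    touch "$dir/.installer-scratch"    # what an installer/uninstaller might do
    rm "$dir/.installer-scratch"       # ...and then clean up after itself
    visible=$(ls "$dir")               # Finder's view: still just "Extensions"
    changed=$(find "$dir" -prune -newer "$ref")   # the dir itself, if newer
    rm -rf "$work"
    [ "$visible" = "Extensions" ] && [ -n "$changed" ]
}

# entries_newer_than DIR REF: list everything under DIR, dot-files included,
# whose mtime is later than the file REF. To check a real folder, create REF
# with a chosen timestamp first, e.g. touch -t YYYYMMDDhhmm /tmp/ref
entries_newer_than() {
    find "$1" -newer "$2" -print
}

if demo_hidden_churn; then
    echo "directory mtime changed although the listing did not"
fi
```

The practical check is the second function: a reference file dated just before the night in question, then `entries_newer_than /Library/Java /tmp/ref` together with `ls -la /Library/Java` to see hidden entries. If nothing inside is newer than the reference, the folder's own timestamp was bumped by an entry that has since been removed, which is what an install/uninstall cycle does.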
 

GGJstudios

macrumors Westmere
May 16, 2008
44,556
950
Little Snitch kept asking for permission for Sophos Auto Update to connect to a wide variety of different domain names
As I stated earlier, I recommend you uninstall Sophos completely. You don't need it and it could make your Mac more vulnerable.
As mentioned in my OP, I went a bit crazy with trying a variety of AV apps. One was Kaspersky.
You should never have more than one antivirus app installed at the same time. They can conflict with each other and cause false readings. I recommend you uninstall ALL of them, as they're not necessary to keep your Mac malware-free, as long as you practice safe computing, by following the tips in the FAQ I posted earlier. Also, as I stated earlier, use ClamXAV if you need to occasionally scan.
 

Tezcatlipoca

macrumors regular
Original poster
May 23, 2012
214
6
Cambridge, UK
As I stated earlier, I recommend you uninstall Sophos completely. You don't need it and it could make your Mac more vulnerable.

This was all before I read your post :)

You should never have more than one antivirus app installed at the same time. They can conflict with each other and cause false readings. I recommend you uninstall ALL of them, as they're not necessary to keep your Mac malware-free, as long as you practice safe computing, by following the tips in the FAQ I posted earlier. Also, as I stated earlier, use ClamXAV if you need to occasionally scan.

I only had one installed at any one time - I know not to have multiple ones installed :)

I now just have ClamXav (MAS version) for on-demand scanning.


Can you help with my latest fears?
 

GGJstudios

macrumors Westmere
May 16, 2008
44,556
950
I only had one installed at any one time - I know not to have multiple ones installed :)
It sounds like you may have files/folders left over from some of the apps you uninstalled. The most effective method for complete app removal is manual deletion. You can use this process to search for apps you've already uninstalled, to remove remnants that may remain.

Can you help with my latest fears?
I recommend you learn to relax and not stress about everything your Mac does that you don't fully understand. Malware is quite rare for a typical Mac user to encounter, if ever. When something happens with your Mac, malware is usually the last thing to suspect, not the first.
 

Tezcatlipoca

macrumors regular
Original poster
May 23, 2012
214
6
Cambridge, UK
It sounds like you may have files/folders left over from some of the apps you uninstalled. The most effective method for complete app removal is manual deletion. You can use this process to search for apps you've already uninstalled, to remove remnants that may remain.

Cheers for the link :)

I'll have a look to see what may have been left behind.

Why would the Java folder's "Date Modified" have changed though during Friday night's "Kaspersky session" and not since?


I recommend you learn to relax and not stress about everything your Mac does that you don't fully understand. Malware is quite rare for a typical Mac user to encounter, if ever. When something happens with your Mac, malware is usually the last thing to suspect, not the first.

Oh, I'd love to relax and not stress out! Some of the stuff I worry about is even more ridiculous than you'd consider this thread to be! :(
 

GGJstudios

macrumors Westmere
May 16, 2008
44,556
950
Why would the Java folder's "Date Modified" have changed though during Friday night's "Kaspersky session" and not since?
Because it hasn't been modified since then.
Oh, I'd love to relax and not stress out! Some of the stuff I worry about is even more ridiculous than you'd consider this thread to be! :(
Make sure you keep a current backup of your drive at all times. That way even if your drive crashes, you can quickly restore. After that, there's absolutely no reason to stress or worry about anything. It's just a computer. Nothing that can happen is significant enough to warrant undue worrying.
 

Mojo1

macrumors 65816
Jul 26, 2011
1,247
23
I think that anti-virus software on a Mac is unnecessary and a source of potential problems. If you must use AV software for peace of mind, disable automatic scanning and use it to manually scan individual files that you download. That will prevent most of the problems associated with AV software.

The Trojan/malware problems that have affected Mac users have usually been associated with downloading pirated software and visiting certain porn websites. If you don't visit those kinds of websites you are in good shape...

I have used LittleSnitch in the past but I now use HandsOff! It offers more control than LittleSnitch and has generally been more reliable. Both apps can be initially bothersome when you begin using them but that is the nature of the beast. You can speed up the process by giving the OK to all incoming/outgoing data transfers for the apps that you know you can trust such as OS X processes.

The nice thing about either LittleSnitch or HandsOff! is that you can easily monitor connection requests and see the destination. If something doesn't look right then simply deny the connection temporarily or permanently. If it winds up breaking an app and you have ascertained that it is OK, it is a simple thing to delete the rule.

I visit a lot of different websites (I have over 8,000 bookmarked...) and in 17 years I have never been infected with a virus or malware. Before OS X, Mac viruses were a little more troublesome, but since 10.0 was released Mac viruses have only been a distant memory. E-mail phishing attempts have become more sophisticated in recent years, but all it takes is being careful: expand and check the headers when in doubt, and if you still feel uncomfortable about a message, trash it. Just be sure to never click a link in any message that is suspect.
 