Monthly Archives: December 2017

DetectXmas: get a free home registration key

veggies



From now till Boxing Day, Sqwarq is giving away DetectX home registration keys for anyone that joins the DetectX Swift beta Slack group and who answers a simple question about the beta version.

We’ll try to get keys to you within 24 hours of receiving your correct answer, but bear in mind, it is Xmas, so delays may be possible while we digest our roast potatoes, parsnips and carrots!



Enjoy! 🙂


scan for malware on the command line

Screen Shot 2017-12-20 at 19.23.50


DetectX Swift now has the ability to do command line searches for issues on your mac like malware, keyloggers, browser hijacks and potentially dangerous software, and there’s a number of extra options that are not available when using the user interface. In this post, I’m going to give you a quick tour of the CLI (Command Line Interface) tool with some examples of how to use it (if you haven’t yet grabbed a free copy of DetectX Swift you might want to do that first to play along).

1. Basic scan
Let’s start with a basic scan. To use the CLI search, you need to specify the full path to the app executable. In this example, let’s suppose that the app is in /Applications folder. In that case, you’d need to execute this on the command line:

/Applications/DetectX\ Swift.app/Contents/MacOS/DetectX\ Swift search

Since that’s a bit of a handful, even using tab completion, you might want to edit your .bash_profile to include a shortcut alias. Here’s mine:

sphil@sphils-iMac-5:~$ cat .bash_profile

alias sudo='sudo '

alias detectx='/Applications/DetectX\ Swift.app/Contents/MacOS/DetectX\ Swift'

Note the sudo line (and note the extra space in the value). We’re going to need that so that we can pass the alias to sudo when we want to pass certain options to the search. Like…

2. Scan other users
Probably the most important benefit you gain with scanning on the command line rather than from the app’s interface is the ability to scan all, or selected, other users. You can search all users by using sudo and the -a option:

sudo detectx search -a

If you want to restrict the search to one or more users, the -u option allows you to specify a list of shortuser names (comma-delimited):

sudo detectx search -u alice,bob

3. Go deep
If you’d like more verbose output, including how long the search took, try either the vsearch or vvvv commands:

sudo detectx vvvv -a

4. Save the results
You can specify a path to output the results, either in regular text:

sudo detectx vvvv -a ~/Desktop/searchtest.txt

or, by passing the extra -j option, in JSON format:

sudo detectx search -aj ~/Desktop/searchtest.json

Here’s an example of what the formatted JSON file looks like:

Screen Shot 2017-12-20 at 18.05.26

5. Anything else?
There’s a help command that will output the documentation to the command line, and also if you get into the habit of regularly running command line checks, don’t forget to launch the app from time to time in the Finder. Like its predecessor, DetectX, DetectX Swift does a lot of other stuff besides searching that can help track down and remediate problems with your mac, and a large part of that revolves around the way it tracks changes to your system every time you launch it. The CLI tool runs independently of that and won’t give you that kind of feedback or record those changes.

Enjoy! 🙂


how to remove MyCouponize adware





MyCouponize is an aggressive adware infection that simultaneously installs itself in Safari, Chrome and Firefox, It hijacks the user’s search and page loads, redirecting them to multiple web sites that advertise scamware and other unwanted junk.

You can remove it easily with DetectX Swift (a free/shareware utility written by myself) as shown in this video. If you prefer reading to watching, here’s the procedure:

1. Run the search in DetectX.







2. Click on the [X] button.
You’ll find this button just above the results table to the right, between the search count and the tick (whitelist) button. It will turn red when you hover over it. When it does so, click it.
Then hit ‘Delete’ to remove all the associated items.
You’ll need to enter a password as some of the items are outside of your user folder.
Press the esc key or click the ‘Cancel’ button on any pop up dialogs that appear.

3. Go to the Profiler
Here we’ll unload the launchd processes that belong to MyCouponize.

Navigate to the user launchd processes section and move the cursor over the item com.MyMacUpdater.agent







Click the ‘Remove x’ button that appears when the line is highlighted.
Wait for the profiler to refresh and then go back to the same section and remove the second process called com.MyCouponize.agent

4. Quit the mediaDownloader.app
This item has already been deleted in step 1, but its process may still be running in memory. If its icon appears in the Dock, right click on it and choose ‘Quit’ from the menu.







4. Finally, go to Safari Preferences’ Extensions tab
Click the uninstall button to remove the MyCouponize extension.







After that, Safari should be in good working order. If you have Chrome, Firefox or possibly other browsers installed, make sure you remove the extensions or Add Ons from those, too.

DetectX and DetectX Swift are shareware and can be used without payment, so go grab yourself a copy over at sqwarq.com.


what is rapportd?


Since early November, I’ve been seeing reports of High Sierra users being presented with a dialog box from the Firewall asking whether the user wants to accept incoming network connections to rapportd.

This is causing some confusion among troubleshooters as there’s a fairly notorious process with the same name associated with IBM’s (badly-performing) Trusteer software. This latter often causes system slow downs and the general recommendation is to remove it unless you absolutely can’t live without it.

However, the rapportd process responsible for the dialog has nothing to do with IBM’s Trusteer and is, in fact, an Apple daemon introduced in 10.12. According to the man page, Apple’s rapportd is a daemon providing support for the Rapport connectivity framework. Although rapportd is bundled with 10.12, it appears to have only become active in 10.13.

Issuing

lsof -i -P | grep -i rapport

at the command line doesn’t return any hits on my 10.12 machine, but High Sierra reveals that Apple’s rapportd process is listening for network connections on port 49158. Further investigations have found that rapportd is connected to Apple’s HomeKit framework, a home automation platform for controlling smart home products with iOS apps and Siri voice commands, and is likely related to Airplay 2.

To verify which rapportd process you’re dealing with, jump into Terminal and paste this command:

ps aux | grep rapportd

Alternatively, if you’re a DetectX Swift user, you can search for it in the Profiler view (Command-F evokes the Find inspector bar):

If the search or find reveals a process address as /usr/libexec/rapportd, that’s your Apple friend and you can safely allow the connection. Searches for rapportd also might produce any of the following paths, all of which are legitimate:

/System/Library/LaunchDaemons/com.apple.rapportd.plist
/System/Library/Sandbox/Profiles/com.apple.rapportd.sb
/usr/libexec/rapportd
/usr/share/man/man8/rapportd.8

On the other hand, if you see a path address for

/Library/Rapport/bin/rapportd.app/Contents/MacOS/rapportd

or searches reveal

/Library/LaunchAgents/trusteer.rapport.rapportd.plist

that’s the IBM app you’re looking at. Whether you want to allow that or uninstall that will depend on both your mac’s performance and whether you need the software or not.

Hope that helps to clear up some of the confusion!

🙂

%d bloggers like this: