Category Archives: Performance
how to keep track of XProtect & friends
Over on Sqwarq, we’ve just released a new security and troubleshooting utility, the Critical Updates.app.
This little tool will help you keep track of when Apple make changes to system config data like XProtect, Gatekeeper and the Malware Removal Tool. It will also alert you if there is a Security update in the App Store that needs to be manually applied.
Critical Updates is free for home use. Organisations wishing to license it for commercial-scale use should contact me through Sqwarq support.
keep an eye on Console with ConsoleSpy
ConsoleSpy is a simple but powerful little app that offers a window into system.log and which can trap incoming messages meeting user-defined search criteria. It’s aimed at software testers, bug hunters, security researchers and anyone who needs to do analytical troubleshooting work on a mac.
Minimum system requirements: OS X 10.11. ConsoleSpy is currently free.
Here’s an intro to its features and how you can use ConsoleSpy to aid in analysing your mac and your software.
What does it do?
The best way to illustrate the use case for ConsoleSpy is to consider a couple of ‘based on a true story’ user problems I’ve encountered recently.
Case 1: In one case, a user was concerned that an attacker was logging into her computer remotely. Unaware of how that might be happening, the user searched the Console.app and found a number of suspicious remote login attempts. However, these always seemed to occur at times she wasn’t at the computer and sometimes weeks apart. It became a laborious job and anxious routine for her both to remember and to search through the Console logs every morning to see if anything suspicious had occurred.
Case 2: In the second case, a user realised that the Time Machine backups she’d been relying on had been silently failing to pass verification checks. There was no indication from Time Machine itself, and she only discovered the problem, weeks after it had begun, by a fortuitous glance at the Console.app where she discovered multiple ‘Backup verification failed’ messages.
In both these cases, ConsoleSpy could have alerted the user to the problem as soon as it had occurred. ConsoleSpy allows you to set search terms to trap incoming messages. Both a Dock badge and a visual indicator in ConsoleSpy’s display indicate when a message has been trapped. By using the search term ‘sharing,’, our user worried about remote hacking would have instantly been able to see if a login had been attempted and when. Our user with the failed backup problem would have likewise been alerted instantly the first time the problem occurred by using ‘backup,’ or ‘backup verification,’ (if she had only wanted to trap specific verification messages) as Alert strings.
ConsoleSpy becomes more useful the more accurately you know what you’re looking for. For bug hunters and software developers, simply setting an alert on your app or process id name will immediately funnel all incoming messages into ConsoleSpy’s ‘Alerts received’ box, allowing you to exercise your app in various conditions and immediately see the results. You can get as specific or as general as you want, but do see the help on Alert string syntax.
How do I use it?
After launching ConsoleSpy, you’ll be presented with an ‘always on top’ display of the most recent message into the Console. You can move the display around by clicking anywhere in the black part of the display and dragging. The four buttons on the right hand side offer you access to all of ConsoleSpy’s main functions, clockwise from top left:
Display
i. Freeze the display: in the event that you see something interesting and want more time to read it before the next message comes in, you can lock the display by clicking the little padlock button. When locked, the text in the display changes colour and a padlock appears at the end of the text. Note that when the display is locked, the View buttons in the Preferences window (see below) will have no effect. Click the padlock again to unlock the display.
ii. Hide ConsoleSpy: click the orange button to hide ConsoleSpy. Often, you won’t want the display visible but you will want ConsoleSpy to keep watching for alerts. You can also hide the app with ‘Command-H’.
iii. Open Console.app: the little ‘eye’ button immediately opens Console and takes you to the most recent message in system.log.
iv. Preferences: this is a toggle button that opens or closes the Preferences drawer. We’ll get to that next.
Preferences
The controls on the far left should be self-explanatory, but a couple of notes are in order.
View: As mentioned above the ‘View’ buttons are disabled when the display is locked, but otherwise they toggle the length of the display. The ‘Long’ view is particularly useful when reading multiple messages in the ‘Alerts received’ box.
Frequency: this controls the frequency at which ConsoleSpy updates the display. Note that ConsoleSpy continues to scan for messages that meet your Alert string criteria even between polls regardless of whether the app is visible or hidden, or the display is locked (see above). ConsoleSpy’s buffer can handle up to 40 messages between polls. If ConsoleSpy’s buffer is flooded with more than that, the display will show a ‘Flood’ warning. For more information see ‘The Hoary Gory’ section below.
Alert Strings: this is the most important field you’re going to want to manage. When you first launch ConsoleSpy, you’ll see some default search strings are already included by way of example. You can remove or add to them by clicking the ‘Edit’ button at the bottom left of the text box. Search string syntax is fairly basic, but allows you to be as specific or as general as you wish. Ensure that each term is comma-separated and the entire list is comma-terminated (i.e., there should be a comma after the last search term in the list, too). Click the ‘?’ button to go to the support page giving examples of search string syntax. Drop us a line in the Comments if you need help or contact Sqwarq support.
Alerts received: this is the main display for your results. You can select and copy all or parts of the message to search in Console.app if you want to see the message in context. Using the date string without the seconds is a particularly useful way to search for messages in Console if you want to see what else was happening around the same time.
You can clear the ‘Alerts received’ box (and the Dock badge and the display alert symbol) by clicking the ‘-‘ minus button at the bottom left of the text box. We suggest regularly and promptly removing messages from the Alerts received box once you’ve read them as the messages are already archived in Console.app.
The Hoary Gory
ConsoleSpy polls the system log every 1, 2 or 5 seconds according to the Frequency setting in the Preferences, and displays the most recent message. Unless the system log is being flooded with more than 40 messages since the last poll, ConsoleSpy won’t miss a thing and you’ll get an alert if any message meets your search criteria, even if it wasn’t displayed in ConsoleSpy’s display. If ConsoleSpy’s buffer is flooded, a small ‘flooding’ alert symbol shows in the display. The start and end flood times can be displayed in the Alerts Received box by setting an alert string for ‘flood,’.
If you experience a lot of flood warnings (entirely possible in scenarios where you are beta testing software or even the operating system itself), try using a faster frequency (i.e., 1 sec). While this may seem counterintuitive, it is a consequence of ConsoleSpy’s fixed buffer size. The buffer can hold up to 40 new messages since the last poll, so the number of messages ConsoleSpy can search between each poll is 40/(frequency). As we develop the app, we plan to include a choice of larger buffer sizes. The current buffer size is a conservative choice designed to ensure the app is usable even on smaller, less powerful macs.
If you’re already using the fastest poll time of 1 sec and flood warnings are occurring constantly, this is a good sign that some software is not behaving as intended. Of course, when testing beta software, especially a beta OS, there may be so many deliberate logs to the system log that ConsoleSpy reports flooding almost all the time. This is not a problem for ConsoleSpy; indeed, alerting you to flooding is one of its intended functions, so that you can see just when and how often something is happening. The main thing to be aware of during times of repeated or constant flooding is that ConsoleSpy may not be able to search every single message received against your search terms. You can, of course, turn Alerts off during such times, but a better solution is to leave Alerts on (ConsoleSpy will still return most if not all search hits, depending on how severe the flooding is) and simply use Console.app itself to do a historical search for any crucial messages you expected but which ConsoleSpy did not spot.
Note that while Alert string searches begin as soon as ConsoleSpy is launched, flood detection is not enabled until 30 seconds after launch. This is due to the fact that ConsoleSpy’s buffer needs to be full before it can determine the rate of incoming messages.
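The following is an added example, not ConsoleSpy's own code: a small model of fixed-buffer polling that shows why a slower poll interval can lose an alert during a flood while a faster one catches it. The function names, the constructed sample log, case-insensitive substring matching and the choice to keep only the newest 40 messages on overflow are all assumptions of this model.

```python
BUFFER_SIZE = 40  # messages the buffer holds between polls (figure from the text)

def parse_alert_strings(field):
    """Split an Alert Strings field: comma-separated and comma-terminated."""
    if not field.rstrip().endswith(","):
        raise ValueError("Alert Strings list must end with a comma")
    return [t.strip().lower() for t in field.split(",") if t.strip()]

def poll_log(messages, interval, terms, buffer_size=BUFFER_SIZE):
    """Model fixed-buffer polling over (second, text) pairs sorted by time.

    Returns (alerts, flood_times). Assumptions: on overflow only the newest
    buffer_size messages are searched, and a term matches as a
    case-insensitive substring.
    """
    alerts, flood_times = [], []
    i, poll_time = 0, interval
    while i < len(messages):
        batch = []
        while i < len(messages) and messages[i][0] < poll_time:
            batch.append(messages[i])
            i += 1
        if len(batch) > buffer_size:
            flood_times.append(poll_time)
            batch = batch[-buffer_size:]   # older messages are never searched
        alerts += [m for m in batch if any(t in m[1].lower() for t in terms)]
        poll_time += interval
    return alerts, flood_times

def sample_log(rate=15, seconds=10):
    """Constructed log: `rate` noise messages per second, one real hit early on."""
    log = [(n // rate, f"testd[123]: debug message {n}") for n in range(rate * seconds)]
    log[10] = (0, "backupd[456]: Backup verification failed")
    return log

if __name__ == "__main__":
    terms = parse_alert_strings("sharing, backup verification,")
    for interval in (1, 2, 5):
        alerts, floods = poll_log(sample_log(), interval, terms)
        print(f"{interval}s poll: {len(alerts)} alert(s), floods at {floods}")
```

At 15 messages per second the 1 and 2 second polls stay under the buffer limit and trap the backup message; the 5 second poll floods twice and never searches it.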
That about rounds up our introduction to ConsoleSpy. We hope you find it useful, and if you have any questions, drop us a comment or email us at Sqwarq support.
how to uninstall MacBooster
We are decidedly not impressed with MacBooster. Ok, we’ll put aside the general complaint that apps like this do very little if anything to improve performance (in fact, in our tests, we find almost always quite the opposite). We have a bigger beef with MacBooster.
Indeed, we rate it even more pesky than its obvious inspiration: MacKeeper… 😳
Aside from the fact that MacBooster’s uninstaller leaves a number of executables and other binary files hidden on the user’s system, there’s also the rather cheeky use of ‘com.apple.UninstallerAD’ as a bundle identifier in their uninstaller app.
I really don’t think the folks at Cupertino are going to appreciate that, but more importantly the use of a misleading bundle identifier reveals a lot about the developers’ intentions.
We’ve added MacBooster to DetectX (v.2.06) and it will be included in the next update to FastTasks 2.
Meanwhile, whether you use our apps or not, steer clear of MacBooster.
If you’d rather dig it out yourself than use DetectX, here’s the list of paths we have so far:
/Applications/MacBooster 3.app
/Users/Shared/MacBooster/FileData3
/Users/Shared/MacBooster/Boost3.plist
/Users/Shared/MacBooster
/Library/Caches/AMCExtractByte
/Library/Caches/AMCInstallTemp.txt
/Library/Application Support/AMC
/Library/LaunchDaemons/com.iobit.AMCDaemon.plist
~/Library/LaunchAgents/com.iobit.MacBoosterMini.plist
~/Library/Application Support/ErrorReporter
~/Library/Application Support/MacBooster
~/Library/Application Support/MacBooster 3.0
~/Library/Preferences/cryptFile3
~/Library/Preferences/com.iobit.Boost3.plist
~/Library/Preferences/com.iobit.MacBooster-3.plist
~/Library/Preferences/com.iobit.MacBooster-mini.plist
how to uninstall MacKeeper – updated
Last updated: June 16, 2018
If you’re unfamiliar with the reputation of MacKeeper but have come here because you downloaded it – or it downloaded itself after you were inadvertently redirected to some unwanted website – and are now wondering whether you made a mistake, let me present you with a few facts.
MacKeeper is one of the most infamous pieces of software on the macOS platform. This post itself was first published in September 2011, and has since received over 2 million hits from people wishing to uninstall MacKeeper from their computers.
When I ran MacKeeper’s free trial version on a brand new clean install of macOS, it told me that my system was in ‘serious’ condition and that I needed to buy MacKeeper in order to solve all my problems.
It seems, then, that MacKeeper thinks macOS, freshly installed, is a poor piece of software engineering, but the feeling is mutual. macOS doesn’t like MacKeeper much either. macOS provides the following warning about MacKeeper:
MESSAGE FROM CONSOLE
12/05/2015 17:48:00.946 com.apple.xpc.launchd[1]: (com.mackeeper.MacKeeper.Helper) This service is defined to be constantly running and is inherently inefficient.
If you have installed MacKeeper and wish to remove it, read on.
Preparation:
i. If you have used MacKeeper’s encryption feature, be sure to unencrypt before you uninstall MacKeeper. You should also check whether any of your personal files are stored in /Documents/MacKeeper Backups.
Backups & other disks
ii. If you have any disks connected to your mac, including Time Machine, eject them before you start the uninstall procedure.
Trash
iii. If you have anything in the Trash, empty it now before you start.
You are now ready to uninstall MacKeeper.
The Easy Way
As I’ve been involved in helping people uninstall MacKeeper for over 5 years, I eventually got round to the task of automating the process so that folks who were not that technically proficient with computers could take advantage of the information on this page.
If that sounds like you, then the easiest way to uninstall MacKeeper is to use my app DetectX. This is shareware that can be used for free 😀. You do not need to sign up to anything, subscribe to anything or give anyone your email address. Just download the app, run it, remove MacKeeper and be on your way.
After several years of testing and refining my app’s removal procedure, I now recommend using it even for proficient users as it is simply faster, more reliable and less prone to error than doing it any other way. The only people who should really consider the manual option are those that are running versions of macOS that are too old to run DetectX.
Please note also that the list of filepaths below is somewhat out of date. Follow the instructions, but consult my post here for the most recent update to the list of MacKeeper filepaths.
The Manual Way
If you need to remove MacKeeper manually then follow these instructions carefully. They’ve been refined over the years by many people who contributed in the hundreds of comments that follow this post and have been proven to work without exception. However, bear in mind that the onus is on you to follow the instructions to the letter. For that reason, go slow, read carefully and don’t do anything if you’re not sure what you’re doing. If you have any doubts, post a question in the comments.
Here we go!
1. If MacKeeper is running, quit it. From the sidebar in any Finder window, choose your hard disk icon and go to your Library folder. Look in the Application Support folder for the folder inside it called ‘MacKeeper’:
/Library/Application Support/MacKeeper
Drag this folder to the Trash.
2. Still in Library, look for and trash any of these you find in the same way:
/Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus
/Library/LaunchDaemons/com.zeobit.MacKeeper.plugin.AntiTheft.daemon
3. If you are using OS X Lion 10.7 or later, use the ‘Go’ menu in Finder’s menubar and hold down the ‘option’ key. Choose ‘Library’ from the menu (yes, this is a different Library folder from the one you were just in). If you are using Snow Leopard or Leopard, just click on the little ‘Home’ icon in the Finder sidebar and navigate to the Library. Then trash any and all of these that you find:
~/Library/Caches/com.zeobit.MacKeeper
~/Library/Caches/com.zeobit.MacKeeper.Helper
~/Library/LaunchAgents/com.zeobit.MacKeeper.Helper
~/Library/LaunchAgents/com.zeobit.MacKeeper.plugin.Backup.agent
~/Library/Preferences/com.zeobit.MacKeeper.plist
~/Library/Preferences/com.zeobit.MacKeeper.Helper.plist
Be careful not to delete the wrong files: only those that have got the words ‘zeobit’, ‘MacKeeper’, ‘911’ or ‘911bundle’ should be trashed.
Update May 2015:
Due to recent changes in MacKeeper, the following files should also be searched for and removed:
~/Library/Application Support/MacKeeper Helper
~/Library/Caches/com.mackeeper.MacKeeper
~/Library/Caches/com.mackeeper.MacKeeper.Helper
~/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist
~/Library/Preferences/com.mackeeper.MacKeeper.Helper.plist
~/Library/Preferences/com.mackeeper.MacKeeper.plist
~/Documents/MacKeeper Backups
~/Library/Logs/MacKeeper.log
~/Library/Logs/MacKeeper.log.signed
/private/tmp/com.mackeeper.MacKeeper.Installer.config
/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
The last item above will require removal in Terminal or turning on of invisible files in the GUI (various 3rd party apps can do this, including my own DetectX and FastTasks 2).
4. Go to Applications > Utilities > Keychain Access.app and double click on it. Notice the padlock in the window is up there on the left, rather than down the bottom. Click on it and enter your admin password. Now go through all the items in the ‘Keychains’ list (such as Login, System, Root) with ‘All items’ selected in the ‘Category’ list. Anything you find related to ‘MacKeeper’ or ‘zeobit’, click on it, then choose Edit > Delete from the menu.
(Thanks to Al for also mentioning this point in the Comments below! 🙂 ).
5. Open the Activity Monitor utility (Applications > Utilities > Activity Monitor.app). In 10.10 Yosemite or later, select the View menu and choose ‘All Processes’. For earlier versions of macOS, select ‘All Processes’ from the drop down menu just over on the right of the dialogue box. Next, scroll down the list of items shown and see if any processes called ‘MacKeeper’, ‘zeobit’ or ‘911 bundle’ are still running. Older versions of MacKeeper may have a ‘WINE’ process running, so also look for ‘wine’. Anything you find, click on it and hit the ‘Quit Process’ or ‘X’ button (Yosemite) in the top left corner.
6. Go to your Applications folder from a Finder window and select MacKeeper. Then, hold down ‘command’ and press ‘delete’ once. If you assigned MacKeeper to be pinned in the Dock, be sure to also drag the icon off the Dock and release it anywhere over the desktop. It will, satisfyingly, disappear in the ‘poof’ of a cloud. 😀
7. When you’re done filling up your trash can with all this junk, click on Finder > Empty Trash.
8. Go to System Preferences > Users & Groups (or ‘Accounts’ for Snow Leopard) | Login Items
If you see anything to do with MacKeeper in the list of items there, highlight it, then click the little minus ‘-‘ button near the bottom of the list.
9. Restart your Mac. Everything should be back to normal, but check the Activity Monitor one last time to be sure.
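A read-only check to run after step 9, added here as an example and not part of the original post or of DetectX: it reports which of the paths listed in steps 1 to 3 still exist and, because the lists above sometimes omit the .plist suffix, also flags similarly named items in the same folders. The keyword scan and the `root` and `home` parameters are assumptions of this example; the same function works on the MacBooster path list earlier on the page.

```python
import os
from pathlib import Path

# Paths copied from steps 1-3 and the May 2015 update above.
MACKEEPER_PATHS = """\
/Library/Application Support/MacKeeper
/Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus
/Library/LaunchDaemons/com.zeobit.MacKeeper.plugin.AntiTheft.daemon
~/Library/Caches/com.zeobit.MacKeeper
~/Library/Caches/com.zeobit.MacKeeper.Helper
~/Library/LaunchAgents/com.zeobit.MacKeeper.Helper
~/Library/LaunchAgents/com.zeobit.MacKeeper.plugin.Backup.agent
~/Library/Preferences/com.zeobit.MacKeeper.plist
~/Library/Preferences/com.zeobit.MacKeeper.Helper.plist
~/Library/Application Support/MacKeeper Helper
~/Library/Caches/com.mackeeper.MacKeeper
~/Library/Caches/com.mackeeper.MacKeeper.Helper
~/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist
~/Library/Preferences/com.mackeeper.MacKeeper.Helper.plist
~/Library/Preferences/com.mackeeper.MacKeeper.plist
~/Documents/MacKeeper Backups
~/Library/Logs/MacKeeper.log
~/Library/Logs/MacKeeper.log.signed
/private/tmp/com.mackeeper.MacKeeper.Installer.config
/Library/Preferences/.3FAD0F65-FC6E-4889-B975-B96CBF807B78
""".splitlines()

# Name fragments from step 3; bare '911' is omitted here as too unspecific.
KEYWORDS = ("zeobit", "mackeeper")

def resolve(listed, root="/", home=None):
    """Place a listed path under `root` (a test tree or a mounted volume)."""
    home = home or str(Path.home())
    if listed.startswith("~/"):
        listed = home + listed[1:]
    return Path(root) / listed.lstrip("/")

def audit(paths, root="/", home=None, keywords=KEYWORDS):
    """Read-only check. Returns (listed paths present, similarly named items)."""
    exact, related = [], set()
    for listed in paths:
        target = resolve(listed, root, home)
        if os.path.lexists(target):          # also true for dangling symlinks
            exact.append(str(target))
        try:
            names = os.listdir(target.parent)
        except OSError:                      # folder missing or not readable
            continue
        related.update(str(target.parent / n) for n in names
                       if any(k in n.lower() for k in keywords))
    return sorted(exact), sorted(related - set(exact))

if __name__ == "__main__":
    exact, related = audit(MACKEEPER_PATHS)
    for label, found in (("listed", exact), ("similar name", related)):
        for path in found:
            print(f"{label}: {path}")
    if not (exact or related):
        print("none of the listed MacKeeper items were found")
```

The script deletes nothing; anything it reports is removed as described in the steps above.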
Supplementary: If you have a problem with MacKeeper pop-ups while using your browser, try clearing out the caches, like this:
In Safari menubar, choose ‘Safari > Reset Safari’. Make sure all the options are checked.
This will not only clear out your caches, but everything else stored by the browser. Don’t worry, it won’t affect your bookmarks, but it will reset your ‘top sites’ and history.
In Firefox menubar, choose ‘Tools > Clear Recent History…’ and choose ‘Everything’. Again, it’ll clear everything out but won’t delete your bookmarks.
Obviously, if you use any other browsers like Opera or something you’ll have to find the same options for those too.
NOTES
1. If you have any problems carrying out the steps, try starting your Mac up in Safe mode, and then running the procedure.
2. You can safely ignore any MacKeeper files that are in the BOM or Receipts folders.
3. If you have only downloaded the MacKeeper package but not run the installer, you only need to send the .pkg file in your Downloads folder to the Trash. That’s it!
4. If you are seeing ads on this site, we recommend that you use an adblocker!
Acknowledgements
This post has been refined and improved over time thanks to suggestions and replies made in the Comments and on Apple Support Communities. Thanks especially to Al, Lyndon and Jack.