Back in summer of 2018, customer support at Malwarebytes started seeing people with problems activating the kernel extension (kext) in Malwarebytes for Mac. This opened a can of worms that we're still struggling with today… as soon as we think the worms are back in the can, we start finding new ones. Unfortunately, these worms all belong to macOS, and are affecting other kexts as well.

We ultimately traced the initial problem to an issue with the /Library/StagedExtensions/ folder. This folder is used by macOS in the process of activating a kext. By default, this folder is protected by SIP, so it can only be modified by the system.

Unfortunately, we were seeing that a number of users had a StagedExtensions folder that was lacking the restricted flag. (This flag is an indication that an item is protected by SIP, and can be set via the chflags command, although only from recovery mode.) This interfered with activation of the kext, since macOS no longer considered StagedExtensions to be a secure location at which to stage the kext.

The symptom of the problem was pretty easy to spot, if you knew where to look. If you run the following command (where the -O switch shows the file flags):

```
ls -alO /Library/StagedExtensions
```

The output should show this for the StagedExtensions folder itself:

```
4 root wheel restricted 128 Nov 6 13:37
```

However, on affected systems, it showed:

```
4 root wheel - 128 Nov 6 13:37
```

Notice the lack of a restricted flag on the folder, indicating that it is no longer protected by SIP. Of course, this flag should only be able to be cleared by the OS itself, or by a user in recovery mode.
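As an added example (not code from the Malwarebytes post), here is a small POSIX shell check that parses the flags column of `ls -lO` output and reports whether the SIP restricted flag is present on an entry. The sample lines are constructed to mirror the two cases above, and `check_staged_extensions` assumes it is run on macOS, where `ls` understands `-O`.

```shell
#!/bin/sh
# Added example, not from the original post: detect a missing SIP "restricted"
# flag in `ls -lO` output. In that output the flags column is the 5th field,
# between the group and the size; "-" means no flags are set, and several
# flags are printed as a comma-separated list (e.g. "restricted,hidden").

# has_restricted_flag LINE
#   returns 0 if the ls -lO entry carries the "restricted" flag, 1 otherwise
has_restricted_flag() {
    flags=$(printf '%s\n' "$1" | awk '{ print $5 }')
    case ",$flags," in
        *,restricted,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample entries modelled on the healthy and affected folders
# described in the post (not output captured from a real machine).
GOOD_LINE='drwxr-xr-x  4 root  wheel  restricted  128 Nov  6 13:37 /Library/StagedExtensions'
BAD_LINE='drwxr-xr-x  4 root  wheel  -  128 Nov  6 13:37 /Library/StagedExtensions'
MULTI_LINE='drwxr-xr-x  4 root  wheel  restricted,hidden  128 Nov  6 13:37 /Library/StagedExtensions'

# check_staged_extensions [DIR]
#   macOS only: inspects the live folder (-d lists the directory itself rather
#   than its contents) and returns 0 if protected, 1 if the flag is missing,
#   2 if the folder cannot be listed.
check_staged_extensions() {
    dir=${1:-/Library/StagedExtensions}
    line=$(ls -ldO "$dir" 2>/dev/null) || { echo "cannot list $dir"; return 2; }
    if has_restricted_flag "$line"; then
        echo "OK: $dir carries the restricted flag (SIP-protected)"
        return 0
    fi
    echo "WARNING: $dir lacks the restricted flag; kext staging may fail"
    return 1
}
```

On a Mac, source the file and call `check_staged_extensions` to test the real folder; the parsing function alone can be exercised anywhere with the constructed lines.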