Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

teachmetosurf

macrumors newbie
Original poster
Feb 24, 2019
3
1
HI, I recently updated to Catalina (on a partition so I could try it out first) and after getting up and running (minimal apps installed so far) Avast kept popping up and warning me about a threat it had found, which I told it to delete.

Keeping an eye on my /tmp folder, I see the following:

Screen Shot 2020-02-22 at 12.39.40 PM.png


I'm not sure what the last two are.

There was also a locked folder (with the red symbol) named "proxy-(five random numbers), that would reappear if I deleted it (no programs running while doing so) So far it hasn't popped up today.

Is there a way to find the source of unknown items placed in tmp? I've run a few cleaning programs and they come back all clear, just wanna be vigilant and keep things clean. I'd like to find what program (malicious or otherwise) is putting things in there.

Thanks for any help.
 
Seems like your system may have been compromised? (A “threat” is pretty generic) I would nuke it personally. Any idea what might have happened? Messing with warez or something? if you want to be vigilant, wipe and restore from back up. I wouldn’t worry about tracking down who wrote what where. Forensics sounds cool but it’s a lot of boring work.
And once you’ve wiped and reinstalled, skip the AV next time and just run clean.
 
  • Haha
Reactions: Mr_Brightside_@
The PowerLog files in /tmp aren't malware. They're part of normal OS functionality.
[automerge]1582559867[/automerge]
HI, I recently updated to Catalina (on a partition so I could try it out first) and after getting up and running (minimal apps installed so far) Avast kept popping up and warning me about a threat it had found, which I told it to delete.

Keeping an eye on my /tmp folder, I see the following:

View attachment 895611

I'm not sure what the last two are.

There was also a locked folder (with the red symbol) named "proxy-(five random numbers), that would reappear if I deleted it (no programs running while doing so) So far it hasn't popped up today.

Is there a way to find the source of unknown items placed in tmp? I've run a few cleaning programs and they come back all clear, just wanna be vigilant and keep things clean. I'd like to find what program (malicious or otherwise) is putting things in there.

Thanks for any help.
There's really no need to do anything with what you find in /tmp. The things you see there are normal- many (most?) applications will put things in that directory, and they'll get cleaned out from time to time, automatically.
 
/tmp is world-writable; any program can put something there. I have /tmp/dumps and /tmp/powerlog too. As far as I know, dumps is created by Chromium (not just the browser or Google Chrome, but any app that bundles the Chromium framework). /tmp/powerlog and /tmp/com.apple.launchd are created by the system.
 
The PowerLog files in /tmp aren't malware. They're part of normal OS functionality.
[automerge]1582559867[/automerge]

There's really no need to do anything with what you find in /tmp. The things you see there are normal- many (most?) applications will put things in that directory, and they'll get cleaned out from time to time, automatically.

In linux it is every time you restart the machine that /tmp get cleared for certain. Apple may do similar.
 
In linux it is every time you restart the machine that /tmp get cleared for certain. Apple may do similar.
macOS does it at least on every reboot; I've never paid attention to see if it clears out /tmp more often than that.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.