
Peter Franks

I've not used Safari for an age, as I was on an old OS, and have been using Chrome and occasionally Firefox, which was pretty decent for pop-ups and stopping stuff.

All I have on Safari is AdBlock, and today I got bombarded by a constant stream of attacks dive-bombing my downloads folder with 100s of files, from a pop-up, then the printer window came up, I closed it, and then the assault continued. Fake Apple Support messages were coming up on the page, and I've never in all my years on here ever had anything like that with Chrome. I had to delete hundreds of these files in my downloads folder. You could see the animation of them going in the folder at breakneck speed, but I assumed it was just a clever animated trick. Wrong, they were actually going in my Downloads folder.

After the update to Sierra, I wanted to give Safari another chance. Obviously, this doesn't fill me with confidence. I've not seen anything like that since I was on Windows, 10 plus years ago. And never experienced anything like that on Snow Leopard/Safari. So how has Safari got so easily penetrated? The irony is upgrading to a newer OS for 'security'. That backfired! Never had anything remotely like that on Snow Leopard in 7 years. Macs may not be able to get viruses, but what I witnessed on here today was pretty rampant, and didn't do it a lot of good!

So what should be on Safari, extension-wise, to combat that behaviour? Or is Safari just rubbish and you can't stop attacks like that?
 
Adblock, Bitdefender will work well on my MacBook and Mini.
Avoiding streaming websites will save you a lot of trouble; those sites use bad code and worse tactics to infiltrate your Mac, and are really not worth the headaches.

You're welcome!
 
Thanks guys, I do have AdBlock but it made no difference. I am surprised, but more surprised the OS let all those downloads bombard me without being able to stop them, until I could get Force Quit open.

Is there any chance all those folders that went in Downloads and brought up the printer page can do any harm? I get the downloads, but what gain is there in getting the printer page up, and why isn't Sierra safer than SL?
 
You need to clean out cookies, files and other things that made your mac corrupt.
Software won't do this.
Quit Safari.
Go to System Preferences, erase Flash files stored in your computer.
Turn on Safari, before launching clear cookies and history in Preferences.
This should work.
The printer thing is just an image to scare people.
 
I share DeltaMac's opinion, you might try to run Malwarebytes first.
Then you might want to follow these steps:

1. Remove all website data (Preferences → Privacy).
2. Please check whether Block Pop-up Windows is checked (Preferences → Security).
3. Try another adblocker, like Adguard (extension for Safari) and/or check the active filters (phishing and malware protection).
4. Empty Caches.
5. Restart Safari.
 
You need to clean out cookies, files and other things that made your mac corrupt.
Software won't do this.
Quit Safari.
Go to System Preferences, erase Flash files stored in your computer.
Turn on Safari, before launching clear cookies and history in Preferences.
This should work.
The printer thing is just an image to scare people.

Where in System Pref can you erase flash files? Ah, I've found 'delete all site data in settings' in Flash. Assume that is what you meant, in 'Flash', but not the one under it, 'audio and video license files'?

I would be curious that you might have picked up some adware of some kind.
Have you run Malwarebytes since you had that incident?

I did yeh thanks, and it didn't find anything.

I share DeltaMac's opinion, you might try to run Malwarebytes first.
Then you might want to follow these steps:

1. Remove all website data (Preferences → Privacy).
2. Please check whether Block Pop-up Windows is checked (Preferences → Security).
3. Try another adblocker, like Adguard (extension for Safari) and/or check the active filters (phishing and malware protection).
4. Empty Caches.
5. Restart Safari.

Thanks, have done all of that now. And Block Pop-Up was ticked yes. Not effective is it?
Will try Adguard. Surprised AdBlock wouldn't stop that. I mean I assume AdBlock is for pop-ups mainly, but not so hot on trojan/malware etc. Are any of them? If Malwarebytes is live would it stop that? It happened lightning speed.

Thanks all for your invaluable help, the history shows about 80 pages of 'Apple Support', and every one of those pages put a file in the Downloads folder. No idea what those files contained, but deleted straight away.
 
Malwarebytes free version is on-demand, the paid version provides real-time protection.
In Adguard under Browsing Security you can set "Phishing and Malware protection", plus numerous possibilities are at your disposal in setting different filter rules (Spyware filter, Malware domains etc.). Adblockers do more than just block pop-ups, they can block whole pages, trackers, cookie warnings etc.

P.S.: If you'd like I can help setting the needed filters in Adguard. PM me in this case.
 
ad block blocks ads not bad files
get rid of the bad file
you have a "cut".
and need to stitch the wound
ad block and malware and Adguard are just "bandaids"

I'm finished !
 
In Safari:
- go to the history menu
- choose "clear history"
- in the popup window, choose "clear all history"
- click the "clear history" button
- quit Safari and REBOOT the mac
- you may need to re-enter some passwords.

What version of the OS are you using?
 
"Apple Support" sounds like a typical "phishing expedition"
I get those occasionally, along with text similar to "your computer is in danger - Call this number now for help" There's often a link that will "help" you by giving you the opportunity to download and install some kind of "protective utility", such as the wonderful (?) MacKeeper app.
I have not yet seen anything that downloads dozens of files, all in a rush like that.

Just curious now if you thought that those dozens of files seemed to be identical copies - maybe with same name, but a number added to each file name?
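
One way to answer that question after the fact, as an added example that is not part of the original thread: group the files in a folder by name with any trailing copy counter removed, and report families that arrived back to back. The copy-counter patterns and the use of modification time as a stand-in for download time are assumptions.

```python
import os
import re
from collections import defaultdict

# Assumption: repeat downloads are de-duplicated as "name-2.ext" or "name (2).ext".
COPY_SUFFIX = re.compile(r"(?:-\d{1,3}| \(\d{1,3}\))$")

def family_key(filename):
    """Strip a trailing copy counter so 'x.html', 'x-1.html', 'x (2).html' group together."""
    stem, ext = os.path.splitext(filename)
    return (COPY_SUFFIX.sub("", stem) + ext).lower()

def _summarise(key, run):
    return {
        "family": key,
        "count": len(run),
        "seconds": round(run[-1][0] - run[0][0], 1),   # first to last file in the run
        "sizes": sorted({size for _, size, _ in run}),  # identical copies share one size
        "names": [name for _, _, name in run],
    }

def find_bursts(folder, max_gap=5.0, min_files=10):
    """Report name families with at least min_files files written back to back,
    i.e. no more than max_gap seconds between consecutive modification times."""
    families = defaultdict(list)
    with os.scandir(folder) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                families[family_key(entry.name)].append(
                    (st.st_mtime, st.st_size, entry.name))
    bursts = []
    for key, files in families.items():
        files.sort()
        run = [files[0]]
        for item in files[1:] + [None]:      # the trailing None flushes the last run
            if item is not None and item[0] - run[-1][0] <= max_gap:
                run.append(item)
                continue
            if len(run) >= min_files:
                bursts.append(_summarise(key, run))
            run = [item]
    return sorted(bursts, key=lambda b: -b["count"])

if __name__ == "__main__":
    # Read-only listing: nothing is opened, moved or deleted.
    for b in find_bursts(os.path.expanduser("~/Downloads")):
        print(f'{b["count"]:4d} files in {b["seconds"]}s  '
              f'sizes={b["sizes"]}  {b["family"]}')
```

Run it before emptying the folder; a single family with one repeated size and a span of a few seconds indicates the same small file saved over and over by the page.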
 
Malwarebytes free version is on-demand, the paid version provides real-time protection.
In Adguard under Browsing Security you can set "Phishing and Malware protection", plus numerous possibilities are at your disposal in setting different filter rules (Spyware filter, Malware domains etc.). Adblockers do more than just block pop-ups, they can block whole pages, trackers, cookie warnings etc.

P.S.: If you'd like I can help setting the needed filters in Adguard. PM me in this case.
Very decent of you, thank you! The first 30 day trial does offer the real time protection, then it's paid yes

ad block blocks ads not bad files
get rid of the bad file
you have a "cut".
and need to stitch the wound
ad block and malware and Adguard are just "bandaids"

I'm finished !

OK... I think I understand that

In Safari:
- go to the history menu
- choose "clear history"
- in the popup window, choose "clear all history"
- click the "clear history" button
- quit Safari and REBOOT the mac
- you may need to re-enter some passwords.

What version of the OS are you using?

Sierra, buggy like I've never experienced on an OS before, doing very odd things. I don't get it. Stupid things that SL didn't do. Booting up, Email in dock right hand side of Downloads as if it's open and I've minimised it. Initially, it 'opened' on start up, but managed to stop the auto log ins. Even though there is nothing in start up other than iTunes helper when booting, and never had the 'reopen windows when logging in' ticked ever. Fan coming on the second it boots up is a bit off too. Just a few examples of things that make no sense, not a smooth experience. Silly little things. Similar to my very limited time on EC.

"Apple Support" sounds like a typical "phishing expedition"
I get those occasionally, along with text similar to "your computer is in danger - Call this number now for help" There's often a link that will "help" you by giving you the opportunity to download and install some kind of "protective utility", such as the wonderful (?) MacKeeper app.
I have not yet seen anything that downloads dozens of files, all in a rush like that.

Just curious now if you thought that those dozens of files seemed to be identical copies - maybe with same name, but a number added to each file name?

I didn't take a screen grab of the files, should have done. There was none of that MacKeeper stuff or ransom notes for unlock. It was much more active than that. I think every folder it dropped was only 2KB though. That I do remember. There's obviously lots of files and folders that have to ask for permission before they're opened. Sadly not all. If it was, then it might be a safer experience. As a side note, I don't want to be pining for Snow Leopard for the rest of time because it was so 'faultless', to me anyway. Do the majority of you guys use Safari? In the Apple store, I used Safari while I was there. Is the High Sierra Safari different, or is the latest version the latest version? For example, Prevent cross site tracking, is it native to High Sierra, as it's not on Sierra Safari? It felt different when I was on it, you know when you click on a link it opens the smaller version/preview of it, not the actual page? The 3 finger data enabler thing. Well, on HS it does that when I clicked on any link/page with just one finger, and wouldn't open full page. Is that just a setting I've not got on or is it a HS thing? .... just wondered.
 
Please keep in mind that adware and malware have exploded in the last couple years, on all platforms. Too simple to blame the OS or Safari (any version). Getting full-fledged industry write ups.

Beyond using Malwarebytes, killing all unknown extensions and plug-ins, it is also common to have to check default search engine (changed to something that points you at adware/malware every time you search). Have also seen (much less common) DNS settings changed by malware too.

Just cleaned out a malware thing called Encrypted Search on the latest version of Firefox on a family Mac yesterday. Kept changing the default search engine, and pointing at crap. Nobody knows how it got there, obviously a nefarious drive-by install or a fraudulent "updater" to something like Flash that tricked a user.

Other things to consider (any browser, any OS):

1. Back up any important bookmarks/history/other stuff and completely reset the browser to kill all cache, history, cookies, etc.
2. Verify your DNS settings, and consider something other than your ISP. OpenDNS and Cloudflare are well liked, and add a level of protection from known dangerous URLs.
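
A way to do the DNS check in item 2 from Terminal, as an added example that is not part of the original post: pipe the output of macOS's `scutil --dns` into this script, which labels each resolver as trusted, local or unexpected. The trusted list holds the public OpenDNS and Cloudflare addresses and the sample output is constructed; adjust both to your own setup.

```python
import ipaddress
import re
import sys

# Resolvers named in the post above; add any others you have chosen yourself.
TRUSTED = {"208.67.222.222", "208.67.220.220",   # OpenDNS
           "1.1.1.1", "1.0.0.1"}                 # Cloudflare

# Private, loopback and link-local ranges: normally the home router or a local stub.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

NAMESERVER = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

def nameservers(scutil_output):
    """Unique resolver addresses from `scutil --dns` text, in order of appearance."""
    found = []
    for line in scutil_output.splitlines():
        m = NAMESERVER.match(line)
        if m:
            addr = m.group(1).split("%")[0]      # drop an IPv6 zone id such as %en0
            if addr not in found:
                found.append(addr)
    return found

def classify(addr, trusted=TRUSTED):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if str(ip) in trusted:
        return "trusted"
    if any(ip in net for net in LOCAL_NETS):
        return "local"        # then check which upstream DNS the router itself uses
    return "unexpected"       # a public resolver you did not choose: investigate

def audit(scutil_output, trusted=TRUSTED):
    return {addr: classify(addr, trusted) for addr in nameservers(scutil_output)}

# Constructed sample; 203.0.113.53 is a documentation address standing in for
# a resolver nobody in the household configured.
SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 6 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
"""

if __name__ == "__main__":
    # Usage: scutil --dns | python3 this_script.py
    for addr, verdict in audit(sys.stdin.read()).items():
        print(f"{verdict:12s} {addr}")
```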
 
Please keep in mind that adware and malware have exploded in the last couple years, on all platforms. Too simple to blame the OS or Safari (any version). Getting full-fledged industry write ups.

Beyond using Malwarebytes, killing all unknown extensions and plug-ins, it is also common to have to check default search engine (changed to something that points you at adware/malware every time you search). Have also seen (much less common) DNS settings changed by malware too.

Just cleaned out a malware thing called Encrypted Search on the latest version of Firefox on a family Mac yesterday. Kept changing the default search engine, and pointing at crap. Nobody knows how it got there, obviously a nefarious drive-by install or a fraudulent "updater" to something like Flash that tricked a user.

Other things to consider (any browser, any OS):

1. Back up any important bookmarks/history/other stuff and completely reset the browser to kill all cache, history, cookies, etc.
2. Verify your DNS settings, and consider something other than your ISP. OpenDNS and Cloudflare are well liked, and add a level of protection from known dangerous URLs.

Thanks Hobo, The fan kills the battery life, and makes everything harder to listen to with YouTube, because the internal speakers on old MBP have next to nothing volume.

My only reasoning for blaming Sierra/Safari is only based on all the years of 10.6.8 that was trouble free, apart from Chrome eating CPU/fan with its horrendous 'helper'. Just not had so many minutes in the day where the fan runs so often, since updating to Sierra. Seems over the top. And I like YouTube and watch it a lot. It's a glitchy nightmare in Safari. Open to full screen and it returns to small screen, every single time I click full screen. Comments and sidebar take an age to download, and click page back it does weird things and shows desktop and other pages before it does go back. It's really bad for watching YouTube so fan on for Chrome instead. Not just a few problems on YT, but many.

Just googled rtprotectiondaemon which is using 98% CPU every few minutes and aggravating fan, but it tells me it's related to Malwarebytes. I turned off their Real Time Protection, but it still would appear to be running, if that's on? Tempted to bin Malwarebytes now
 
...Just googled rtprotectiondaemon which is using 98% CPU every few minutes and aggravating fan, but it tells me it's related to Malwarebytes. I turned off their Real Time Protection, but it still would appear to be running, if that's on? Tempted to bin Malwarebytes now
A good read in Malwarebytes Forum about the problem you have mentioned.
I use strictly the on-demand version of Malwarebytes for Mac.
 
rtprotectiondaemon only works on computers that were manufactured in Milwaukee, Wisconsin.

That's gone over this limey's head... sorry

A good read in Malwarebytes Forum about the problem you have mentioned.
I use strictly the on-demand version of Malwarebytes for Mac.

Thanks, I saw that on the search of it, and that's from 2017. I turned off Real Time from day one, and it was fine, only got MB a few weeks ago, I think this kicked in after their new update this week. It's still turned off, but they're obviously ignoring my settings. May be responsible for slowing down the browsers too. When you say 'on demand' version, I take it you mean you just switched off real time protection, as I've done? I'm going to delete it anyway because it's overly intrusive on CPU.
 
If you have not purchased Malwarebytes, it works in the premium (real-time) mode for 30 days, then automatically reverts to the on-demand version (which remains free). That does not use any system resources, unless you actually run a scan.
Free download (of Malwarebytes for Mac) comes with a 30-day trial of Premium.
 
That's gone over this limey's head... sorry
Thanks, I saw that on the search of it, and that's from 2017. I turned off Real Time from day one, and it was fine, only got MB a few weeks ago, I think this kicked in after their new update this week. It's still turned off, but they're obviously ignoring my settings. May be responsible for slowing down the browsers too. When you say 'on demand' version, I take it you mean you just switched off real time protection, as I've done? I'm going to delete it anyway because it's overly intrusive on CPU.
I have an older version, the first one for Mac which is on-demand by default.
(This part deleted).
Real-time AV protection can cause problems, so I am not fond of it either.
Have you checked Adguard?

Update: Just saw DeltaMac's post.
 
Can you add custom blocking rules with Pi-Hole? Do you use it with OpenVPN?

Sorry, that is beyond my sphere, not sure what that means, OpenVPN, although heard of it, no idea what it means.

If you have not purchased Malwarebytes, it works in the premium (real-time) mode for 30 days, then automatically reverts to the on-demand version (which remains free). That does not use any system resources, unless you actually run a scan.

Yeh, I saw that real time was free for first 30 days, but I stupidly assumed turning it off meant it's off. It even warns on the app it doesn't recommend that real time protect shouldn't be switched off, so I therefore thought it was off, as I have turned it off... So they're not being very honest

I have an older version, the first one for Mac which is on-demand by default.
(This part deleted).
Real-time AV protection can cause problems, so I am not fond of it either.
Have you checked Adguard?

Update: Just saw DeltaMac's post.

I've only just updated to Sierra from 10.6.8 after several years and most stuff on SL was pretty faultless. Finding Sierra laggy in every which way, Mail/Safari, YouTube on ALL browsers, and most apps and progs are slower than SL was on a SSD, so any real time stuff is something I'd avoid yes. I've only just started looking because of this attack. Only wanted it for manual scans. Only ever used old ClamXav before, which takes forever, and I don't know how accurate that one is. It still updates definitions, but it's very old version.

In fairness to Apple, not just Safari, even the latest Chrome is really laggy compared to the one I used on SL.
 
Peter Franks wrote:
"Just googled rtprotectiondaemon which is using 98% CPU every few minutes and aggravating fan, but it tells me it's related to Malwarebytes. I turned off their Real Time Protection, but it still would appear to be running, if that's on? Tempted to bin Malwarebytes now"

You don't need ANYTHING MORE THAN MalwareByte's "on demand" -- that is, it only checks things when you run it.
You DON'T want any kind of virus/malware detection that is "always on, running in the background".
That can cause more problems than it's worth.

My advice:
DELETE your current install of MalwareBytes.
Use "AppCleaner" (small, free app) to find all associated files, then move them to the trash and empty the trash.

Then...
Download MalwareBytes AGAIN, and THIS TIME, DON'T tinker with the defaults.
Just click the "scan now" button and nothing else.
That's all you need to do.
 
Peter Franks wrote:
"Just googled rtprotectiondaemon which is using 98% CPU every few minutes and aggravating fan, but it tells me it's related to Malwarebytes. I turned off their Real Time Protection, but it still would appear to be running, if that's on? Tempted to bin Malwarebytes now"

You don't need ANYTHING MORE THAN MalwareByte's "on demand" -- that is, it only checks things when you run it.
You DON'T want any kind of virus/malware detection that is "always on, running in the background".
That can cause more problems than it's worth.

My advice:
DELETE your current install of MalwareBytes.
Use "AppCleaner" (small, free app) to find all associated files, then move them to the trash and empty the trash.

Then...
Download MalwareBytes AGAIN, and THIS TIME, DON'T tinker with the defaults.
Just click the "scan now" button and nothing else.
That's all you need to do.

Honestly, that is all I did.
When you download it, the FREE 30 days Real Time protection is already on, and all I did was turn it off, BEFORE it was hogging CPU.
But despite it saying it's off, It's clearly on if that is hogging CPU?
I think I'll just download it when I need it.
 
Before you do that, just let the 30 day trial expire - - - and you still get to use Malwarebytes. It then stops using you (your system resources, that is)
 