True Exorcism Requires Deeper Incantations

[Alex continues with his tuneup of his MacBook Pro. The first installment is here, and continues with the second.

In this third installment, Alex tries to clear 4,000 viruses, finds hidden storage, and searches for OS clutter. Comments are welcomed at the end of this post. – Editor]

Last time, I thought the mysterious slow-downs of my MacBook Pro (MBP), running the latest version of MacOS (10.10.4), had been vanquished. Alas, no; the app-not-quite-hanging-but-not-responding and unkillable-app problems returned, prompting yet more investigation.

I was fairly sure I didn’t have a native MacOS virus problem; I don’t click on bad links, I don’t download doubtful software, I don’t visit sketchy parts of the Internet. Still, there are a lot of threats, as discussed here, and I was seeing glitches, like slow awaken-from-sleep, apps that suddenly didn’t respond, etc.

The Mac has some built-in protection: XProtect scans for certain malware, MacOS won’t run unsigned code without permission, and it’s UNIX under the covers so there are fewer attack surfaces. The Safari browser blocks known-bad plugins (Java and Flash have been particularly vulnerable, lately), too.

The Virus Hunt Continues

Still, it was time to resume the virus hunt, Just In Case. In its first run, Avast had scanned over 4 million files before complaining it couldn’t reach its malware engine and quitting the scan; I had put all 2,700 viruses, Trojans and other malware found in the “Virus Chest”, their name for quarantine.

Before consigning them, I checked as best I could that they were all in e-mails, bore only Windows-malicious code, and were therefore benign to the Mac. Avast’s “Infection Details” list is somewhat clunky:

[Screenshot: Avast “Infection Details” list]

As you can see, some lines show actual infection details; on others, you must click on the right-arrow to show them. I never did see any “status” information. You can’t sort the screen report, nor expand all of the “infection details” at once.

Since then, I’ve run Avast once again. Instead of claiming to be “100%” done after two hours, it topped out at “73%” after five, and kept going, through over 4.3 million files in 50 hours, finding over 4,000 viruses while still at “73%”. (The picture is from the results of the second scan.) An annoying ‘feature’: Avast doesn’t have a “pause scan” option, so you can’t park it while you run something else. I finally stopped the second scan, as I needed to reboot.

However, when I attempted to stash this second crop in the virus chest—all e – mail viruses again, and all apparently inoffensive to Macs—Avast skipped thousands of them. I couldn’t tell just how many, as there’s no consolidated reporting.

Last time I had a virus scare, I installed Sophos. So far I’m 0-for-2 on Mac anti-virus I like. I’d welcome recommendations from readers.

During my perusals of the virus record, I also realized that Avast was searching the “other” user login, and there’s another tale.

Looking Under the Covers

I inherited the computer from another user. I thought he’d removed all his files before he gave it to me, but it turns out not. It was time to investigate user accounts.

User accounts are managed in the Users & Groups panel (System Preferences | Users & Groups). Sure enough, there’s a second Admin-equivalent login, named “Alex Pournelle”, different from the primary one, named “Alexander Pournelle”. I discovered that right clicking on “Alex Pournelle” (or shift-click, if you don’t have a two-button mouse) brings up the Advanced Options tab:

[Screenshot: Advanced Options for the “Alex Pournelle” account]

Note the dire warning: This is serious and deep voodoo, which should not be toyed with needlessly.

Viewing it, though—I was careful to click cancel when done—confirmed that PeterX (internal account name) and “Alex Pournelle” (displayed full account name and home directory) were one and the same.
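The same check can be made read-only from Terminal, without opening Advanced Options. The script below is an added example, not part of the original article: it cross-references the output of three `dscl` queries to list every interactive account that is in the admin group, showing the internal short name next to the displayed full name. The sample data is constructed; the short name `alexander`, the `kid` account and all UIDs are assumptions.

```shell
#!/bin/sh
# Added example: list interactive accounts that hold admin rights.
# Inputs are the text output of three dscl queries (see bottom of script).
# Sample data is constructed: full names are from the article; the short
# name "alexander", the "kid" account and all UIDs are assumptions.
SAMPLE_UIDS='daemon          1
nobody          -2
root            0
Guest           201
alexander       501
PeterX          502
kid             503'
SAMPLE_NAMES='daemon          System Services
nobody          Unprivileged User
root            System Administrator
Guest           Guest User
alexander       Alexander Pournelle
PeterX          Alex Pournelle
kid             Kid Account'
SAMPLE_ADMIN='GroupMembership: root alexander PeterX'

# audit_admins UIDS NAMES ADMIN
# Prints "short name<TAB>UID<TAB>full name" for each admin with UID >= 501,
# the range macOS gives to accounts created in Users & Groups.
audit_admins() {
  printf '%s\n@@\n%s\n' "$1" "$2" | awk -v admins="$3" '
    BEGIN {
      n = split(admins, a, " ")
      for (i = 2; i <= n; i++) is_admin[a[i]] = 1  # a[1] is the "GroupMembership:" label
    }
    $0 == "@@" { in_names = 1; next }               # separator between the two listings
    !in_names  { uid[$1] = $2 + 0; next }           # first listing: short name -> UID
    {
      short = $1
      $1 = ""; sub(/^[ \t]+/, "")                   # remainder of the line is the full name
      if ((short in uid) && uid[short] >= 501 && (short in is_admin))
        printf "%s\t%s\t%s\n", short, uid[short], $0
    }'
}

if command -v dscl >/dev/null 2>&1; then            # on a Mac: query the live directory
  audit_admins "$(dscl . -list /Users UniqueID)" \
               "$(dscl . -list /Users RealName)" \
               "$(dscl . -read /Groups/admin GroupMembership)"
else                                                # elsewhere: run on the constructed sample
  audit_admins "$SAMPLE_UIDS" "$SAMPLE_NAMES" "$SAMPLE_ADMIN"
fi
```

On an inherited machine, any row whose short name or full name you do not recognize is an admin login someone else may still know the password to.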

Having confirmed that, I had to decide: Do I want to delete the user and everything in the account? I’d rather not; this is a second, admin-level user account which I could use to access the computer if need be. Better to delete the contents and not the user account.

User File Management

Go to Finder, open /Users. Another similarity between the Mac and Windows: Most common commands do have a keyboard equivalent, for those who prefer typing to clicking. Shift-Command-G brings up the “Go” dialog box (also available off the “Go” menu). Finder view of /Users shows the “Alex Pournelle” directory—red “X” in the lower right means it’s not viewable by me.

First, I had to give myself permission to view this directory. Under the covers, MacOS is still a UNIX variant, so I knew I could use the chown (Change Ownership) or chmod (Change Permissions) if I couldn’t do it another way. I’d rather not use such deep system oaths if I didn’t have to—memories of “rm *” deleting way, way more than I wanted to still rankle—so look for the GUI method.

The Get Info panel (Finder, click on the directory, File menu | Get Info—or just Command-I) shows most data about files and folders. It’s also where you set permissions, or in this case, add them. Sharing & Permissions, bottom of the Info panel, click on the “+”, add myself, then click on the gear drop-down menu, then “Apply to enclosed items…” Wait until all the red pluses on the subdirectories in “/Users/Alex Pournelle” disappear. I had to do this twice, before it took effect, for obscure reasons, but now I could see folders and files.

Astute Windows users will be comparing this to the “takeown” and “icacls” CLI commands, or to the Advanced Security Settings tab, and you’d be right—they’re quite similar. Note: If you never use an Active Directory network in Windows, or install multiple users on a single computer, you may never see these settings, but they’re there, and they can still cause havoc.

I also discovered that Apple Finder doesn’t give accurate sizes if you don’t have permission to view a folder—after I had access to the directory, the 15 GB of storage turned out to be more like 8, much of which was in Apple Mail.

I don’t want those e-mail messages around—they don’t belong to me, anyway—so it was time to delete them. In Finder, it’s off to /Users/Alex Pournelle/Library. Gut check: Do I want to delete the Mail directory? Yep, they’re not my files. Double-check that I’m in the correct user directory. Send the folders “Mail” and “Mail Downloads” to the trash, empty the trash, another 5 GB of space available.

[Next time: Alex figures out how to save more space, and concludes with Lessons Learned. – Editor]

2 comments on “True Exorcism Requires Deeper Incantations”

  1. It probably would have been faster to delete the account and recreate a second admin level account that’s “clean”
