You may have noticed that yesterday, 8 November, your Mac installed a silent pushed ‘update’ from Apple, named macOS Installer Notification. In case you’re puzzled, this is the best explanation that I can give.
When your App Store pane is set to Install system data files and security updates, you normally expect it to receive security updates, such as those for Gatekeeper, XProtect, MRT, etc., which I announce here, and urgent system patches. Apple has used it in the past to distribute important fixes to bugs in various versions of macOS/OS X.
In this case, Apple appears to have used it to download what looks like promotional material, to nudge those not yet running High Sierra to install the upgrade. It only appears to have been pushed out to Macs running versions of macOS prior to High Sierra.
Although listed in Installations as macOS Installer Notification, that is not what is actually installed. Instead, it creates a new folder at /Library/Bundles, and installs a small bundle there named OSXNotification.bundle. This is signed by Apple using its system installation certificate.
OSXNotification.bundle (not macOSNotification!) contains no code, just some resources, including the above icon, and a bunch of strings to support a notification which is timed to occur every week into the New Year. Its notification is intended to persuade you to upgrade now to High Sierra. It does not appear to serve any other, more useful, purpose.
I don’t know whether removing that bundle and the Bundles folder containing it will remove the notification safely; it may be that each week you will see an error message instead.
I don’t know how you feel about Apple using this mechanism to push us marketing material, but I am not impressed.
If your security protection software has detected this tampering with your /Library folder, then award it top marks. It is evidence of our weak security protection that such a bundle can get installed – admittedly using an Apple mechanism, Apple installer, and Apple certificate – without most of us being any the wiser. After all, this is the sort of thing that malware does, isn’t it?
Many thanks to Ben Spector, who kindly adds the following:
What I observed after deleting OSXNotification.bundle was that the daily nudges continued, just missing the badge/icon. I had a hunch that these zombie nudges were arising from some kind of scheduling queue that had not been emptied when I deleted the .bundle.
Based on a Stack Overflow question about removing apps from the Notifications Center (stackoverflow.com/questions/11993145), I found the SQLite database for notifications, including future scheduled notifications. It comprises a set of files named “db”, “db-wal”, and “db-shm”, which can be located with the Terminal command “$(getconf DARWIN_USER_DIR)com.apple.notificationcenter/db” and opened with a SQLite database browsing tool or a text editor using the UTF-8 encoding.
Scrolling through the contents of “db-wal” in TextEdit, I found maybe a couple dozen instances of the strings “Upgrade to macOS High Sierra” and “Enjoy the latest technologies and refinements to your favorite apps.” Those presumably correspond to future scheduled nudges.
I blew my opportunity to do any further research by killing the active instance of usernoted via Activity Monitor while I still had one of the database files open in TextEdit, whereupon the successor instance flagged the database as corrupt and rebuilt it. The new files are significantly smaller and don’t mention High Sierra, though, so I am hopeful that my bungling has at least flushed the remaining nudges from the queue.