Don’t you just hate silent automatic updates? Sometimes you don’t realise that they have taken place until something misbehaves or crashes. And you know that, one day, that fresh and innocent-looking property list quietly tucked away in a LaunchAgents or LaunchDaemons folder could turn out to be malicious.

One reason that I have installed Hazel is to keep a close watch on changes in those LaunchAgents and LaunchDaemons folders which are so useful to malware. Yesterday, Hazel showed how useful it is, when it detected a silent update arranged by one of the few remaining Adobe products I have installed, Acrobat (Pro, as used to be before we went all silly and CC/DC).

Midway through the morning, up popped a notification that a new property list had been installed in my /Library/LaunchAgents folder. With the absurd name com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist it could only be genuine or malicious. Your guess is as good as mine.

A click on Hazel’s notification opened the folder, and displayed the offending file, which looked to be an addition to run the Acrobat Update Helper buried in Adobe’s support folders. I checked those, and although the Acrobat Update Helper app itself hadn’t been updated, its .dylib and uninstaller had been. All four signatures looked good when checked using Objective-See’s What’s Your Sign?, and those signatures hadn’t come from Denton Rublaiev or similar, but from Adobe itself.

Hazel’s log gave me a good estimate of the time that this had happened:
2018-02-14 10:23:24.813 hazelworker[64473] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist: Rule Newly added matched.
2018-02-14 10:23:24.814 hazelworker[64473] Hazel Alert: com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist was added to /Library/LaunchAgents at 10:23

The update had also passed through a legitimate installation process. It was listed in Installations in System Information, but the information given there is so thin as to be almost useless.

As a third-party update, it didn’t leave much useful information about the installation, and isn’t of course listed in my app SystHist. But tagged onto the end of /Library/Receipts/InstallHistory.plist was an entry which identified the installer package as com.adobe.armdc.app.pkg, and confirmed that it had been installed by Apple’s installer.

A fuller account was in /var/log/install.log, which remains browsable in Console, and gave a blow-by-blow account of the running of the update’s install scripts.

So that silent automatic update appeared genuine in every respect, and there is not the slightest suggestion that it could have been malicious in any way.

Setting this up in Hazel couldn’t have been simpler. I just added three LaunchAgents and LaunchDaemons folders to its list of watched folders.

For each, there is a simple action which checks whether an item in the folder was added since Hazel’s last check. If it was, then Hazel displays a custom notification which tells me the name of the file, which folder it was added to, and when.

Anti-malware products can of course do the same. Either way, it’s protection worth the very modest cost of the tool.