Nine41 Consulting | How to Recover from “Redirect-AVScanner.com” or Other Malware Highjacking Safari on Mac OS X

How to Recover from “Redirect-AVScanner.com” or Other Malware Highjacking Safari on Mac OS X

Over the weekend I was troubleshooting a machine in which Safari was being hijacked by a visual pop-up and an audible voice announcing that the machine had a "MAC iOS Alert".

The malware was completely taking over Safari and wouldn't allow any other tab to open.  The message on the screen said there was a security update to fix an SSL connection and that I just had to call the "Apple Support" number.  Even if you hit the OK button, you were stuck.  The only thing that could be done was a Force Quit on Safari.

Red flag alert!  Don’t call the number. 

I know those of you who are LANDESK admins won't do it, but for anyone else who may stumble upon this article: DO NOT call the number on the screen and DO NOT pay them any money.  The "SSL security update" is the lure; the page is a tech-support scam, not a message from Apple.

I looked at Apple's article on removing Mac Defender, but it was written for 10.6 and earlier and didn't help much.  My machine was on 10.10, so I kept searching and ended up using this article on StackExchange.

Basically, I deleted the following files:

  • ~/Library/Saved Application State/com.apple.Safari.savedState
  • ~/Library/Safari/LastSession.plist
  • ~/Library/Cookies (all cookies in the folder)

I then relaunched Safari and all was well; Safari was back to normal.  The hijacking page only lives in the restored session and its cookies, so removing those three items is enough to stop Safari reopening it on launch.

If you're a LANDESK customer and want to deploy a script to remediate more than one machine, copy the code below into a shell script.  Set the execute permissions on it and copy it to your distribution repository.

[code language="bash"]
#!/bin/sh
# Redirect-AVScanner Malware Removal.sh
# August 3, 2015
# These paths are per-user and ~ expands to the home directory of the
# account running the script, so run it as the affected user.
rm -rf ~/Library/Saved\ Application\ State/com.apple.Safari.savedState
rm -f ~/Library/Safari/LastSession.plist
rm -rfv ~/Library/Cookies/*
[/code]

Since these folder locations are inside the user's profile, a package pushed by the agent may not do what you expect: if the script runs as root, ~ expands to root's home directory rather than the logged-in user's, and on a machine with multiple profiles you would have to clean each one.  It may be best to create an optional package and publish it into Workspaces, so the affected user runs it from their own session.
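The following script is an added example, not the script from the original post and not LANDESK's code.  It does the same three deletions, but resolves the console user's home directory on macOS (via the owner of /dev/console and dscl, which are standard macOS tools) so it removes the right files even when a management agent runs it as root.  The function names `console_home` and `clear_safari_session`, the `--run` flag, and the assumption that the logged-in console user is the affected account are all mine; on non-macOS systems `console_home` simply falls back to $HOME so the cleanup function can be exercised anywhere.

```shell
#!/bin/sh
# Added example: clear Safari's restored session and cookies for the
# console user, so the hijacking page is not reopened on next launch.
# Assumes (as the post describes) the page lives only in the saved
# application state, LastSession.plist and the cookie store.
set -u

# Home directory of the GUI user. On macOS the owner of /dev/console is
# the logged-in user; elsewhere fall back to $HOME (assumption for testing).
console_home() {
    if [ "$(uname)" = "Darwin" ]; then
        user=$(stat -f %Su /dev/console)
        dscl . -read "/Users/$user" NFSHomeDirectory | awk '{print $2}'
    else
        printf '%s\n' "$HOME"
    fi
}

# Remove the three session artifacts under the given home directory.
# Returns 0 only if none of them remain afterwards.
clear_safari_session() {
    home=$1
    state="$home/Library/Saved Application State/com.apple.Safari.savedState"
    session="$home/Library/Safari/LastSession.plist"
    cookies="$home/Library/Cookies"

    rm -rf "$state"
    rm -f "$session"
    # Empty the cookie store rather than deleting the directory itself,
    # so Safari recreates files in it with the user's own ownership.
    if [ -d "$cookies" ]; then
        find "$cookies" -mindepth 1 -delete
    fi

    [ ! -e "$state" ] && [ ! -e "$session" ] && \
        [ -z "$(ls -A "$cookies" 2>/dev/null)" ]
}

# Run with --run on the affected Mac: quit Safari first (a running
# Safari would rewrite LastSession.plist on exit), then clean the
# console user's profile.
if [ "${1:-}" = "--run" ]; then
    if [ "$(uname)" = "Darwin" ]; then
        pkill -x Safari 2>/dev/null || true
    fi
    clear_safari_session "$(console_home)" && echo "Safari session cleared"
fi
```

Deploy it the same way as the one-liner script above; the difference is only that it targets the logged-in user's profile explicitly, so it is safe to run from an agent context as well as from the Workspaces portal.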

To create your Workspace package, use the following steps:

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menubar, press the New Package button and select New Macintosh Package.
  5. Give the package a name, I used #1 MacDefender Removal
  6. Provide a description if desired
  7. Set the primary file to the script (or the zip containing it) you previously transferred to your software distribution folder
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

With the malware removal package created, just schedule a task for deployment.

  1. Right click on the malware removal package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push.
  5. Set the radio button in the Portal Settings to either Recommended or Optional.  You'll also want to check the box for "Allow users to run as desired (keep in portal after selected)" so they can execute the script multiple times if need be.
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

[Screenshot: LANDESK Workspace MacDefenderRemoval]
