Jamf Nation Community

We do have Sophos Cloud AV the security admin who manages says he can't block it (which I doubt is true). I just want to cover all .pkg or .app with MacKeeper in the name.

Not sure what to tell you. Here is Sophos Cloud detecting MacKeeper on a machine this morning.

And I didn't do anything special in my Sophos Cloud console. It's been detecting (and blocking most) PUPs for awhile now.

Ok thanks I'll pass this on

also like Damien said. Why are you blocking the pkg?

I'd suggest downloading it and figuring out what the binary is inside the app bundle. Then block that. Or blocking MacKeeper* but unchecking restrict exact process name.

Don't forget the user education aspect: no, you can't stop them from doing every single &^$&%!&^%# thing, but you can always at least communicate best practices: if it looks sketchy, it probably is; don't install 3rd-party extensions if you don't absolutely need them; Adobe Flash will be maintained by IT and available via Self Service, etc etc. Malware is a teachable leadership moment.

Malwarebytes and DetectX Swift are also options for endpoint security, although DetectX is only remediation, not active threat protection. (The Swift version, when licensed, has a command-line tool.)

You can also check for "MacKeeper" results inside ~/Library/Caches/, ~/Library/LaunchAgents/ and ~/Library/LaunchDaemons/. That may only show you past installations, but that could still be a useful follow-up.

I second @boberito. We use a wildcard (with asterisks on both ends of MacKeeper) and uncheck "restrict exact process name" and haven't had any issues.

And right there is why I’m troubled at giving end users admin rights...MacKeeper and fake Flash Players!!

We keep Flash up to date but people install the garbage anyway.

Fake flash can sort of be installed without admin rights. I’ve seen it a lot at schools where kids aren’t admins. It doesn’t do much since it doesn’t have access to anything other than that account but still will deliver pop ups and ads and nonsense.