@abuehler thanks, all sorted now. Did a test on my own MacBook and it reported back and the smart group alerted! Great script thanks everyone

I'm interested in the real world infection totals. Assuming most here are running at least some sort of Anti Virus and Malware solution.

Yesterday, I used the touch command to create one of the suspect files. The EA and Smart group reported it. Today that file is gone. Could it be the result of the releases of MRT 1.66 and XProtect 2129? I haven't check the logging from our security agents to determine whom is responsible.
Has anyone else observed the files are being deleted?
EDITED - Ignore my statements above. I the test file is in place on my test device.

@jhalvorson Any chance your file that was deleted was in /tmp?

@julhs the file I created was /Users/testusername/Library/Application Support/verx_updater

Hi All - Script work great for me. Can someone share steps how to delete those files through policy?

Will the script be like below?

!/bin/zsh

rm -R /Applications/tasker.app
rm -R/tmp/agent.sh
rm -R/tmp/version.json
and so on..... "/tmp/version.plist" "/tmp/agent" "/tmp/verx" "/Users/$user/Library/._insu" "/Users/$user/Library/Application Support/agent_updater/agent.sh" "/Users/$user/Library/Application Support/verx_updater/verx.sh" "/Users/$user/Library/Application Support/verx_updater" "/Users/$user/Library/Launchagents/agent.plist" "/Users/$user/Library/Launchagents/init_agent.plist" "/Users/$user/Library/Launchagents/verx.plist" "/Users/$user/Library/Launchagents/init_verx.plist"

Quick & d... modified EA and Removal Script to include all existing user accounts:
Removal Script scoped on infected clients:

#!/bin/bash

# Created 20210222 by Nathan Worster
# edited 20210304 by Rémi Brinckmann
# Portions adapted from @ehemmete 
# Last modified: 20210222

###############
# Variables   #
###############

useraccounts=$(ls /Users/ | grep -v Shared)
result=()
filesFound=0
exitCode=0

for user in $useraccounts
do
suspiciousFiles=(
    "/Applications/tasker.app"
    "/tmp/agent.sh"
    "/tmp/version.json"
    "/tmp/version.plist"
    "/tmp/agent"
    "/tmp/verx"
    "/Users/$user/Library/._insu"
    "/Users/$user/Library/Application Support/agent_updater/agent.sh"
    "/Users/$user/Library/Application Support/verx_updater/verx.sh"
    "/Users/$user/Library/Application Support/verx_updater"
    "/Users/$user/Library/Launchagents/agent.plist"
    "/Users/$user/Library/Launchagents/init_agent.plist"
    "/Users/$user/Library/Launchagents/verx.plist"
    "/Users/$user/Library/Launchagents/init_verx.plist"
)

###############
# Script      #
###############

for suspiciousFile in "${suspiciousFiles[@]}"; do
#echo "Looking for $suspiciousFile in User Profile of $user"
if [ -e "$suspiciousFile" ]; then
    filesFound=$(expr $filesFound + 1)
    infected+=("$suspiciousFile")
    echo "Found $suspiciousFile - trying to remove it"
    rm -rf "$suspiciousFile"
     if [[ $? -gt 0 ]]; then
        echo "ERROR: Could not remove $suspiciousFile"
        exitCode=1
        infected+=("$suspiciousFile")
     else
        echo "SUCCESS: Removed $suspiciousFile"
        cleaned+=("$suspiciousFile")
     fi
fi
done
done

if [ $exitCode -ne 0 ]; then
    echo "Files that could not be deleted: ${infected[@]}"
else
    echo "All Files removed: ${cleaned[@]}"
fi

exit $exitCode

Modified EA:

#!/bin/bash

# Created 20210222 by Nathan Worster
# edited 20210304 by Rémi Brinckmann
# Portions adapted from @ehemmete 
# Last modified: 20210222

###############
# Variables   #
###############

useraccounts=$(ls /Users/ | grep -v Shared)
result=()
filesFound=0

for user in $useraccounts
do
suspiciousFiles=(
    "/Applications/tasker.app"
    "/tmp/agent.sh"
    "/tmp/version.json"
    "/tmp/version.plist"
    "/tmp/agent"
    "/tmp/verx"
    "/Users/$user/Library/._insu"
    "/Users/$user/Library/Application Support/agent_updater/agent.sh"
    "/Users/$user/Library/Application Support/verx_updater/verx.sh"
    "/Users/$user/Library/Application Support/verx_updater"
    "/Users/$user/Library/Launchagents/agent.plist"
    "/Users/$user/Library/Launchagents/init_agent.plist"
    "/Users/$user/Library/Launchagents/verx.plist"
    "/Users/$user/Library/Launchagents/init_verx.plist"
)

###############
# Script      #
###############

for suspiciousFile in "${suspiciousFiles[@]}"; do
#echo "Looking for $suspiciousFile in User Profile of $user"
if [ -e "$suspiciousFile" ]; then
    filesFound=$(expr $filesFound + 1)
    result+=("$suspiciousFile")
    fi
done
done

if [ $filesFound -ne 0 ]; then
    echo "<result>"Yes: "${result[@]}</result>"
else
    echo "<result>No</result>"
fi

exit 0

How many people actually found infections?

So far I've found five, while our AV has detected one. Manually searching through each, I ended up edited the above to include the following directories:

~/Library/Application Support/com.tasks.updater/
~/Library/Application Support/com.hello.tasker/

5 out of 2,400 macs
Seen on 10.14.x-10.15.x

It would probably be useful to know fleet size also. I currently have not seen any infections out of about 300 machines.

@maristchris Using a script to detect I've seen zero. We also have SentinelOne so I don't know if that might have found something and dealt with it. I don't have access to that side of things to know.

Nothing here. About 150 Macs. Nothing in the McAfee EP either. Thanks for the scripts and EA above!

Appreciate the scripts.

Hi @rbrinckmann I used your Modified EA and now it is showing my whole Computers numbers that are enrolled... I think I have messed up something.. I tried to use the earlier EA @ncworster mentioned and it is still showing numbers of all enrolled machines. Any advice?

@agakhan_admin How is your Smart Group setup?

Try: name of your Extension Attribute

Operator: Like

Value: Yes

@atomczynski Thank you, Value was missing. I put it.
Further, now there were 2 MacBook that was detected earlier with the suspect files, the count it detected is "0" now. They are gone, not sure how. Any idea?