I have been getting a large number of notifications regarding "LaunchDaemon created for persistence Highly suspicious persistence created". After doing some digging it appears that the issue comes up when the newest version of Chrome installs. It also seems like users are blocked from opening Chrome once it's updated.
Is anyone else seeing this? The install appears to be coming from Jamf as the binary says "/Applications/JamfAppInstallers/com.google.Chrome/finalize"
In Protect the file is /Library/LaunchDaemons/com.google.Chrome.finalize.plist and the error is Error: code object is not signed at all (-67062), so is this an issue originating from Google or is it a custom installer that Jamf is pushing out?
@JKingsnorth would you be able to post a sanitized JSON file of the Alert?
On a broader note, we've seen an influx of Alerts starting yesterday.
On this date, the Google Chrome package deployed via Jamf Pro App Installers has been modified to include a new LaunchDaemon called
Among other things, this new LaunchDaemon will help to better handle the application updates, making sure the app is not running before moving on.
Unfortunately, due to the name of this new LaunchDaemon starting with com.google, this has been flagged by Protect. If we dig a little bit more into the JSON file of the Alerts that Protect has been firing, we notice these:
"name": "ItemBinary", "value": "/Applications/JamfAppInstallers/com.google.Chrome/finalize", "valueType": "Binary"
In those specific cases, we can assume those are false positives, as they are triggered by the new Jamf App Installer process.
We've been evaluating this new deployment of App Installers and decided to move forward with renaming the LaunchDaemon so it will not interfere with Jamf Protect detection.
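For anyone bulk-triaging these alerts, here is a small added helper (my own example, not Jamf's code or part of Protect). It assumes the alert JSON carries a list of {"name", "value", "valueType"} entries like the ItemBinary entry quoted above (the top-level "items" key is an assumption), and that the Jamf App Installers finalize binaries live under /Applications/JamfAppInstallers/ as shown in the thread. It also parses the LaunchDaemon plist to confirm the program the daemon actually launches sits under that directory, rejecting absolute paths that try to escape it with "..". A path match only tells you the alert fits the App Installers pattern; the unsigned-binary finding (-67062) is still worth confirming against the package Jamf delivered.

```python
import json
import plistlib
from pathlib import PurePosixPath
from typing import Optional

# Directory Jamf Pro App Installers uses on disk (path quoted in the thread).
JAMF_APP_INSTALLERS_DIR = PurePosixPath("/Applications/JamfAppInstallers")


def path_is_under(path: str, parent: PurePosixPath) -> bool:
    """True only for an absolute path strictly inside `parent` with no '..' parts."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return parent in p.parents


def alert_item_binary(alert_json: str) -> Optional[str]:
    """Return the ItemBinary value from an alert, or None if absent.

    Assumes a top-level "items" list of {"name", "value", "valueType"} entries
    (the entry shape quoted in the thread; the "items" key is an assumption).
    """
    alert = json.loads(alert_json)
    for item in alert.get("items", []):
        if item.get("name") == "ItemBinary" and item.get("valueType") == "Binary":
            return item.get("value")
    return None


def classify_alert(alert_json: str) -> str:
    """Tag an alert as matching the Jamf App Installers pattern or needing review."""
    binary = alert_item_binary(alert_json)
    if binary and path_is_under(binary, JAMF_APP_INSTALLERS_DIR):
        return "likely_jamf_app_installer"
    return "needs_review"


def daemon_program_under_jamf_installer(plist_bytes: bytes) -> bool:
    """Parse a LaunchDaemon plist and check the program it launches.

    launchd accepts either "Program" or "ProgramArguments" (first element).
    """
    d = plistlib.loads(plist_bytes)
    program = d.get("Program")
    if program is None:
        args = d.get("ProgramArguments") or []
        program = args[0] if args else None
    return bool(program) and path_is_under(program, JAMF_APP_INSTALLERS_DIR)


# Constructed sample alert (not a real Protect export); the ItemBinary entry
# mirrors the one quoted in the thread.
SAMPLE_ALERT = json.dumps({
    "items": [
        {"name": "ItemPath",
         "value": "/Library/LaunchDaemons/com.google.Chrome.finalize.plist",
         "valueType": "Path"},
        {"name": "ItemBinary",
         "value": "/Applications/JamfAppInstallers/com.google.Chrome/finalize",
         "valueType": "Binary"},
    ]
})

# Constructed sample LaunchDaemon plist; the real one may carry other keys.
SAMPLE_PLIST = plistlib.dumps({
    "Label": "com.google.Chrome.finalize",
    "ProgramArguments": ["/Applications/JamfAppInstallers/com.google.Chrome/finalize"],
    "RunAtLoad": True,
})

# Constructed plist whose program path tries to escape the installer directory.
TRAVERSAL_PLIST = plistlib.dumps({
    "Label": "com.example.escape",
    "Program": "/Applications/JamfAppInstallers/../../tmp/finalize",
})

if __name__ == "__main__":
    print(classify_alert(SAMPLE_ALERT))
    print(daemon_program_under_jamf_installer(SAMPLE_PLIST))
    print(daemon_program_under_jamf_installer(TRAVERSAL_PLIST))
```

Feed it the alert JSON exported from Protect and the plist read from /Library/LaunchDaemons on an affected Mac; anything that comes back "needs_review" or False is not explained by the App Installers change and deserves a closer look.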