One of the ways that Apple and third-party developers keep services running in OS X is to use launch agent and launch daemon scripts, which instruct the system launcher to run a specified program, script, or other routine at a designated time or after a specific system event.
For instance, if you use Activity Monitor to force-quit the “SystemUIServer” process responsible for handling the system menu extras (those items such as the wifi, volume, and battery status to the right of the menu bar), then this process will re-launch immediately and you will see your menus simply disappear and reappear.
This happens because the system launcher is instructed by a launch agent script (/System/Library/LaunchAgents/com.apple.SystemUIServer.plist) to detect this process is not running and then re-launch it immediately.
OS X contains two types of launcher scripts (launch agents and launch daemons), which are located in one of five potential directories in the system:
System launchers (for OS X services only):
Global launchers (for processes that affect all users):
User-specific launchers (optional, and for your user account only):
While the use of launcher scripts in these folders is convenient, unfortunately malware developers and those of other unwanted and intrusive software also use this approach to keep their software running on systems. They often install scripts in these folders that mimic the look of scripts from legitimate software companies.
Luckily the creation and installation of these scripts is primarily done when you purposefully install programs or update them, and neither OS X nor third-party programs will create them when running day-to-day tasks. Therefore, to help secure your system and inform you of potentially malicious installations of launcher scripts, you can set up a monitoring routine for the launcher script folders that lets you know when a script has been added.
This can be done using Apple’s own built-in AppleScript and Folder Actions:
Enable the AppleScript menu
Open the AppleScript Editor utility in the Applications > Utilities folder, and in this program’s preferences, check the box next to “Show Script Menu in menu bar.” The Applescript menu will look like a little curled document.
Enable Folder actions
Click the new AppleScript menu and choose “Configure Folder Actions” from the “Folder Actions” submenu. In the utility that opens, check the box to “Enable Folder Actions.”
Add a new-items folder action
In this same utility, click the plus button and then navigate to the folders mentioned above, and select them. When you do this, you will see the name of the folder listed in the left-hand column of the Folder Actions setup utility.
Note that the User-specific LaunchAgents folder does not exist by default; however, this can be created at any time, so to properly monitor it you should create an empty folder here. To do this, open the “Go” menu in the Finder and and choose “Library” (hold the Option key to reveal the library in this menu, if it is missing). Then create a new folder and name it “LaunchAgents” (all one word).
To add this new folder to the Folder Actions utility, when you click the plus button and bring up the box to select a folder, you can drag and drop the folder from a Finder window to this Open dialogue box, which will point the Open box to this folder’s location.
When finished adding folders, you should have five folders listed, three with the name “LaunchAgents” and two with the name “LaunchDaemons.”
Bind the “new item alert” to each folder
Click the first of the five folders in the column to the left, and then click the plus button under the column to the right. In the panel that appears, locate the script called “add – new item alert.scpt,” select it, and then click “Attach.”Repeat this last step for the remaining folders you added to the Folder Actions list.
When finished, if a new item is placed into one of the folders you have set to be monitors, the system will display an alert to inform you of the change. If you confirm to view the items, then the corresponding folder will be opened, with the new items selected. This will allow you to investigate the new items to determine if they are suspicious.
While I have discussed how to do this for the various LaunchAgents and LaunchDaemons folders on your system, you can also repeat these steps for other folders you would like to monitor as well. These can be more benign folders like the Fonts directories, or folders that contain more core-system features, such as the various Extensions folders to see if kernel extensions have been added to the system, or the StartupItems folder where some programs still make use of the system’s legacy startup items routines. A few of the full paths to these include the following:
Library folder roots:
CIRCL is a computer security group in Luxembourg. The initial version was released on 4/20/2012
Yes, CIRCL developed a program that sets this up, based on my initial publications of this routine. They credited me with the idea behind their work.
I noticed there are two different “add – new item…” scripts. Looking at the one without the additional “…without timeout” label shows that it will disappear/timeout in 30 seconds. Thus, if the action happens while I’m re-warming my coffee (60 seconds), I won’t see the dialog. Perhaps there will be a “Notification”? Perhaps I missed the reference to this in the article, which I’m too lazy to re-read…
Wait, I think one of my apps offered this “folder watching” option and I suspect it also added the “no timeout” script. It appears that it is only in ~/Library/Scripts/Folder Action Scripts! Probably the developer just deleted the ‘timeout’ property. Uhmn… no, they just removed “giving up after dialog_timeout” action in the script! Strange way to make it work, it wastes memory setting up a variable but never using it. Memory space is no longer a problem now that we all have more than 640K, right?! LOL!
Have been using this since you first wrote about it a few years ago.