Traps for Mac DyLibModule blocking iTunes

L3 Networker

Traps for Mac DyLibModule blocking iTunes

Hi,

 

I have a weird error on a manager's machine when he tries to start iTunes. It also happens on my MacBook. It looks like the /Library/Application Support/PaloAltoNetworks/*/libmodule.dylib is blocking iTunes from opening. There is no Security Event reported to ESM. He is running Mac OS 10.12.5 and I'm on 10.12.4.

 

Is there a way to make an exception for this when there is no actual ESM traps alert? 

 

Process:               iTunes [14740]
Path:                  /Applications/iTunes.app/Contents/MacOS/iTunes
Identifier:            com.apple.iTunes
Version:               12.6.1 (12.6.1)
Build Info:            iTunes-1200012006001025~3
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           iTunes [14740]
User ID:               20925

Date/Time:             2017-05-16 10:21:54.280 -0500
OS Version:            Mac OS X 10.12.4 (16E195)
Report Version:        12
Anonymous UUID:        8FF28F2B-0356-56D9-F764-975399B8737A

Sleep/Wake UUID:       9B70AC37-2755-4929-8165-94D0CF1C8651

Time Awake Since Boot: 380000 seconds
Time Since Wake:       320000 seconds

System Integrity Protection: enabled

Crashed Thread:        0

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    DYLD, [0x5] Code Signature

Application Specific Information:
dyld: launch, loading dependent libraries

Dyld Error Message:
  Library not loaded: /Library/Application Support/PaloAltoNetworks/*/libmodule.dylib
  Referenced from: /Applications/iTunes.app/Contents/MacOS/iTunes
  Reason: no suitable image found.  Did find:
	/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib: code signature in (/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib) not valid for use in process using Library Validation: mapping process is a platform binary, but mapped file is not
	/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib: code signature in (/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib) not valid for use in process using Library Validation: mapping process is a platform binary, but mapped file is not

Binary Images:
       0x10c0cb000 -        0x10d9d6fef  com.apple.iTunes (12.6.1 - 12.6.1) <9FF40F8E-75C3-35DD-A7B2-FF7D5C85C625> /Applications/iTunes.app/Contents/MacOS/iTunes
       0x10ddc2000 -        0x10de46ff7  com.apple.iTunes.iPodUpdater (12.5.0 - 12.5.0) <6B0DDCFB-E2B9-3571-9367-4F3B051865D3> /Applications/iTunes.app/Contents/Frameworks/iPodUpdater.framework/Versions/A/iPodUpdater
       0x10ded1000 -        0x10ded6ff3  com.apple.PIP (1.0 - 50.2) <27DB5780-10CE-3CDA-A363-AB9BD02098DC> /System/Library/PrivateFrameworks/PIP.framework/Versions/A/PIP
       0x10dee3000 -        0x10e0a4fff +libgnsdk_dsp.3.06.1.dylib (3.6.1) <EC2BBC33-8463-3C4A-BFF7-3A66DDC8D2BF> /Applications/iTunes.app/Contents/Frameworks/libgnsdk_dsp.3.06.1.dylib
       0x10e0bf000 -        0x10e217ff7 +libgnsdk_manager.3.06.1.dylib (3.6.1) <F71695A1-CB46-372F-A8DE-2EFCD9A06767> /Applications/iTunes.app/Contents/Frameworks/libgnsdk_manager.3.06.1.dylib
       0x10e2d9000 -        0x10e325ff7 +libgnsdk_musicid.3.06.1.dylib (3.6.1) <2D7CA505-0F66-3528-AE7C-719B58B827F9> /Applications/iTunes.app/Contents/Frameworks/libgnsdk_musicid.3.06.1.dylib
       0x10e3bd000 -        0x10e408fff +libgnsdk_submit.3.06.1.dylib (3.6.1) <D302DD68-8BB0-3FA1-8C16-75D4C08EABC2> /Applications/iTunes.app/Contents/Frameworks/libgnsdk_submit.3.06.1.dylib
       0x110fd9000 -        0x111016dc7  dyld (433.5) <8239D0D7-66F6-3C44-A77F-586F74525DA3> /usr/lib/dyld
    0x7fff773de000 -     0x7fff773e2ffb  com.apple.agl (3.3.1 - AGL-3.3.1) <EEB77D74-9B6B-331F-B103-5A62A029BCE2> /System/Library/Frameworks/AGL.framework/Versions/A/AGL
    0x7fff773e3000 -     0x7fff775a4fff  com.apple.avfoundation (2.0 - 1187.36) <474E9FF4-4A97-3D48-8D4F-46FD3CADBBD6> /System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation
    0x7fff77648000 -     0x7fff77711ff3  com.apple.AVKit (1.1 - 356.12) <BB0FC855-987B-3B02-8940-9CF13E862539> /System/Library/Frameworks/AVKit.framework/Versions/A/AVKit
    0x7fff77712000 -     0x7fff77712fff  com.apple.Accelerate (1.11 - Accelerate 1.11) <E559CE70-1A9A-3C5C-9FB7-C51FDF82F03C> /System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate
    0x7fff786f0000 -     0x7fff794c9ffb  com.apple.AppKit (6.9 - 1504.82.104) <C295FF09-9984-34C3-953B-B263EF2107AB> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
    0x7fff794db000 -     0x7fff794dbfff  com.apple.ApplicationServices (48 - 48) <847E54B5-DEA4-3B50-93CE-4FC67789F179> /System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
    0x7fff799fc000 -     0x7fff79c08fff  com.apple.audio.toolbox.AudioToolbox (1.14 - 1.14) <6EEF498D-8233-3622-B34B-49FDD9D4DF14> /System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox
    0x7fff79c09000 -     0x7fff79c09fff  com.apple.audio.units.AudioUnit (1.14 - 1.14) <3D374973-8632-3F15-982C-E0508E6E5B1A> /System/Library/Frameworks/AudioUnit.framework/Versions/A/AudioUnit
    0x7fff79d72000 -     0x7fff7a14cff7  com.apple.CFNetwork (811.4.18 - 811.4.18) <9CE329E8-6177-3474-976D-F5C63FC875CD> /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork
    0x7fff7a166000 -     0x7fff7a166fff  com.apple.Carbon (154 - 157) <7F6DA3B9-CAE8-3F75-B06A-CC710244970F> /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon
    0x7fff7a61e000 -     0x7fff7a61efff  com.apple.Cocoa (6.11 - 22) <85EDFBE1-75F0-369E-8CA8-C6A639B98FA6> /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa
    0x7fff7a768000 -     0x7fff7a7f5fff  com.apple.audio.CoreAudio (4.3.0 - 4.3.0) <184D9C49-248F-3374-944C-FD1A99A6B32E> /System/Library/Frameworks/CoreAudio.framework/Versions/A/CoreAudio
    0x7fff7abb3000 -     0x7fff7b04cff7  com.apple.CoreFoundation (6.9 - 1349.65) <F79384D1-FA3F-38CA-A847-B2625EBB790E> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
    0x7fff7b04d000 -     0x7fff7b6cffff  com.apple.CoreGraphics (2.0 - 1070.22) <3C0EEAC8-2475-38BD-81DC-C1F7F6C8E82F> /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics
    0x7fff7ba78000 -     0x7fff7ba78fff  com.apple.CoreServices (775.19 - 775.19) <8AA95E32-AB13-3792-B248-FA150D8E6583> /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
    0x7fff7c1a1000 -     0x7fff7c2edff3  com.apple.CoreText (352.0 - 544.12) <1ED17C4A-9E2D-3537-8C5F-FB675492A002> /System/Library/Frameworks/CoreText.framework/Versions/A/CoreText
    0x7fff7c2ee000 -     0x7fff7c323ff3  com.apple.CoreVideo (1.8 - 235.3) <AC11D5FB-C77B-34F5-B942-F698E84C229F> /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo
    0x7fff7c3d4000 -     0x7fff7c492ff7  com.apple.DiscRecording (9.0.3 - 9030.4.5) <88544E99-217A-33D9-8AC7-F54D2716658D> /System/Library/Frameworks/DiscRecording.framework/Versions/A/DiscRecording
    0x7fff7c493000 -     0x7fff7c498fff  com.apple.DiskArbitration (2.7 - 2.7) <A4DCD470-D8EA-37E9-BDCA-A2B469754C12> /System/Library/Frameworks/DiskArbitration.framework/Versions/A/DiskArbitration
    0x7fff7c62a000 -     0x7fff7c9d0ff3  com.apple.Foundation (6.9 - 1349.64) <49C8DA40-9E5B-33F9-B092-F50115B59E95> /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
    0x7fff7c9d1000 -     0x7fff7c9fbff7  com.apple.GLKit (1.0 - 87) <1BB39C18-D067-3468-B01E-7099F98DF8D7> /System/Library/Frameworks/GLKit.framework/Versions/A/GLKit
    0x7fff7cb91000 -     0x7fff7cc26fff  com.apple.framework.IOKit (2.0.2 - 1324.50.21) <BA7DC917-35A9-3D1B-BBEC-ADF4495A166D> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
    0x7fff7cc80000 -     0x7fff7cddffe7  com.apple.ImageIO.framework (3.3.0 - 1599.7) <2BDE099C-94BA-390E-9CB5-6BE969532EB6> /System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO
    0x7fff7d0d1000 -     0x7fff7dcd9ff3  com.apple.JavaScriptCore (12603 - 12603.1.30.0.34) <42993DA4-E18A-3A41-86F8-23A6656273F9> /System/Library/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore
    0x7fff7fbf2000 -     0x7fff7fc00fff  com.apple.opengl (14.0.16 - 14.0.16) <2970D284-D6BD-3727-AA74-2697AE676952> /System/Library/Frameworks/OpenGL.framework/Versions/A/OpenGL
    0x7fff7fc9d000 -     0x7fff7fde4fff  com.apple.QTKit (7.7.3 - 2978.7) <4A9519EF-54D5-3537-86A9-329FAC6AB067> /System/Library/Frameworks/QTKit.framework/Versions/A/QTKit
    0x7fff7fde5000 -     0x7fff8004fff7  com.apple.imageKit (3.0 - 1023) <412DD8C9-16DE-3715-9E60-76E30A9DB009> /System/Library/Frameworks/Quartz.framework/Versions/A/Frameworks/ImageKit.framework/Versions/A/ImageKit
    0x7fff80751000 -     0x7fff80751fff  com.apple.quartzframework (1.5 - 21) <09455972-8A33-3D61-B193-BA7E7CF984CA> /System/Library/Frameworks/Quartz.framework/Versions/A/Quartz
    0x7fff80752000 -     0x7fff80952fff  com.apple.QuartzCore (1.11 - 453.38) <8B771CD0-F78A-30EA-AD88-F65960528A5B> /System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
    0x7fff80eb9000 -     0x7fff811bafff  com.apple.security (7.0 - 57740.51.3) <E8E40839-4F2C-3954-9870-9F9BA185BC81> /System/Library/Frameworks/Security.framework/Versions/A/Security
    0x7fff815e5000 -     0x7fff81654ff7  com.apple.SystemConfiguration (1.14 - 1.14) <A4B97859-CB45-3910-9785-0CAF015B46BC> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
    0x7fff82f78000 -     0x7fff83323ffb  com.apple.WebKit (12603 - 12603.1.30.0.34) <3D972E7D-1BC6-37CB-9ACA-AB1D81D468A0> /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit
    0x7fff83324000 -     0x7fff8336fff7  com.apple.AOSAccounts (1.3.1 - 63.0.6) <8597759B-0A89-32D0-8A9D-2EAD956D2A1E> /System/Library/PrivateFrameworks/AOSAccounts.framework/Versions/A/AOSAccounts
    0x7fff83b2c000 -     0x7fff83b5fffb  com.apple.avfoundationcf (2.0 - 247.1) <F84668A7-D090-3440-8B1D-6DB42289D8EB> /System/Library/PrivateFrameworks/AVFoundationCF.framework/Versions/A/AVFoundationCF
    0x7fff8408e000 -     0x7fff840a9fff  com.apple.aps.framework (4.0 - 4.0) <6CA07CDF-1E35-34E9-95BF-BD565FF42BAD> /System/Library/PrivateFrameworks/ApplePushService.framework/Versions/A/ApplePushService
    0x7fff8453e000 -     0x7fff84553ff7  com.apple.BiometricKit (1.0 - 100.99) <FF3B4FA5-CE9F-31D4-81A0-3618DDE68F0F> /System/Library/PrivateFrameworks/BiometricKit.framework/Versions/A/BiometricKit
    0x7fff868ee000 -     0x7fff86a2dfe7  com.apple.coreui (2.1 - 431.3) <2E8FEC10-FC5B-3782-92DA-A85C24B7BF7C> /System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI
    0x7fff8a3d6000 -     0x7fff8a536ffb  com.apple.MediaRemote (1.0 - 1) <5D7E9985-FB99-3F6C-87A1-73282D674590> /System/Library/PrivateFrameworks/MediaRemote.framework/Versions/A/MediaRemote
    0x7fff8c6ab000 -     0x7fff8c911ff3  com.apple.SkyLight (1.600.0 - 160.40) <BA7B7ACC-1B91-3E87-92EC-1C2969EF7088> /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/SkyLight
    0x7fff8cdc1000 -     0x7fff8ce2cff3  com.apple.StoreFoundation (1.0 - 582.5) <FB02BCFA-BBE3-39A8-9EA5-718D3F3E7CAE> /System/Library/PrivateFrameworks/StoreFoundation.framework/Versions/A/StoreFoundation
    0x7fff8e4c4000 -     0x7fff8e584ff7  com.apple.ViewBridge (282 - 282) <71C6F456-E63F-3465-BCC7-377D29CF817D> /System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/ViewBridge
    0x7fff8eaa1000 -     0x7fff8eaa5fff  com.apple.iPod (1.7 - 20) <ECAAB770-8181-3B50-97DC-1F10D094B7EF> /System/Library/PrivateFrameworks/iPod.framework/Versions/A/iPod
    0x7fff8edf5000 -     0x7fff8edf6ffb  libSystem.B.dylib (1238.51.1) <D9B20A4F-87BC-36CB-9405-80E105666725> /usr/lib/libSystem.B.dylib
    0x7fff8ef2f000 -     0x7fff8ef85ff7  libc++.1.dylib (307.5) <0B43BB5D-E6EB-3464-8DE9-B41AC8ED9D1C> /usr/lib/libc++.1.dylib
    0x7fff8f4ef000 -     0x7fff8f714ffb  libicucore.A.dylib (57163.0.1) <325E1C97-1C45-3A7E-9AFB-D1328E31D879> /usr/lib/libicucore.A.dylib
    0x7fff8faa3000 -     0x7fff8fe75047  libobjc.A.dylib (709) <DC77AA6E-A4E4-326D-8D7F-82D63AA88F99> /usr/lib/libobjc.A.dylib
    0x7fff902a1000 -     0x7fff902b2ff3  libz.1.dylib (67) <46E3FFA2-4328-327A-8D34-A03E20BFFB8E> /usr/lib/libz.1.dylib

Model: MacBookPro12,1, BootROM MBP121.0167.B24, 2 processors, Intel Core i7, 3.1 GHz, 16 GB, SMC 2.28f7
Graphics: Intel Iris Graphics 6100, Intel Iris Graphics 6100, Built-In
Memory Module: BANK 0/DIMM0, 8 GB, DDR3, 1867 MHz, 0x02FE, 0x4544464232333241314D412D4A442D460000
Memory Module: BANK 1/DIMM0, 8 GB, DDR3, 1867 MHz, 0x02FE, 0x4544464232333241314D412D4A442D460000
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x133), Broadcom BCM43xx 1.0 (7.21.171.124.1a2)
Bluetooth: Version 5.0.4f18, 3 services, 27 devices, 1 incoming serial ports
Network Service: Display Ethernet, Ethernet, en5
Network Service: Wi-Fi, AirPort, en0
PCI Card: pci11c1,5901, IEEE 1394 Open HCI, Thunderbolt@190,0,0
PCI Card: Apple 57761-B0, Ethernet Controller, Thunderbolt@191,0,0
PCI Card: pci12d8,400e, USB Open Host Controller, Thunderbolt@194,0,0
PCI Card: pci12d8,400e, USB Open Host Controller, Thunderbolt@194,0,1
PCI Card: pci12d8,400f, USB Enhanced Host Controller, Thunderbolt@194,0,2
Serial ATA Device: APPLE SSD SM0512G, 500.28 GB
USB Device: USB 3.0 Bus
USB Device: Bluetooth USB Host Controller
USB Device: USB 2.0 Bus
USB Device: Hub
USB Device: USB Optical Mouse
USB Device: FaceTime HD Camera (Display)
USB Device: Apple Thunderbolt Display
USB Device: QuickFire Rapid keyboard
USB Device: Display Audio
Thunderbolt Bus: MacBook Pro, Apple Inc., 27.1
Thunderbolt Device: Thunderbolt Display, Apple Inc., 1, 26.2
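The crash report above is the whole story: "Termination Reason: DYLD, [0x5] Code Signature" plus the "Library Validation: mapping process is a platform binary, but mapped file is not" line means the OS loader, not the Traps agent, refused to map the agent's non-Apple-signed dylib into an Apple-signed process, which is why nothing shows up in ESM. The following is an added triage helper, not code from this thread or from Palo Alto Networks: it parses the dyld error section of a macOS 10.12-era crash report (the two sample reports are constructed, the first from the fields quoted in the post) and separates a Library Validation policy block from an ordinary missing-library failure.

```python
"""Triage a macOS crash report for dyld load failures caused by code-signing
policy.  Added example, not part of the forum post or of any Palo Alto
Networks tooling; sample reports are constructed and the parser only knows
the text layout of macOS 10.12-era crash reports."""
import re
from dataclasses import dataclass, field

# Constructed sample 1: the relevant fields of the iTunes report in the thread.
LIBRARY_VALIDATION_SAMPLE = """\
Process:               iTunes [14740]
Path:                  /Applications/iTunes.app/Contents/MacOS/iTunes
Identifier:            com.apple.iTunes
Version:               12.6.1 (12.6.1)
Exception Type:        EXC_CRASH (SIGABRT)
Termination Reason:    DYLD, [0x5] Code Signature

Dyld Error Message:
  Library not loaded: /Library/Application Support/PaloAltoNetworks/*/libmodule.dylib
  Referenced from: /Applications/iTunes.app/Contents/MacOS/iTunes
  Reason: no suitable image found.  Did find:
\t/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib: code signature in (/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib) not valid for use in process using Library Validation: mapping process is a platform binary, but mapped file is not

"""

# Constructed sample 2: a plain missing-dependency failure, for contrast.
MISSING_LIBRARY_SAMPLE = """\
Process:               demo [4242]
Identifier:            com.example.demo
Version:               1.0 (1)
Termination Reason:    DYLD, [0x1] Library missing

Dyld Error Message:
  Library not loaded: /usr/local/lib/libfoo.dylib
  Referenced from: /Applications/Demo.app/Contents/MacOS/demo
  Reason: image not found

"""

@dataclass
class DyldFailure:
    process: str
    identifier: str
    version: str
    termination_reason: str
    library: str
    referenced_from: str
    candidates: list = field(default_factory=list)  # (path, dyld reason) pairs

    @property
    def library_validation_block(self) -> bool:
        """True when dyld found the file but Library Validation refused to map it."""
        return any("Library Validation" in reason for _, reason in self.candidates)

    @property
    def third_party_into_apple_process(self) -> bool:
        """Non-system dylib wired into a com.apple.* process: injection, not a normal dependency."""
        return (self.identifier.startswith("com.apple.")
                and not self.library.startswith(("/System/", "/usr/lib/")))

HEADER_RE = re.compile(r"^(Process|Identifier|Version|Termination Reason):\s+(.*)$", re.M)
DYLD_BLOCK_RE = re.compile(r"^Dyld Error Message:\n(.*?)(?:\n\n|\Z)", re.S | re.M)

def parse_crash_report(text: str):
    """Return a DyldFailure, or None if the report has no dyld error section."""
    headers = dict(HEADER_RE.findall(text))
    block = DYLD_BLOCK_RE.search(text)
    lib = re.search(r"Library not loaded:\s*(.+)", block.group(1)) if block else None
    ref = re.search(r"Referenced from:\s*(.+)", block.group(1)) if block else None
    if not (block and lib and ref):
        return None
    candidates = []
    for line in block.group(1).splitlines():
        if line.startswith("\t"):  # "Did find:" entries are tab-indented
            path, _, reason = line.strip().partition(": ")
            candidates.append((path, reason))
    return DyldFailure(
        process=headers.get("Process", "?").split(" [")[0],
        identifier=headers.get("Identifier", "?"),
        version=headers.get("Version", "?"),
        termination_reason=headers.get("Termination Reason", "?"),
        library=lib.group(1).strip(),
        referenced_from=ref.group(1).strip(),
        candidates=candidates,
    )

def classify(failure: DyldFailure) -> str:
    """Coarse verdict on why dyld aborted the launch."""
    if failure.library_validation_block:
        return "library-validation"  # OS code-signing policy, not an EDR detection
    if "Code Signature" in failure.termination_reason:
        return "code-signature"      # some other signature problem
    if not failure.candidates:
        return "library-missing"     # nothing found on disk at all
    return "other"

def summarize(text: str) -> str:
    f = parse_crash_report(text)
    if f is None:
        return "no dyld failure in report"
    note = " (third-party library in an Apple-signed process)" if f.third_party_into_apple_process else ""
    return f"{f.process} {f.version}: {classify(f)} while loading {f.library}{note}"

if __name__ == "__main__":
    for sample in (LIBRARY_VALIDATION_SAMPLE, MISSING_LIBRARY_SAMPLE):
        print(summarize(sample))
```

Run it over a report from ~/Library/Logs/DiagnosticReports and a "library-validation" verdict on a com.apple.* process tells you the right fix is an exclusion or policy change for the injecting product (as the reply below from TAC does), not a signature repair on the dylib.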

 

L1 Bithead

Re: Traps for Mac DyLibModule blocking iTunes

Just in case, here is the reply from TAC:

It looks like Apple is now restricting injection to iTunes completely in their latest update.
We will be releasing a content update to address this (same as the policy below) but in the meantime, Please create the condition and policy manually to address this:

to create a condition
- login to the ESM console
- go to Settings -> Conditions -> MacOS
- click on the menu/hamburger icon (it's 3 short lines to the left of Rows, where you select the number of rows to display), then select Add
- select Bundle ID for the condition type
Name: iTunes > 12.6.0
Description: iTunes >12.6.0
Bundle ID: com.apple.iTunes
version comparison: Greater than
Version: 12.6.0
- click Save

To create the policy
- go to Policies -> Exploit ->Application Protection Modules -> MacOS
- click on the hamburger/menu icon, which looks like 3 short horizontal lines to the left of Rows where you select the number of rows to display, then click Add
- select Dylib-Hijacking Protection , set Activation to OFF
- Select ROP Mitigation, set Activation to OFF
- under Processes tab, add itunes to the selected Processes list
- under Conditions, add the condition created above to the Include list
- name the policy under Name tab then click Apply

Once the agent checks in, it should have the policy. Confirm if iTunes can now be launched.

L3 Networker

Re: Traps for Mac DyLibModule blocking iTunes

Right. I got this from support and it fixed my issue once the Mac Traps agents checked in.

 

"We've been able to confirm that Apple has blocked all injection to iTunes as a security measure. As a workaround, please first create a condition, then a policy as follows:

Settings > Conditions
1. Add a condition for Mac OS
2. Name condition for iTunes > 12.6.0
3. Bundle ID: com.apple.iTunes
4. Version: > 12.6.0

This condition will be enacted if iTunes higher than 12.6.0 is installed on the machine.

Policy > Mac > Add
1. Disable Dylib Hijacking and ROP Mitigation modules.
2. In the conditions tab, select your new condition and apply."


This should also be addressed in the next content version. 
