05-16-2017 08:23 AM - edited 05-16-2017 08:24 AM
Hi,
I have a weird error on a manager's machine when he tries to start iTunes. It also happens on my MacBook. It looks like /Library/Application Support/PaloAltoNetworks/*/libmodule.dylib is blocking iTunes from opening. There is no Security Event reported to ESM. He is running Mac OS 10.12.5 and I'm on 10.12.4.
Is there a way to make an exception for this when there is no actual ESM Traps alert?
Process: iTunes [14740]
Path: /Applications/iTunes.app/Contents/MacOS/iTunes
Identifier: com.apple.iTunes
Version: 12.6.1 (12.6.1)
Build Info: iTunes-1200012006001025~3
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: iTunes [14740]
User ID: 20925
Date/Time: 2017-05-16 10:21:54.280 -0500
OS Version: Mac OS X 10.12.4 (16E195)
Report Version: 12
Anonymous UUID: 8FF28F2B-0356-56D9-F764-975399B8737A
Sleep/Wake UUID: 9B70AC37-2755-4929-8165-94D0CF1C8651
Time Awake Since Boot: 380000 seconds
Time Since Wake: 320000 seconds
System Integrity Protection: enabled
Crashed Thread: 0
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: DYLD, [0x5] Code Signature
Application Specific Information:
dyld: launch, loading dependent libraries
Dyld Error Message:
Library not loaded: /Library/Application Support/PaloAltoNetworks/*/libmodule.dylib
Referenced from: /Applications/iTunes.app/Contents/MacOS/iTunes
Reason: no suitable image found. Did find:
/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib: code signature in (/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib) not valid for use in process using Library Validation: mapping process is a platform binary, but mapped file is not
/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib: code signature in (/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib) not valid for use in process using Library Validation: mapping process is a platform binary, but mapped file is not
05-18-2017 12:01 PM
Just in case, here is the reply from TAC:
It looks like Apple is now restricting injection to iTunes completely in their latest update.
We will be releasing a content update to address this (same as the policy below), but in the meantime, please create the condition and policy manually to address this:
To create a condition:
- log in to the ESM console
- go to Settings -> Conditions -> MacOS
- click on the menu/hamburger icon (3 short lines to the left of Rows, where you select the number of rows to display), then select Add
- select Bundle ID for the condition type
Name: iTunes > 12.6.0
Description: iTunes > 12.6.0
Bundle ID: com.apple.iTunes
Version comparison: Greater than
Version: 12.6.0
- click Save
To create the policy:
- go to Policies -> Exploit -> Application Protection Modules -> MacOS
- click on the hamburger/menu icon (3 short horizontal lines to the left of Rows, where you select the number of rows to display), then click Add
- select Dylib-Hijacking Protection, set Activation to OFF
- select ROP Mitigation, set Activation to OFF
- under the Processes tab, add iTunes to the selected Processes list
- under Conditions, add the condition created above to the Include list
- name the policy under the Name tab, then click Apply
Once the agent checks in, it should have the policy. Confirm if iTunes can now be launched.
05-19-2017 01:17 PM
Right. I got this from support and it fixed my issue once the Mac Traps agents checked in.
"We've been able to confirm that Apple has blocked all injection to iTunes as a security measure. As a workaround, please first create a condition, then a policy as follows:
Settings > Conditions
1. Add a condition for Mac OS
2. Name condition for iTunes > 12.6.0
3. Bundle ID: com.apple.iTunes
4. Version: > 12.6.0
This condition will be enacted if iTunes higher than 12.6.0 is installed on the machine.
Policy > Mac > Add
1. Disable Dylib Hijacking and ROP Mitigation modules.
2. In the conditions tab, select your new condition and apply."
This should also be addressed in the next content version.
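Added example, not code from this thread or from Palo Alto Networks: a small Python triage that reads the crash-report fields quoted in the first post, flags the dyld Library Validation rejection (platform binary refusing a non-platform dylib), and checks the crashed process against the same condition the TAC reply describes (Bundle ID com.apple.iTunes, version greater than 12.6.0). The sample report is constructed from the values in the thread; the `triage` and `condition_matches` names are this example's own.

```python
"""Triage a macOS crash report for a dyld Library Validation rejection."""
import re

# Constructed sample, trimmed to the lines the triage needs (values from the thread).
SAMPLE_REPORT = """\
Process: iTunes [14740]
Path: /Applications/iTunes.app/Contents/MacOS/iTunes
Identifier: com.apple.iTunes
Version: 12.6.1 (12.6.1)
OS Version: Mac OS X 10.12.4 (16E195)
System Integrity Protection: enabled
Exception Type: EXC_CRASH (SIGABRT)
Termination Reason: DYLD, [0x5] Code Signature
Dyld Error Message:
Library not loaded: /Library/Application Support/PaloAltoNetworks/*/libmodule.dylib
Referenced from: /Applications/iTunes.app/Contents/MacOS/iTunes
Reason: no suitable image found. Did find:
/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib: code signature in (/Library/Application Support/PaloAltoNetworks/*/libmodule.dylib) not valid for use in process using Library Validation: mapping process is a platform binary, but mapped file is not
"""

# Anchored at line start, so "OS Version:" and "Report Version:" do not match "Version:".
FIELD = re.compile(
    r"^(Identifier|Version|Termination Reason|Library not loaded|Referenced from):\s*(.+)$", re.M)

def parse_version(text):
    """'12.6.1 (12.6.1)' -> (12, 6, 1); tuples compare component by component."""
    return tuple(int(p) for p in text.split()[0].split("."))

def triage(report):
    """Extract the fields a defender needs and classify the dyld failure."""
    fields = {k: v.strip() for k, v in FIELD.findall(report)}
    rejected = "not valid for use in process using Library Validation" in report
    platform = "mapping process is a platform binary" in report
    return {
        "bundle_id": fields.get("Identifier"),
        "version": parse_version(fields["Version"]) if "Version" in fields else None,
        "blocked_library": fields.get("Library not loaded"),
        "host_binary": fields.get("Referenced from"),
        # [0x5] Code Signature is dyld's termination code for a signature problem
        "dyld_code_signature": fields.get("Termination Reason", "").startswith("DYLD, [0x5] Code Signature"),
        # Both strings present: the host is a platform binary and rejected a non-platform dylib
        "library_validation_reject": rejected and platform,
    }

def condition_matches(result, bundle_id="com.apple.iTunes", newer_than=(12, 6, 0)):
    """Mirror of the ESM condition: Bundle ID equal and Version 'Greater than'."""
    return (result["bundle_id"] == bundle_id and result["version"] is not None
            and result["version"] > newer_than)
```

A report that fails with a plain "image not found" (library genuinely missing) sets `library_validation_reject` to False, so the two causes can be told apart before touching any policy.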