Numerous "mughthesec" detected

I'm a user of Sophos Central Endpoint 10.0.0 on Mac (macOS Catalina 10.15.7).
There are numerous detections of the so-called "mughthesec" every day (see attached screenshots for example). It's very worrying if those mughthesec are harmful, or if they are harmless, then these detection warnings are very distracting. They are mostly under the /private/tmp/ directory. It's very time-consuming to manually delete them one by one.
I want to know what they are. How do I automatically clean them up?


This thread was automatically locked due to age.

Top Replies

  • Hi

    Could you please check under the Central dashboard? There is an action for every threat detection. Kindly see if it has been cleaned up or if it requires manual deletion. I would also suggest running a full system scan and checking it once.

    Shweta

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

     

  • Hi Shweta, thanks for responding. I'm pretty sure they require manual deletion. And these "Mughthesec" are newly and continuously produced every day, even after a full system scan. It's been very distracting. Can you offer some help with this situation?

  • Hi

    Could you please try removing those programs and extensions completely from your computer where you are seeing the detection?

    Shweta

    Community Support Engineer | Sophos Technical Support

  • Hi Shweta. Thanks for your suggestion. Fortunately, it worked. For future reference, I'm recording the whole picture as follows.

    I deleted the program or extension "UniversalWebResults" under those two ".../Library/Program Support/" directories. The "/Private/tmp/" ("tmp" for temporary) directory is regularly cleaned up by my operating system and therefore any "Mughthesec" in it also automatically disappears regularly.

    I've monitored for one week after the removal, and there's no "Mughthesec" detected anymore, so far.

    I actually recognize the name of this program/extension "UniversalWebResults". It was an annoying web browser extension that had bothered me for months. After I installed Sophos several weeks ago, at first, it only found "Mughthesec" under the "/Private/tmp/" directory, instead of finding the program/extension itself. Now I suspect that those temporary "Mughthesec", which had kept reproducing after my removals, had all been created by this program/extension. Since I hadn't removed the program itself at that time, they had kept reproducing. At the time I resorted to this forum for help, it was coincidentally the first time Sophos had detected the program/extension "UniversalWebResults" itself. Being tired and hopeless of failed removals, I didn't try removing them, until suggested to do so. And then it worked.

    In fact, I have a final quick question: what on earth is "Mughthesec"? Would you please answer this for me, thanks.

  • You have to delete unwanted apps and the “Any Search” browser extension, and unload and delete the Mughthesec launch agent (~/Library/LaunchAgents/com.Mughthesec.plist).

  • Hi

    Mughthesec is usually hidden as an Adobe Flash Player download that looks legitimate. It spreads under the file name player.dmg via malicious ads and popups on shady websites. This should help:

    https://www.bleepingcomputer.com/news/security/new-mac-adware-mughthesec-will-cause-serious-headaches/

    Shweta

    Community Support Engineer | Sophos Technical Support

  • I see. Thank you!
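
The replies above trace the recurring /private/tmp/ detections to a component that was still installed, and one reply names the launch agent ~/Library/LaunchAgents/com.Mughthesec.plist. The following read-only audit of a user's LaunchAgents folder is an added example, not part of the original thread or any Sophos tooling; the temp-directory heuristic is an assumption, and the plists in `demo()` are constructed, not real samples.

```python
import plistlib
import tempfile
from pathlib import Path

SUSPECT_NAMES = ("mughthesec", "universalwebresults")  # names reported in the thread
TEMP_PREFIXES = ("/private/tmp/", "/tmp/")  # assumption: agents running from temp dirs need review


def audit_launch_agents(home):
    """Return {plist filename: [reasons]} for agents under <home>/Library/LaunchAgents."""
    findings = {}
    for path in sorted((Path(home) / "Library" / "LaunchAgents").glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())
        except Exception:  # malformed or truncated plist
            job = None
        if not isinstance(job, dict):
            findings[path.name] = ["unreadable plist"]
            continue
        # launchd runs Program if set, otherwise the first ProgramArguments entry.
        commands = [str(v) for v in [job.get("Program"), *job.get("ProgramArguments", [])] if v]
        haystack = " ".join([path.name, str(job.get("Label", "")), *commands]).lower()
        reasons = [f"name matches '{n}'" for n in SUSPECT_NAMES if n in haystack]
        if any(c.startswith(TEMP_PREFIXES) for c in commands):
            reasons.append("runs from a temp directory")
        if reasons:
            findings[path.name] = reasons
    return findings


def demo():
    """Audit a constructed home directory; none of these plists are real samples."""
    constructed = {
        "com.Mughthesec.plist": {"Label": "com.Mughthesec",
                                 "ProgramArguments": ["/Users/Shared/constructed/agent"]},
        "com.example.helper.plist": {"Label": "com.example.helper",
                                     "ProgramArguments": ["/private/tmp/constructed-helper", "--run"]},
        "com.example.backup.plist": {"Label": "com.example.backup",
                                     "Program": "/usr/local/bin/constructed-backup"},
    }
    with tempfile.TemporaryDirectory() as home:
        agents = Path(home) / "Library" / "LaunchAgents"
        agents.mkdir(parents=True)
        for name, job in constructed.items():
            (agents / name).write_bytes(plistlib.dumps(job))
        (agents / "broken.plist").write_bytes(b"not a plist")
        return audit_launch_agents(home)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

On a real Mac, `audit_launch_agents(Path.home())` lists the agents to review; it only reads the plists and changes nothing.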