Has my macOS Sierra system been infected by unknown users?

macos mac malware macos-sierra

I noticed my system was running slow today and checked the list of system users in Terminal as a precaution. I found several users that I don’t recognize. Should I be concerned?

_applepay
_captiveagent
_ctkd
_datadetectors
_findmydevice
_gamecontrollerd
_hidd
_mbsetupuser
_mobileasset
_ondemand
_pcastagent
_pcastlibrary
_pcastserver
_wwwproxy
_xgridagent
_xgridcontroller
_xserverdocs

Apple's macOS has a number of built-in user accounts, with many of the system services running under dedicated user accounts. These special user accounts are prefixed with an underscore (_).

For example, _applepay is used for the Apple Pay daemon, and _findmydevice for the Find My Mac feature.

While these users are "users" to the system, they are special background users modern Unix-like systems use to keep processes contained and more-secure, and not quite the same as the user accounts you might login to your computer as.

Having a number of these pseudo-users is normal, and not itself a sign your system is compromised.


These “users” are not actual users—as in human users who are logged in—but rather they are called “daemon” users (aka: “service” accounts) created by the OS to manage processes and such in the background as part of normal OS operation. This is not idiosyncratic to macOS but rather a common practice of most any modern operating system (and perhaps a few older, not-so-modern operating systems).

You can see the full list of users on any macOS system by running this command in the Terminal:

dscl . -list /Users

On my macOS 10.12.6 (Sierra) install, I see this is output from that command:

_amavisd
_appleevents
_applepay
_appowner
_appserver
_ard
_assetcache
_astris
_atsserver
_avbdeviced
_calendar
_captiveagent
_ces
_clamav
_coreaudiod
_coremediaiod
_ctkd
_cvmsroot
_cvs
_cyrus
_datadetectors
_devdocs
_devicemgr
_displaypolicyd
_distnote
_dovecot
_dovenull
_dpaudio
_eppc
_findmydevice
_ftp
_gamecontrollerd
_geod
_hidd
_iconservices
_installassistant
_installer
_jabber
_kadmin_admin
_kadmin_changepw
_krb_anonymous
_krb_changepw
_krb_kadmin
_krb_kerberos
_krb_krbtgt
_krbfast
_krbtgt
_launchservicesd
_lda
_locationd
_lp
_mailman
_mbsetupuser
_mcxalr
_mdnsresponder
_mobileasset
_mysql
_netbios
_netstatistics
_networkd
_nsurlsessiond
_nsurlstoraged
_ondemand
_postfix
_postgres
_qtss
_sandbox
_screensaver
_scsd
_securityagent
_serialnumberd
_softwareupdate
_spotlight
_sshd
_svn
_taskgated
_teamsserver
_timezone
_tokend
_trustevaluationagent
_unknown
_update_sharing
_usbmuxd
_uucp
_warmd
_webauthserver
_windowserver
_www
_wwwproxy
_xcsbuildagent
_xcscredserver
_xserverdocs
daemon
jake
nobody
root

Related

How do I make HTTrack download at 15MBps?
How can I tell if my image is CMYK from Linux command line?
How to reset Bash on Mac OSX, .bash_profile corrupted and bash no longer works
linux shell wc -c count characters +1
How do I pipe output to date -d "value"?
How to find the PCs name in a batch script?
What is the safest and least expensive way to store 10 terabytes of data?
Ruby installation issues with RVM
How to install MSDOS from floppy to harddrive?
Is it better to always copy and delete, rather than move?
How to copy an ISO image onto USB with dd
regex : does not begin by "pattern"