Are my MacBook updates managed by swscan.apple.com?

More info.

I presume you mean this message? (You left out the .com).

Further digging says that address is for Apple's update server. In which case, it would be easiest to click the Restore Defaults button.

But, and while this is 2014 old news, a similar message used to be part of the iWorm Trojan. This post from past forum member Linc Davis may not apply, but you should probably read it.

-----------------------------------------------

You installed the "iWorm" trojan. The following procedure may leave a few small files behind, but it will permanently deactivate the trojan, as long as you never reinstall it.

"iWorm" is known to be distributed via BitTorrent in the form of a pirated Adobe product. If you've ever downloaded any software from a torrent, delete it. I suggest you delete the torrent client as well, to avoid making the same mistake again. If you know of any other way in which you might have been infected, please give details. That information may help others.

While "iWorm" was present, your computer may have been under the remote control of criminals. Change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.

Others may tell you that you should erase the startup volume, reinstall OS X, and restore only user data from a backup in order to be sure that you're rid of the malware. All other software would then have to be reinstalled from fresh downloads or original media. You can do that if you wish, but I've seen no evidence that it's necessary. If you choose that option, you can skip the rest of this comment. Ask for guidance if you need it.

Malware is always changing to get around the defenses against it. These instructions are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data before proceeding. If you have more than one user account, you must be logged in as an administrator.

Step 1

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchDaemons/com.JavaW.plist

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "com.JavaW.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash. Then delete the following item in the same way:

/Library/Application Support/JavaW

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

Step 2

The trojan hacks the system to block software updates from Apple. The file modified is /etc/hosts.

The easiest way to fix the hosts file is to restore it from a backup that predates the modification, or to copy the unmodified file from another Mac. If you can't do that, then do as below.

Triple-click anywhere in the line below on this page to select it:

open -e /etc/hosts

Copy the selected text to the Clipboard by pressing the key combination command-C.

Paste into a Terminal window by pressing command-V. A TextEdit window should open. At the top of the window, you should see this:

##

# Host Database

#

# localhost is used to configure the loopback interface

# when the system is booting. Do not change this entry.

##

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost

fe80::1%lo0 localhost

Below that, you may see some other lines. The first 10 lines should be exactly as above, apart from differences in the blank space within lines. Otherwise you can't use this procedure—STOP and ask for guidance.

If the contents of the TextEdit window are as described, close it, then enter the following command in the Terminal window in the same way as before (by copy and paste):

sudo sed -i~ '11,$d' /etc/hosts

You may be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. If you don’t have a login password, you’ll need to set one before you can run the command. You may get a one-time warning to be careful. Confirm. Quit Terminal.

If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. Log in as one and start over.

That will fix the hosts file. There is now a copy of the old hosts file with the name "hosts~" in the same folder as "hosts". You can delete the copy if you wish. Don't delete the file named "hosts".

It means your Mac has SDM management on it, put there by the company the MacBook belongs to, or used to belong to.

If you are given the option to Restore Defaults, then click that.

If you are using any VPN software, then remove it also.

If your device is Managed by an employer or school, then the MDM software would have to be removed by them.

Mine has just started doing this. It will show for a few seconds to a minute then disappear. It’s not a company machine and has never been anywhere near any profiles. It’s just a basic M2 Air used for browsing about and playing movies, bought direct from Apple and only used by me since new.

I think it’s just a glitch that it’s showing up now and then because it disappears pretty quickly and then doesn’t come back for a while.

But it must be coming from somewhere, or there would be no message to show.

I didn't really expect to find anything with swscan in a file name on my M2 mini Pro, but these aliases were buried deep within part of Xcode:

swscanf_l.3

swscanf.3

Which, for who knows what reason Apple's engineers would need to do such a thing, the aliases point to the actual files in the same folder with these names:

wscanf_l.3

wscanf.3

Same names without the s at the beginning. Both are just small text files holding various error codes and the messages they would display if encountered.

No real help of course knowing that about Xcode, but there must be something triggering the message. You could open Activity Monitor and do a search for swscan to see if there's an active process by that name.

I've purchased my MacBook from an Apple "Premium Partner", as there is no official store in my country.

I have searched up "LaunchDaemons" and "com.JavaW.plist", it is no where to be found on the Finder, I used the 'open' command on Terminal, but that was also not a file or such on my Storage, I've done the procedure (not fully, skipping Step 1 as I couldn't find the File).

My conclusion is that I've deleted the files you've mentioned, if I've done anything incorrect or I should do some extra steps, please reply.