I have several apps built with older versions of Realbasic. Gatekeeper in the macOS 12 beta is flagging them as containing the OSX.HellRTS.A malware. But its not just my apps, it appears to be any app built with this older version of RB. I created a project, dropped the RB3D control and a tcpsocket control of the form and hit compile. Even this basic app is flagged as malware. Other 3rd party virus software does not flag the apps.
If I code sign the apps and disk image with my code sign cert, is Apple going to falsely flag my cert?
Is there an official way to tell Apple about its false positives?
The two apps in question are compiled in RB2007r3. This was the last version that worked well for me that still included features such as RB3D and SpriteSurface. So I still have several apps that I keep updated using this older version. But even just hitting compile on a new project and downloading the app causes the Malware trigger.
Other anti-virus companies have a way to submit apps that are triggering false positives. Does anyone know how to do this with Apple?
So I followed the xProtect link above and located the xProtect.plist mentioned there. I don’t know how to fully read the plist, but it looks to me that part of what Apple is using to detect the malware are apps using the file: rbframework.dylib. If so, this could cause a lot of false positives with older RB apps.
Here is a snippet from the plist:
I did try submitting a bug report. I didn’t know if that was the correct way or not.
Any thoughts on if customers clicking the “report to Apple button” will help Apple see its wrong, or will it hurt my code signing cert? I haven’t clicked the “report to Apple button” yet. If it would help, then I would click it, but if it will hurt me, I’d rather not.
According to the Joe’s xprotect link, the plist gets updated based your app store settings. So if you have your app store configured to install security updates, presumably this file would get updated with the latest malware definition. I don’t know when the def was last updated. I just saw the false positives for the first time while code signing the DMGs to be ready for macOS 10.12.
That sucks that they didn’t even realize that these dylibs are part of RB and end up in all RB-made apps.
I wonder if you can work around this issue by renaming the Shell.rbx_0_129.dylib. I think that’s a plugin, and for plugins it does not matter what name they have - they all get loaded automatically. Try that, and see if that helps.
At some points some virus scanners just marked my AES plugin as compromised. It seems like some virus used the same byte sequence in the AES code. I changed mine a bit and got a DLL which was no longer marked as suspicious.