Gatekeeper/File Quarantine Flagging RB built apps as malware

I have several apps built with older versions of Realbasic. Gatekeeper in the macOS 12 beta is flagging them as containing the OSX.HellRTS.A malware. But its not just my apps, it appears to be any app built with this older version of RB. I created a project, dropped the RB3D control and a tcpsocket control of the form and hit compile. Even this basic app is flagged as malware. Other 3rd party virus software does not flag the apps.

If I code sign the apps and disk image with my code sign cert, is Apple going to falsely flag my cert?

Is there an official way to tell Apple about its false positives?

I’m not aware that Gatekeeper checks for this sort of thing. I was under the impression it only validated code signing.

Are you sure this is not another Virus-scanning tool that is incorrectly flagging it?

Yes, its Gatekeeper. It even has a checkbox to “Report malware to Apple to protect other users”. This is why I’m worried about Apple flagging my code signing cert.

The warning looks just like the warning shown on apple’s website: Malware Example

You say older version.
What version specifically?

There’s a component of GateKeeper called xprotect that performs basic signature checking (though this is not code signatures).

You mean you distribute software without code signing ?

I don’t think that’s what he’s saying. I think he’s only asking if his signature would get flagged as malicious due to users submitting the false positive report.

I think it is prudent to find out what version of RB he’s using. I haven’t done very much Sierra testing, but I haven’t seen any false positives for RealStudio or Xojo built apps yet.

The two apps in question are compiled in RB2007r3. This was the last version that worked well for me that still included features such as RB3D and SpriteSurface. So I still have several apps that I keep updated using this older version. But even just hitting compile on a new project and downloading the app causes the Malware trigger.

Other anti-virus companies have a way to submit apps that are triggering false positives. Does anyone know how to do this with Apple?

So I followed the xProtect link above and located the xProtect.plist mentioned there. I don’t know how to fully read the plist, but it looks to me that part of what Apple is using to detect the malware are apps using the file: rbframework.dylib. If so, this could cause a lot of false positives with older RB apps.

Here is a snippet from the plist:

MatchType Match Identity qNzMoqc0sjpk3utUxnQWEUZyMKg= MatchFile NSURLNameKey rbframework.dylib NSURLTypeIdentifierKey MatchType Match Identity eX17YAgTaOUMt9icXVHF0meoiog= MatchFile NSURLNameKey RBShell.rbx_0.129.dylib NSURLTypeIdentifierKey

Wow, that is heavy-handed. You might try submitting a bug report at

I did try submitting a bug report. I didn’t know if that was the correct way or not.

Any thoughts on if customers clicking the “report to Apple button” will help Apple see its wrong, or will it hurt my code signing cert? I haven’t clicked the “report to Apple button” yet. If it would help, then I would click it, but if it will hurt me, I’d rather not.

Wow… and it seems that it’s there for quite some time already. See the 3rd screenshot on this article from 2010:

You mentioned that you see it on macOS 12 beta? What about other versions? I have those plist entries here on El Capitan as well.

According to the Joe’s xprotect link, the plist gets updated based your app store settings. So if you have your app store configured to install security updates, presumably this file would get updated with the latest malware definition. I don’t know when the def was last updated. I just saw the false positives for the first time while code signing the DMGs to be ready for macOS 10.12.

That sucks that they didn’t even realize that these dylibs are part of RB and end up in all RB-made apps.

I wonder if you can work around this issue by renaming the Shell.rbx_0_129.dylib. I think that’s a plugin, and for plugins it does not matter what name they have - they all get loaded automatically. Try that, and see if that helps.

We had before malware written in Xojo.

At some points some virus scanners just marked my AES plugin as compromised. It seems like some virus used the same byte sequence in the AES code. I changed mine a bit and got a DLL which was no longer marked as suspicious.

None of my apps use Shell.rbx, just the rbframework.dylib.