I have several apps built with older versions of Realbasic. Gatekeeper in the macOS 12 beta is flagging them as containing the OSX.HellRTS.A malware. But its not just my apps, it appears to be any app built with this older version of RB. I created a project, dropped the RB3D control and a tcpsocket control of the form and hit compile. Even this basic app is flagged as malware. Other 3rd party virus software does not flag the apps.
If I code sign the apps and disk image with my code sign cert, is Apple going to falsely flag my cert?
Is there an official way to tell Apple about its false positives?
Yes, its Gatekeeper. It even has a checkbox to “Report malware to Apple to protect other users”. This is why I’m worried about Apple flagging my code signing cert.
I don’t think that’s what he’s saying. I think he’s only asking if his signature would get flagged as malicious due to users submitting the false positive report.
I think it is prudent to find out what version of RB he’s using. I haven’t done very much Sierra testing, but I haven’t seen any false positives for RealStudio or Xojo built apps yet.
The two apps in question are compiled in RB2007r3. This was the last version that worked well for me that still included features such as RB3D and SpriteSurface. So I still have several apps that I keep updated using this older version. But even just hitting compile on a new project and downloading the app causes the Malware trigger.
Other anti-virus companies have a way to submit apps that are triggering false positives. Does anyone know how to do this with Apple?
So I followed the xProtect link above and located the xProtect.plist mentioned there. I don’t know how to fully read the plist, but it looks to me that part of what Apple is using to detect the malware are apps using the file: rbframework.dylib. If so, this could cause a lot of false positives with older RB apps.
Here is a snippet from the plist:
MatchType
Match
Identity
qNzMoqc0sjpk3utUxnQWEUZyMKg=
MatchFile
NSURLNameKey
rbframework.dylib
NSURLTypeIdentifierKey
com.apple.mach-o-dylib
MatchType
Match
Identity
eX17YAgTaOUMt9icXVHF0meoiog=
MatchFile
NSURLNameKey
RBShell.rbx_0.129.dylib
NSURLTypeIdentifierKey
com.apple.mach-o-dylib
I did try submitting a bug report. I didn’t know if that was the correct way or not.
Any thoughts on if customers clicking the “report to Apple button” will help Apple see its wrong, or will it hurt my code signing cert? I haven’t clicked the “report to Apple button” yet. If it would help, then I would click it, but if it will hurt me, I’d rather not.
According to the Joe’s xprotect link, the plist gets updated based your app store settings. So if you have your app store configured to install security updates, presumably this file would get updated with the latest malware definition. I don’t know when the def was last updated. I just saw the false positives for the first time while code signing the DMGs to be ready for macOS 10.12.
That sucks that they didn’t even realize that these dylibs are part of RB and end up in all RB-made apps.
I wonder if you can work around this issue by renaming the Shell.rbx_0_129.dylib. I think that’s a plugin, and for plugins it does not matter what name they have - they all get loaded automatically. Try that, and see if that helps.
At some points some virus scanners just marked my AES plugin as compromised. It seems like some virus used the same byte sequence in the AES code. I changed mine a bit and got a DLL which was no longer marked as suspicious.