We are experiencing a significant issue with macOS security alerts that began on July 9th, at approximately 4:40 AM UTC. This alert is incorrectly identifying output files from our snippet tests as malware, causing these files to be blocked and moved to the Trash. This is completely disrupting our automated testing workflows.
Issue Description:
- Alert: We are seeing the "Malware Blocked and Moved to Trash" popup window.
- Affected Files: The security alert triggers when attempting to execute .par files generated as outputs from our snippet tests. These .par files are unique to each individual test run; they are not a single, static tool.
- System-Wide Impact: This issue is impacting multiple macOS hosts across our testing infrastructure.
- Timeline: The issue began abruptly on July 9th, at approximately 4:40 AM UTC. Before that time, our tests were functioning correctly.
- macOS Versions: The problem is occurring on hosts running both macOS 14.x and 15.x.
- Experimental Host: Even after upgrading an experimental host to macOS 15.6 beta 2, the issue persisted.
- Local execution: The issue can be reproduced locally.
Observations:
- The security system is consistently flagging these snippet test output files as malware.
- Since each test generates a new .par file, and this issue is impacting all generated files, the root cause doesn't appear to be specific to the code within the .par files themselves.
- This issue is impacting all the snippet tests, making us believe that the root cause is not related to our code.
- The sudden and widespread nature of the issue strongly suggests a change in a security database or rule, rather than a change in our testing code.
Questions:
- Could a recent update to the XProtect database be the cause of this false positive?
- Are there any known issues or recent changes in macOS security mechanisms that could cause this kind of widespread and sudden impact?
- What is the recommended way to diagnose and resolve this kind of false positive?
We appreciate any guidance or assistance you can provide. Thank you.
I recommend that you file a bug about this. Make sure to include a sysdiagnose log taken immediately after seeing the problem and a copy of the file that triggered the problem.
Please post your bug number, just for the record.
Also, just for my own education:
- What do you mean by “output files from our snippet tests”? The term snippets has a lot of different uses, so I’m curious what it means in this context.
- You talk about .par files. Are these Parchive files? Or something else?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
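For a reader who wants to act on the advice above (capture a sysdiagnose right after the alert, and keep a copy of the flagged file), here is a small triage script. It is an added example written for this thread, not code from the original posts or from Apple. It assumes the flagged file path is passed as the first argument, that the XProtect bundle lives at its standard path under /Library/Apple/System/Library/CoreServices, and that xattr, spctl, codesign, PlistBuddy, log and sysdiagnose are the stock macOS tools; the quarantine attribute layout it parses (flags;hex timestamp;agent;uuid) is the one macOS writes for com.apple.quarantine.

```shell
#!/bin/sh
# Triage helper for a suspected XProtect false positive on macOS.
# Added example for this thread, not code from the forum posts or from Apple.
# Assumptions: the flagged file path is $1; paths, tool names and the
# com.apple.quarantine layout are the standard ones on current macOS.
set -eu

XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"

# Split a com.apple.quarantine value ("flags;hex-timestamp;agent;uuid") into
# labelled fields, converting the hex timestamp to Unix epoch seconds.
parse_quarantine() {
  flags=$(printf '%s' "$1" | cut -d';' -f1)
  hexts=$(printf '%s' "$1" | cut -d';' -f2)
  agent=$(printf '%s' "$1" | cut -d';' -f3)
  ts=$(printf '%d' "0x$hexts")
  printf 'flags=%s epoch=%s agent=%s\n' "$flags" "$ts" "$agent"
}

# Report the installed XProtect data version so it can be correlated with
# the time the alerts started (a fresh definition update is the first suspect).
xprotect_version() {
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$XPROTECT_PLIST"
}

# Gather what a bug report needs about one flagged file into a dated directory.
collect() {
  file="$1"
  outdir="xprotect-triage-$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$outdir"
  {
    echo "xprotect_version=$(xprotect_version)"
    echo "sha256=$(shasum -a 256 "$file" | cut -d' ' -f1)"
    ls -l@ "$file"
    # Quarantine provenance: which agent wrote the attribute and when.
    q=$(xattr -p com.apple.quarantine "$file" 2>/dev/null) && parse_quarantine "$q"
    # Gatekeeper and signing state. Both commands fail for unsigned files,
    # which is itself useful information, so do not abort on error.
    spctl --assess --type execute "$file" 2>&1 || true
    codesign -dvvv "$file" 2>&1 || true
  } > "$outdir/file-report.txt"
  # Recent XProtect-related log lines (deliberately broad text filter).
  log show --last 1h --predicate 'eventMessage CONTAINS "XProtect"' > "$outdir/xprotect.log"
  # Keep the file itself next to the report, then take the sysdiagnose
  # (which requires root) while the event is still fresh in the logs.
  cp "$file" "$outdir/"
  sudo sysdiagnose -f "$outdir"
  echo "Triage bundle written to $outdir"
}

# Only collect when a path is given; otherwise just define the functions.
if [ $# -gt 0 ]; then
  collect "$1"
fi
```

Run it as `sh xprotect-triage.sh /path/to/flagged.par` as soon as the "Malware Blocked and Moved to Trash" alert appears; if the file has already been moved, point it at the copy in ~/.Trash. The resulting directory holds the file, its hash, its quarantine provenance, Gatekeeper and signing output, recent XProtect log lines and the sysdiagnose archive, which is the set of artifacts the reply above asks for in a bug report.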