1Password-Crash-Handler - BadGacha


After updating 1Password to 1Password for Mac 8.10.22 (81022042) on the Nightly channel, macOS (Sonoma 14.2 (23C64)) XProtect began reporting the following warnings:

2023-12-09 09:00:29.589 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"process":{"pid":21423,"name":"1Password-Crash-Handler"},"action":"report"}
2023-12-09 09:00:29.590 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"action":"report","process":{"pid":939,"name":"1Password-Crash-Handler"}}
2023-12-09 09:00:29.636 BadGacha ⚠️ ThreatDetected time 0.0000170 {"caused_by":[],"status_code":21,"execution_duration":1.704692840576172e-05,"status_message":"ThreatDetected"}


1Password Version: 1Password for Mac 8.10.22 (81022042)
Extension Version: Not Provided
OS Version: MacOS 14.2 (23C64)
Browser: Not Provided

Comments

  • Hello @BenNeivert! 👋

    Can you tell me a little more about these logs? How are you viewing them? Are you using a third-party utility?

    1Password for Mac isn't antivirus software. Have you already reached out to Apple to make sure that your Mac isn't infected by malware and that it's safe for you to continue using? If you haven't then I recommend doing so.

    -Dave

  • BenNeivert (Community Member), edited December 2023

    Hello @Dave_1P ,
    Thanks for responding. I am a great fan of 1Password and the other security work 1Password does.
    Yes, I am using third-party utilities. I discovered the warning using SilentKnight (https://eclecticlight.co/lockrattler-systhist/), and I then viewed the log with XProCheck (https://eclecticlight.co/consolation-t2m2-and-log-utilities/). The warnings indicate that further investigation is warranted, not a confirmation that malware is present. I did scan my computer to confirm that no malware was present. I believe that the warning is presented due to Apple's XProtect providing a warning when the code returned is not 20 ("Most entries should report that no threat was detected and return a status code of 20. Those that don't and may merit your closer attention").
    I believe the warnings are caused because 1Password-Crash-Handler is not returning a Code 20 for some reason. It appeared the first time after I updated the new Nightly release on Saturday morning. Please note that I am reporting this to improve the product. I am well aware of the glitches that might occur running the Nightly updates, but I enjoy exploring the software's latest features, so it is worth it for me. I also realize that there is a chance this has nothing to do with 1Password and could be a bug from somewhere else.
    Thanks again for the great product!
    Ben
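A small triage script for XProtect Remediator lines in the shape quoted above, added here as an example; it is not part of this thread or of 1Password's own tooling. It assumes the XProCheck line layout shown in the original post (timestamp, module, marker, message, JSON payload) and treats status code 20 as the clean result, per the guidance Ben quotes; the fourth sample line is constructed to show a clean run.

```python
import json
import re

# Code XProtect Remediator returns when a scan found nothing, per the
# SilentKnight/XProCheck guidance quoted above; anything else merits a closer look.
NO_THREAT_CODE = 20

# XProCheck layout assumed here: "<timestamp> <module> <marker> <message> <json payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<module>\S+) "
    r"\S+ (?P<message>.*?)(?P<json>\{.*\})$"
)

def parse_line(line):
    """Return a flat dict for one XProCheck-style line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    payload = json.loads(m.group("json"))
    proc = payload.get("process") or {}
    return {
        "timestamp": m.group("ts"),
        "module": m.group("module"),
        "message": m.group("message").strip(),
        "status_code": payload.get("status_code"),   # None when the payload carries no code
        "status_message": payload.get("status_message"),
        "process": proc.get("name"),
    }

def triage(log_text):
    """Group every non-clean entry by the process it names (or by module for scan verdicts)."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        # A missing code (the "status":null report lines) is not a clean 20 either,
        # so it is grouped for review; neither case is proof of malware by itself.
        if entry and entry["status_code"] != NO_THREAT_CODE:
            key = entry["process"] or f"{entry['module']} verdict"
            flagged.setdefault(key, []).append(entry)
    return flagged

# Constructed sample: the three lines quoted in this thread plus one made-up clean BadGacha run.
SAMPLE_LOG = """\
2023-12-09 09:00:29.589 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"process":{"pid":21423,"name":"1Password-Crash-Handler"},"action":"report"}
2023-12-09 09:00:29.590 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"action":"report","process":{"pid":939,"name":"1Password-Crash-Handler"}}
2023-12-09 09:00:29.636 BadGacha ⚠️ ThreatDetected time 0.0000170 {"caused_by":[],"status_code":21,"execution_duration":1.704692840576172e-05,"status_message":"ThreatDetected"}
2023-12-10 09:00:31.102 BadGacha ✅ NoThreatDetected time 0.0000150 {"caused_by":[],"status_code":20,"execution_duration":1.5e-05,"status_message":"NoThreatDetected"}
"""
```

Running `triage(SAMPLE_LOG)` on the sample groups the two report lines under `1Password-Crash-Handler` and the status 21 verdict under `BadGacha verdict`, while the clean status 20 run is left out.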

  • Dave_1P, edited December 2023

    @BenNeivert

    Thank you for the detailed report and for the kind words about 1Password! 😊

    I'm personally not as familiar with XProtect logs, especially when viewed using third-party tools. Are you able to link to any official Apple resources that outline what each status code means and how to interpret these logs?

    Just to confirm, you haven't seen any messages or prompts from macOS itself? I look forward to hearing from you.

    -Dave

  • cortig (Community Member)

    FYI, I'm seeing the same thing.
    This article provides additional details on XProtect logs: https://eclecticlight.co/2022/09/01/hunting-malware-protection-in-the-log/

    Corentin

  • @BenNeivert and @cortig

    Thank you for the replies. I've forwarded this to the team internally so that this can be looked into further. Because this issue involves logs that Apple doesn't normally expose or document, rendered by a third-party app, it might take the team longer than usual to look into this.

    I appreciate you both reporting this and I'll post any updates that I receive. 🙂

    -Dave

  • BenNeivert (Community Member)

    @Dave_1P ,
    You are welcome; the kind words are deserved :-)

    Sorry, I was not able to send you the Apple documentation. I did attempt to gather the information you requested, but Apple was reticent to share much information regarding Gatekeeper's inner workings. :-)

    Happy Holidays to you and the 1Password team!

    Regards,
    Ben

  • MrC (Volunteer Moderator), edited December 2023

    I'm seeing this as well, but also with SnagitHelper2024.

    At least one developer is seeing this:

    https://developer.apple.com/forums/thread/742828

    I'm betting this is a false positive. Let's see if 14.2.1 resolves this. Check reports again tomorrow after XProtect Remediator scans again.

    I've reported these to Apple Support.

  • BenNeivert (Community Member)

    I agree with @MrC; I am pretty sure they are false positives due at least partly to how XProtect reports alerts: anything not Code 0 or 20. Other applications also trigger alerts as well.

  • Dave_1P

    Thank you again for everyone's input. This has been brought to the attention of our developers. 🙂

    -Dave

  • ianto (Community Member)

    @Dave_1P Thank you for your vigilance and the team's efforts!

    It would be great if this topic could be updated once a resolution or explanation has been found. I am seeing the exact same :)

  • Hello everyone,

    At this time we believe this may indeed be a false positive. 1Password's crash handling functionality uses reviewed open source code and Apple-provided operating system interfaces for handling crashes and exceptions that happen to a macOS application.

    The team will watch to see if any further action is needed.

    -Dave

  • EssEmm (Community Member)

    Hello all 👋,

    Here's another datapoint: BadGacha popped up in my XProtect Remediator report on 02/23/24, also due to 1Password-Crash-Handler. My report looks just like what @BenNeivert posted.

    Possibly BG was listed previously but my logs rolled over on the 23rd.

    -SM-
    M1 MBP / macOS 14.3.1 / 1P v8.10.26 (81026039)

  • @EssEmm

    Thank you for reaching out. The team continues to monitor the situation and my previous comment is still accurate:

    At this time we believe this may indeed be a false positive. 1Password's crash handling functionality uses reviewed open source code and Apple-provided operating system interfaces for handling crashes and exceptions that happen to a macOS application.

    -Dave