About MacXpert

  1. Well, they are not signed by an "Apple Developer ID", but by Apple itself. Still, you might be correct on some of them, and I didn't check all 7. Would you maybe elaborate on those you recognize?

     The one that made me stumble upon the issue was "AnySearch", which I did inspect in depth, and found to be obviously and unambiguously a false positive. It was developed by Matt Swain (source code on GitHub) and featured in some articles, because it adds search engine management to Safari (beyond the 4 options provided by Apple). You can still download it from the developer, but when you try to install it, Safari will instead propose to load the Apple-signed version from the (Legacy) Extensions Gallery. This is necessary, because unsigned extensions are now simply ignored.

     The file 'anysearch.safariextz' from Matt Swain's site has a different hash than 'AnySearch.safariextz' from Apple because of the signature. Both files check 100% clean on VirusTotal (including Malwarebytes), while at the same time both of them are flagged "Adware.Crossrider" by MBAM for Mac. These are xar archives, and when you unpack them and compare the content itself, both are completely identical. The content consists of 4 PNGs, 1 'Info.plist', 1 'Settings.plist', a 'global.htm' and a 'global.js' file. They are not very complex and it is easy to see that they do exactly what the extension claims to do, without any detour. The provided selection of search engines is also unsuspicious, and the extension has no entitlements in Safari.

     The adware "Crossrider", on the other hand, usually consists (as far as I could find out) of several critical components like Launch Agents, Profiles, background processes. None of that exists in this Safari Extension. One of the side effects of "Crossrider" might be the modification of Safari's default search engine, but of course to a totally different one than those provided by "AnySearch". "Crossrider" does not even use the notorious fake search engine "anysearch.net" (that has nothing to do with Matt Swain's extension), which could have been at least an excuse for the mixup.

     The verdict "Adware.Crossrider" is at least mislabeled. Unless Malwarebytes thinks that the raw ability to configure a custom search engine (a feature present in most other browsers) already qualifies for malware, this is clearly a false positive. One that is confusing those safety- and privacy-aware users who are looking for an elegant way to use e.g. Startpage.com as their default search engine in Safari.

     Does anybody have background information on the reasoning behind the detection of "AnySearch" or the other extensions?
  2. Several Safari Legacy Extensions that are verified, hosted and signed(!) by Apple are falsely reported by MBAM for Mac [, Rules version: 398 (2019-07-08)] as a variety of Adware and PUP.

     A full list of Safari Legacy Extensions is at https://safari-extensions.apple.com and in the attached Extensions.plist (to be found on any macOS in ~/Library/Safari/Extensions).

     I tested with all extensions in the category "Search": https://safari-extensions.apple.com/?category=search

     Of those, 7 were reported as false positives, see screenshot.

     Extensions.plist.txt
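
The comparison described in the first post above (two .safariextz files whose hashes differ only because one is signed) can be made without unpacking by reading the xar table of contents. This is an added example, not part of the posts or of any Malwarebytes or Apple tooling; `build_sample` and the two sample archives are constructed stand-ins (header and TOC only), not the real AnySearch files.

```python
import hashlib, struct, zlib
import xml.etree.ElementTree as ET
XAR_MAGIC = 0x78617221      # ASCII "xar!"

def read_toc(blob):
    """Parse the zlib-compressed XML table of contents after the header."""
    magic, hdr_len, _ver, clen, _ulen, _alg = struct.unpack(">IHHQQI", blob[:28])
    if magic != XAR_MAGIC:
        raise ValueError("not a xar archive")
    d = zlib.decompressobj()
    xml = d.decompress(blob[hdr_len:hdr_len + clen], 1 << 24)  # 16 MiB cap
    if d.unconsumed_tail:
        raise ValueError("table of contents too large")
    return ET.fromstring(xml).find("toc")

def is_signed(blob):
    return read_toc(blob).find("signature") is not None

def payload_digests(blob):
    """Map each regular file path to the checksum the TOC declares for it."""
    digests = {}
    def walk(node, prefix):
        for f in node.findall("file"):
            path = prefix + f.findtext("name", "")
            if f.findtext("type") == "directory":
                walk(f, path + "/")
            else:
                digests[path] = f.findtext("data/extracted-checksum")
    walk(read_toc(blob), "")
    return digests

def build_sample(files, signed):
    """Constructed stand-in for a .safariextz: header and TOC only, no heap."""
    root = ET.Element("xar")
    toc = ET.SubElement(root, "toc")
    if signed:
        ET.SubElement(toc, "signature", style="RSA")
    for name, content in files.items():
        f = ET.SubElement(toc, "file")
        ET.SubElement(f, "name").text = name
        ET.SubElement(f, "type").text = "file"
        data = ET.SubElement(f, "data")
        ET.SubElement(data, "extracted-checksum").text = hashlib.sha1(content).hexdigest()
    xml = ET.tostring(root)
    z = zlib.compress(xml)
    return struct.pack(">IHHQQI", XAR_MAGIC, 28, 1, len(z), len(xml), 1) + z

FILES = {"Info.plist": b"<plist/>", "global.js": b"// constructed sample"}
UNSIGNED, SIGNED = build_sample(FILES, False), build_sample(FILES, True)
```

The checksums read here are the values the TOC declares; unpacking both archives and hashing the extracted files, as the post did, is what confirms them.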