
RTProtectionDaemon Full Disk Access on Mojave



During my Premium trial, I noticed many "RTProtectionDaem" file system permission deny errors in the Console app when running on Mojave.

I decided to try adding /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app to Full Disk Access in System Preferences / Security & Privacy:

[Screenshot: FDA.png]

After that all the Console errors stopped, and I also noticed a reduction in CPU usage for RTProtectionDaemon.

I couldn't find any info regarding this in the user manual or on the forums, so I just thought I'd post it in case it might help anyone else who is seeing issues with Premium on Mojave.

Link to post

  • Staff

Thanks for your feedback.

Malwarebytes for Mac is slightly impacted by Mojave's new privacy protections. The software needs to be able to scan for Safari extensions, which are in a protected folder in Mojave. Unfortunately, Mojave does not trigger a permission request alert when a background process (like RTProtectionDaemon) tries to access such resources. This means that it will throw errors in the logs.

The good news is that this doesn't affect detections from a practical standpoint. Mojave only allows certain verified Safari extensions to load from Safari's extensions folder. This means that the adware extensions can no longer load from this protected folder, so there should be nothing to detect there on Mojave. Still, it can't hurt to add RTProtectionDaemon to the Full Disk Access list, and the only data Malwarebytes for Mac will use that permission to look at is Safari extensions. It will not look at things like your e-mail messages, browsing history, etc.

I haven't seen any other reports of performance issues caused by this issue, but we'll look into that.

Link to post

Thank you for the info!

I was seeing errors on far more directories than just Safari Extensions:

error	11:12:16.380345 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:16.450804 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:16.482700 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:16.498165 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:16.506978 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:16.507332 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:16.547984 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:16.590979 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:16.599280 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:16.616164 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait
error	11:12:18.142231 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Cookies
error	11:12:20.806274 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/IdentityServices
error	11:12:20.809638 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Calendars
error	11:12:20.845359 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.mail-shared.plist
error	11:12:20.861293 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:20.885284 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:20.899736 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:20.907199 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:20.913606 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:20.913790 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:20.947074 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:20.995794 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:21.000432 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:21.009104 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait
error	11:12:22.585268 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Cookies
error	11:12:23.760913 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/IdentityServices
error	11:12:23.763139 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Calendars
error	11:12:23.807840 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.mail-shared.plist
error	11:12:23.824618 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:23.842068 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:23.856439 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:23.863758 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:23.870585 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:23.870712 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:23.905057 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:23.947802 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:23.952462 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:23.961636 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait
error	11:12:25.347283 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Cookies
error	11:12:32.742310 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/IdentityServices
error	11:12:32.744642 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Calendars
error	11:12:32.781225 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.mail-shared.plist
error	11:12:32.797441 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:32.814654 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:32.828201 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:32.835720 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:32.842705 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:32.842838 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:32.876472 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:32.935913 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:32.940708 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:32.954135 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait

and that's only 15 seconds' worth, so it seemed reasonable to assume it might impact performance with that high of an error rate.

Link to post
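
Added example (not part of the original post, and not Malwarebytes code): a Python sketch that summarizes Console sandbox denials like the ones quoted above, grouping them by the item under ~/Library and measuring the rate. The sample rows reuse a few entries from the post; the unrelated line and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# (timestamp, path under ~/Library) pairs taken from the log quoted in the post.
ROWS = [
    ("11:12:16.380345", "Preferences/com.apple.AddressBook.plist"),
    ("11:12:16.506978", "Messages"), ("11:12:16.547984", "Mail"),
    ("11:12:16.590979", "Safari"), ("11:12:18.142231", "Cookies"),
    ("11:12:20.809638", "Calendars"),
    ("11:12:20.845359", "Preferences/com.apple.mail-shared.plist"),
    ("11:12:20.947074", "Mail"),
]
# Rebuild tab-separated Console lines; the last line is constructed noise.
SAMPLE = "\n".join(
    f"error\t{t} -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: "
    f"deny(1) file-read-data /Users/***/Library/{p}" for t, p in ROWS
) + "\ndefault\t11:12:17.000000 -0600\tSafari\tconstructed unrelated line"

DENY_RE = re.compile(
    r"^(?P<level>\w+)\t(?P<time>\d{2}:\d{2}:\d{2}\.\d+) [+-]\d{4}\t(?P<sender>\S+)\t"
    r"Sandbox: (?P<proc>.+?)\((?P<pid>\d+)\) System Policy: "
    r"deny\(\d+\) (?P<op>\S+) (?P<path>.+)$"
)

def parse_denials(text):
    """Return one dict per sandbox 'System Policy: deny' line; skip everything else."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            d = m.groupdict()
            d["time"] = datetime.strptime(d["time"], "%H:%M:%S.%f")
            out.append(d)
    return out

def protected_area(path):
    """Collapse a path to the item directly under Library, e.g. Library/Mail."""
    parts = path.split("/")
    if "Library" in parts:
        i = parts.index("Library")
        return "/".join(parts[i:i + 2])
    return path

def summarize(denials, proc):
    """Count denials for one process, per protected area, with the overall rate."""
    rows = [d for d in denials if d["proc"] == proc]
    areas = Counter(protected_area(d["path"]) for d in rows)
    times = [d["time"] for d in rows]
    seconds = (max(times) - min(times)).total_seconds() if rows else 0.0
    return {
        "count": len(rows), "areas": areas, "seconds": seconds,
        "per_second": len(rows) / seconds if seconds else float(len(rows)),
        # Areas other than Safari's folder, which the staff reply names as the scan target.
        "outside_safari": sorted(a for a in areas if a != "Library/Safari"),
    }

if __name__ == "__main__":
    print(summarize(parse_denials(SAMPLE), "RTProtectionDaem"))
```
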

  • Staff

Adding the Malwarebytes app won't actually help, so I don't recommend adding it. You would need to add RTProtectionDaemon, but you can't navigate there from the dialog you get by pressing the + button.

To add it, choose Go to Folder from the Go menu in the Finder, then paste the following path into the dialog that appears:

/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app

Then click Go. This will reveal the RTProtectionDaemon app in the Finder.

Then, in System Preferences -> Security & Privacy -> Privacy -> Full Disk Access, click the padlock at the bottom left of the window to unlock the preferences, then drag the RTProtectionDaemon app into the list. That should add it.

Link to post

  • 2 weeks later...

I would like to point out that the Titanium Software Maintenance software deletes this Malwarebytes setting in the privacy section of macOS.

I do not know if it is caused by the software in question, Malwarebytes or Apple.

If it is possible to carry out a verification

The software is free and is located at this link

I have always found it useful for occasional system maintenance. If it is not recommended, please let me know.

Thank you

Greetings

Massimiliano

 

P.S.: for some time I no longer have the possibility to edit posts in case of error. If you can solve. Thank you

Link to post

2 hours ago, MAXBAR1 said:

 for some time I no longer have the possibility to edit posts in case of error.

The edit prompt is only available for a short time after you submit the post, so it probably expired before you discovered your error.

Link to post

4 minutes ago, alvarnell said:

The edit prompt is only available for a short time after you submit the post, so it probably expired before you discovered your error.

Unfortunately, I do not seem to be able to edit even after the post has been published; not even 1 second after publication

Link to post

  • 1 month later...

I had already pointed out that the Titanium Software Maintenance software deletes this Malwarebytes setting (FULL ACCESS TO DISK IN MOJAVE PRIVACY SETTING).

I do not know if it is caused by the software in question, Malwarebytes or Apple.

If it is possible to carry out a verification

I have always found it useful for occasional system maintenance. 

MAINTENANCE download page

[Screenshot] BEFORE USE OF MAINTENANCE

[Screenshot] AFTER USE OF MAINTENANCE

SETTING OF MAINTENANCE

[Screenshot] MAIN SCREEN

[Screenshot] SETTING OPTIONS SCREEN

 

until now nobody has been able to give me an explanation about it.
Thanks to anyone who will explain the reasons (and if there are any options that it is better not to use).
Greetings

Link to post

I'm away from my computer, so can't help diagnose this at present, but it would be helpful if you can determine exactly which of those actions is clearing RTProtection. I suspect the staff will need to contact Titanium to resolve.

Link to post

Update:
I sent back the same email to Titanium indicating the possibility of a free trial of Malwarebytes in order to perform the necessary tests to solve the problem
I'm waiting for an answer (hoping that the email will not be trashed), but if Thomas Reed could take a look at the problem, maybe he would solve a lot sooner.

I hope that sooner or later what is written

On 11/14/2018 at 6:06 PM, treed said:

I haven't seen any other reports of performance issues caused by this issue, but we'll look into that.

lead to a resolution of the problem or the possibility of not having to enter

/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app

to Full Disk Access in System Preferences / Security & Privacy:

Link to post

THE PROBLEM IS SOLVED

The only option that deletes RTProtectionDaemon from Full Disk Access in System Preferences / Security & Privacy is the one currently selected in the attached screenshot (Ricostruzione Database LaunchServices) (in English: Database LaunchServices Reconstruction)

[Attached screenshot]

If all options are selected except that one, the setting is not changed.

Link to post

Thanks for running that down.

My experience with reconstructing Launch Services using any method has been mixed. Once in a while it will solve the issue I have, but often it just creates new ones. I strongly suspect that this is an Apple bug and that the Maintenance Utility is simply issuing a Terminal command to run the lsregister process. I don't understand why it is removing the RTProtection daemon.

Hopefully the developers can figure this one out.

Link to post

  • Staff

I'm glad this was resolved.

I'm curious, though... what functionality does Maintenance provide that you feel is necessary? Modern macOS is pretty good at maintaining itself, and I don't generally recommend the use of these kinds of tools, except perhaps in very specific troubleshooting situations. I definitely wouldn't recommend it as something to run regularly.

Rebuilding the launch services database, for example, should not be done unless you're having a problem like having the same app appear multiple times in the Open With menu, or having the wrong app open for a particular file or URL.

Link to post

I used it a lot in the past, before receiving advice from you, also because I came from the Windows world where this type of maintenance was necessary not to say fundamental.

Now it was a pure curiosity to understand what was due to the disappearance of the above privacy setting.

Now I leave the system to keep alone, the only thing that I still use with an app that I created with Automator is cleaning CACHE FLUSH DNS so you do not have to look for the command from the terminal that is more complex to remember than that of MS Windows.

Link to post

  • Staff

I think the cause must have been rebuilding launch services, but I'd view that as a potential bug in macOS. If you have given full disk access to security software, malware that managed to get itself loaded from one of those protected locations could potentially remove that access from the security software to prevent itself from being detected. Of course, that would require the malware to gain that access in the first place, which means this is a bit of a stretch, and it's probably not actually a real-world issue.

Link to post

As I said above, once satisfied the curiosity about the reason for canceling the RTProtectionDaemon privacy setting, I have uninstalled the MAINTENANCE application of Titanium Software with the uninstaller integrated into the app, leaving macOS to self-maintenance by running each single plus the FLUSH of the CACHE DNS.

 

Link to post

DNS Cache is used to speed up your browsing experience by saving URL translation information locally, so you don't have to keep asking for it on a remote DNS server. It does contain a list of sites you recently visited, but unless you have some sort of malware on your computer that can harvest that information and send it somewhere, it can't possibly be used to track. And I seriously doubt that any malware developer would find that information useful compared to other information on your Mac.

You might find a better defense against tracking cookies is the Ghostery extension.

Link to post