valuedcustomer

RTProtectionDaemon Full Disk Access on Mojave


During my Premium trial, I noticed many "RTProtectionDaem" file system permission deny errors in the Console app when running on Mojave.

I decided to try adding /Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app to Full Disk Access in System Preferences / Security & Privacy:

[Attached image: FDA.png]

After that all the Console errors stopped, and I also noticed a reduction in CPU usage for RTProtectionDaemon.

I couldn't find any info regarding this in the user manual or on the forums, so I just thought I'd post it in case it might help anyone else who is seeing issues with Premium on Mojave.


Thanks for your feedback.

Malwarebytes for Mac is slightly impacted by Mojave's new privacy protections. The software needs to be able to scan for Safari extensions, which are in a protected folder in Mojave. Unfortunately, Mojave does not trigger a permission request alert when a background process (like RTProtectionDaemon) tries to access such resources. This means that it will throw errors in the logs.

The good news is that this doesn't affect detections from a practical standpoint. Mojave only allows certain verified Safari extensions to load from Safari's extensions folder. This means that the adware extensions can no longer load from this protected folder, so there should be nothing to detect there on Mojave. Still, it can't hurt to add RTProtectionDaemon to the Full Disk Access list, and the only data Malwarebytes for Mac will use that permission to look at is Safari extensions. It will not look at things like your e-mail messages, browsing history, etc.

I haven't seen any other reports of performance issues caused by this issue, but we'll look into that.


Thank you for the info!

I was seeing errors on far more directories than just Safari Extensions:

error	11:12:16.380345 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:16.450804 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:16.482700 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:16.498165 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:16.506978 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:16.507332 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:16.547984 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:16.590979 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:16.599280 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:16.616164 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait
error	11:12:18.142231 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Cookies
error	11:12:20.806274 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/IdentityServices
error	11:12:20.809638 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Calendars
error	11:12:20.845359 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.mail-shared.plist
error	11:12:20.861293 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:20.885284 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:20.899736 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:20.907199 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:20.913606 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:20.913790 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:20.947074 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:20.995794 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:21.000432 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:21.009104 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait
error	11:12:22.585268 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Cookies
error	11:12:23.760913 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/IdentityServices
error	11:12:23.763139 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Calendars
error	11:12:23.807840 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.mail-shared.plist
error	11:12:23.824618 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:23.842068 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:23.856439 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:23.863758 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:23.870585 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:23.870712 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:23.905057 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:23.947802 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:23.952462 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:23.961636 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait
error	11:12:25.347283 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Cookies
error	11:12:32.742310 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/IdentityServices
error	11:12:32.744642 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Calendars
error	11:12:32.781225 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.mail-shared.plist
error	11:12:32.797441 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error	11:12:32.814654 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.notbackedup.plist
error	11:12:32.828201 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist.jRkBQDX
error	11:12:32.835720 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error	11:12:32.842705 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error	11:12:32.842838 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/HomeKit
error	11:12:32.876472 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error	11:12:32.935913 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error	11:12:32.940708 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Suggestions
error	11:12:32.954135 -0600	kernel	Sandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/PersonalizationPortrait

and that's only 15 seconds' worth, so it seemed reasonable to assume it might impact performance with that high of an error rate.

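An added example, not part of the original post: a small Python parser for Console lines in the format shown above, which groups the sandbox denials by process, operation and protected `~/Library` area so the breadth of what is being denied is visible at a glance. The sample lines are copied from the post; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Sample lines copied from the post above (tab-separated Console export).
SAMPLE = """\
error\t11:12:16.380345 -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.AddressBook.plist
error\t11:12:16.498165 -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Preferences/com.apple.homed.plist
error\t11:12:16.506978 -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Messages
error\t11:12:16.547984 -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error\t11:12:16.590979 -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
error\t11:12:20.947074 -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Mail
error\t11:12:20.995794 -0600\tkernel\tSandbox: RTProtectionDaem(61) System Policy: deny(1) file-read-data /Users/***/Library/Safari
"""

# Matches "Sandbox: <proc>(<pid>) System Policy: deny(<n>) <operation> <path>".
# The process name appears truncated in these logs (RTProtectionDaem).
DENY_RE = re.compile(
    r"Sandbox: (?P<proc>\S+?)\((?P<pid>\d+)\) System Policy: "
    r"deny\(\d+\) (?P<op>\S+) (?P<path>/.*)$"
)


def parse_denials(text):
    """Return (process, pid, operation, path) for every sandbox deny line."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denials.append((m["proc"], int(m["pid"]), m["op"], m["path"].rstrip()))
    return denials


def protected_area(path):
    """Collapse /Users/<user>/Library/<area>/... to ~/Library/<area>."""
    parts = path.split("/")  # ['', 'Users', '<user>', 'Library', '<area>', ...]
    if len(parts) >= 5 and parts[1] == "Users" and parts[3] == "Library":
        return "~/Library/" + parts[4]
    return path


def summarize(text):
    """Count denials per (process, operation, protected area)."""
    counts = Counter()
    for proc, _pid, op, path in parse_denials(text):
        counts[(proc, op, protected_area(path))] += 1
    return counts


if __name__ == "__main__":
    for (proc, op, area), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {proc}  {op}  {area}")
```
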

A question to Treed
I was not able to put RTProtectionDaemon in full access to the disk, but I put the Malwarebytes application directly. (see attached picture)
May it have negative implications for privacy but not only?
Thank you
A greeting
Massimiliano

[Attached image: Schermata 2018-11-15 alle 14.11.06.jpg]


Adding the Malwarebytes app won't actually help, so I don't recommend adding it. You would need to add RTProtectionDaemon, but you can't navigate there from the dialog you get by pressing the + button.

To add it, choose Go to Folder from the Go menu in the Finder, then paste the following path into the dialog that appears:

/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app

Then click Go. This will reveal the RTProtectionDaemon app in the Finder.

Then, in System Preferences -> Security & Privacy -> Privacy -> Full Disk Access, click the padlock at the bottom left of the window to unlock the preferences, then drag the RTProtectionDaemon app into the list. That should add it.


I made the changes you advised me. (see attached picture)

One question: don't the manual / scheduled scanning processes have the same access problems?

Thanks

[Attached image: Schermata 2018-11-15 alle 15.33.09.jpg]

 


Yes, any scan will have this issue, but RTProtectionDaemon handles both cases. (Its name is not entirely accurate at this point... it's not only used for RTP.)


I would like to point out that the Titanium Software Maintenance software deletes this Malwarebytes setting in the privacy section of macOS.

I do not know if it is caused by the software in question, Malwarebytes or Apple.

If it is possible to carry out a verification

The software is free and is located at this link

I have always found it useful for occasional system maintenance. If it is not recommended, please let me know.

Thank you

Greetings

Massimiliano

 

P.S.: for some time I no longer have the possibility to edit posts in case of error. If you can solve. Thank you

2 hours ago, MAXBAR1 said:

 for some time I no longer have the possibility to edit posts in case of error.

The edit prompt is only available for a short time after you submit the post, so it probably expired before you discovered your error.

4 minutes ago, alvarnell said:

The edit prompt is only available for a short time after you submit the post, so it probably expired before you discovered your error.

Unfortunately, I do not seem to be able to edit even after the post has been published; not even 1 second after publication


I had already pointed out that the Titanium Software Maintenance software deletes this Malwarebytes setting (FULL ACCESS TO DISK IN MOJAVE PRIVACY SETTING).

I do not know if it is caused by the software in question, Malwarebytes or Apple.

If it is possible to carry out a verification

I have always found it useful for occasional system maintenance. 

MAINTENANCE download page

[Attached image: BEFORE.jpg] BEFORE USE OF MAINTENANCE

[Attached image: AFTER.jpg] AFTER USE OF MAINTENANCE

SETTING OF MAINTENANCE

[Attached image: SETTING.jpg] MAIN SCREEN

[Attached image: OPZIONI.jpg] SETTING OPZIONI SCREEN

 

until now nobody has been able to give me an explanation about it.
Thanks to anyone who will explain the reasons (and if there are any options that it is better not to use).
Greetings


I'm away from my computer, so can't help diagnose this at present, but it would be helpful if you can determine exactly which of those actions is clearing RTProtection. I suspect the staff will need to contact Titanium to resolve.


Unfortunately, Titanium, which I contacted, tried to download Malwarebytes, but was not willing to purchase the Premium version and therefore did not perform any tests.

I hope that any contacts between the two software houses can solve the problem.

 


Update:
I sent back the same email to Titanium indicating the possibility of a free trial of Malwarebytes in order to perform the necessary tests to solve the problem.
I'm waiting for an answer (hoping that the email will not be trashed), but if Thomas Reed could take a look at the problem, maybe he would solve it a lot sooner.

I hope that sooner or later what is written

On 11/14/2018 at 6:06 PM, treed said:

I haven't seen any other reports of performance issues caused by this issue, but we'll look into that.

lead to a resolution of the problem or the possibility of not having to enter

/Library/Application Support/Malwarebytes/MBAM/Engine.bundle/Contents/PlugIns/RTProtectionDaemon.app

to Full Disk Access in System Preferences / Security & Privacy:


THE PROBLEM IS SOLVED

The only option that deletes RTProtectionDaemon from Full Disk Access in System Preferences / Security & Privacy is the one currently selected in the attached screenshot (Ricostruzione Database LaunchServices) (in English: Database LaunchServices Reconstruction)

[Attached image: Schermata 2018-12-31 alle 20.05.52.jpg]

If all options are selected except that one, the setting is not changed.


Thanks for running that down.

My experience with reconstructing Launch Services using any method has been mixed. Once in a while it will solve the issue I have, but often it just creates new ones. I strongly suspect that this is an Apple bug and that the Maintenance Utility is simply issuing a Terminal command to run the lsregister process. I don't understand why it is removing the RTProtection daemon.

Hopefully the developers can figure this one out.


I'm glad this was resolved.

I'm curious, though... what functionality does Maintenance provide that you feel is necessary? Modern macOS is pretty good at maintaining itself, and I don't generally recommend the use of these kinds of tools, except perhaps in very specific troubleshooting situations. I definitely wouldn't recommend it as something to run regularly.

Rebuilding the launch services database, for example, should not be done unless you're having a problem like having the same app appear multiple times in the Open With menu, or having the wrong app open for a particular file or URL.


I used it a lot in the past, before receiving advice from you, also because I came from the Windows world where this type of maintenance was necessary not to say fundamental.

Now it was a pure curiosity to understand what was due to the disappearance of the above privacy setting.

Now I leave the system to keep alone, the only thing that I still use with an app that I created with Automator is cleaning CACHE FLUSH DNS so you do not have to look for the command from the terminal that is more complex to remember than that of MS Windows.


I think the cause must have been rebuilding launch services, but I'd view that as a potential bug in macOS. If you have given full disk access to security software, malware that managed to get itself loaded from one of those protected locations could potentially remove that access from the security software to prevent itself from being detected. Of course, that would require the malware to gain that access in the first place, which means this is a bit of a stretch, and it's probably not actually a real-world issue.


As I said above, once satisfied the curiosity about the reason for canceling the RTProtectionDaemon privacy setting, I have uninstalled the MAINTENANCE application of Titanium Software with the uninstaller integrated into the app, leaving macOS to self-maintenance by running each single plus the FLUSH of the CACHE DNS.

 


You shouldn't even need to flush the DNS cache unless you're having a problem... and if you're having frequent problems with the DNS cache, there's some kind of problem that needs to be solved, for which flushing the cache is purely a temporary fix.


In reality I have no problem with the CACHE DNS.

I had taken this habit, probably wrong, to clean the CACHE after the COOKIES as an anti-tracking measure by websites after visiting sites of the means of payment.


DNS Cache is used to speed up your browsing experience by saving URL translation information locally, so you don't have to keep asking for it on a remote DNS server. It does contain a list of sites you recently visited, but unless you have some sort of malware on your computer that can harvest that information and send it somewhere, it can't possibly be used to track. And I seriously doubt that any malware developer would find that information useful compared to other information on your Mac.

You might find a better defense against tracking cookies is the Ghostery extension.
