Request information

[Massimiliano]

Happy Saturday to @treed and all the staff

I wanted to ask for information about a situation that has occurred since I have the MAC M1 and BigSur (always the latest version) and Malwarebytes (always updated, I always try the betas too)

The various apps that I have installed on the Mac (including MS Word & MS Excel - both downloaded from the Mac AppStore) every now and then, especially when they haven't been opened for some time (not necessarily a long time interval) become extremely slow on opening (with the icon bouncing for several seconds) as if they were scanned before use (it does not happen only after an update) and above all it practically never happens (if not very rarely) with system apps (for example Mail , Messages).

I read, some time ago here on the forum, about someone with a similar problem, even if it seems to be constant, which they solved by disabling the real-time protection of Malwarebytes (which I don't want to do).

My equipment is a MacBook Air M1 (with 16 GB of unified memory), BigSur (last version) and Malwarebytes (set to High as CPU usage - in case it scans the apps frequently, even those that have been present for a long time, I believe that lowering the CPU setting could make things worse, at least in my case)

If I need to collect logs, don't hesitate to ask me

Waiting for your clarifications on this matter, I wish everyone a Happy Weekend

Massimiliano

[alvarnell]

I can just report that other Big Sur users who are not Malwarebytes users observed the same thing with Microsoft and Adobe products. One of the changes that Big Sur brought is that applications are checked by the trustd process for validity (Signature, Notarization, and perhaps other things) when launched, not just on first launch. Perhaps not as thoroughly as first launch checks, but each executable component of those application bundles must be checked. The TCC database on your computer contains information about the last checks of each component, but if it has been updated or a component has been changed (perhaps by malware) then it must be verified by contacting an Apple on-line database. Applications from those venders contain many different executables beside the main one, so checking each will take longer than apps with a single or only a few executable files. If for some reason trustd is unable to check the Apple database, it is believed that the check will eventually time out and allow the launch.

One thing you might want to do is have Activity Monitor open the next time you launch one of the problem apps after an update to observe what processes are using lots of CPU time. One observations was that XProtect was at or near the top of the list during the verification scan. I always thought that Gatekeeper was the only thing that called on XProtect, but apparently that has changed. You can also watch for RealTime Protection being involved during that time.

[Massimiliano]

Thanks @alvarnell  for the reply.
But, as I wrote, Word and Excel are the 365 version of the Mac AppStore and not downloaded from the Microsoft site.
I don't have any Adobe or other heavy software in general
This happens with almost all apps (not always but often enough especially if I don't open the apps for one / two days) whether they are taken from sites or from the Mac AppStore (even the iOS ones that can be used on Mac M1) excluding only ( if not very rarely) those of the system (e.g. Mail, Messages)
As I wrote it does not happen only when the apps are updated (and I would understand it) and as regards changes made by Malware, since I have a Mac, Malwarebytes has never reported anything to me (it has only once blocked two Mac AppStore apps with advent of the App block function that were from SysTweak)

[alvarnell]

12 minutes ago, MAXBAR1 said:

But, as I wrote, Word and Excel are the 365 version of the Mac AppStore and not downloaded from the Microsoft site.

I never mentioned 365 and completely understood that they were from the MAS. My comments apply equally to all versions of Microsoft Office in Big Sur.

Do you have Automatic Updates from the App Store enabled, or do you do them manually?

I realize that changes by malware have been all but non-existent over many years now, but macOS is just trying to ensure that if such were possible, verification would catch it.

Edited May 8, 2021 by alvarnell

[Massimiliano]

37 minutes ago, alvarnell said:

I never mentioned 365 and completely understood that they were from the MAS. My comments apply equally to all versions of Microsoft Office in Big Sur.

I reiterated the origin of Office because I thought that the Mac AppStore apps were only verified at the beginning (being provided by Apple even if as a reseller and not a developer) and then only after an update

37 minutes ago, alvarnell said:

Do you have Automatic Updates from the App Store enabled, or do you do them manually?

Yes, I have the automatic updates on Mac AppStore setting (as well as on the system setting and all the other app setting) and, at least as regards office, the update normally takes place once a month with Patch Tuesday (or in the days immediately following)

[alvarnell]

39 minutes ago, MAXBAR1 said:

I reiterated the origin of Office because I thought that the Mac AppStore apps were only verified at the beginning

It's my understanding from the Howard Oakley blog analysis, that all apps are verified every time they are launched in Big Sur, regardless of their origin. If hash values of all executables match what's been stored locally in the TCC database, then verification goes relatively fast. If not that means there have been changes (normally from updates) and Apple's on-line database must be checked to see if they match any hash that executable ever had that was not revoked.

42 minutes ago, MAXBAR1 said:

Yes, I have the automatic updates on Mac AppStore setting 

So you can't be certain that the App wasn't updated before you launch it, which should explain why some are faster than others. What I have observed is that most launches just bounce a few times and then appear. With more complex apps, like those from Microsoft that have been updated, in addition to the bounces, I get a "verification" dialog with a progress bar.

One thing I don't know about Malwarebytes RealTime Protection is whether they only scan new and changed files, in which case any updated MAS apps should be scanned as soon as they are downloaded and not at launch. Or if they do so called "On Access" scans which happen every time a file is opened, which might account for the delays you are seeing. Staff/@Treed may want to comment on this if not proprietary.

[Massimiliano]

2 minutes ago, alvarnell said:

So you can't be certain that the App wasn't updated before you launch it, which should explain why some are faster than others. What I have observed is that most launches just bounce a few times and then appear. With more complex apps, like those from Microsoft that have been updated, in addition to the bounces, I get a "verification" dialog with a progress bar.

The apps of the Mac AppStore, when they update are seen in the Updates tab.
As for the other apps (which however are very few on my Mac) they are apps that receive very few updates (in some cases less than one a year). I am sure of it because, despite having automatic updates, often, even before these occur at the launch of the app, I have already found them on the site before they are proposed to me

In the end there are 9 in all including Malwarebytes (not Mac AppStore and not supplied as standard with macOS)

[alvarnell]

1 minute ago, MAXBAR1 said:

The apps of the Mac AppStore, when they update are seen in the Updates tab.

Yes they do, but with automatic updates they will move from Updates to Updated Recently for thirty days, so you may not notice them before they have installed. I'm a bit more of a control freak, so I do all updates I can manually. I think only the Google apps are still able to work around that most of the time.

[Massimiliano]

In reality, they are rarely done automatically before I find them with update button and do it manually. As I've already written, the same goes for non-Mac AppStore apps.

The problem of the dancing icon (not two / three times but even twenty) also happens 20 times / month / app (especially if little used)

In reality, having only, in addition to the 9 mentioned above, 13 applications excluding the system ones, I do it quite quickly and in addition I check all the updates in the worst case every two days (both on the store and on the developer sites). Some apps have been in need of updating for years (except lately they have released the M1 version)

I'm used to keeping only the apps I use installed and I try to use as little as possible 

Consider that between System, App and Personal Files on my Mac are occupied less than 39 GB

Edited May 10, 2021 by MAXBAR1

[Massimiliano]

On 5/8/2021 at 11:48 AM, alvarnell said:

Yes they do, but with automatic updates they will move from Updates to Updated Recently for thirty days, so you may not notice them before they have installed. 

At least in my case, it indicates exactly the days since installation (see screenshot) and not just within the last 30 days

[alvarnell]

Not sure what you are getting at. Of course it shows you exactly when it was installed, but only for the last thirty days? Everything in your screenshot was today, do you also see installations over thirty days not shown in the shot?

[Massimiliano]

I misunderstood.

I thought you meant there was no specific reference but only an indication of 30 days.

In my case, as I wrote, some apps even get only 1 biennial update.
And that was why I didn't understand these frequent checks (even 15/20 times a month) as long as those icon bounces refer to these checks that didn't happen until I had Catalina on the old Mac and I found myself with Big Sur on M1 (having read about another user, here on the forum, that he had solved by deactivating the Malwatebytes RTP, an action that I categorically exclude)