Skip to main content
December 9, 2023
Question

1Password-Crash-Handler - BadGacha

  • December 9, 2023
  • 13 replies
  • 609 views

After updating 1Password to 1Password for Mac 8.10.22 (81022042) on the Nightly channel, MacOS (Sonoma 14.2 (23C64) XProtect began reporting the following warnings:

2023-12-09 09:00:29.589 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"process":{"pid":21423,"name":"1Password-Crash-Handler"},"action":"report"}
2023-12-09 09:00:29.590 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"action":"report","process":{"pid":939,"name":"1Password-Crash-Handler"}}
2023-12-09 09:00:29.636 BadGacha ⚠️ ThreatDetected time 0.0000170 {"caused_by":[],"status_code":21,"execution_duration":1.704692840576172e-05,"status_message":"ThreatDetected"}


1Password Version: 1Password for Mac 8.10.22 (81022042)
Extension Version: Not Provided
OS Version: MacOS 14.2 (23C64)
Browser: Not Provided

13 replies

1P_Dave
1Password Employee
December 11, 2023

Hello @BenNeivert! 👋

Can you tell me a little more about these logs? How are you viewing them? Are you using a third-party utility?

1Password for Mac isn't antivirus software. Have you already reached out to Apple to make sure that your Mac isn't infected by malware and that it's safe for you to continue using? If you haven't then I recommend doing so.

-Dave

December 11, 2023

Hello @1P_Dave ,
Thanks for responding. I am a great fan of 1Password and the other security work 1Password does.
Yes, I am using third-party utilities. I discovered the warning using SilentKnight (https://eclecticlight.co/lockrattler-systhist/), and I then viewed the log with XProCheck (https://eclecticlight.co/consolation-t2m2-and-log-utilities/). The warnings indicate that further investigation is warranted, not a confirmation that malware is present. I did scan my computer to confirm that no malware was present. I believe that the warning is presented due to Apple's Xprotect providing a warning when the code returned is not 20 ("Most entries should report that no threat was detected and return a status code of 20. Those that don't and may merit your closer attention").
I believe the warnings are caused because 1Password-Crash-Handler is not returning a Code 20 for some reason. It appeared the first time after I updated the new Nighly release on Saturday morning. Please note that I am reporting this to improve the product. I am well aware of the glitches that might occur running the Nighly updates, but I enjoy exploring the software's latest features, so it is worth it for me. I also realize that there is a chance this has nothing to do with 1Password and could be a bug from somewhere else.
Thanks again for the great product!
Ben

1P_Dave
1Password Employee
December 14, 2023

@BenNeivert

Thank you for the detailed report and for the kind words about 1Password! 😊

I'm personally not as familiar with XProtect logs, especially when viewed using third-party tools. Are you able to link to any official Apple resources that outline what each status code means and how to interpret these logs?

Just to confirm, you haven't see any messages or prompts from macOS itself? I look forward to hearing from you.

-Dave

December 15, 2023

FYI I'm seing the same thing.
This article provides additional details on Xprotect logs: https://eclecticlight.co/2022/09/01/hunting-malware-protection-in-the-log/

Corentin

1P_Dave
1Password Employee
December 18, 2023

@BenNeivert and @cortig

Thank you for the replies. I've forwarded this to the team internally so that this can be looked into further. Because this issue involves logs that Apple doesn't normally expose or document, rendered by a third-party app, it might take the team longer than usual to look into this.

I appreciate you both reporting this and I'll post any updates that I receive. 🙂

-Dave

December 18, 2023

@1P_Dave ,
You are welcome; the kind words are deserved :-)

Sorry, I was not able to send you the Apple documentation. I did attempt to gather the information you requested, but Apple was reticent to share much information regarding Gatekeeper's inner workings. :-)

Happy Holidays to you and the 1Password team!

Regards,
Ben

MrC
December 19, 2023

I'm seeing this as well, but also with SnagitHelper2024.

At least one developer is seeing this:

https://developer.apple.com/forums/thread/742828

I'm betting this is a false positive. Let's see if 14.2.1 resolves this. Check reports again tomorrow after XProtect Remediator scans again.

I've reported these to Apple Support.

December 22, 2023

I agree with @MrC; I am pretty sure they are false positives due at least partly to how XProtect reports alerts: anything not Code 0 or 20. Other applications also trigger alerts as well.

1P_Dave
1Password Employee
January 5, 2024

Thank you again for everyone's input. This has been brought to the attention of our developers. 🙂

-Dave

January 14, 2024

@1P_Dave Thank you for your vigilance and the team's efforts!

It would be great if this topic could be updated once a resolution or explanation has been found. I am seeing the exact same :)