Forum Discussion

BenNeivert
Occasional Contributor
2 years ago

1Password-Crash-Handler - BadGacha

After updating 1Password to 1Password for Mac 8.10.22 (81022042) on the Nightly channel, macOS (Sonoma 14.2 (23C64)) XProtect began reporting the following warnings:

2023-12-09 09:00:29.589 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"process":{"pid":21423,"name":"1Password-Crash-Handler"},"action":"report"}
2023-12-09 09:00:29.590 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"action":"report","process":{"pid":939,"name":"1Password-Crash-Handler"}}
2023-12-09 09:00:29.636 BadGacha ⚠️ ThreatDetected time 0.0000170 {"caused_by":[],"status_code":21,"execution_duration":1.704692840576172e-05,"status_message":"ThreatDetected"}


1Password Version: 1Password for Mac 8.10.22 (81022042)
Extension Version: Not Provided
OS Version: MacOS 14.2 (23C64)
Browser: Not Provided

13 Replies

  • BenNeivert

    Thank you for the detailed report and for the kind words about 1Password! 😊

    I'm personally not as familiar with XProtect logs, especially when viewed using third-party tools. Are you able to link to any official Apple resources that outline what each status code means and how to interpret these logs?

    Just to confirm, you haven't seen any messages or prompts from macOS itself? I look forward to hearing from you.

    -Dave

  • BenNeivert
    Occasional Contributor

    Hello 1P_Dave,
    Thanks for responding. I am a great fan of 1Password and the other security work 1Password does.
    Yes, I am using third-party utilities. I discovered the warning using SilentKnight (https://eclecticlight.co/lockrattler-systhist/), and I then viewed the log with XProCheck (https://eclecticlight.co/consolation-t2m2-and-log-utilities/). The warnings indicate that further investigation is warranted, not a confirmation that malware is present. I did scan my computer to confirm that no malware was present. I believe that the warning is presented due to Apple's XProtect providing a warning when the code returned is not 20 ("Most entries should report that no threat was detected and return a status code of 20. Those that don't and may merit your closer attention").
    I believe the warnings are caused because 1Password-Crash-Handler is not returning a Code 20 for some reason. It appeared the first time after I updated the new Nightly release on Saturday morning. Please note that I am reporting this to improve the product. I am well aware of the glitches that might occur running the Nightly updates, but I enjoy exploring the software's latest features, so it is worth it for me. I also realize that there is a chance this has nothing to do with 1Password and could be a bug from somewhere else.
    Thanks again for the great product!
    Ben

  • Hello BenNeivert! 👋

    Can you tell me a little more about these logs? How are you viewing them? Are you using a third-party utility?

    1Password for Mac isn't antivirus software. Have you already reached out to Apple to make sure that your Mac isn't infected by malware and that it's safe for you to continue using? If you haven't then I recommend doing so.

    -Dave
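
For triage of log lines like the ones quoted in this thread, the following is an added example (not code from any poster, 1Password, or Apple). It parses lines in the layout shown in the original post, flags results whose status_code is not 20, and lists the process names reported by the same scanner shortly before or after. The 5-second correlation window, the function names, and the third sample line are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timedelta

CLEAN_STATUS = 20  # per the thread: most entries should return status code 20
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\S+) .*?(\{.*\})\s*$")

# Constructed sample: two lines shaped like those in the post, plus a made-up clean entry.
SAMPLE = """\
2023-12-09 09:00:29.589 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"process":{"pid":21423,"name":"1Password-Crash-Handler"},"action":"report"}
2023-12-09 09:00:29.636 BadGacha ⚠️ ThreatDetected time 0.0000170 {"caused_by":[],"status_code":21,"execution_duration":1.7e-05,"status_message":"ThreatDetected"}
2023-12-09 09:00:31.102 ExampleScanner ✅ NoThreatDetected time 0.1000000 {"caused_by":[],"status_code":20,"execution_duration":0.1,"status_message":"NoThreatDetected"}
"""

def parse(text):
    """Return one dict per line that carries a timestamp, scanner name and JSON payload."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            payload = json.loads(m.group(3))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON tail: skip rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        entries.append({"ts": ts, "scanner": m.group(2), "payload": payload})
    return entries

def flag_non_clean(entries, window=timedelta(seconds=5)):
    """List results whose status_code is not 20, with process names reported nearby."""
    findings = []
    for e in entries:
        code = e["payload"].get("status_code")
        if code is None or code == CLEAN_STATUS:
            continue
        names = set()
        for r in entries:  # assumption: 'report' lines from the same scanner within the window belong to this result
            proc = r["payload"].get("process")
            if (r["scanner"] == e["scanner"] and r["payload"].get("action") == "report"
                    and isinstance(proc, dict) and abs(r["ts"] - e["ts"]) <= window):
                names.add(proc.get("name", "?"))
        findings.append({"time": e["ts"].isoformat(sep=" "), "scanner": e["scanner"],
                         "status_code": code, "status_message": e["payload"].get("status_message"),
                         "processes": sorted(names)})
    return findings

if __name__ == "__main__":
    for finding in flag_non_clean(parse(SAMPLE)):
        print(finding)
```

A flagged entry here means only that the scanner returned something other than 20; the process list is a time-based correlation, not proof that the named process triggered the result.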