After updating 1Password to 1Password for Mac 8.10.22 (81022042) on the Nightly channel, MacOS (Sonoma 14.2 (23C64) XProtect began reporting the following warnings: 2023-12-09 09:00:29.589 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"process":{"pid":21423,"name":"1Password-Crash-Handler"},"action":"report"} 2023-12-09 09:00:29.590 BadGacha 👉 no status_message report time 0.0000000 {"status":null,"action":"report","process":{"pid":939,"name":"1Password-Crash-Handler"}} 2023-12-09 09:00:29.636 BadGacha ⚠️ ThreatDetected time 0.0000170 {"caused_by":[],"status_code":21,"execution_duration":1.704692840576172e-05,"status_message":"ThreatDetected"} 1Password Version: 1Password for Mac 8.10.22 (81022042) Extension Version: Not Provided OS Version: MacOS 14.2 (23C64) Browser: Not Provided

EssEmm Thank you for reaching out. The team continues to monitor the situation and my previous comment is still accurate: At this time we believe this may indeed be a false positive. 1Password's crash handling functionality uses reviewed open source code and Apple-provided operating system interfaces for handling crashes and exceptions that happen to a macOS application. -Dave

Hello BenNeivert! 👋 Can you tell me a little more about these logs? How are you viewing them? Are you using a third-party utility? 1Password for Mac isn't antivirus software. Have you already reached out to Apple to make sure that your Mac isn't infected by malware and that it's safe for you to continue using? If you haven't then I recommend doing so. -Dave

Hello 1P_Dave , Thanks for responding. I am a great fan of 1Password and the other security work 1Password does. Yes, I am using third-party utilities. I discovered the warning using SilentKnight (https://eclecticlight.co/lockrattler-systhist/), and I then viewed the log with XProCheck (https://eclecticlight.co/consolation-t2m2-and-log-utilities/). The warnings indicate that further investigation is warranted, not a confirmation that malware is present. I did scan my computer to confirm that no malware was present. I believe that the warning is presented due to Apple's Xprotect providing a warning when the code returned is not 20 ("Most entries should report that no threat was detected and return a status code of 20. Those that don't and may merit your closer attention"). I believe the warnings are caused because 1Password-Crash-Handler is not returning a Code 20 for some reason. It appeared the first time after I updated the new Nighly release on Saturday morning. Please note that I am reporting this to improve the product. I am well aware of the glitches that might occur running the Nighly updates, but I enjoy exploring the software's latest features, so it is worth it for me. I also realize that there is a chance this has nothing to do with 1Password and could be a bug from somewhere else. Thanks again for the great product! Ben

BenNeivert Thank you for the detailed report and for the kind words about 1Password! 😊 I'm personally not as familiar with XProtect logs, especially when viewed using third-party tools. Are you able to link to any official Apple resources that outline what each status code means and how to interpret these logs? Just to confirm, you haven't see any messages or prompts from macOS itself? I look forward to hearing from you. -Dave

FYI I'm seing the same thing. This article provides additional details on Xprotect logs: https://eclecticlight.co/2022/09/01/hunting-malware-protection-in-the-log/ Corentin

1Password-Crash-Handler - BadGacha

13 Replies

1P_Dave
Moderator
2 years ago
EssEmm

Thank you for reaching out. The team continues to monitor the situation and my previous comment is still accurate:

At this time we believe this may indeed be a false positive. 1Password's crash handling functionality uses reviewed open source code and Apple-provided operating system interfaces for handling crashes and exceptions that happen to a macOS application.

-Dave
EssEmm
New Contributor
2 years ago
Hello all 👋,

Here's another datapoint: BadGacha popped up in my XPROTECT Remediator Report on 02/23/24, also due to 1Password-Crash-Handler. My Report looks just like what BenNeivert posted.

Possibly BG was listed previously but my logs rolled over on the 23rd.

-SM-

M1 MBP / macOS 14.3.1 / 1P v8.10.26 (81026039)
1P_Dave
Moderator
2 years ago
Hello everyone,

At this time we believe this may indeed be a false positive. 1Password's crash handling functionality uses reviewed open source code and Apple-provided operating system interfaces for handling crashes and exceptions that happen to a macOS application.

The team will watch to see if any further action is needed.

-Dave
ianto
Occasional Contributor
2 years ago
1P_Dave Thank you for your vigilance and the team's efforts!

It would be great if this topic could be updated once a resolution or explanation has been found. I am seeing the exact same :)
1P_Dave
Moderator
2 years ago
Thank you again for everyone's input. This has been brought to the attention of our developers. 🙂

-Dave
BenNeivert
Occasional Contributor
2 years ago
I agree with MrC; I am pretty sure they are false positives due at least partly to how XProtect reports alerts: anything not Code 0 or 20. Other applications also trigger alerts as well.
MrC
Super Contributor
2 years ago
I'm seeing this as well, but also with SnagitHelper2024.

At least one developer is seeing this:

https://developer.apple.com/forums/thread/742828

I'm betting this is a false positive. Let's see if 14.2.1 resolves this. Check reports again tomorrow after XProtect Remediator scans again.

I've reported these to Apple Support.
BenNeivert
Occasional Contributor
2 years ago
1P_Dave ,
You are welcome; the kind words are deserved :-)

Sorry, I was not able to send you the Apple documentation. I did attempt to gather the information you requested, but Apple was reticent to share much information regarding Gatekeeper's inner workings. :-)

Happy Holidays to you and the 1Password team!

Regards,
Ben
1P_Dave
Moderator
2 years ago
BenNeivert and cortig

Thank you for the replies. I've forwarded this to the team internally so that this can be looked into further. Because this issue involves logs that Apple doesn't normally expose or document, rendered by a third-party app, it might take the team longer than usual to look into this.

I appreciate you both reporting this and I'll post any updates that I receive. 🙂

-Dave
cortig
Super Contributor
2 years ago
FYI I'm seing the same thing.
This article provides additional details on Xprotect logs: https://eclecticlight.co/2022/09/01/hunting-malware-protection-in-the-log/

Corentin