
mdsync and Time Machine

For a few days (since Catalina 10.15.6, at least not before), several people, including myself (on two different Macs), have been finding warnings from Bitdefender while they have Time Machine Protection (or rather the protection of the back-up volume) switched on. Most warnings say there was an unauthorized access by mdsync. Some only say that there was an unauthorized access blocked. Cf. the ongoing discussion at the Bitdefender forum https://community.bitdefender.com/en/discussion/82672/anti-ransomware .

Bitdefender Antivirus says:

"Time Machine Protection

Feature: Anti-Ransomware

An unauthorized app attempted to access your backups.

App: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync

We blocked the app to prevent it from altering the content of your backups."


There could be a problem with Bitdefender Antivirus for Mac (OK, you might say you had better delete it, but ...). This is not a topic for the present community. But at least the question arises: what is mdsync doing when it tries to access the back-up volume of Time Machine?


There are earlier contributions indicating that mdsync is related to Spotlight (https://discussions.apple.com/thread/8538049) and/or Time Machine (https://discussions.apple.com/thread/250215220). But this remained a little bit uncertain.


Now with increasing threats it would be good to know whether there is a valid reason for mdsync to access the "holy" back-up volume of Time Machine. mdsync is a genuine part of the protected macOS, but you should always keep your eyes open.


Any well-founded ideas?


PS: Please note that there was something that the Bitdefender experts think was unauthorized access by mdsync and other apps without names. So there is some potential for threats or for experts to improve their knowledge.


iMac Pro

Posted on Aug 18, 2020 5:45 AM


7 replies

Sep 11, 2020 5:52 AM in response to VOGH

I have done as you have suggested and this image may help you to evaluate.

 

Your suggestion: “System Preferences > Spotlight > Privacy, is your external hard drive’s name shown”. No, it is not shown, and if I attempt to add it I receive the message “<my hard drive> is a Time Machine backup folder. You cannot add it to the privacy list.”

 

Screenshot:


 

As for “…can you tell me what you see in: System Preferences > Time Machine > Options?“, see the image below.

Screenshot:

Thanks for your assistance in this matter.


I also called Bitdefender on September 10, 2020. They provided a suggestion; however, it did not work either. They have informed me that they have escalated this concern to their second level of support and provided a ticket number to me, and stated that they would be sending me a program to run that would send back results to Bitdefender second-level support, but thus far I have not received it.


Sep 4, 2020 12:45 AM in response to VOGH

From time to time I still get the Bitdefender ransomware alerts that mdsync tried to access the Time Machine back-up. Starting with the time stamp that Bitdefender gives, I checked system.log and found two messages concerning mdsync:


Sep  3 10:47:39 MacPro2013 mdsync[613]: objc[613]: Class MDSPathFilter is implemented in both /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Metadata and /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync. One of the two will be used. Which one is undefined.


Sep  3 10:47:39 MacPro2013 mdsync[613]: objc[613]: Class _MDSPathFilter is implemented in both /System/Library/PrivateFrameworks/SpotlightIndex.framework/Versions/A/SpotlightIndex and /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdsync. One of the two will be used. Which one is undefined.


On the same day I had three more cases with these two messages. But only in the above case was there a Bitdefender alert.


Unfortunately, I am too dumb to interpret and understand what these messages really mean. But maybe they tell us what is going on or going wrong. In any case SpotlightIndex is mentioned. And I am a little bit puzzled when I read that something is implemented in an "undefined" way.


Any ideas from the Community?
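The check described in the post above (start from the alert's time stamp, then look in system.log for mdsync entries around it) can be scripted. This is an added example, not part of the original post or of any Apple or Bitdefender tooling; the sample lines, the `<A>`/`<B>`/`<C>` path placeholders, the year, the two-minute window and the alert time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the system.log layout quoted in the post above.
# <A>/<B>/<C> stand in for framework paths; only 10:47:39 is from the post.
SAMPLE_LOG = """\
Sep  3 08:12:05 MacPro2013 mdsync[401]: objc[401]: Class MDSPathFilter is implemented in both <A> and <B>. One of the two will be used. Which one is undefined.
Sep  3 10:47:39 MacPro2013 mdsync[613]: objc[613]: Class MDSPathFilter is implemented in both <A> and <B>. One of the two will be used. Which one is undefined.
Sep  3 10:47:39 MacPro2013 mdsync[613]: objc[613]: Class _MDSPathFilter is implemented in both <C> and <B>. One of the two will be used. Which one is undefined.
Sep  3 10:48:02 MacPro2013 syslogd[45]: ASL Sender Statistics
Sep  3 15:30:11 MacPro2013 mdsync[988]: objc[988]: Class MDSPathFilter is implemented in both <A> and <B>. One of the two will be used. Which one is undefined.
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
DUP_RE = re.compile(r"Class (\S+) is implemented in both (\S+) and (\S+)\. ")


def parse_log(text, year):
    """Yield (time, process, pid, message); syslog lines carry no year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or other formats are skipped
        stamp = " ".join(m.group(1).split())  # collapse the padded day
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield when, m.group(3), int(m.group(4)), m.group(5)


def near_alert(entries, alert_time, process="mdsync",
               window=timedelta(minutes=2)):
    """Entries from `process` logged within `window` of the alert time."""
    return [e for e in entries
            if e[1] == process and abs(e[0] - alert_time) <= window]


def duplicate_classes(entries):
    """Class names from the objc 'implemented in both' warnings."""
    found = set()
    for _, _, _, message in entries:
        m = DUP_RE.search(message)
        if m:
            found.add(m.group(1))
    return found


if __name__ == "__main__":
    alert = datetime(2020, 9, 3, 10, 47)  # assumed alert time, minute precision
    hits = near_alert(parse_log(SAMPLE_LOG, 2020), alert)
    for when, proc, pid, msg in hits:
        print(when, proc, pid, msg[:60])
    print(sorted(duplicate_classes(hits)))
```

Running it over several alert times shows which mdsync runs coincide with an alert and which do not; it establishes timing correlation only, not what mdsync was accessing.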

Sep 4, 2020 1:36 AM in response to VOGH

Hey there VOGH!


I believe in this case, it’s more of an issue with Bitdefender interfering with a system process, not allowing it to do what it needs to do.


The Spotlight process (usually mdworker) is a necessary function for the OS, including search, storage reporting, etc. So (and I could be wrong), I believe this would be a conflict with Bitdefender, or even the version of Bitdefender compared to the OS version.


If it was truly the OS not operating like it should, you could always reinstall it.


However, are there any other symptoms that coincide with this error message from Bitdefender?

Sep 4, 2020 3:14 AM in response to DiZoE

Hi DiZoE!


Thank you for your comment.


Unfortunately, I did not observe any other symptoms. In particular the blocked access seems to be unobservable otherwise.


The problem is there on a number of different Macs, cf. https://community.bitdefender.com/en/discussion/82672/anti-ransomware . I observe the Bitdefender alert on two different Macs myself (iMac Pro 2017 and Mac Pro 2013). So reinstalling macOS is not a very promising option. And I believe mdsync is in the protected system part - if not somehow replaced by malware/ransomware, although this should not be possible.

The alerts have been there since macOS 10.15.6. So Bitdefender (although permanently updated) might be incompatible with 10.15.6. On the other hand, Apple might have changed something that they did not communicate to developers or that has unexpected side effects.

Bitdefender Support essentially said that mdsync should not access Time Machine backups, "it is legitimately blocked." And "... only Time Machine system files are allowed to access Time Machine backups." Reasonable, if their assumption about allowed access is correct.

Because I have no firm information about what mdsync is good for and whether or not it should have access to Time Machine back-ups, I asked the question about mdsync and Time Machine. As there were and are indications that mdsync is part of Spotlight activities, it should most probably not touch the huge Time Machine back-up, at least not to build an index. On the other hand, as I mentioned earlier, there were indications that mdsync is related to Time Machine activities. Then the assumption of Bitdefender that mdsync should be blocked would be wrong. I could very well imagine that Time Machine uses modules related to Spotlight to manage the complicated structure of the back-ups. But I am ohhh so dumb! And I found so many bright and helpful ideas in the Apple community before. Therefore I decided to try again.

And finally it is always good to check/verify doubtful alerts.

Sep 11, 2020 1:02 AM in response to VOGH

Hey again! If you check:


System Preferences > Spotlight > Privacy, is your external hard drive’s name shown there or not? If not, then this might make sense, if otherwise, maybe not.


Also, can you tell me what you see in:

System Preferences > Time Machine > Options?


I’ve seen a lot of strange behavior from software over the years, and understand security is priority number one. Most of the time there is a technical explanation for it, but it takes some time to figure out. Then again, sometimes there isn’t! Thanks!

Sep 11, 2020 2:23 AM in response to DiZoE

Hi DiZoE!


Good questions, in particular the one about Spotlight > Privacy. Yes, I see several external disks and special folders that I excluded by intention. The funny thing now is about the back-up volume of Time Machine. A long time ago (years ago) I thought the Privacy should contain the Time Machine Back-up, since it would be quite confusing to have all back-ups listed in the search results. Then I had to learn that you are not allowed to add the back-up volume (error message says Time Machine-Backup may not be added to "Privacy"). I just checked this to be sure, same result. As I had some Spotlight related (AppleScript and Automator) problems over the years I frequently checked Preferences for Spotlight. The funny surprise was that from time to time I found the back-up volume in the Privacy list. Usually it was not there, but once in a while it was there. I found some correlation that it was in the list while Time Machine was running. This would seem to be reasonable. Unfortunately, I could not always verify this. Sometimes Time Machine had finished its activities, but the back-up volume was still in the list (even after closing and opening Preferences again to try to update the display). And sometimes Time Machine was active, but the back-up volume was not in the Privacy list. - So there could be something not working as it should. In any case I think, as I wrote before, that Spotlight should not touch the back-up-volume. But this does not mean that the back-up volume must be in the Privacy list. And there could be update problems with the Privacy list.

Please note that this has nothing to do with the question of what mdsync does and why it is blocked by Bitdefender when mdsync tries to access the back-up volume. This effect was not there before macOS 10.15.6. - Nevertheless the aforementioned observations and the mdsync problem might be somehow related.


Now Time Machine > Options. The Options show the back-up volume (grey, not selectable) and some other volumes and folders that I intentionally do not want to be included in the Time Machine back-up or that are excluded automatically, like an NTFS Windows volume (grey). So I see nothing that I would not expect.


Same observations on two different Macs.


Finally, the mdsync blocking message from Bitdefender is not very frequent, usually not even daily. Sometimes it did not show up for several days and I suspected that Bitdefender was updated to skip the message. And suddenly the message is there again. The last one I had was Sept. 6, i.e. 5 days ago.


