Popups: " will damage your computer." Brand new iMac, ReceiverHelp.app - malware?!

<continued due to 5000 character limit>

So, as the saying goes, "one more thing"...when attempting to simply drag the suspect files (listed above) into the trash, I'm prompted for the admin password -- which is a behavior I'm not familiar with, and one which seems like it would be a great malware "feature". (That's when I stopped, searched the Apple Community Forums, saw the issue mentioned but without much consensus, and then posted this thread seeking further clarification).

Is that behavior (prompting for a password) just an OS security feature (and expected behavior) when dragging something from within Macintosh HD > usr > local to the Trash? If so, all this may be wasted time, and the "fix" could be as simple as just entering the requested password, emptying trash, and then that's all behind us (because that's what some users have reported -- though others warned that would cause a disaster).

Yes. that's all normal. Those files are owned by the "root" or super-user. So you have to authentically with a similar powerful authorization in order to delete them.

And you are entirely correct that it would be a great malware "feature". They could just display a dialog box asking for your password. In fact, they do that on a regular basis and most everyone is happy to hand over their password. There is no way to tell if it is malware asking for your password or a legitimate require from Apple. The only extra information that is provided is a tiny icon in the corner of the padlock image on the dialog box.

If you only install software from the Mac App Store, then you have nothing to worry about. Apple does not allow Mac App Store apps to ask for your password. They can, actually, but that would get them in "big trouble" if they attempted it and Apple noticed. It is very rare for malware to try the Mac App Store route. It is easier to just run straight-up scams in the Mac App Store. Nothing illegal about that.

However, if you install software from outside of the Mac App Store, then it can ask for your password. If you never do that, then you know that any such request has to be a legitimate from Apple. But anything 3rd party software can ask for administrator privileges at any time. And yes, they can totally fake that icon on the padlock image, should they desire.

To wrap up: this was indeed a case where a software signing certificate was revoked for some, probably valid, reason and it ended up going through Apple's malware detection flow. This one is pretty minor. A similar incident happened with HP's printer software a while back and that was a royal mess. At least you were able to delete the files in question.

There are inherent issues that may occur when using Migration Assist from Old to Brand New computer.

Whatever issues exited on the old computer and TM Backup was made with old computer - they have basically been introduced in an otherwise Pristine and Virginal Installation on the new computer. This has badly polluted to New Computer ].

The net effect is what the new computer is experience presently.

This computer is definitely not “right out of the box” because you have restored an old computer into it. There isn’t anything wrong with that, but any problems on the old system will be migrated along with all the other files.

No one can say anything about these files. You have only given us a partial file name, which means nothing. The full path may have shown it to be malware, or not. It is hard to say what the meaning behind those “will damage your computer” messages might have been. Usually they are an indication that the file is malware, but sometimes Apple reuses that functionality for other things.

Rosetta is not malware. If you had restored a bunch of old software, you are likely to need Rosetta to run the old software on the new computer.

Unfortunately, setting up a new computer from a Time Machine restore has gotten pretty difficult over the years. The problems you encountered are typical and predictable. A better method is to turn on every single iCloud option possible, while still using the old computer. Then, setup a new user account on the new computer and log in to the same iCloud account. Manually reinstall only the latest version of the software you really need.

User wrote " Wife bought a new iMac (24" M1 2021). Booted it up, connected external hard drive from her old (very old) iMac that had a good recent Time Machine backup. In SetupAssistant, migrated everything from old iMac to new iMac "

Rest my case and good luck

lonebirdman wrote:

Of course, I understand that. That said, old computer had shown no indication of malware or anything else (other than being old and running old OS and apps).

That's all it takes.

In my OP I provided the full file names and path as they appear in the Finder:

File names:

ReceiverHelp.app

ServiceRecords.app

Full path1. :

Macintosh HD > usr > local > libexec > ReceiverHelp.app

Macintosh HD > usr > local > libexec > ServiceRecords.app

(Also in the same folder is a third file which appears related, but is not triggering a malware popup:

Macintosh HD > usr > local > libexec > AuthManager_Mac.app)

Sorry I missed that. Normally, if you want to specify a path you would write it "/usr/local/libexec/ReceiverHelp.app". When you write a path like this, it is a real path. You can provide it to the Finder or Terminal and it could find the file.

People (at least me) normally use the ">" just to specify steps in a sequence of a user interface operation. I would say something like - in Finder, choose Go > Go to the folder > enter "/usr/local/libexec/ReceiverHelp.app" > click the "Go" button.

All three files have a "Citrix" icon, and GetInfo shows them "© Citrix Systems 2017". Of course, that's not definitive, but...

A curious fact about malware is that they virtually never try to masquerade as legitimate apps. On very rare occasions, there are some that use "com.apple." in their file names, but that is very, very rare. Usually it is either nonsense words or generic words. These Citrix files (and they are really Citrix files) have pretty generic file names, but malware never uses /usr/local/libexec.

And if you want a second opinion on this, here it is: https://blog.malwarebytes.com/malwarebytes-news/2021/09/macs-turn-on-apps-signed-by-symantec-treat-them-as-malware/

Right, I knew there would be some compatibility issues with the new Apple silicon, which is why, when I attempted to launch an old app (in this case it was either Forefox or Microsoft's Edge browser), and I got a popup telling me Rosetta was required, I clicked OK to install it (I did first go to the App store and searched for Firefox and Edge, neither of which I found there). Then, as soon as I said OK to install Rosetta, immediately, the popups started.

That makes sense. These apps are designed to run in the background. But those Rosetta installation prompts require a Finder launch before t appears. So the background Intel apps were just silently failing until Rosetta was installed. Once Rosetta was installed, they could get past the architecture block and trigger the (erroneous) malware detection.

Not a big fan of using cloud services when it's not absolutely necessary, reluctant to do so for a variety of technical and other reasons. I figured using Time Machine would be more straightforward and reliable. Maybe not.

Time Machine is great for recovering from a disaster. If you have a computer physically die or get stolen and you want to restore that onto an identical computer, then Time Machine does a great job. But the further you get away from that ideal of "identical computer" the more trouble you are going to have.

And Time Machine should not be used to clone an installation. There are some directories that contain unique identifiers. If you make a copy of those unique identifiers, then they aren't unique anymore. You will have strange problems with services like AirDrop, Keychain, and other "continuity" features.

And one last important caveat. Apple, like every other software developer on the entire planet, assumes that you will never, ever need or install any other software. Once you do, all bets are off and no more guarantees. If you use only Apple software, then Time Machine will work great even if you are significantly far away from that idea of "identical" (not including the "cloning" that I described above). It is always 3rd party software that is the problem. If you transfer to a new computer or even upgrade your old computer, your old 3rd party software is the most likely to cause problems. And since every developer is different, there is no way to tell which is going to work and which won't.

lonebirdman wrote:

I use Carbon Copy Cloner on my own Macs, in part because it provides (I think) better options for bootable backups (I know, bootable backups have become much harder/more complicated with recent OS updates). My CCC license allows multiple users, so I could set it up on her Mac too, but...for a casual user like her, do you think TM or CCC makes more sense?

I don't use Carbon Copy Cloner so I can't comment on it. I wouldn't be too concerned about having a bootable backup. Technically speaking, Time Machine is bootable too. It just boots into Recovery mode from which you can reinstall the operating system and restore your data. This does take more time than simply booting from an external clone. But it is also very rare. The cost in time is relatively higher (a couple of hours vs. a couple of minutes) but the risk is low (and much lower these days with modern computers with SSDs).

About malware prevention...

I have always avoided having any kind of "anti virus" software running on my Macs, believing that they almost always do more harm than good. I'm fairly careful about installing things, and I have solid backups. My spouse is, let's just say, not quite as careful. I have educated her about malware vectors and she no longer automatically clicks "OK" immediately in every dialog that pops up (this took some effort) but she may be more vulnerable to malware tricks and social engineering than some of us. Given the kind of user she is, do you (still) think it's best just to keep all the "Mac anti-virus" apps off her machine? Or if you think they have some benefit, which would you recommend?

I can't really answer this one either. The macOS operating system already included very good protection for the system against malware. However, Apple always allows the user to override system settings. The only way to install malware on a Mac is to trick the user into installing it. But it turns out that is an effective strategy. So I consider 3rd party security apps to be effective protection for the operating system against the user. So if you find yourself, or your spouse, repeatedly being tricked into installing malware, then a 3rd party security app might be a good idea.

However, the security industry is crazy right now. Most users will not be able to distinguish between an effective security app and a scam app, or even a malware app. Two major anti-virus vendors have recently started including crypto mining software in their antivirus products. That really blurs the line between malware and anti-malware. And I'm talking about major, legitimate vendors here. There are many others that are nothing more than scams and a few are actually malware themselves.

If you did want to install a 3rd party security app, I strongly recommend that you start a new thread and specifically ask. Most people will tell you not to install anything. But some people will give you good suggestions. If you have one in mind, ask about it and if there are any horror stories, they will tell you about them.

Possible solution

Use Disk Utility to erase a Mac with Apple silicon