You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Popups: " will damage your computer." Brand new iMac, ReceiverHelp.app - malware?!

Wife bought a new iMac (24" M1 2021). Booted it up, connected external hard drive from her old (very old) iMac that had a good recent Time Machine backup. In SetupAssistant, migrated everything from old iMac to new iMac. Completed setup and booted up. First thing I did was update to BigSur 11.6.2. Done. Next thing was to update Safari. Done. Then I checked the other browsers she had installed from the old iMac. Chrome showed as up to date. Both Firefox and Edge coughed up alerts indicating they couldn't run (OK, Apple silicon, shrug...) and I was prompted me to install Rosetta. I did.


Boom. Immediately, alerts started popping:


"ReceiverHelp.app will damage your computer" This file was downloaded on an unknown date. (OK) (Show in Finder). [ ]Report malware to Apple to protect other users"


"ServiceRecords.app will damage your computer" This file was downloaded on an unknown date. (OK) (Show in Finder). [ ]Report malware to Apple to protect other users"


Clicking "Show in Finder" opens the enclosing folder, which is:

usr > local > libexec


There's a third file in that folder, AuthManager.app, but the "malware" warnings are (I think) only about the two files listed above.


If I drag these files to the trash in Finder, it prompts for the Admin password -- which is unexpected (I don't recall seeing that before) and with all the big popups warning of malware, a bit concerning.


Doing a search online for the file names, I see hundreds of posts about this (or something nearly identical), both here on Apple's Support Community, and also elsewhere online. Many of the threads here on Apple's Support Community have replies that claim this is no big deal, these files are leftovers from old Citrix software (in fact, wife uses some Citrix utility to remote connect the old iMac to her employer's computer system). Many other threads here deny that, and claim it's definitely real malware, you must install MalwareBites to get rid of this.


What a mess. This looks like something that's quite common, and the advice given by users (many of whom appear to be knowledgable, authoritative and genuinely trying to help) is highly contradictory. Doesn't Apple have some official Help document pointing the way on this?


Wife is unhappy. Her brand new Apple computer right out of the box barks up these "malware" alerts and guess who gets to try and explain what's happening...


Was I tricked into installing "Rosetta," which in fact was malware?

Is this just trivial, old leftovers, and its OK to go ahead and provide the admin password to trash those 3 files?

If this is such a common error (google the name of those files, there's a LOT out there on this...), shouldn't there be more of a clear consensus here (is this nothing, or a grave danger?), with a pointer to an official, Apple-blessed Help doc pointing the way? It's a pretty awful First Boot Experience for this customer (and her in-home IT manager...).


Any guidance? Your help is appreciated.

iMac Line (2012 and Later)

Posted on Jan 11, 2022 10:51 PM

Reply
Question marked as Top-ranking reply

Posted on Jan 12, 2022 11:32 AM

<continued due to 5000 character limit>


So, as the saying goes, "one more thing"...when attempting to simply drag the suspect files (listed above) into the trash, I'm prompted for the admin password -- which is a behavior I'm not familiar with, and one which seems like it would be a great malware "feature". (That's when I stopped, searched the Apple Community Forums, saw the issue mentioned but without much consensus, and then posted this thread seeking further clarification).

Is that behavior (prompting for a password) just an OS security feature (and expected behavior) when dragging something from within Macintosh HD > usr > local to the Trash? If so, all this may be wasted time, and the "fix" could be as simple as just entering the requested password, emptying trash, and then that's all behind us (because that's what some users have reported -- though others warned that would cause a disaster).


Yes. that's all normal. Those files are owned by the "root" or super-user. So you have to authentically with a similar powerful authorization in order to delete them.


And you are entirely correct that it would be a great malware "feature". They could just display a dialog box asking for your password. In fact, they do that on a regular basis and most everyone is happy to hand over their password. There is no way to tell if it is malware asking for your password or a legitimate require from Apple. The only extra information that is provided is a tiny icon in the corner of the padlock image on the dialog box.


If you only install software from the Mac App Store, then you have nothing to worry about. Apple does not allow Mac App Store apps to ask for your password. They can, actually, but that would get them in "big trouble" if they attempted it and Apple noticed. It is very rare for malware to try the Mac App Store route. It is easier to just run straight-up scams in the Mac App Store. Nothing illegal about that.


However, if you install software from outside of the Mac App Store, then it can ask for your password. If you never do that, then you know that any such request has to be a legitimate from Apple. But anything 3rd party software can ask for administrator privileges at any time. And yes, they can totally fake that icon on the padlock image, should they desire.


To wrap up: this was indeed a case where a software signing certificate was revoked for some, probably valid, reason and it ended up going through Apple's malware detection flow. This one is pretty minor. A similar incident happened with HP's printer software a while back and that was a royal mess. At least you were able to delete the files in question.

Similar questions

10 replies
Question marked as Top-ranking reply

Jan 12, 2022 11:32 AM in response to lonebirdman

<continued due to 5000 character limit>


So, as the saying goes, "one more thing"...when attempting to simply drag the suspect files (listed above) into the trash, I'm prompted for the admin password -- which is a behavior I'm not familiar with, and one which seems like it would be a great malware "feature". (That's when I stopped, searched the Apple Community Forums, saw the issue mentioned but without much consensus, and then posted this thread seeking further clarification).

Is that behavior (prompting for a password) just an OS security feature (and expected behavior) when dragging something from within Macintosh HD > usr > local to the Trash? If so, all this may be wasted time, and the "fix" could be as simple as just entering the requested password, emptying trash, and then that's all behind us (because that's what some users have reported -- though others warned that would cause a disaster).


Yes. that's all normal. Those files are owned by the "root" or super-user. So you have to authentically with a similar powerful authorization in order to delete them.


And you are entirely correct that it would be a great malware "feature". They could just display a dialog box asking for your password. In fact, they do that on a regular basis and most everyone is happy to hand over their password. There is no way to tell if it is malware asking for your password or a legitimate require from Apple. The only extra information that is provided is a tiny icon in the corner of the padlock image on the dialog box.


If you only install software from the Mac App Store, then you have nothing to worry about. Apple does not allow Mac App Store apps to ask for your password. They can, actually, but that would get them in "big trouble" if they attempted it and Apple noticed. It is very rare for malware to try the Mac App Store route. It is easier to just run straight-up scams in the Mac App Store. Nothing illegal about that.


However, if you install software from outside of the Mac App Store, then it can ask for your password. If you never do that, then you know that any such request has to be a legitimate from Apple. But anything 3rd party software can ask for administrator privileges at any time. And yes, they can totally fake that icon on the padlock image, should they desire.


To wrap up: this was indeed a case where a software signing certificate was revoked for some, probably valid, reason and it ended up going through Apple's malware detection flow. This one is pretty minor. A similar incident happened with HP's printer software a while back and that was a royal mess. At least you were able to delete the files in question.

Jan 12, 2022 9:06 AM in response to etresoft

Thank you for your insights (and, I have purchased EtreCheckPro, have it on my other Macs, and am familiar with its use, if it's needed here).

etresoft wrote:

This computer is definitely not “right out of the box” because you have restored an old computer into it. There isn’t anything wrong with that, but any problems on the old system will be migrated along with all the other files.

Of course, I understand that. That said, old computer had shown no indication of malware or anything else (other than being old and running old OS and apps). Maybe it's malware that has been sitting idle and a new environment gave it the opportunity to trigger....something. Maybe not.

No one can say anything about these files. You have only given us a partial file name, which means nothing. The full path may have shown it to be malware, or not. It is hard to say what the meaning behind those “will damage your computer” messages might have been. Usually they are an indication that the file is malware, but sometimes Apple reuses that functionality for other things.

In my OP I provided the full file names and path as they appear in the Finder:


File names:

ReceiverHelp.app

ServiceRecords.app


Full path:

Macintosh HD > usr > local > libexec > ReceiverHelp.app

Macintosh HD > usr > local > libexec > ServiceRecords.app


(Also in the same folder is a third file which appears related, but is not triggering a malware popup:

Macintosh HD > usr > local > libexec > AuthManager_Mac.app)


All three files have a "Citrix" icon, and GetInfo shows them "© Citrix Systems 2017". Of course, that's not definitive, but...

  1. Multiple users have posted about these files in other threads, stating they are harmless (some claiming Apple support staff told them that) and they could simply be deleted.
  2. Computer owner does use some system extension/app/thing from Citrix to securely connect to workplace's Windows-centric network.

Yes, none of that is definitive, but given the above, it seems premature to me to immediately wipe a new machine.


Rosetta is not malware. If you had restored a bunch of old software, you are likely to need Rosetta to run the old software on the new computer.

Right, I knew there would be some compatibility issues with the new Apple silicon, which is why, when I attempted to launch an old app (in this case it was either Forefox or Microsoft's Edge browser), and I got a popup telling me Rosetta was required, I clicked OK to install it (I did first go to the App store and searched for Firefox and Edge, neither of which I found there). Then, as soon as I said OK to install Rosetta, immediately, the popups started.

Unfortunately, setting up a new computer from a Time Machine restore has gotten pretty difficult over the years. The problems you encountered are typical and predictable. A better method is to turn on every single iCloud option possible, while still using the old computer.

Not a big fan of using cloud services when it's not absolutely necessary, reluctant to do so for a variety of technical and other reasons. I figured using Time Machine would be more straightforward and reliable. Maybe not.


Still, I view the "malware" popups with some skepticism (for reasons cited above). At least until there's more indications it's not just an over-zealous/sloppily-written alert, because as you say...

It is hard to say what the meaning behind those “will damage your computer” messages might have been. Usually they are an indication that the file is malware, but sometimes Apple reuses that functionality for other things.


So, as the saying goes, "one more thing"...when attempting to simply drag the suspect files (listed above) into the trash, I'm prompted for the admin password -- which is a behavior I'm not familiar with, and one which seems like it would be a great malware "feature". (That's when I stopped, searched the Apple Community Forums, saw the issue mentioned but without much consensus, and then posted this thread seeking further clarification).


Is that behavior (prompting for a password) just an OS security feature (and expected behavior) when dragging something from within Macintosh HD > usr > local to the Trash? If so, all this may be wasted time, and the "fix" could be as simple as just entering the requested password, emptying trash, and then that's all behind us (because that's what some users have reported -- though others warned that would cause a disaster).


Thanks again for the insights.

Jan 12, 2022 3:27 AM in response to lonebirdman

There are inherent issues that may occur when using Migration Assist from Old to Brand New computer.


Whatever issues exited on the old computer and TM Backup was made with old computer - they have basically been introduced in an otherwise Pristine and Virginal Installation on the new computer. This has badly polluted to New Computer ].


The net effect is what the new computer is experience presently.


Jan 12, 2022 4:50 AM in response to lonebirdman

This computer is definitely not “right out of the box” because you have restored an old computer into it. There isn’t anything wrong with that, but any problems on the old system will be migrated along with all the other files.


No one can say anything about these files. You have only given us a partial file name, which means nothing. The full path may have shown it to be malware, or not. It is hard to say what the meaning behind those “will damage your computer” messages might have been. Usually they are an indication that the file is malware, but sometimes Apple reuses that functionality for other things.


Rosetta is not malware. If you had restored a bunch of old software, you are likely to need Rosetta to run the old software on the new computer.


Unfortunately, setting up a new computer from a Time Machine restore has gotten pretty difficult over the years. The problems you encountered are typical and predictable. A better method is to turn on every single iCloud option possible, while still using the old computer. Then, setup a new user account on the new computer and log in to the same iCloud account. Manually reinstall only the latest version of the software you really need.

Jan 12, 2022 8:15 AM in response to PRP_53

Thank you for you input.

P. Phillips wrote:

Whatever issues exited on the old computer and TM Backup was made with old computer - they have basically been introduced in an otherwise Pristine and Virginal Installation on the new computer. This has badly polluted to New Computer ].

Of course, I understand that (though I am not convinced, at least not yet, that the computer has been "badly polluted). Not my first rodeo.


Possible solution: Use Disk Utility to erase a Mac with Apple silicon

That seems like a fairly drastic path at this early stage -- and I have some skepticism that the files actually are malware. I've looked through threads reporting similar issues, and in more than a few of them, users have reported Apple's staff telling them just to trash the files, with apparent success. I think I'd like to get more clarity before getting out that big hammer. The old machine and new machine are sitting next to each other, old machine is perfectly functional, so I see no reason to go there (wipe the new machine) just yet.

Jan 12, 2022 11:31 AM in response to lonebirdman

lonebirdman wrote:

Of course, I understand that. That said, old computer had shown no indication of malware or anything else (other than being old and running old OS and apps).

That's all it takes.

In my OP I provided the full file names and path as they appear in the Finder:

File names:
ReceiverHelp.app
ServiceRecords.app

Full path1. :
Macintosh HD > usr > local > libexec > ReceiverHelp.app
Macintosh HD > usr > local > libexec > ServiceRecords.app

(Also in the same folder is a third file which appears related, but is not triggering a malware popup:
Macintosh HD > usr > local > libexec > AuthManager_Mac.app)

Sorry I missed that. Normally, if you want to specify a path you would write it "/usr/local/libexec/ReceiverHelp.app". When you write a path like this, it is a real path. You can provide it to the Finder or Terminal and it could find the file.


People (at least me) normally use the ">" just to specify steps in a sequence of a user interface operation. I would say something like - in Finder, choose Go > Go to the folder > enter "/usr/local/libexec/ReceiverHelp.app" > click the "Go" button.

All three files have a "Citrix" icon, and GetInfo shows them "© Citrix Systems 2017". Of course, that's not definitive, but...

A curious fact about malware is that they virtually never try to masquerade as legitimate apps. On very rare occasions, there are some that use "com.apple." in their file names, but that is very, very rare. Usually it is either nonsense words or generic words. These Citrix files (and they are really Citrix files) have pretty generic file names, but malware never uses /usr/local/libexec.


And if you want a second opinion on this, here it is: https://blog.malwarebytes.com/malwarebytes-news/2021/09/macs-turn-on-apps-signed-by-symantec-treat-them-as-malware/


Right, I knew there would be some compatibility issues with the new Apple silicon, which is why, when I attempted to launch an old app (in this case it was either Forefox or Microsoft's Edge browser), and I got a popup telling me Rosetta was required, I clicked OK to install it (I did first go to the App store and searched for Firefox and Edge, neither of which I found there). Then, as soon as I said OK to install Rosetta, immediately, the popups started.

That makes sense. These apps are designed to run in the background. But those Rosetta installation prompts require a Finder launch before t appears. So the background Intel apps were just silently failing until Rosetta was installed. Once Rosetta was installed, they could get past the architecture block and trigger the (erroneous) malware detection.

Not a big fan of using cloud services when it's not absolutely necessary, reluctant to do so for a variety of technical and other reasons. I figured using Time Machine would be more straightforward and reliable. Maybe not.

Time Machine is great for recovering from a disaster. If you have a computer physically die or get stolen and you want to restore that onto an identical computer, then Time Machine does a great job. But the further you get away from that ideal of "identical computer" the more trouble you are going to have.


And Time Machine should not be used to clone an installation. There are some directories that contain unique identifiers. If you make a copy of those unique identifiers, then they aren't unique anymore. You will have strange problems with services like AirDrop, Keychain, and other "continuity" features.


And one last important caveat. Apple, like every other software developer on the entire planet, assumes that you will never, ever need or install any other software. Once you do, all bets are off and no more guarantees. If you use only Apple software, then Time Machine will work great even if you are significantly far away from that idea of "identical" (not including the "cloning" that I described above). It is always 3rd party software that is the problem. If you transfer to a new computer or even upgrade your old computer, your old 3rd party software is the most likely to cause problems. And since every developer is different, there is no way to tell which is going to work and which won't.

Jan 12, 2022 1:17 PM in response to etresoft

First -- a BIG thank you, @etresoft, for your help (for your help specifically in this case, and for all the others you help regularly), your contributions are greatly appreciated. Sincerely.


Second - for the benefit of others who may find this thread in the future: as I suspected, it appears the "malware" warning in this case was, let's just say, overstated. That warning probably is accurate most of the time (so nobody should just ignore that), and it's worth paying attention to, though in my case, my suspicions appear justified.


The Fix: In this case, I simply dragged the files in question to the Trash, provided the requested Admin password, then emptied the trash. Problem solved. Quick and as easy as one could hope for. Computer seems perfectly functional and happy, no wipe-and-reinstall necessary.


Now, I have two follow-up questions if I may ask, as long as I have your attention...


For context: this is my spouse's Mac. She is completely non-technical. I manage her tech gear (because she won't or doesn't pay enough attention to stay safe IMHO). She was perfectly happy using her 10-year-old iMac (mostly for web and email, to connect to her work IT system, a few other things, but overall pretty light user). I eventually convinced her that she needed to get a new Mac specifically because the old one was not secure: old OS couldn't be updated, old apps couldn't be updated, and sensitive info on the computer = too high a risk. OK, we have crossed that bridge.


About backup options...


I have always had her use Time Machine to do regular, automated local backups to an external drive. Her needs are simple, and TM seems perfect for that. However...


I use Carbon Copy Cloner on my own Macs, in part because it provides (I think) better options for bootable backups (I know, bootable backups have become much harder/more complicated with recent OS updates). My CCC license allows multiple users, so I could set it up on her Mac too, but...for a casual user like her, do you think TM or CCC makes more sense?


About malware prevention...


I have always avoided having any kind of "anti virus" software running on my Macs, believing that they almost always do more harm than good. I'm fairly careful about installing things, and I have solid backups. My spouse is, let's just say, not quite as careful. I have educated her about malware vectors and she no longer automatically clicks "OK" immediately in every dialog that pops up (this took some effort) but she may be more vulnerable to malware tricks and social engineering than some of us. Given the kind of user she is, do you (still) think it's best just to keep all the "Mac anti-virus" apps off her machine? Or if you think they have some benefit, which would you recommend?


(I hope these questions don't violate any protocol for you here, if so, you know not to answer).


Many big thanks to you, again.

Jan 12, 2022 1:46 PM in response to lonebirdman

lonebirdman wrote:

I use Carbon Copy Cloner on my own Macs, in part because it provides (I think) better options for bootable backups (I know, bootable backups have become much harder/more complicated with recent OS updates). My CCC license allows multiple users, so I could set it up on her Mac too, but...for a casual user like her, do you think TM or CCC makes more sense?

I don't use Carbon Copy Cloner so I can't comment on it. I wouldn't be too concerned about having a bootable backup. Technically speaking, Time Machine is bootable too. It just boots into Recovery mode from which you can reinstall the operating system and restore your data. This does take more time than simply booting from an external clone. But it is also very rare. The cost in time is relatively higher (a couple of hours vs. a couple of minutes) but the risk is low (and much lower these days with modern computers with SSDs).

About malware prevention...

I have always avoided having any kind of "anti virus" software running on my Macs, believing that they almost always do more harm than good. I'm fairly careful about installing things, and I have solid backups. My spouse is, let's just say, not quite as careful. I have educated her about malware vectors and she no longer automatically clicks "OK" immediately in every dialog that pops up (this took some effort) but she may be more vulnerable to malware tricks and social engineering than some of us. Given the kind of user she is, do you (still) think it's best just to keep all the "Mac anti-virus" apps off her machine? Or if you think they have some benefit, which would you recommend?

I can't really answer this one either. The macOS operating system already included very good protection for the system against malware. However, Apple always allows the user to override system settings. The only way to install malware on a Mac is to trick the user into installing it. But it turns out that is an effective strategy. So I consider 3rd party security apps to be effective protection for the operating system against the user. So if you find yourself, or your spouse, repeatedly being tricked into installing malware, then a 3rd party security app might be a good idea.


However, the security industry is crazy right now. Most users will not be able to distinguish between an effective security app and a scam app, or even a malware app. Two major anti-virus vendors have recently started including crypto mining software in their antivirus products. That really blurs the line between malware and anti-malware. And I'm talking about major, legitimate vendors here. There are many others that are nothing more than scams and a few are actually malware themselves.


If you did want to install a 3rd party security app, I strongly recommend that you start a new thread and specifically ask. Most people will tell you not to install anything. But some people will give you good suggestions. If you have one in mind, ask about it and if there are any horror stories, they will tell you about them.

Popups: " will damage your computer." Brand new iMac, ReceiverHelp.app - malware?!

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.