"BadGacha" warning on my Mac mini

XProtect has been giving me 3 warnings a day saying:


BadGacha ⚠️ FailedToRemediate time 0.0001501 {"caused_by":[],"status_message":"FailedToRemediate","status_code":24,"execution_duration":0.00015008449554443359}


This just began a little over 24 hours ago. Is this a serious issue or is it some result of the Rapid Security Response that was recently installed? I'm using a Mac Mini M1, 8GB, with the latest Ventura and the Rapid Security Response installed as well.


[Re-titled by Moderator]

Mac mini, macOS 13.3

Posted on May 4, 2023 4:38 PM

32 replies
Question marked as Best reply

Apr 17, 2024 9:48 AM in response to etresoft

I am a little disappointed to read some of the swipes being taken at Howard Oakley. Howard and Etresoft are both authors of successful and very useful MacOS utilities. I also don't understand the use of the term "social media influence" as a pejorative. I would suggest taking five minutes to look over https://eclecticlight.co/category/macs/.

Jan 31, 2024 8:26 AM in response to Artiste212

For clarification, XProtect does not display any messages like this. It has virtually no user interface. The user interface it does have is infuriating, and more disruptive to the user experience than any malware. I know this makes no sense, but that's the way the world works.


All of these reports about "BadGacha" are from people using a certain app written by a social media influencer. This app takes low-level log reports, that no one should ever, ever look at, and displays them.


If Apple had a reason to report any kind of "BadGacha" virus, then there would be a dialog pop-up telling you. You wouldn't be able to dismiss the dialog and you wouldn't be able to use your computer. Your only solution would be to erase the hard drive and install the latest version of macOS Sonoma. Because this isn't happening, these reports are, therefore, false.

Apr 22, 2024 1:56 PM in response to AndyXII

AndyXII wrote:

A response from Howard Oakley.
https://eclecticlight.co/2024/04/21/last-week-on-my-mac-does-apple-support-its-security-software/

Exactly. Who but a social media influencer would go to the trouble to create a new blog post complaining about what someone in some other Internet forum is saying about them?


By definition, an "influencer" is successful at it. So that means that their misinformation is going to be spread and repeated. And when that happens on social media, it comes from a "social media influencer".


I'm used to people posting those kinds of false statements about me. It's been going on for years. My interest here is in providing accurate, truthful information for anyone in the future who might stumble upon this honeypot thread here in this forum.


Anything involving malware, security, viruses is at high risk of being used in a campaign of misinformation. Nothing sells like fear. That's why it's so attractive to "security" companies, "security researchers", social media influencers, and internet cyberstalkers. The Apple Support Community is one of the few places where fear doesn't sell. We want to help people have a better experience with their Apple products. Fear doesn't help with that. Instead, we use logic, reason, and the truth. You can tell a lot about someone when they see that approach as a threat.

Apr 22, 2024 7:23 PM in response to Frederick Karayan

Frederick Karayan wrote:

Could you please provide evidence, data, a press release, a license agreement, or any other data in support of your remark that "no one should ever, ever look at" low-level log reports?

Apple doesn't publish that kind of information, let alone press releases, on low-level system topics. There is no harm in looking at the data, provided one is both honest and mentally stable. Tech support scammers often use Console log messages to convince people that they've been infected by malware. Here in the forums, the biggest problem is people looking at that never-ending list of scary-sounding messages on their own and losing all touch with reality.


We've all seen Apple's promotion and marketing materials. Those focus on more uplifting and empowering messages. They don't show people getting scammed or people struggling with a buggy computer caused by 3rd party antivirus.


The closest you are ever going to find to this kind of information is on the Developer forums. There, Apple engineers refer to these messages as "Log Noise". This all started when Apple introduced the new Unified Logging system that logs any and all messages from all Apple apps.


These messages only have meaning to the Apple developers who coded them. If Apple wants users to know something, they have the means and the capacity to tell them directly. They're happy to do that. Nobody other than that specific Apple developer who wrote XProtectRemediator has any knowledge of what any console log messages actually mean.

Apr 25, 2024 1:23 PM in response to MrHoffman

MrHoffman wrote:

For assistance with third-party tools reporting undocumented and internal details of macOS, please contact the third party for details and assistance.

This app is from a class of tools — I’ll include Little Snitch here, as well as Apple and third-party logs and telemetry — that can be useful for some folks, and can be a source of needless worry and concern for others.

Cyber-stalker really doesn't care about any of that.

May 5, 2023 7:37 AM in response to MrHoffman

Thanks. I actually found this by running Howard's Silent Knight, and seeing a warning about this. I then ran his XProCheck app to download the log info from XProtect.


The real issue is that as XProtect fails to remediate this issue, I'm not sure what this means. Apple hasn't revealed what this malware is or does, and I'm concerned about just ignoring the warnings. I suppose I need to find out how to reach Apple Support somehow, but I don't know exactly how to find them.

Jan 31, 2024 8:54 AM in response to rgev1973

AppleStar wrote:

If you are who I think you are then congratulations for EtreCheck which I am using regularly.

Thanks!

About my request: I am someone rather technical and I do spend some time analyzing what my devices are doing - as I do with some servers I run. So I am still curious why Apple is logging something as somehow relevant if it is not ;)

I can't explain Apple's Console.app or its new Unified Logging system. I find it completely unusable. It logs unbelievably massive amounts of nonsense. While at the same time, it redacts much of that information, making it even more useless.


I understand that what I'm saying makes no sense. Why would Apple be logging such massive quantities of repetitive gibberish, making a point to remove any information that might possibly be useful? It makes no sense. I don't know why.


I have never seen any instance where anyone has ever obtained any useful information from Console. Yes. It's that bad. I have seen many cases where people have stared at that never-ending stream of techno-babble, lost touch with reality, and became convinced that hackers had taken control over their lives.


This is nothing but yet another piece of evidence. It's logging that it has found a "BadGacha" virus. This is false. It is reporting false information. That alone should be enough to do an immediate File > Quit.


My best guess is that this is the baby of some powerful, well-connected person high-up in Apple's software engineering team. They've been pushing it relentlessly and it is a Career Limiting Move for anyone to resist. The new version of Xcode now routes debugging messages through it, helpfully deleting them if your debug code logs too much data. (Note: when writing complex, asynchronous code like the kind Apple now demands, logging copious amounts of data is the only way to debug it. And Apple broke that.)

NB: You would consider Howard Oakley a social media influencer?

You wouldn't? By what criteria is he not?

Apr 8, 2024 11:33 AM in response to luckman212

Take it up with the social media influencer who released your "XProCheck" app.


Those are all internal status messages. You aren't supposed to be looking at them at all.


For example, XProtect has several modules to look for several different types of infections. Each specific type of infection has specific characteristics. For any infection to be "found", it would have to trip some minimum threshold of events. There are always legitimate, but incompetent, developers who regularly do something wrong and trip one event or another. There needs to be multiple matches before doing something.


But when logging runtime behaviour, each module is going to report all events, under its own identifier. Unfortunately, Apple didn't obfuscate those identifiers as it should have. This leads social media influencers and "internet security researchers" to write apps and blog posts to scare people.


When I added antivirus detection to my own app, I made the exact same error that Apple did, with similar results. Years later, that one mistake is still used to libel and defame me. There's nothing to see here.

Jan 31, 2024 8:36 AM in response to etresoft

If you are who I think you are then congratulations for EtreCheck which I am using regularly.


About my request: I am someone rather technical and I do spend some time analyzing what my devices are doing - as I do with some servers I run. So I am still curious why Apple is logging something as somehow relevant if it is not ;)


NB: You would consider Howard Oakley a social media influencer?

Jan 31, 2024 8:57 AM in response to tmg2010

tmg2010 wrote:

They are snippets from the system log captured by Howard Oakley's XProCheck app.

Yes. I know. 😄

Please explain "No one should ever look at"? Apple provides the Console app precisely to look at logs.

Please see my previous reply. I realize that Apple provides the app. But it's a horrible app. The entire system is just awful. In theory, it was designed exclusively for developers and should only be used by developers. No one else knows what the individual log messages mean, if anything. No one should ever look at the Apple logs because only Apple engineers know what they mean, and they never say anything. But, as a developer, I can tell you this system is totally useless. I would never, ever use it for my own apps. No way. Never.

Feb 27, 2024 6:46 AM in response to mauvedeity

Seems to me that XProtect mistakenly thinks that Teams is infected with BadGacha; my log entries are:

2024-02-26 22:34:55.778 BadGacha 👉 no status_message report time 0.0000000 {"action":"report","process":{"pid":786,"name":"Microsoft Teams Launcher"},"status":null}

2024-02-26 22:34:55.781 BadGacha ⚠️ ThreatDetected time 0.0000319 {"execution_duration":3.1948089599609375e-05,"status_message":"ThreatDetected","status_code":21,"caused_by":[]}

Three times in the last day?
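
An added example, not part of the original posts and not XProCheck's or Apple's code: a small Python parser for log lines in the format quoted in this thread, which attaches the process named in a `report` entry to the status result the same scanner logs right after it. Pairing entries by scanner name and a one-second window is an assumption made here; the thread does not document how the entries relate.

```python
import json
import re
from datetime import datetime

# Constructed sample: the three entries quoted in this thread (the first has no timestamp).
SAMPLE = """\
BadGacha ⚠️ FailedToRemediate time 0.0001501 {"caused_by":[],"status_message":"FailedToRemediate","status_code":24,"execution_duration":0.00015008449554443359}
2024-02-26 22:34:55.778 BadGacha 👉 no status_message report time 0.0000000 {"action":"report","process":{"pid":786,"name":"Microsoft Teams Launcher"},"status":null}
2024-02-26 22:34:55.781 BadGacha ⚠️ ThreatDetected time 0.0000319 {"execution_duration":3.1948089599609375e-05,"status_message":"ThreatDetected","status_code":21,"caused_by":[]}
"""

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+")

def parse_line(line):
    """Split one display line into timestamp, scanner name and JSON payload."""
    brace = line.find("{")
    if brace < 0:
        return None
    try:
        payload = json.loads(line[brace:])
    except ValueError:
        return None  # truncated or redacted payload: skip rather than guess
    head = line[:brace]
    m = TS.match(head)
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f") if m else None
    parts = (head[m.end():] if m else head).split()
    if not parts:
        return None
    return {"when": when, "module": parts[0], "payload": payload}

def summarize(text, window=1.0):
    """Pair each status result with earlier 'report' entries (assumed related)."""
    pending, results = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["payload"]
        if p.get("action") == "report":
            pending.append(rec)
        elif "status_code" in p:
            near = [r for r in pending if r["module"] == rec["module"]
                    and r["when"] and rec["when"]
                    and 0 <= (rec["when"] - r["when"]).total_seconds() <= window]
            names = [(r["payload"].get("process") or {}).get("name") for r in near]
            results.append({"module": rec["module"], "status": p.get("status_message"),
                            "code": p["status_code"], "processes": names})
            pending = [r for r in pending if r not in near]
    return results
```

`summarize(SAMPLE)` returns one record per status entry, so a result with an empty `processes` list (as in the first post's entry) is visibly distinct from one that names a flagged process.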

Apr 17, 2024 12:22 PM in response to Frederick Karayan

Frederick Karayan wrote:

I am a little disappointed to read some of the swipes being taken at Howard Oakley.

What swipes? I said he's a social media influencer. I'll ask again, by what criteria is he not?

Howard and Etresoft are both authors of successful and very useful MacOS utilities.

You came here asking specific questions about specific words, and now you are throwing them around with reckless abandon. What is an "author"? Someone who writes books? What books has Oakley written? There's a reason we make distinctions between "authors" and "bloggers". Other than a few academic papers, I've written no books and no blogs, so I'm neither. Years ago, I was a software engineer, but that term is regulated in Canada. I'm now downgraded to software developer. I'm fine with that. Small price to pay for free healthcare. My US satellites are still in orbit and still working, after all.


What is "successful"? Oakley doesn't charge any money for apps, so money's no metric there. But lots of people run them and they seem to believe what the apps tell them. By social media standards, that's definitely success. Lots of people run EtreCheck, but I'm not sure if they understand what it says or believe it. In the economic wasteland that is Mac apps, EtreCheck has been a success. But in material terms, it doesn't generate a livable wage.


What is "useful"? I don't know. I can tell you that it's subjective. These social media influencer apps generate confusion and misinformation here in the forums. I wouldn't call that useful. But I won't deny they are useful engines of influence. Jury's still out on EtreCheck. It's been useful for attracting stalkers and other malicious people. Great fun, they are.

I also don't understand the use of the term "social media influence" as a pejorative.

You are the only one using it as a pejorative term. I believe I've pretty well defended my use of the "social media influencer" label. He's only one of several such social media influencers in the Apple internet world. But with any social media influencer, it is a good idea to be critical. They may be able to tell you about things you didn't already know about. That can be useful. But they may also tell you things that aren't true. How can you tell the difference? This applies to anything you see on the Internet, on TV, or in print. In that broader field of information, social media influencers do far less harm than reporters or journalists. They're the best of the worst. Is that pejorative?
