Worried that I downloaded malware from a disk image

Hi, I accidentally downloaded a disk image and tried to run it, I shortly realized that it is probably malware. I'm worried that there's malware on my computer but I'm unsure if Gatekeeper was able to block me from running the image. I believe I clicked "Open anyway" or something along those lines even after it said not to run it, so I'm pretty scared that it was able to run. I checked the logs for Gatekeeper, and I see that it says "Code did not match any currently allowed policy". Does this mean it blocked whatever disk image I mistakenly tried to run?

Thank you so much for your answers, it will help me stop worrying.


2025-03-01 10:45:10.480495-0800 0x953f85   Default     0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Fast Gatekeeper overrides are: inactive
2025-03-01 10:45:14.308061-0800 0x95412e   Default     0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Caller indicated a Gatekeeper override occurred: <private>
2025-03-01 10:45:14.314205-0800 0x95412c   Default     0x0                  39200  2    CoreServicesUIAgent: [com.apple.launchservices:uiagent] Cleared Gatekeeper rejection record sucessfully
2025-03-01 10:45:25.864198-0800 0x953f85   Error       0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Error Domain=GatekeeperPolicyScanError Code=-67018 "Code did not match any currently allowed policy" UserInfo={NSURL=<private>, NSLocalizedDescription=Code did not match any currently allowed policy}
2025-03-01 10:45:30.659323-0800 0x95430b   Default     0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Adding Gatekeeper denial breadcrumb (direct): PST: (path: 5451bc9511ea5cc0), (team: (null)), (id: project-55554944375cf61a58343acb828244228823e532), (bundle_id: NOT_A_BUNDLE)
2025-03-01 10:45:30.662733-0800 0x95430b   Error       0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Gatekeeper rejection: 39389, <private>
2025-03-01 10:45:54.602124-0800 0x9545ed   Default     0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Fast Gatekeeper overrides are: inactive
2025-03-01 10:46:35.578533-0800 0x9548b4   Default     0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Fast Gatekeeper overrides are: inactive
2025-03-01 10:46:37.719530-0800 0x9533cf   Default     0x0                  39200  2    CoreServicesUIAgent: [com.apple.launchservices:uiagent] Cleared Gatekeeper rejection record sucessfully


MacBook Air, macOS 15.3

Posted on Mar 1, 2025 1:45 PM


10 replies

Mar 1, 2025 3:04 PM in response to gandalf1414

Malwarebytes will tell you if it found anything. Also you can download and run Etrecheck.  The free version is sufficient. Be sure to give it Full Disk Access.


Copy the report as shown in this animated screenshot



and use the Additional Text button to paste the report in your reply.



Then we can examine the report and see if AMOS is mentioned anywhere in the report.

Mar 1, 2025 3:38 PM in response to gandalf1414

First, there is no reason to ever install or run any 3rd party "cleaning", "optimizing", "speed-up", anti-virus, VPN or security apps on your Mac. These documents describe what you need to know and do in order to protect your Mac: Effective defenses against malware and other threats - Apple Community and Recognize and avoid phishing messages, phony support calls, and other scams - Apple Support.


There are no known viruses, i.e. self-propagating, for Macs. There are, however, adware and malware which require the user to install, although unwittingly most of the time through sneaky links, etc.


Anti-virus developers try to group all types as viruses into their ad campaigns of fear. They do a poor job of detecting and isolating the adware and malware. Since there are no viruses, these apps use up a lot of system resources searching for what is non-existent and adversely affect system and app performance.


There is one app, Malwarebytes, which was developed by a long time contributor to these forums and a highly respected member of the computer security community, that is designed solely to seek out adware and known malware and remove it.  The free version is more than adequate for most users.  


Unless you're using a true VPN tunnel, such as between you and your employer's, school's or bank's servers, they provide false security from a privacy standpoint. 


The anti-virus apps very often give false positives. The only real way to confirm that the malware has been installed is to run Etrecheck and look for the malware name.


You should install Avast and Sophos according to the developers' instructions. Then you can check to see if you've removed all of the supporting files by downloading and running the shareware app Find Any File to search for any files with the application's or the developer's name in the file name.  For software mentioned you'd do the following search(es): 


1 - Name contains avast

2 - Name contains sophos

3 - Name contains amos

4 - Name contains virus or virustotal


Any files that are found can be dragged from the search results window to the Desktop or Trash bin in the Dock for deletion.


FAF can search areas that Spotlight can't like invisible folders, system folders and packages.  


If you get warnings that the file can't be deleted because it is in use or used by another app boot into Safe Mode according to How to use safe mode on your Mac and delete from there.


Note: if you have a wireless keyboard with rechargeable batteries, connect it with its charging cable before booting into Safe Mode. This makes it act as a wired keyboard and will assure a successful boot into Safe Mode.



Mar 1, 2025 4:38 PM in response to gandalf1414

gandalf1414 wrote:

I ran the disk image through VirusTotal and confirmed that it had the AMOS trojan. I already deleted the disk image from my computer and I ran Sophos/Avast and it didn't find anything so I think it's already been removed. What I'm worried about is if the malicious script already ran, and if Gatekeeper was able to block it.

Gatekeeper doesn't block malware. Gatekeeper checks the signature and notarization status of a file. It uses that information to display a dialog informing the user of the status of the file. It can be one of:


1) Downloaded and checked for malware (none having been found); or

2) Could not check for malware. (But the user can override and install.)


(There's another hidden layer of Gatekeeper here that checks the runtime and entitlements and may prevent the file from running.)


Even after all of this, if XProtect detects actual malware, it may prevent an executable from running.


All of this runs in the background and/or displays a dialog alerting the user to that which Apple wants the user to know. Nobody really knows what any of the log messages mean.

Mar 1, 2025 4:06 PM in response to Old Toad

I appreciate your reply, but my worry and question is not if the malware is still on my system. I was the stupid user that installed it through a fake link and tried to run it. I already removed the malware. (I know it was the AMOS trojan after scanning it through VirusTotal; you can search up the website, as you can upload suspicious files and it'll scan the file for you.) My question is on what the Gatekeeper logs in my post meant. The malware tried to run the disk image below, and I want help in interpreting the logs, specifically if Apple's native security was able to block it from running based on what the logs say. I'm wondering if someone experienced in how macOS's security works could give any insight.


Here's an additional log snippet that I picked up.


Timestamp                       Thread     Type        Activity             PID    TTL  
2025-03-01 10:45:25.818331-0800 0x954307   Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity) AMFI: '/Volumes/TradingView/TradingView' is adhoc signed.
2025-03-01 10:45:25.819548-0800 0x953694   Default     0x0                  38984  0    amfid: /Volumes/TradingView/TradingView not valid: Error Domain=AppleMobileFileIntegrityError Code=-423 "The file is adhoc signed or signed by an unknown certificate chain" UserInfo={NSURL=file:///Volumes/TradingView/TradingView, NSLocalizedDescription=The file is adhoc signed or signed by an unknown certificate chain}
2025-03-01 10:45:30.662776-0800 0x954308   Default     0x0                  0      0    kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 39389, /Volumes/TradingView/TradingView
2025-03-01 10:45:30.664180-0800 0x9541ee   Default     0x0
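An added triage script (mine, not code from this thread or from Apple) that turns the question asked above into a mechanical check: it scans a saved unified-log excerpt for the syspolicyd "Terminating process due to Gatekeeper rejection" message and cross-checks the PID against the AppleSystemPolicy kernel line, using a constructed sample built from the lines quoted in this thread.

```sh
#!/bin/sh
# Added triage helper, not code from this thread: scans a saved unified-log
# excerpt for the syspolicyd "Terminating process due to Gatekeeper rejection"
# message and cross-checks the PID against the AppleSystemPolicy kernel line.

# Constructed sample log: message text, PIDs and path copied from the lines
# quoted in this thread (timestamps and thread ids as posted).
SAMPLE_LOG="${TMPDIR:-/tmp}/gk_sample_$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2025-03-01 10:45:14.308061-0800 0x95412e   Default     0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Caller indicated a Gatekeeper override occurred: <private>
2025-03-01 10:45:25.818331-0800 0x954307   Default     0x0                  0      0    kernel: (AppleMobileFileIntegrity) AMFI: '/Volumes/TradingView/TradingView' is adhoc signed.
2025-03-01 10:45:25.864198-0800 0x953f85   Error       0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Error Domain=GatekeeperPolicyScanError Code=-67018 "Code did not match any currently allowed policy" UserInfo={NSURL=<private>, NSLocalizedDescription=Code did not match any currently allowed policy}
2025-03-01 10:45:30.662733-0800 0x95430b   Error       0x0                  301    0    syspolicyd: [com.apple.syspolicy.exec:default] Terminating process due to Gatekeeper rejection: 39389, <private>
2025-03-01 10:45:30.662776-0800 0x954308   Default     0x0                  0      0    kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 39389, /Volumes/TradingView/TradingView
EOF

# PIDs that syspolicyd reports as terminated by a Gatekeeper rejection.
gk_terminated_pids() {
    sed -n 's/.*Terminating process due to Gatekeeper rejection: \([0-9][0-9]*\),.*/\1/p' "$1"
}

# Path the AppleSystemPolicy kernel extension refused for one PID (empty if none).
asp_denied_path() {
    sed -n "s/.*ASP: Security policy would not allow process: $2, \(.*\)\$/\1/p" "$1"
}

# Count of "Gatekeeper override occurred" lines, i.e. the user clicked past a warning.
gk_override_count() {
    grep -c 'Gatekeeper override occurred' "$1" || true
}

# Verdict per terminated PID: "BLOCKED <pid> <path>" when syspolicyd and the
# kernel ASP line name the same PID, "NO-TERMINATION" when no such line exists.
gk_verdict() {
    pids=$(gk_terminated_pids "$1")
    [ -n "$pids" ] || { echo "NO-TERMINATION"; return 0; }
    for pid in $pids; do
        path=$(asp_denied_path "$1" "$pid")
        echo "BLOCKED $pid ${path:-<no matching ASP line>}"
    done
}

gk_verdict "$SAMPLE_LOG"
echo "override lines: $(gk_override_count "$SAMPLE_LOG")"
```

Point it at a real excerpt by saving the Console output to a file and passing that path to gk_verdict instead of the sample; an override count above zero alongside a BLOCKED line shows both events in the same excerpt.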
