False Positive - MRT -- When will this be fixed?

  • 6 April 2021
  • 1 reply

Userlevel 2
Badge +4

We will occasionally get an alert about a uncategorized file on our Macs. The error will always be something similar to the following:

MRT, Uncategorized file, \Library\Apple\System\Library\InstallerSandboxes\.PKInstallSandboxManager-SystemSoftware\BF320ED5-6C90-4CB6-B2F4-84E54AFD49FD.activeSandbox\Root\Library\Apple\System\Library\CoreServices\\Con, 00000000000000000000000000000000, 

The MRT will always be in a random sandbox location. I’ve talked with support on this and they said that this is a known issue and that Webroot’s whitelist only allows for MRT to be in one location, so when it is found in another location it throws this false positive. They also said that the only method for releasing this file and allow it is to put the device in an unmanaged profile and then release the file from the agent on the Mac directly.

I have several issues with both the false positive AND the way to fix it.

  1. Why is Webroot not using application signing to verify applications and still relying on whitelisting in this day and age? Almost every application should be digitally signed by the author. If the file is digitally signed, what does it matter what location it is in?
  2. Why doesn’t Webroot properly support application sandboxing? This has been present in Macs for a while now.
  3. Why doesn’t the mac agent and Webroot web console support releasing the file from the management console? This is the whole point of a management console--to not have to connect to endpoints directly to manage them.
  4. Placing the endpoint in an unmanaged profile just to release a file seems administratively excessive. The whole point of using a managed agent is to control everything centrally and needing to place a device into an unmanaged profile AND to then manage it from the local device to release a file goes against the idea of central administration.

This issue has been present for quite some time (about a year if not longer), and it has still yet to be fixed.

1 reply

Userlevel 7
Badge +17

@netmc ,

These are some really good and very technical questions. I’m going to ping one of our product experts - perhaps he can provide some clarity here!

@dstokes1  - Can you be of assistance here?