Is XProtectRemediatorMRTv3 a False Positive?
Posted: 07-Jun-2022 | 7:13AM · Edited: 07-Jun-2022 | 7:15AM · 8 Replies
Hi, I just recently noticed that Norton 360 found a threat (OSX.Trojan.Gen.2) back on March 15th, 2022: XProtectRemediatorMRTv3 in /Library/System/Library/CoreServices/XProtect.app/Contents/MacOS/. From what I have found out, this is very likely a False Positive after the macOS 12.3 update. Other AV vendors (at least two) had flagged the same file.
But I haven't found anything in the Norton Community about MRTv3. Norton 360 has not classified the file as a threat in Idle Scans since just a day after the 15th. But the file is still listed under "Unresolved Risks". This made me suspicious, because if it is a False Positive, it should not be listed there. Probably Norton 360 does not update the "Unresolved Risks" log when reclassifying threats as FP. If that is the case, the behavior should be updated, I think.
Because of the whole "it had been flagged as a virus, but not anymore, but is still listed in 'Unresolved Risks'" situation, which I just noticed, I submitted my file to Norton on June 4th and am waiting for confirmation that it is a False Positive.
What I'm hoping is that someone from Norton could just confirm that Norton 360 indeed had flagged XProtectRemediatorMRTv3 as a False Positive under that specific file path in that timeframe and that it has been resolved by a signature update.
It would also be nice to get rid of the entry in "Unresolved Risks" (if it is a FP), as that file location is SIP-protected and thus cannot be modified to "resolve" the risk.
Re: Is XProtectRemediatorMRTv3 a False Positive?
Posted: 21-Jun-2022 | 7:30AM
Hello @Crwmy,
I can confirm we detected XProtectRemediatorMRTv3 as OSX.Trojan.Gen.2 on the 15th of March, 2022 and resolved this false positive detection on the same day.
Thank you for reporting the issue with the unresolved threats entries in the security logs; we'll look into it.