WebRoot detects Xprotect as Refog

Last week, as Apple released macOS Monterey 12.3 and customers' systems updated, our security monitoring platform lit up like the proverbial Christmas tree.

The problem:

Xprotect Remediator MRT v3 detected as Keylogger.Refog.1.r.

To start with, we had to dig into what XProtect Remediator MRT is. It didn't take long to find that XProtect is Apple's built-in anti-virus technology.

Apple updated XProtect on March 3rd, 2022 to version 2157, introducing rule MACOS.e150543, which prevents variants of the adware FPlayer. The other updates to XProtect are to rules MACOS.1db9cfa and MACOS.6eaea4b. Both rules prevent the XCSSET malware and were introduced in versions 2142 and 2144 respectively. Both were last updated in version 2149 from June 28, 2021.


Now we had to identify why WebRoot identified this as a virus. We identified that this only occurred with macOS clients running WebRoot version Older versions didn't show the issue with macOS Monterey 12.3, and clients running version on older builds of macOS Monterey didn't report the problem.

So it was certainly a macOS Monterey 12.3 WebRoot Version issue.

A quick discussion with WebRoot support confirmed this was a false positive, and we were advised that a resolution was in the works and would be released shortly.

