Summary
In some cases, OpenText™ Core Endpoint Protection will detect a file that is located on your backup, such as Time Machine. If the files detected include:
  These files are not threats, but are part of the OS X operating system and contain certain strings of code that we detect.

Additional Information
Our detections for the AppleKextExcludeList.kext include many applications that Apple will run that we do not (including certain keylogger families). This does not mean you have a keylogger, just that Apple allows some of these programs to run.

Similarly, MRT.app is Apple's built-in Malware Removal Tool. This tool, while a great help to the OS X platform, was not encrypted and will cause our system to detect it. We have built in safeguards to allow these programs to remain undetected on your system. However, with the many ways that backups can be named and stored, there may be instances where we detect these files.
 
Important Note:
Even after following the Recommended Action, this may happen again. It may recur if the files that were previously allowed are changed in any way, which can happen when an operating system update is applied. The OpenText™ Core Endpoint Protection allow action works with the files that you specify, and if those files are modified, the new versions of those files need to be allowed.
 
Here is an example of a detection:
/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/MRTv3

with trace/malware group “Keylogger.Refog.1.r”

Recommended Action
If OpenText™ Core Endpoint Protection continues to detect these files, you can modify the agent to tell OpenText™ Core Endpoint Protection to ignore them.

Please follow the instructions below for your product to resolve this issue.

Home users - Webroot SecureAnywhere
Instructions to prevent the files from being detected:
  1. Open the OpenText™ Core Endpoint Protection.
     
  2. Click the gear icon next to PC Security.
     
  3. Select the Block/Allow Files tab.
     
  4. Find the files and click Allow.

Business users - OpenText™ Core Endpoint Protection
Important information:
  • In order to make changes to the OpenText™ Core Endpoint Protection and allow the files that were detected, the device must have the Unmanaged Endpoint policy applied.
  • If the OpenText™ Core Endpoint Protection is hidden, applying the Unmanaged policy will unhide it.
  • There is no way to allow files for Macs using the OpenText™ Management Console; this has to be done at the agent.
  • To disable the scanning of archived files, you will modify the endpoint policy assigned to the device using the OpenText™ Management Console.

Instructions to locally allow the files using the OpenText™ Core Endpoint Protection:
  1. Apply the Unmanaged policy.
  2. Open the OpenText™ Core Endpoint Protection.
     
  3. Click the gear icon next to PC Security.
     
  4. Select the Block/Allow Files tab.
     
  5. Find the files and click Allow.
     
  6. Re-apply the original policy.
  
 
If you have additional questions or concerns, please open a ticket and Support will provide assistance.
 
All Contents Copyright© 2025