
I have a client running on a MacBookPro 15-inch 2018, running MacOS Ventura 13.6.3. They are running WSA Latest version 9.5.12.227:1704. The scan shows no issues, but there are constant Suspicious Activity reports popping up. For example: This file is a system owned file, marked RW for System, and read only for everyone else, so only system should not be able to change it. Yet it generates warnings like this one: 
 


This is not the only 1, there are others. Same warnings, different programs updating. This has just started showing up in the last week or so.  Here is another: 
 



Anyone have an idea why these warnings are showing up all of a sudden? Even as a Mac expert, I am stumped on this one because I do not know the internals of WSA. Help please. 

 

It could have to do with this issue:

 

 

If not contact Webroot Support!


Thanks Daniel. I did see that message but I don’t recall them talking about this kind of warning. I was just curious if others were seeing this as well. Service it is I guess. Cheers


Hi. I support many Macs running Webroot SecureAnywhere and haven’t come across this.

Would be interested to know what it is too!


Looks like an FP to me with Apple’s XProtect security. This is a constant issue with Webroot on the MAC picking up XProtect. 

Contact support and complain.

 


Thanks jhartnerd123. Yea, I get Apple’s XProtect security is part of the problem, but now I am wondering why others are not seeing this?  And strangely, only on one of my many Macs right now is this occurring. 

I'll put in my “complaint” as well.  Cheers.


An update on this: 

I put in a ticket, and was mostly blown off by Customer Support, saying the issue has been fixed. Yet on that same Mac, I am still seeing these kinds of alerts, but for other reasons now. I reopened the ticket this morning and submitted a new image of the latest alert I saw this morning. I was blown off again, saying the issue was fixed. When I responded, they wrote back that I should re-read the previous answer and told me again the issue was fixed. They ignored that I am still seeing it on the latest build and showed them an example. 

Not really impressed with customer support these days. 

Update: They deleted the curt response and told me I should call in to discuss. The issue here is they want remote access to my machine, and I cannot allow that due to the sensitive nature of my clients and work related files on that machine.  Also, the wait times were incredibly long, and I do not have the luxury of waiting on the phone for 15 to 30 minutes. When I say this the ticket gets closed again. 

SIGH!

 


I will ping a couple of Webroot staff. @macdonaldj  and @TylerM to see what they can do for you and others on the backend of support.


Yeah, the MAC OS Agent is kinda lackluster to say the least. 


Sad to hear 😔


I’m checking on this!


Thanks Tyler, Daniel.  Much appreciated. 


@MajorHavoc can I ask what version they’re running currently? The latest version is currently 9.6.1.2 which Ventura does support. I am worried this might be more about them not getting product updates.

 


As I did put in the ticket, it is running version 9.6.1.2:1710 which claims (in the app) to be the latest. 
The Computer is running MacOS Ventura 13.6.3 (22G436). 

The original post was some versions ago.

 


Ok, I am updated to the latest version (1808) and rebooted. I still got some alerts, but down from 6 to only 2 this time, and so far, no other random ones. If that happens, I’ll post here. But here are the latest two:

 

The first is a system .plist for search, and should always be good unless it has been modified. 

The second, slimdevices, is an updater for a music player for a (very old) Logitech music server. It is also safe. Probably have not seen this one as the product made by slimdevices and bought by Logitech some time ago did not do very well. Not even sure it is supported anymore. (I can probably remove the update checker.)

I’ll post any further running alerts if they happen. 

Cheers


9.6.1.2:1710 and (1808) is just the definition number as the Mac agent isn’t full Cloud like the PC version and the Android Mobiles version and I wonder why all these years? Why not make it full Cloud wouldn’t that be better?


Thanks for that information, @MajorHavoc 

I’ve talked with support about this and it seems this is a different flavor of FP than the XProtect issue you originally saw. This is trickier since the message ‘Suspicious Activity detected' is a notification that Webroot SecureAnywhere provides when a change is made to the system that may resemble behavior of a malicious process.

To help protect against unknown or "zero-day" threats, the SecureAnywhere agent is constantly monitoring for certain behaviors or modifications commonly made by malware. One of those monitored actions is the modification to sensitive system files, which in this case, is a program's LaunchAgent component. Generally speaking, these notifications are not indicative of a verified-malicious action, as there are a number of automated tasks that can occur within macOS which could trigger a similar behavior. Common tasks that could prompt this message are updates to software or even the macOS itself, which in turn might result in programs updating/modifying their LaunchAgent or LaunchDaemon components.

You may see the alert mention a plist (property list) file, as we are indeed seeing in those two alerts you shared. These are typically storing settings or launch configuration data for an application. If you ever receive these prompts but recognize and trust the corresponding application, you can safely click the "OK" option. If the alert repeats multiple times for the same trusted file, you may click ignore to stop it from repeating endlessly.

Please note, the alert should only show up once to notify you that an application or system process has done something a bit different today. That seems likely why you didn’t get most of the six alerts repeating this time but the two you did get must have changed those plist files again. If it was genuinely malicious activity, it would be blocked by the client with the default policy settings.

Should you wish to fully suppress these alerts on Business agents, the Webroot management console provides the option of hiding the User Interface of SecureAnywhere. Doing so should force these messages to remain hidden.
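For readers who want to check an alerted LaunchAgent or LaunchDaemon plist themselves before dismissing the prompt, here is an added example (not part of the original thread and not Webroot's code). It reports owner, write permissions, and the program each recently modified plist launches; the function names and the choice of checks are assumptions made for illustration.

```python
import os
import plistlib
import stat

# System-wide launchd locations. Per-user ~/Library/LaunchAgents is owned by
# the user, so scan it separately with expected_uid set to that user's uid.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               "/System/Library/LaunchAgents", "/System/Library/LaunchDaemons"]

def triage_plist(path, expected_uid=0):
    """Return (facts, findings) for one launchd plist; findings == [] is clean."""
    st = os.stat(path)
    facts, findings = {"path": path, "mtime": st.st_mtime}, []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"writable by group/other (mode {mode:o})")
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("root object is not a dictionary")
    except Exception as exc:
        return facts, findings + [f"unparseable plist: {exc}"]
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    if program is None:
        findings.append("no Program or ProgramArguments key")
    elif not os.path.exists(program):
        findings.append(f"program missing on disk: {program}")
    elif os.stat(program).st_mode & stat.S_IWOTH:
        findings.append(f"program is world-writable: {program}")
    facts.update(label=job.get("Label"), program=program,
                 run_at_load=bool(job.get("RunAtLoad")))
    return facts, findings

def scan(dirs=LAUNCH_DIRS, since=0.0, expected_uid=0):
    """Triage every .plist in dirs modified at or after `since` (epoch secs)."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".plist") and os.stat(path).st_mtime >= since:
                results.append(triage_plist(path, expected_uid))
    return results

if __name__ == "__main__":
    for facts, findings in scan():
        print(facts["path"], facts.get("program"), findings or "ok")
```

Passing the time of the last reboot or update as `since` narrows the output to the plists that changed around the time the alerts appeared.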


Thanks Jeremiah. That is the same lousy answer as before. This creates a terrible problem for most users, especially the ones that I support that are constantly complaining about these.

First, these are personal accounts, so how do I suppress these there?

Second, if these things keep popping up all the time, users are just going to knee jerk and close them without reading them, which, to be honest, is what I am doing now because there are too many of them. In reality, that creates a very big hole for something nefarious to get through because we are being trained by these bogus (that’s right, I consider these bogus, the program should know what is valid or not)  alerts which are, for the most part, meaningless, or worse, not understood, for most users. 

I’m sorry, but I will leave this in the “bug” category. Webroot is supposed to be an advanced product. I would expect an advanced product should be able to tell what is a valid system change, and what is not, and only warn on things it is not sure of. 

As for only showing up once, that too is not the case, otherwise I would not see these things every time I restart. 

Webroot needs to do better here. 

Thank you for checking. I just think this is a cop-out answer to get around actually fixing this problem. 


Thanks for the feedback, @MajorHavoc and I agree that we need to work on avoiding alert fatigue at all times. I am working with the threat and engineering teams to see what we can do to improve this experience.


To me the Mac client needs lots of work and why not make a new one and make it full cloud like the Windows and Android clients? We have not heard any good things from the Mac client in many years. Or is there a reason for this? I know a few that will not use the Mac Client because of all the issues; they would rather use another product, so Webroot/Opentext is losing Mac users.

 

Thanks.


I’m afraid I have to agree that the Mac client needs work and reporting certainly needs optimising


I would agree. And one of my biggest grief points is the scan results “window”, which cannot be resized, and it is impossible to see everything on that screen. It would be great if this were a real window I could resize so I can see more info.


So Customer Service says this is fixed.

We just had a power outage for three hours. My M2 Mac, which was low on power, shut down, and then restarted when the power came back on.

There were 42 (FORTY-TWO) alerts for suspicious activity I had to click through to get rid of the alerts. All of them system or .plist files that were just fine. Why can't this remember I have already had those alerts? But seriously, 42?

This is obviously NOT fixed. SIGH (I reopened the ticket - they will probably tell me it's fixed because I won’t see them again. Which is what they told me last time. What has happened to the Mac development and support team? Hard to recommend this to friends and clients when it has these problems.)

Update: just looked at the Webroot menu item. There were THREE scans running. Something else I was told was fixed.  😞


ARGH! I want to scream. Once again, I got the same answer to my ticket that this has been fixed and I will only see the warnings once. 

Really? I have had this M2 MBP for more than a year. I restart occasionally, and have seen a few warnings each time. But 42 at one time?  Sorry, that is not seeing them once. 

And 42 is crazy. I stopped reading them about halfway through, I was so tired of the constant pop-ups.

Can someone at Webroot give me the email of the Customer Support Manager for Mac so I can write an email please? I am really getting tired of being blown off by support telling me that this is fixed when it obviously is not fixed, and I see these warnings all the time.  I am very close to removing WSA from this machine and trying some other product that will not annoy me all the time with inappropriate warnings on system functions and .plist files. 

Thanks


@MajorHavoc 

I will bring this concern up when I attend the Partner Advisory Board sessions later this week. I’m absolutely flabbergasted that OpenText has let the MAC Agent languish. 
Sure I purposely copy Windows AND MAC malware right to folders, and the agent does zero to quarantine it.

It’s better at false positives than doing any sort of real protection. 

 


Thank you. 

