Removing randomwhere, malware(leadingsignsearch) from [Security & Privacy] - [Full Disk Access]
Try Apple's command line tool tccutil! The general usage is:
tccutil command service bundleIdentifier
Only one command (reset) is implemented right now. The service is the protected item (e.g. Microphone or Photos). The bundleIdentifier is the bundle identifier of the app given access to protected services.
- Open Terminal
- Get the bundleIdentifier of the apps to remove:
mdls -name kMDItemCFBundleIdentifier -r /Applications/Some.app #Some.app is just an example.app
Real example:
host:~ user$ mdls -name kMDItemCFBundleIdentifier -r /Applications/Utilities/Terminal.app
com.apple.Terminal
More methods to get the bundleIdentifier: Getting the bundle identifier of an OS X application in a shell script. The app to remove is not necessarily in /Applications or /Applications/Utilities/.
- Remove all permissions for the app:
tccutil reset All bad.axisofevil.randomwhere #bad.axisofevil.randomwhere is just an exemplary bundleIdentifier
RansomWhere?'s exec has a (null) bundleIdentifier. The associated launch daemon plist contains a com.objective-see.ransomwhere though, which looks like a typical bundleIdentifier. I would try this one first.
BTW: RansomWhere? is no ransomware but a sec tool available here: RansomWhere?
Alternative approach:
Download tccutil (v1.2.5) from github. It's not related to Apple's command line tool though having the same name. It's also available via brew but apparently outdated there (v1.2.2) and won't work with Catalina.
- Disable SIP
- Download tccutil from github.com/jacobsalmela/tccutil (direct link: tccutil)
- Unzip the downloaded tccutil-master.zip
- tccutil is a Python script.
- In the command line enter (in the example below I d/led the zip to Downloads and unzipped it there - apply the path below to your environment respectively):
-h to get a short help text
sudo python "$HOME/Downloads/tccutil-master/tccutil.py" -h
-l to list all items in the accessibility database
sudo python "$HOME/Downloads/tccutil-master/tccutil.py" -l
-r to remove an app/entry
sudo python "$HOME/Downloads/tccutil-master/tccutil.py" -r /path/to/example.app|bundleIdentifier
- Enable SIP
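
Added example (not part of the original answer, and not Apple's or the tccutil project's code): the two Terminal steps for Apple's tccutil combined into one script that refuses to run when mdls returns nothing or (null), as it does for RansomWhere?'s executable. The function names and the identifier pattern are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: look up an app's bundle identifier with mdls, then reset its
# TCC grants with Apple's tccutil. Function names are hypothetical.

# Accept only plausible reverse-DNS identifiers (assumed pattern).
# Rejects the empty string and the "(null)" that mdls -r prints when the
# attribute is missing.
valid_bundle_id() {
    case "$1" in
        ""|"(null)") return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9_-]+)+$'
}

# Print the bundle identifier of the app bundle at $1 (macOS only: needs mdls).
bundle_id_of() {
    mdls -name kMDItemCFBundleIdentifier -r "$1" 2>/dev/null
}

# Print the tccutil command for service $1 and identifier $2, or fail.
# The check matters: with an empty identifier the call collapses to
# "tccutil reset <service>", which resets that service for every app.
reset_command() {
    case "$1" in
        ""|*[!A-Za-z0-9]*) echo "refusing: bad service name: '$1'" >&2; return 1 ;;
    esac
    valid_bundle_id "$2" || {
        echo "refusing: no usable bundle identifier: '$2'" >&2
        return 1
    }
    printf 'tccutil reset %s %s\n' "$1" "$2"
}

# Usage: sh reset-tcc.sh /path/to/Some.app [service]   (service defaults to All)
main() {
    app=$1
    service=${2:-All}
    id=$(bundle_id_of "$app")
    reset_command "$service" "$id" || return 1   # shows what will be run
    tccutil reset "$service" "$id"
}

# Only act when an app path was given on the command line.
if [ $# -gt 0 ]; then main "$@"; fi
```

If the lookup is refused, the identifier has to come from elsewhere (for example the launch daemon plist mentioned above) and can be passed to tccutil reset by hand.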