Removing randomwhere, malware(leadingsignsearch) from [Security & Privacy] - [Full Disk Access]

security malware

Try Apple's command line tool tccutil! The general usage is:

tccutil command service bundleIdentifier

Only one command (reset) is implemented right now. The service is the protected item (e.g. Microphone or Photos). The bundleIdentifier is the bundle identifier of the app given access to protected services.

  1. Open Terminal

  2. Get the bundleIdentifier of the apps to remove:

    mdls -name kMDItemCFBundleIdentifier -r /Applications/Some.app #Some.app is just an example.app

    Real example:

    host:~ user$ mdls -name kMDItemCFBundleIdentifier -r /Applications/Utilities/Terminal.app
com.apple.Terminal

    More methods to get the bundleIdentifier: Getting the bundle identifier of an OS X application in a shell script. The app to remove is not necessarily in /Applications or /Applications/Utilities/.

  3. Remove all permissions for the app:

    tccutil reset All bad.axisofevil.randomwhere #bad.axisofevil.randomwhere is just an examplary bundleIdentifier

RansomWhere?'s exec has a (null) bundleIdentifier. The associated launch daemon plist contains a com.objective-see.ransomwhere though, which looks like a typical bundleIdentifier. I would try this one first.

BTW: RansomWhere? is no ransomware but a sec tool available here: RansomWhere?

Alternative approach:

Download tccutil (v1.2.5) from github. It's not related to Apple's command line tool though having the same name. It's also available via brew but apparently outdated there (v1.2.2) and won't work with Catalina.

  1. Disable SIP
  2. Download tccutil from github.com/jacobsalmela/tccutil (direct link: tccutil)
  3. Unzip the downloaded tccutil-master.zip
  4. tccutil is a Python script.

  5. In the command line enter (in the example below I d/led the zip to Downloads and unzipped it there - apply the path below to your environment respectively):

    -h to get a short help text

    sudo python $USER/Downloads/tccutil-master/tccutil.py -h

    -l to list all items in the accessibility database

    sudo python $USER/Downloads/tccutil-master/tccutil.py -l

    -r to remove an app/entry

    sudo python $USER/Downloads/tccutil-master/tccutil.py -r /path/to/example.app|bundleIdentifier
  6. Enable SIP

Related

Cannot download fonts on Fontbook In Catalina
Searching for visible and invisible system files gives no results [duplicate]
How to disable auto-capitalization in Apple Mail app (really impossible?)
Apple ID Sign in issue
How to resolve rejection on App store with In-App purchase, free trial and links of web application
Wrong amount of messages counted in Mail
Bypassing Enrollment Server Reinstalling MacOS
How to print to a HP Photosmart C4599 printer from Sierra?
How to make notes read-only?
Adding GPS support to a Wi-Fi only iPad
Video player for macOS with jumping by subs and speed control
Which distance sensor to lock screen if I leave my seat?