Removing randomwhere, malware (leadingsignsearch) from [Security & Privacy] - [Full Disk Access]

Try Apple's command line tool tccutil! The general usage is:

    tccutil command service bundleIdentifier

Only one command (reset) is implemented right now. The service is the protected item (e.g. Microphone or Photos). The bundleIdentifier is the bundle identifier of the app given access to protected services.

  1. Open Terminal
  2. Get the bundleIdentifier of the apps to remove:

    mdls -name kMDItemCFBundleIdentifier -r /Applications/Some.app   # Some.app is just an example app
    

    Real example:

    host:~ user$ mdls -name kMDItemCFBundleIdentifier -r /Applications/Utilities/Terminal.app
    com.apple.Terminal
    

    More methods to get the bundleIdentifier: Getting the bundle identifier of an OS X application in a shell script. The app to remove is not necessarily in /Applications or /Applications/Utilities/.

  3. Remove all permissions for the app:

    tccutil reset All bad.axisofevil.randomwhere   # bad.axisofevil.randomwhere is just an example bundleIdentifier
    

RansomWhere?'s exec has a (null) bundleIdentifier. The associated launch daemon plist contains a com.objective-see.ransomwhere though, which looks like a typical bundleIdentifier. I would try this one first.

BTW: RansomWhere? is not ransomware but a security tool available here: RansomWhere?


Alternative approach:

Download tccutil (v1.2.5) from GitHub. It's not related to Apple's command line tool despite having the same name. It's also available via brew but apparently outdated there (v1.2.2) and won't work with Catalina.

  1. Disable SIP
  2. Download tccutil from github.com/jacobsalmela/tccutil (direct link: tccutil)
  3. Unzip the downloaded tccutil-master.zip
  4. tccutil is a Python script.
  5. In the command line enter (in the example below I downloaded the zip to Downloads and unzipped it there - adapt the path below to your environment):

    -h to get a short help text

    sudo python "$HOME/Downloads/tccutil-master/tccutil.py" -h
    

    -l to list all items in the accessibility database

    sudo python "$HOME/Downloads/tccutil-master/tccutil.py" -l
    

    -r to remove an app/entry

    sudo python "$HOME/Downloads/tccutil-master/tccutil.py" -r bundleIdentifier   # or pass /path/to/example.app instead
    
  6. Enable SIP
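
The identifier lookup from the first approach, as an added example that is not part of the original answer or of either tccutil tool: it reads CFBundleIdentifier from an app bundle's Info.plist, falls back to a launchd plist's Label for a bare executable with a (null) identifier, and builds the `tccutil reset` arguments without running them. The function names and the sample files are constructed for illustration, and treating the Label as the identifier is the answer's suggestion to try, not a guarantee.

```python
import plistlib
import re
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Bundle identifiers may contain only alphanumerics, "-" and "."
VALID_ID = re.compile(r"[A-Za-z0-9.-]+")


def tcc_identifier(target):
    """Identifier for an .app bundle or a launchd plist, or None if there is none."""
    path = Path(target)
    if path.is_dir():   # app bundle: Contents/Info.plist -> CFBundleIdentifier
        plist_path, key = path / "Contents" / "Info.plist", "CFBundleIdentifier"
    else:               # launchd job plist: Label
        plist_path, key = path, "Label"
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None     # missing file, bare executable, or damaged plist
    value = data.get(key) if isinstance(data, dict) else None
    return value if isinstance(value, str) and VALID_ID.fullmatch(value) else None


def reset_command(identifier, service="All"):
    """argv for Apple's tccutil; the caller decides whether to run it."""
    if not identifier or not VALID_ID.fullmatch(identifier):
        raise ValueError("not a usable bundle identifier: %r" % (identifier,))
    return ["tccutil", "reset", service, identifier]


def demo():
    """Run the lookup over constructed sample files (not real installations)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "Some.app"
        (app / "Contents").mkdir(parents=True)
        with open(app / "Contents" / "Info.plist", "wb") as fh:
            plistlib.dump({"CFBundleIdentifier": "bad.axisofevil.randomwhere"}, fh)
        daemon = root / "daemon.plist"
        with open(daemon, "wb") as fh:
            plistlib.dump({"Label": "com.objective-see.ransomwhere"}, fh)
        bare = root / "tool"   # stands in for an executable with no plist at all
        bare.write_bytes(b"\xcf\xfa\xed\xfe not a plist")
        return {p.name: tcc_identifier(p) for p in (app, daemon, bare)}


if __name__ == "__main__":
    for name, ident in demo().items():
        print(name, "->", reset_command(ident) if ident else "no identifier found")
```

Reading Info.plist directly also works when Spotlight has not indexed the app, a case where `mdls` prints (null).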