At my wits end: unable to remove virus Trojan.GenericKD.71025853 from InstallerSandboxes directory

Mac Studio M1
Mac OS Ventura 13.6.3
Bitdefender 9.4.1.4

Hello,

Bitdefender found a virus which it cannot remove/quarantine and instructs the user to manually remove.

Bitdefender Report:

We identified a threat that needs to be manually removed.

Threat name: Trojan.GenericKD.71025853

Path: /Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/Applications/MobileSlideShow.app/CPAnalyticsConfig-Photos.json

What I tried that did not remove the threat (confirmed by repeat Bitdefender scans):

  • despite having administrator privileges and using “show hidden files” in Finder, I am unable to open the /Library/InstallerSandboxes/.PKInstallSandboxManager/ folder, and all efforts to unlock the folder via File → Info did not work, despite the fact that I have read and write privileges.
  • reboot
  • reboot in safe mode
  • reinstall Ventura
  • clear all caches (using Clean My Mac)

I never access shady or suspicious web sites, and I always have Bitdefender running.

Bitdefender supports told me to “hire an expert.”

Thanks very much for your time and help

Have you considered reporting it to BitDefender to see if it’s a false positive? A quick Google search suggests they can occur - False positive - what is Trojan.GenericKD.48174843? — Expert Community

2 Likes

Thank you. The warning should have been removed April 2022 but it’s still there, and another Bitdefender site suggests removing it anyway.
Thank you for your post.

1 Like

Bitdefender supports told me to “hire an expert.”

I’m just spitting here, but have you tried disabling SIP before rebooting in safe mode?

1 Like

Thank you very much. Is this to be able to access folder contents in safe mode? Is this dangerous if I have a potential virus and disable protection (probably a very naive question)?
Thank you very much for thinking about my problem.

Yes. My thought is that maybe that will allow you to access the folder contents while in safe mode.

1 Like

I am following your instructions, and can’t understand why in recovery → terminal mode, neither of the two “authorized user” names are accepted, although I tried many times, checked the spelling and tried with and without quotes. Would you have an idea? Thanks again very much.

This path appears to be an app running inside Xcode’s iOS simulator.

Can you wipe/reset the simulator to erase its contents? Or failing that, can you uninstall/reinstall Xcode itself (which is what this affected sandbox appears to be running)?

1 Like

@fritz @Shamino
As soon as I disabled SIP and rebooted, Bitdefender put the file in quarantine, where I deleted it (not via Finder). Thanks very much; I am very grateful for your help.

2 Likes

…don’t forget to re-enable SIP.

3 Likes
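The exchange above turns on two checks: whether System Integrity Protection is currently enabled (so you know to turn it back on after the cleanup), and whether the folder Finder refuses to open is one that SIP fences off with the BSD “restricted” flag. The following shell helpers are an added example, not code from the thread or from Bitdefender. They parse the text that `csrutil status` and `ls -ldO` print on macOS, so the parsing can be exercised on the constructed sample lines in the comments even off a Mac; the live check at the bottom only runs when `csrutil` exists. Whether /Library/InstallerSandboxes actually carries the flag on a given system is something the script reports, not something assumed here.

```shell
#!/bin/sh
# Added example (not from the thread): post-cleanup SIP sanity checks.
# Both parsers take command output as a string so they can be tested on
# constructed samples without running csrutil or BSD ls.

# sip_state TEXT -> prints "enabled", "disabled" or "unknown".
# TEXT is the output of `csrutil status`, which on macOS looks like
#   System Integrity Protection status: enabled.
sip_state() {
  case "$1" in
    *"status: enabled"*)  printf 'enabled\n' ;;
    *"status: disabled"*) printf 'disabled\n' ;;
    *)                    printf 'unknown\n' ;;
  esac
}

# is_restricted LS_LINE -> exit 0 if the `ls -ldO` line carries the BSD
# "restricted" flag (the flag SIP uses on protected paths), else exit 1.
# Constructed sample line, column 5 is the comma-separated flag list
# ("-" when there are no flags):
#   drwxr-xr-x  3 root  wheel  restricted 96 Jan  1  2024 /Library/InstallerSandboxes
is_restricted() {
  flags=$(printf '%s\n' "$1" | awk '{print $5}')
  case ",$flags," in
    *,restricted,*) return 0 ;;
    *)              return 1 ;;
  esac
}

# Live check, only on macOS. If it prints "SIP: disabled" after you have
# finished the quarantine step, boot to Recovery and run `csrutil enable`.
if [ "$(uname -s)" = "Darwin" ] && command -v csrutil >/dev/null 2>&1; then
  echo "SIP: $(sip_state "$(csrutil status 2>/dev/null)")"
  dir=/Library/InstallerSandboxes
  if is_restricted "$(ls -ldO "$dir" 2>/dev/null)"; then
    echo "$dir is SIP-restricted (flag: restricted)"
  else
    echo "$dir is not flagged restricted"
  fi
fi
```

Run it once before disabling SIP to record the baseline, and again after the quarantine step; the second run is the “big red sign” in script form.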

Care to elaborate on what this means? My interpretation of that statement is that they have acknowledged that is a false positive, and that they tweaked their definitions to eliminate it. If this is a false positive the correct action on their part is to adjust their definitions and scanning so that it doesn’t happen, not to force you to delete a file that isn’t a problem.

That response from Bitdefender “support” doesn’t answer the question of whether this is a false positive or not.

1 Like

Yes, I put a big red sign on my desk. Easy to forget! Thank you.

I received a detailed answer yesterday from Bitdefender with an elaborate procedure to delete the file. I assume that it would pose some risk which seems contradictory.