F-Secure 19.9 not working on Sonoma, log reports Bedrock UpstreamKit.framework, solution?
Hello, I have a problem with F-Secure 19.9 (63790) and macOS Sonoma 14.7.2. The software hangs on "Waiting for initial update..." and after a few minutes it says "Malware protection malfunction" and "Device reboot required", after system restarts it does the same problem.
Uninstalled with the F-Secure utility, deactivated, re-downloaded F-Secure, re-installed and re-activated, requested for update, re-installed again, I tried also an older package, same problem.
I checked system logs, it is filling a lot of logs about a component of F-Secure: Bedrock UpstreamKit.framework.
Temporarily I had to install a competitor's product for realtime scanning (it does not report any problems in my system).
Is there a solution for this problem? I read on this forum someone installed a beta version of F-Secure, is it a solution?
Logs reporting the antivirus component fscscannermanagerd crashes every 1-2 seconds due to a problem with /Library/F-Secure/Bedrock/lib/UpstreamKit.framework. It fills up the logs even disabling real-time scanning.
It repeats the same error over and over, I removed IDs from log lines < ... >
2024-12-16 18:29:56.844051 (system/com.f-secure.sp.scannermanagerd) <Notice>: service state: spawning
2024-12-16 18:29:56.844105 (system/com.f-secure.sp.scannermanagerd) <Notice>: launching: inefficient
2024-12-16 18:29:56.845569 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: xpcproxy spawned with pid 25967
2024-12-16 18:29:56.845594 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: internal event: SPAWNED, code = 0
2024-12-16 18:29:56.845597 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: service state: xpcproxy
2024-12-16 18:29:56.845601 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: deferred event: domain spawn response: 0
2024-12-16 18:29:56.845606 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: internal event: SOURCE_ATTACH, code = 0
2024-12-16 18:29:56.852692 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: service state: running
2024-12-16 18:29:56.852707 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: internal event: INIT, code = 0
2024-12-16 18:29:56.852736 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: Successfully spawned scannermanagerdwrapper[25967] because inefficient
2024-12-16 18:29:56.857562 (pid/25967 [scannermanagerd]) <Notice>: uncorking exec source upfront
2024-12-16 18:29:56.857579 (pid/25967 [scannermanagerd]) <Notice>: created
2024-12-16 18:29:56.859072 (pid/25967 [scannermanagerd]) <Notice>: domain exec event
2024-12-16 18:29:56.859080 (pid/25967 [scannermanagerd]) <Notice>: shutting down
2024-12-16 18:29:56.859091 (pid/25967 [scannermanagerd]) <Notice>: cleaning up
2024-12-16 18:29:56.859101 (system) <Notice>: removing child: pid/25967
2024-12-16 18:29:56.894572 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: exited with exit reason (namespace: 6 code: 0x1) - OS_REASON_DYLD | Library not loaded: @rpath/UpstreamKit.framework/Versions/A/UpstreamKit
Referenced from: < ... > /Library/F-Secure/Bedrock/bin/fscscannermanagerd
Reason: tried: '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' (code signature in < ... > '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in process: Library violates process' library load contraint), '/Library/F-Secure/Bedrock/bin/../lib/UpstreamKit.framework/Versions/A/UpstreamKit' (code signature in < ... > '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in process: Library violates process' library load contraint), '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' (code signature in < ... > '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in p, ran for 50ms
2024-12-16 18:29:56.894588 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: service has crashed 1309 times in a row (last was not dirty)
2024-12-16 18:29:56.894591 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: service state: exited
2024-12-16 18:29:56.894597 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: internal event: EXITED, code = 0
2024-12-16 18:29:56.894599 (system) <Notice>: service inactive: com.f-secure.sp.scannermanagerd
2024-12-16 18:29:56.894614 (system/com.f-secure.sp.scannermanagerd [25967]) <Notice>: service state: not running
2024-12-16 18:29:56.894618 (system/com.f-secure.sp.scannermanagerd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
2024-12-16 18:29:56.894673 (system/com.f-secure.sp.scannermanagerd) <Notice>: internal event: WILL_SPAWN, code = 0
2024-12-16 18:29:56.894692 (system/com.f-secure.sp.scannermanagerd) <Notice>: service state: spawn scheduled
2024-12-16 18:29:56.894694 (system/com.f-secure.sp.scannermanagerd) <Notice>: service throttled by 10 seconds
A log file is created every 1 second for fscscannermanagerd, in short:
Termination Reason: Namespace DYLD, Code 1 Library missing
Library not loaded: @rpath/UpstreamKit.framework/Versions/A/UpstreamKit
Referenced from: < ... > /Library/F-Secure/*/fscscannermanagerd
Reason: tried: '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' (code signature in < ... > '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in process: Library violates process' library load contraint), '/Library/F-Secure/Bedrock/bin/../lib/UpstreamKit.framework/Versions/A/UpstreamKit' (code signature in < ... > '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in process: Library violates process' library load contraint), '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' (code signature in < ... > '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in p
(terminated at launch; ignore backtrace)
Other details: I am using a legacy Mac 2016. macOS Monterey is discontinued software since September, 2024. To install macOS Sonoma I had to use OpenCore Legacy Patcher (distributed by Dortania).
Does anyone have a solution? Thanks
Answers
-
Hello @ejegumqo
Welcome to the F-Secure Community. Thank you for your post.
We regret to hear about the issue you’re experiencing with the F-Secure app version 19.9 on your Mac. At the moment, we are consulting with our Mac experts to investigate the matter. Once we have an update, we will let you know.
In the meantime, could you please verify that the F-Secure app has the necessary permissions on your Mac? You can check this by going to System Settings > Privacy & Security > Full Disk Access and ensuring that all F-Secure components are listed and enabled.
Thank you for your patience, and we hope you have a great day.
Firmy
Community Manager | F-Secure Community
🔐 Strengthening digital security through knowledge and collaboration
🌐 Explore our User Guides | Knowledge Base for self-help resources
💻 Empower yourself with Cybersecurity Insights and protect what matters
📢 Help Shape Our New Homepage! Share your input in our design survey. -
Thanks for the welcome and reply.
Yes, the F-Secure app has "Full Disk Access" permission, I checked it and it is mandatory to enable it at every new installation. Login Items (launchd) for F-Secure app are also enabled, which are also mandatory.
I am in contact with F-Secure support, they should let me know in a few days. This problem affects also the latest F-Secure version 19.10 on my Mac.
-
Hello @ejegumqo
Thank you for your reply.
Thank you for your patience as we reviewed your case. After consulting with our product team, we believe the issue you are experiencing is likely due to the modifications introduced by the OpenCore Legacy Patcher (OCLP). This tool alters macOS to enable it to run on unsupported hardware, which can interfere with critical system components, including macOS's security mechanisms that our software relies on. Specifically, the error you reported suggests that the
UpstreamKit.framework
library violates the process’s library load constraints. This typically occurs when the library has been re-signed or when the macOS code-signing mechanics have been altered, potentially due to OCLP.To help confirm whether the library is intact and correctly signed, we recommend performing a validation check in Terminal. First, use the
codesign
command to verify the library's signature details, ensuring that it reflects the appropriate developer credentials. Next, use theshasum
command to confirm that the hash matches the expected value of:95968a14cddf8fb0afdad3fa2247081404489bb9f1fb472bf22384d0ec5d4f9e
If these checks confirm the binary is intact but the issue persists, it’s likely that OCLP has introduced changes to the macOS environment that are causing the malfunction.
While we strive to provide robust support for all our users, please note that our product is designed and tested for officially supported macOS configurations. Unfortunately, we cannot guarantee full compatibility or functionality in environments modified by OCLP. We recommend using our software on officially supported macOS systems to ensure the best possible performance.
If you have any further questions or need additional assistance, please don’t hesitate to reach us. Thank you for understanding, and we appreciate your continued support.
Firmy
Community Manager | F-Secure Community
🔐 Strengthening digital security through knowledge and collaboration
🌐 Explore our User Guides | Knowledge Base for self-help resources
💻 Empower yourself with Cybersecurity Insights and protect what matters
📢 Help Shape Our New Homepage! Share your input in our design survey. -
The error is issued by the F-Secure software component, it is not issued by system components, you can tell by the fact that there is one less "s" on "constraint" in the error message. This suggests an internal problem with the F-Secure software. I do not know what caused the problem, you should know that.
The only change applied by OCLP should be "Library validation" disabled, I do not know if the functioning of your component relies on this particular setting. It seems absurd to me that F-Secure does not work for a system configuration. Could it be OCLP or could it be something else? It is not a certainty! I have already made sure that the component was not tampered, I reinstalled F-Secure at least 10 times, the component is always removed and reinstalled each time. The problem is always the same, that component crashes with the error message "UpstreamKit not valid for use in process: Library violates process' load contraint".
However, all the system requirements are met. All software used before the update and OCLP work correctly, including those installed via the App Store, which use app notarization. The only software that does not work is F-Secure. Even the Support Tool (FSDIAG) does not work, it is absurd.
Other antivirus softwares work correctly, which is even more absurd. Absurd that a solution is not found, in the end I will have to change the antivirus software.
-
The error is issued by the F-Secure software component, it is not issued by system components, you can tell by the fact that there is one less "s" on "constraint" in the error message. This suggests an internal problem with the F-Secure software. I do not know what caused the problem, you should know that.
The only change applied by OCLP should be "Library validation" disabled, I do not know if the functioning of your component relies on this particular setting. It seems absurd to me that F-Secure does not work for a system configuration. Could it be OCLP or could it be something else? It is not a certainty! I have already made sure that the component was not tampered, I reinstalled F-Secure at least 10 times, the component is always removed and reinstalled each time. The problem is always the same, that component crashes with the error message "UpstreamKit not valid for use in process: Library violates process' load contraint".
However, the system requirements are met. All software used before the update and OCLP work correctly, including those installed via the App Store, which use app notarization. The only software that does not work is F-Secure. Even the Support Tool (FSDIAG) does not work, it is absurd.
Other antivirus softwares work correctly, which is even more absurd. Absurd that a solution is not found, in the end I will have to change the antivirus.
-
Sorry for the double reply, it disappeared and I had to repost it.
I did the requested test with
codesign
, you did not specify well what to check and with which commands.-$ codesign --verify --verbose fscscannermanagerd fscscannermanagerd: valid on disk fscscannermanagerd: satisfies its Designated Requirement -$ codesign --display --verbose=4 fscscannermanagerd Executable=/Library/F-Secure/Bedrock/bin/fscscannermanagerd Identifier=fscscannermanagerd Format=Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=6206 flags=0x10000(runtime) hashes=179+11 location=embedded VersionPlatform=1 VersionMin=786432 VersionSDK=983040 Hash type=sha256 size=32 CandidateCDHash sha256=8dabb0891c534c71341f2e893a6455e67330cab5 CandidateCDHashFull sha256=8dabb0891c534c71341f2e893a6455e67330cab52bda9ba0487ec7618d0cd0e4 Hash choices=sha256 CMSDigest=8dabb0891c534c71341f2e893a6455e67330cab52bda9ba0487ec7618d0cd0e4 CMSDigestType=2 Executable Segment base=0 Executable Segment limit=663552 Executable Segment flags=0x1 Page size=4096 Library Load Constraints: Has Library Load Constraints [Dict] [Key] ccat [Value] [Int] 0 [Key] comp [Value] [Int] 1 [Key] reqs [Value] [Dict] [Key] team-identifier [Value] [Dict] [Key] $in [Value] [Array] [String] 6KALSAFZJC [String] 8DP7YP837J [String] V928P8X763 [Key] vers [Value] [Int] 1 CDHash=8dabb0891c534c71341f2e893a6455e67330cab5 Signature size=9080 Authority=Developer ID Application: F-Secure Corporation (6KALSAFZJC) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=17 Dec 2024 at 13:51:54 Info.plist=not bound TeamIdentifier=6KALSAFZJC Runtime Version=15.0.0 Sealed Resources=none Internal requirements count=1 size=180 -$ shasum fscscannermanagerd de4b47a6174e80725d05d5906d705c6037ab838a fscscannermanagerd -$ codesign --verify --verbose UpstreamKit UpstreamKit: valid on disk UpstreamKit: satisfies its Designated Requirement -$ codesign --display --verbose=4 UpstreamKit Executable=/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit Identifier=com.f-secure.bedrock.UpstreamKit Format=bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=428 flags=0x10000(runtime) hashes=6+3 location=embedded VersionPlatform=1 VersionMin=786432 VersionSDK=983040 Hash type=sha256 size=32 CandidateCDHash sha256=dff002f89bb5178dbc65e9c483f3bccab7bd004c CandidateCDHashFull sha256=dff002f89bb5178dbc65e9c483f3bccab7bd004c0a3425ab8bac99c676f37f9d Hash choices=sha256 CMSDigest=dff002f89bb5178dbc65e9c483f3bccab7bd004c0a3425ab8bac99c676f37f9d CMSDigestType=2 Executable Segment base=0 Executable Segment limit=8192 Executable Segment flags=0x0 Page size=4096 CDHash=dff002f89bb5178dbc65e9c483f3bccab7bd004c Signature size=9080 Authority=Developer ID Application: F-Secure Corporation (6KALSAFZJC) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=17 Dec 2024 at 13:52:04 Info.plist entries=19 TeamIdentifier=6KALSAFZJC Runtime Version=15.0.0 Sealed Resources version=2 rules=13 files=1 Internal requirements count=1 size=192 -$ shasum UpstreamKit dc69b50bd09baec42ad3c8dca5a240dc1bb0b1f0 UpstreamKit
I hope this is helpful.
-
Hello @ejegumqo
Thank you for taking the time to provide the detailed test results. We truly appreciate your patience and effort in helping us better understand the issue.
Based on the information you've shared, the signature details for the
UpstreamKit.framework
appear correct and reflect the appropriate developer credentials. However, the hash generated using theshasum
command differs from the expected value, which strongly suggests that theUpstreamKit
binary on your system has been altered.Our developer team reviewed your case and shared additional insights. The error message from macOS indicates that the
UpstreamKit.framework
code signature is invalid for use in the process due to a violation of the library load constraint. Code signatures are inherently stable—if valid on one system, they should be valid on another. Specifically, macOS reports:code signature in < ... > '/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in process: Library violates process' library load contraint)
This indicates two possibilities:
- The library has been re-signed, causing the hash to differ from the original version.
- OpenCore Legacy Patcher (OCLP) has modified macOS's code-signing mechanics, which could prevent proper validation of the framework's signature.
Indeed, reinstalling should fix it if the hash doesn't match. It then may or may not work. To ensure the best possible experience with our product, we recommend using it on officially supported macOS systems. Our product may not function as expected on systems modified by tools like OCLP.
If you have any further questions or need additional assistance, please don’t hesitate to reach out.
Thank you again for your understanding and cooperation.
Firmy
Community Manager | F-Secure Community
🔐 Strengthening digital security through knowledge and collaboration
🌐 Explore our User Guides | Knowledge Base for self-help resources
💻 Empower yourself with Cybersecurity Insights and protect what matters
📢 Help Shape Our New Homepage! Share your input in our design survey. -
I see inaccuracies. Very approximate answers that have no basis in truth. My advice is to be more precise because I see too much approximation.
In my opinion it is not a signature problem, it is an internal problem of F-Secure. The error message is related to the crash of the F-Secure component and is not a system error message. The system error message is: "EXC_CRASH (SIGABRT)", while this error message comes from your component: "'/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit' not valid for use in process: Library violates process' library load contraint)" and has nothing to do with signatures imho.
The
codesign
tool says that the signature is valid and reports a series of hashes and timestamp. As I said the software has been reinstalled at least 10 times, with yesterday 11. Keep in mind that that file is from the 19.10 installer package, I do not know what hash the original file has, but I know thatshasum
has several options that give different results.- I doubt that OCLP has altered
codesign
. - I doubt that file has been touched, the only one that could have touched that and other files is F-Secure updater.
Unless you accuse OCLP or any other software of altering F-Secure files, but you should be sure.
You are being very vague, about it could be, but there is no truth in your statements. How can it be OCLP can it be Minecraft or Firefox? It has not been verified. As I said all other software works fine on my system, all except the F-Secure app. I am not an advocate for OCLP, but the problem has not been verified, the only certainty is that F-Secure app is not working on my device.
The operating system is among those supported in the system requirements of your product. The device is an "official" Apple system.
If it was decided a priori that the problem is OCLP you should write it in the system requirements, since it is widely used users should know that it is not a supported option. This already happens for other well known software such as Homebrew. You might as well be explicit.
- I doubt that OCLP has altered
-
Hello @ejegumqo
Thank you for your reply and feedback.
We have shared it with our developer team for further clarification. In the meantime, we noticed another point of interest: the codesign CDHash appears to be different, which would also affect the shasum hash.
To address this, we kindly ask you to install the latest version of the F-Secure app, version 19.10, as mentioned in the release notes. Once installed, please run the command
shasum -a 256
in the Terminal and share your findings with us.We look forward to your response. Thank you, and have a great day.
Firmy
Community Manager | F-Secure Community
🔐 Strengthening digital security through knowledge and collaboration
🌐 Explore our User Guides | Knowledge Base for self-help resources
💻 Empower yourself with Cybersecurity Insights and protect what matters
📢 Help Shape Our New Homepage! Share your input in our design survey. -
I did the litmus test. I extracted the files directly from the F-Secure installation package mpkg (version 19.10).
The signatures match, the hashes match, they are exactly the same files that are installed on the system.
In my opinion we are off track, I strongly doubt that someone has altered the files, the hashes I provided came from a fresh installation.This is the whole process:
-$ cd Downloads/fsecure -$ pkgutil --check-signature F-Secure-Safe-Installer_uhlehs1tp3390_.mpkg Package "F-Secure-Safe-Installer_uhlehs1tp3390_.mpkg": Status: signed by a developer certificate issued by Apple for distribution Notarization: trusted by the Apple notary service Signed with a trusted timestamp on: 2024-12-17 12:54:35 +0000 Certificate Chain: 1. Developer ID Installer: F-Secure Corporation (6KALSAFZJC) Expires: 2029-02-08 05:17:13 +0000 SHA256 Fingerprint: 6A 69 05 21 9F E7 3B 83 91 F8 12 61 A4 7F 6C 26 F7 98 E8 6A 5A 04 A5 2D DA 91 99 2A 64 B7 79 63 ------------------------------------------------------------------------ 2. Developer ID Certification Authority Expires: 2031-09-17 00:00:00 +0000 SHA256 Fingerprint: F1 6C D3 C5 4C 7F 83 CE A4 BF 1A 3E 6A 08 19 C8 AA A8 E4 A1 52 8F D1 44 71 5F 35 06 43 D2 DF 3A ------------------------------------------------------------------------ 3. Apple Root CA Expires: 2035-02-09 21:40:36 +0000 SHA256 Fingerprint: B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24 -$ pkgutil --expand F-Secure-Safe-Installer_uhlehs1tp3390_.mpkg mpkg-extract -$ cd mpkg-extract -$ ls -l total 56 -rw-r--r-- 1 whoiam staff 26589 17 Dic 13:51 Distribution drwxr-xr-x 5 whoiam staff 160 15 Gen 21:01 PlugIns drwx------ 37 whoiam staff 1184 15 Gen 21:00 Resources drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.bedrock-customized.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.browsingprotection.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.fsmac.agents-and-daemons.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.fsmac.bin.pkg drwx------ 6 whoiam staff 192 15 Gen 21:00 com.f-secure.fsmac.customization.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.fsmac.gui.customization.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.fsmac.gui.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.fsmac.lib.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.fsmac.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.fsmac.tools.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.passwordvault.pkg drwx------ 5 whoiam staff 160 15 Gen 21:00 com.f-secure.xfence.pkg -$ pkgutil --check-signature com.f-secure.bedrock-customized.pkg Package "com.f-secure.bedrock-customized.pkg": Status: no signature -$ pkgutil --expand com.f-secure.bedrock-customized.pkg pkg Could not open package for expansion: com.f-secure.bedrock-customized.pkg -$ mkdir bedrock-extract -$ copy com.f-secure.bedrock-customized.pkg/* bedrock-extract -$ cd bedrock-extract -$ cat Payload | gunzip | cpio -i 17286 blocks -$ cd Library/F-Secure/Bedrock/bin -$ ls -l total 13952 -rwxr-xr-x 1 whoiam staff 1861824 15 Gen 21:07 fscdoormand -rwxr-xr-x 1 whoiam staff 1526208 15 Gen 21:07 fscscannermanagerd -rwxr-xr-x 1 whoiam staff 3574688 15 Gen 21:07 fscsecuritycloudd -rwxr-xr-x 1 whoiam staff 173376 15 Gen 21:07 fscupstreamd -$ codesign --verify --verbose fscscannermanagerd fscscannermanagerd: valid on disk fscscannermanagerd: satisfies its Designated Requirement -$ codesign --display --verbose=4 fscscannermanagerd Executable=/Users/whoiam/Downloads/fsecure/mpkg-extract/bedrock-extract/Library/F-Secure/Bedrock/bin/fscscannermanagerd Identifier=fscscannermanagerd Format=Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=6206 flags=0x10000(runtime) hashes=179+11 location=embedded VersionPlatform=1 VersionMin=786432 VersionSDK=983040 Hash type=sha256 size=32 CandidateCDHash sha256=8dabb0891c534c71341f2e893a6455e67330cab5 CandidateCDHashFull sha256=8dabb0891c534c71341f2e893a6455e67330cab52bda9ba0487ec7618d0cd0e4 Hash choices=sha256 CMSDigest=8dabb0891c534c71341f2e893a6455e67330cab52bda9ba0487ec7618d0cd0e4 CMSDigestType=2 Executable Segment base=0 Executable Segment limit=663552 Executable Segment flags=0x1 Page size=4096 Library Load Constraints: Has Library Load Constraints [Dict] [Key] ccat [Value] [Int] 0 [Key] comp [Value] [Int] 1 [Key] reqs [Value] [Dict] [Key] team-identifier [Value] [Dict] [Key] $in [Value] [Array] [String] 6KALSAFZJC [String] 8DP7YP837J [String] V928P8X763 [Key] vers [Value] [Int] 1 CDHash=8dabb0891c534c71341f2e893a6455e67330cab5 Signature size=9080 Authority=Developer ID Application: F-Secure Corporation (6KALSAFZJC) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=17 Dec 2024 at 13:51:54 Info.plist=not bound TeamIdentifier=6KALSAFZJC Runtime Version=15.0.0 Sealed Resources=none Internal requirements count=1 size=180 -$ shasum fscscannermanagerd de4b47a6174e80725d05d5906d705c6037ab838a fscscannermanagerd -$ shasum -a 256 fscscannermanagerd e43087a425e8805badbcd0bbbba7f46c33e18a805f5ec7404f9f2466c12be8da fscscannermanagerd -$ cd ../lib/UpstreamKit.framework -$ cd Versions/A -$ ls -l total 280 drwxr-xr-x 2 whoiam staff 64 15 Gen 21:07 Headers drwxr-xr-x 2 whoiam staff 64 15 Gen 21:07 Modules drwxr-xr-x 2 whoiam staff 64 15 Gen 21:07 PrivateHeaders drwxr-xr-x 3 whoiam staff 96 15 Gen 21:07 Resources -rwxr-xr-x 1 whoiam staff 140592 15 Gen 21:07 UpstreamKit drwxr-xr-x 3 whoiam staff 96 15 Gen 21:07 _CodeSignature -$ codesign --verify --verbose UpstreamKit UpstreamKit: valid on disk UpstreamKit: satisfies its Designated Requirement -$ codesign --display --verbose=4 UpstreamKit Executable=/Users/whoiam/Downloads/fsecure/mpkg-extract/bedrock-extract/Library/F-Secure/Bedrock/lib/UpstreamKit.framework/Versions/A/UpstreamKit Identifier=com.f-secure.bedrock.UpstreamKit Format=bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=428 flags=0x10000(runtime) hashes=6+3 location=embedded VersionPlatform=1 VersionMin=786432 VersionSDK=983040 Hash type=sha256 size=32 CandidateCDHash sha256=dff002f89bb5178dbc65e9c483f3bccab7bd004c CandidateCDHashFull sha256=dff002f89bb5178dbc65e9c483f3bccab7bd004c0a3425ab8bac99c676f37f9d Hash choices=sha256 CMSDigest=dff002f89bb5178dbc65e9c483f3bccab7bd004c0a3425ab8bac99c676f37f9d CMSDigestType=2 Executable Segment base=0 Executable Segment limit=8192 Executable Segment flags=0x0 Page size=4096 CDHash=dff002f89bb5178dbc65e9c483f3bccab7bd004c Signature size=9080 Authority=Developer ID Application: F-Secure Corporation (6KALSAFZJC) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=17 Dec 2024 at 13:52:04 Info.plist entries=19 TeamIdentifier=6KALSAFZJC Runtime Version=15.0.0 Sealed Resources version=2 rules=13 files=1 Internal requirements count=1 size=192 -$ shasum UpstreamKit dc69b50bd09baec42ad3c8dca5a240dc1bb0b1f0 UpstreamKit -$ shasum -a 256 UpstreamKit d528db1cb5055a33e682d454397c41110bfa91e13af2e1b2011108479f40bae3 UpstreamKit
The files are identical to those in the installation package, the F-Secure updater did not touch them either.
The files are taken directly from the mpkg package which is sealed (signed) and "UpstreamKit" has this hash (sha256):
d528db1cb5055a33e682d454397c41110bfa91e13af2e1b2011108479f40bae3
It cannot be otherwise.
-
I think I understood part of the problem. The component "fscscannermanagerd" runs in hardened runtime and it uses the entitlement "com.apple.security.cs.disable-library-validation". If I understand how it works: Gatekeeper enforces additional checks with this setting and in the case a library is loaded improperly, the binary crashes and this crash is due to DYLD. This happens even through "Library validation" is disabled in a system.
As I already said above, in my case OCLP requires "Library validation" to be disabled to apply root patching. Keep in mind, "Library validation" can be disabled. If it is disabled by the user or worse bypassed by some malware exploiting a vulnerability, problem still emerges.
This is the entitlement used by "fscscannermanagerd":
-$ codesign -d --entitlements - fscscannermanagerd Executable=/Users/whoiam/Downloads/fsecure/mpkg-extract/bedrock-extract/Library/F-Secure/Bedrock/bin/fscscannermanagerd [Dict] [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true
This is the hardened runtime for "fscscannermanagerd":
[...] CodeDirectory v=20500 size=6206 flags=0x10000(runtime) hashes=179+11 location=embedded [...]
The loading of the "UpstreamKit" dependency causes "fscscannermanagerd" to crash with this specific error: "Library violates process". I have no found anything similar online for DYLD. There is a post "Resolving Library Loading Problems" in the Apple Developer forum where they talk about this mechanism, the failure to load library can depend on several things.
It should be easier for you at F-Secure to understand the problem and find a solution. I am just a user. I can solve the problem using another antivirus product that works on my system, but the problem with your product remains. I hope you can solve it.
If your "official" line is not to support any system using a configuration that differs from the factory default, there is no point in continuing down this path. The F-Secure app does not work and no one knows for what precise reason. It is up to you to decide what to do.
-
Hello @ejegumqo
Thank you for sharing your findings and detailed analysis. Your insights are very helpful, and I’d like to provide some additional context from our product team that might explain the issue further.
The error you’ve encountered is caused by a macOS security feature called the hardened runtime. This feature enforces strict security checks on how libraries are loaded. While the entitlement
com.apple.security.cs.disable-library-validation
allows some flexibility (like loading non-Apple-signed libraries), it doesn’t bypass all the security rules.In this case, the issue occurs because the
UpstreamKit
library doesn’t meet the strict security requirements of the hardened runtime. This triggers the error ("Library violates process") and prevents the library from being loaded properly.Our product team mentioned that this behavior is due to macOS protecting against libraries that don’t match its security rules. For more details, Apple explains this in their WWDC 2023 session:
We also understand that OCLP changes system settings, such as disabling library validation for root patching. These changes can interfere with our software, which relies on standard macOS security settings to function correctly. For now, we recommend using a regular macOS installation for the best experience.
If you can reproduce this issue on a standard macOS system without OCLP, we’d be happy to take another look. Please don’t hesitate to reach out if you have more questions—we’re here to help.
Firmy
Community Manager | F-Secure Community
🔐 Strengthening digital security through knowledge and collaboration
🌐 Explore our User Guides | Knowledge Base for self-help resources
💻 Empower yourself with Cybersecurity Insights and protect what matters
📢 Help Shape Our New Homepage! Share your input in our design survey.
🚩 What Do You Think?
We’d love your thoughts on our fresh look! Quick survey, big impact!