At my wit's end: unable to remove virus Trojan.GenericKD.71025853 from InstallerSandboxes directory

Mac Studio M1

Mac OS Ventura 13.6.3



Bitdefender found a virus which it cannot remove/quarantine and instructs the user to manually remove.

Bitdefender Report:

We identified a threat that needs to be manually removed.

Threat name: Trojan.GenericKD.71025853

Path: /Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/

What I tried that did not remove the threat (confirmed by repeated Bitdefender scans):

• despite having administrator privileges and using "show hidden files" in Finder, I am unable to open the /Library/InstallerSandboxes/.PKInstallSandboxManager/ folder, and all efforts to unlock the folder via File → Info did not work, despite the fact that I have read and write privileges.

• reboot

• reboot in safe mode

• reinstall Ventura

• clear all caches (using Clean My Mac)

I never access web sites which could be suspicious in any way, and I always have Bitdefender running.

Thanks very much for your time and help


Best Answer

  • Flexx
    edited January 1 Answer ✓

    Here are the steps to attempt manual removal:

    1. Disable System Integrity Protection (SIP) temporarily:
      • Restart your Mac in Recovery Mode (hold Command + R during startup).
      • Open Terminal from the Utilities menu.
      • Type csrutil disable and press Enter.
      • Restart your Mac normally.
    2. Attempt to delete the file:
      • Open Finder and press Command + Shift + G.
      • Paste the exact path to the file: /Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/
      • Right-click the file and select "Move to Trash."
      • If prompted, enter your administrator password.
    3. Re-enable SIP:
      • Repeat steps 1 and 2 from Recovery Mode, but use csrutil enable instead.

    If manual removal fails, consider these additional measures:

    • Reinstall Xcode: If the threat is associated with Xcode, reinstalling it might help.
    • Restore from a backup: If you have a clean backup from before the infection, restore your system to eliminate the threat.

    If the issue persists, kindly contact Bitdefender support by visiting

    Depending on the product you've selected and the issue you're facing, you can reach a support representative via email, chat, or phone.

    If you choose email support, you will receive a ticket number in your registered email. Kindly generate and attach the following logs to the ticket for macOS:

    Bitdefender BDsysLog for macOS:

    Bitdefender BDProfiler log for macOS:

    If the generated logs are larger than 25 MB, which is the attachment limit for most email vendors, you can upload the logs to and share the link with the support team.


    Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)
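Two checks a practitioner would run from Terminal before and after the steps above, as an added example that is not part of Flexx's answer: verify the SIP state from the output of `csrutil status` (the question the follow-up asks), and list the BSD file flags on the flagged sandbox directory with `ls -lO`, since a `restricted` (SIP) or `uchg`/`schg` (immutable) flag would explain why Finder cannot open or modify it despite read/write permissions. The flag names and the path are taken from macOS and the thread; that such a flag is actually set on this directory is an assumption the script lets you confirm, and the live commands only run on macOS.

```shell
#!/bin/sh
# Added example (not from the thread): verify SIP state and inspect file flags on the
# directory Bitdefender flagged, instead of deleting blindly via Finder.

SANDBOX_PATH="/Library/InstallerSandboxes/.PKInstallSandboxManager/DB631B72-5247-4751-8065-DEC981672912.activeSandbox/Root/Applications/"

# Parse the output of `csrutil status`, e.g. "System Integrity Protection status: enabled."
# Prints "enabled", "disabled" or "unknown" (custom configurations are reported as unknown).
sip_state_from_output() {
    case "$1" in
        *"status: enabled"*)  printf 'enabled\n' ;;
        *"status: disabled"*) printf 'disabled\n' ;;
        *)                    printf 'unknown\n' ;;
    esac
}

# Given one line of `ls -lO` output (macOS prints BSD flags after the group column),
# report which protective flags are present: "restricted" (SIP), "uchg" (user immutable),
# "schg" (system immutable). Prints a comma-separated list, or "-" if none are set.
protective_flags_from_ls() {
    found=""
    for flag in restricted uchg schg; do
        case "$1" in
            *"$flag"*) found="${found:+$found,}$flag" ;;
        esac
    done
    printf '%s\n' "${found:--}"
}

# Live checks: only meaningful on macOS, so skip elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then
    echo "SIP: $(sip_state_from_output "$(csrutil status 2>/dev/null)")"
    # -O shows BSD file flags; -d lists the directory itself rather than its contents.
    ls -lOd "$SANDBOX_PATH" 2>/dev/null | while IFS= read -r line; do
        echo "flags: $(protective_flags_from_ls "$line")  $line"
    done
fi
```

Run it with `sudo sh check_sandbox.sh` (assumed file name); if it reports `restricted` while SIP is enabled, that is the reason the folder resists changes, and an SIP-disabled state should show up as `disabled` after the Recovery Mode step.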


  • Thank you very much. I followed your excellent explanations, and can't understand why in recovery → terminal mode, neither of the two "authorized user" names are accepted, although I tried many times, checked the spelling and tried with and without quotes. Would you have an idea?

    Also, I tried so many times that I would like to be sure that SIP is indeed disabled. Is there a way to ascertain the status of SIP with a terminal command?

    Thanks a million! Your detailed and very intelligent explanations are greatly appreciated!!

  • @Flexx

    Thanks again very much for your most instructive and well written answer.

    As soon as I disabled SIP and rebooted, Bitdefender put the file in quarantine, where I deleted it (not via Finder).

    Thank you very much. I am very grateful for your help.