[Workaround in description] Mac is detecting Docker as a malware and keeping it from starting #7520

Open
acassioaraujo opened this issue Jan 7, 2025 · 476 comments

Comments

@acassioaraujo

acassioaraujo commented Jan 7, 2025

Description

Whenever Docker is started, this error is shown:

Malware Blocked. “com.docker.socket” was not opened because it contains malware. this action did not harm your Mac.

Reproduce

  1. Start Docker
  2. See the error
Image

Workaround

Tip

If you face this issue, try the following procedure:

  1. Quit Docker Desktop and check that no remaining docker processes are running using the Activity Monitor
  2. Run the following commands:
#!/bin/bash

# Stop the docker services
echo "Stopping Docker..."
sudo pkill '[dD]ocker'

# Stop the vmnetd service
echo "Stopping com.docker.vmnetd service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.vmnetd.plist

# Stop the socket service
echo "Stopping com.docker.socket service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.socket.plist

# Remove vmnetd binary
echo "Removing com.docker.vmnetd binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.vmnetd

# Remove socket binary
echo "Removing com.docker.socket binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.socket

# Install new binaries
echo "Install new binaries..."
sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
sudo cp /Applications/Docker.app/Contents/MacOS/com.docker.socket /Library/PrivilegedHelperTools/
  3. Restart Docker Desktop.

If that still doesn't work, download one of the currently supported releases from the Release notes and re-apply step 2.

As suggested, running this command is working for most of the people that had this problem.

Original issue details

docker version
Client:
 Version:           26.1.4
 API version:       1.45
 Go version:        go1.21.11
 Git commit:        5650f9b
 Built:             Wed Jun  5 11:26:02 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux
Cannot connect to the Docker daemon at unix:///Users/admin/.docker/run/docker.sock. Is the docker daemon running?

(Can't get docker started to check more details)

----
Asked a friend running the same version of Docker, and this is the output:

Client:
 Version:           27.0.3
 API version:       1.46
 Go version:        go1.21.11
 Git commit:        7d4bcd8
 Built:             Fri Jun 28 23:59:41 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.32.0 (157355)
 Engine:
  Version:          27.0.3
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.11
  Git commit:       662f78c
  Built:            Sat Jun 29 00:02:44 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.18
  GitCommit:        ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc:
  Version:          1.7.18
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.0.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.15.1-desktop.1
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.28.1-desktop.1
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.32
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.14
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.10.0
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-scout

Server:
 Containers: 10
  Running: 9
  Paused: 0
  Stopped: 1
 Images: 41
 Server Version: 27.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.32-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 12
 Total Memory: 7.657GiB
 Name: docker-desktop
 ID: 1e75072f-7d8f-47c3-917a-43dc08d31755
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/lorenzo/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

Diagnostics ID

Can't get a Diagnostics ID because I'm not able to open Docker; the error is from macOS.

Additional Info

I tried installing older versions of Docker but the error is the same for all of them.

@luckystreak96

luckystreak96 commented Jan 7, 2025

If it helps, I have the same issue and am running this version of MacOS M3: macOS Sequoia 15.1 (24B83)
Image

@jpbriend

jpbriend commented Jan 7, 2025

Can you tell us how old the vmnetd executable is on your machines?
It's located here: /Library/PrivilegedHelperTools/com.docker.vmnetd

@luckystreak96

Running ls -lrt /Library/PrivilegedHelperTools/ gives this:

-r-xr--r--  1 root  wheel  5636768 31 May  2024 com.docker.vmnetd

@mat007
Member

mat007 commented Jan 7, 2025

Hi,

Which version(s) of Docker Desktop have you tried? Which one is the highest one? Did you download it fresh?
What happens if you do

sudo rm /Library/PrivilegedHelperTools/com.docker.vmnetd

then start Docker Desktop again? (Docker Desktop should re-install it on-demand when it needs it)

Thanks, and sorry this happened to you!

@mancha-24

I deleted the com.docker.vmnetd but now I get this opening docker again
Image

@luckystreak96

I uninstalled after the issue happened and re-installed the latest version available on the website - since deleting com.docker.vmnetd the application hangs (the window never opens), there is no visible error message, the file com.docker.vmnetd is still missing and trying to open the application multiple times yields an error of the likes of "Cannot start Docker because the application is not responding" (same as the post above)

@mat007
Member

mat007 commented Jan 7, 2025

Ah maybe you need to (sudo) kill -9 the vmnetd process, actually. Does

ps aux | grep vmnetd

show it running?

@mat007
Member

mat007 commented Jan 7, 2025

Or any other docker process running?

ps aux | grep '[dD]ocker'

@luckystreak96

vmnetd was not running, and killing the docker process and starting it again gives the same result.

$ ps aux | grep vmnetd
user        25212   0.0  0.0 410733072   1664 s000  S+    1:16pm   0:00.01 grep vmnetd
$ ps aux | grep "[dD]ocker"
user        24255   0.0  0.2 412151024  73200   ??  S     1:05pm   0:00.15 /Applications/Docker.app/Contents/MacOS/com.docker.backend run

@akerouanton
Member

It'd be helpful to get some system logs to see why macOS is rejecting vmnetd.

  1. Make sure that no docker processes are running -- or kill them through the Activity Monitor.
  2. Note the current time.
  3. Start Docker Desktop
  4. Run the following command in a terminal and replace the time with what you noted in step 2. (this command might be really slow).
$ log show --start '2025-01-07 X:Y:00' | grep 'com.docker'

@luckystreak96

I see this at the end of the log output that looks suspicious:

trustd: [com.apple.securityd:SecWarning]
Entitlement com.apple.application-identifier=9BNSXJN65R.com.docker.docker is ignored because of invalid application signature or incorrect provisioning profile
    "group.com.docker"

docker-log-output.txt

@mat007
Member

mat007 commented Jan 7, 2025

> vmnetd was not running, and killing the docker process and starting it again gives the same result.

Ah right, so Docker Desktop does not re-install vmnetd in that case.
You can do

sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/

then restart Docker Desktop.

edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing

@EricCrete

This worked for me ^

@luckystreak96

That also worked for me!

@codeech

codeech commented Jan 7, 2025

I uninstalled, and then reinstalled using the command line, and things seem to be working properly

@akerouanton
Member

akerouanton commented Jan 7, 2025

If someone is facing this issue, before removing the broken vmnetd or socket binary, could you please try to run these two commands and paste the output here:

$ codesign -d --extract-certificates  /Library/PrivilegedHelperTools/com.docker.vmnetd
$ for file in $(ls codesign*); do security verify-cert -vv -c $file; done
$ openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url $(openssl x509 -in codesign0 -ocsp_uri -noout)
$ openssl x509 -noout -text -in codesign0

@voidd7

voidd7 commented Jan 7, 2025

This wasn't working for me

sudo cp /Applications/Docker.app//Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/

but reinstalling from command line worked.

@zioproto

zioproto commented Jan 7, 2025

I have the same problem but with a small different detail. In the screenshot the file mentioned is com.docker.socket:

Image

@acassioaraujo your screenshot shows com.docker.vmnetd but in your issue description you also write com.docker.socket, could you please confirm which file is affected for you ? thanks

@akerouanton
Member

akerouanton commented Jan 7, 2025

@zioproto I think both are affected since they were signed with the same certificate. If you have a chance, could you try to run the commands I posted in this comment please? This would help us a lot. #7520 (comment)

@zioproto

zioproto commented Jan 7, 2025

@akerouanton It seems the signature cannot be verified:

security verify-cert -vv -c codesign0
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
---
Certificate chain
 0: Developer ID Application: Docker Inc (9BNSXJN65R)
    <cert(0x15c80d000) s: Developer ID Application: Docker Inc (9BNSXJN65R) i: Developer ID Certification Authority>
---
Certificate errors
 0: Developer ID Application: Docker Inc (9BNSXJN65R)
    Unable to find next certificate in the chain [MissingIntermediate]
---
Certificate chain properties
(
        {
        error = "CSSMERR_TP_NOT_TRUSTED";
        title = "Developer ID Application: Docker Inc (9BNSXJN65R)";
    }
)
---
Trust evaluation results
{
    TrustEvaluationDate = "2025-01-07 19:30:03 +0000";
    TrustResultDetails =     (
                {
            MissingIntermediate = 0;
            StatusCodes =             (
                "-2147409622"
            );
        }
    );
    TrustResultValue = 5;
}
---
Trust evaluation errors
Error Domain=NSOSStatusErrorDomain Code=-25318 "errKCCreateChainFailed / errSecCreateChainFailed: / The attempt to create a certificate chain failed." UserInfo={NSLocalizedDescription=\u201cDeveloper ID Application: Docker Inc (9BNSXJN65R)\u201d certificate is not trusted, NSUnderlyingError=0x600000f1cba0 {Error Domain=NSOSStatusErrorDomain Code=-25318 "errKCCreateChainFailed / errSecCreateChainFailed: / The attempt to create a certificate chain failed." UserInfo={NSLocalizedDescription=Certificate 0 \u201cDeveloper ID Application: Docker Inc (9BNSXJN65R)\u201d has errors: Unable to build chain to root (possible missing intermediate);}}}

@acassioaraujo
Author

> > vmnetd was not running, and killing the docker process and starting it again gives the same result.
>
> Ah right, so Docker Desktop does not re-install vmnetd in that case. You can do
>
> sudo cp /Applications/Docker.app//Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
>
> then restart Docker Desktop.
>
> edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing

This worked for me on version 4.32

@akerouanton
Member

akerouanton commented Jan 7, 2025

@zioproto I just added two other commands to my comment, ie. openssl ocsp … and openssl x509. Could you paste their output too please? 🙂

EDIT: Let me re-add them here for clarity.

$ openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url $(openssl x509 -in codesign0 -ocsp_uri -noout)
$ openssl x509 -noout -text -in codesign0
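
The certificate check requested above, wrapped into a pre-flight over the two helper copies that the workaround installs (an added example, not code from the thread or from Docker). It runs the thread's own `codesign` and `openssl` commands; the `run` parameter and the `no-chain` label are assumptions of this example, and it assumes an `openssl` build that reads the extracted certificate files the way the one used in the thread did.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Installed helper -> copy shipped inside Docker.app (paths from the workaround script).
HELPERS = {
    "/Library/PrivilegedHelperTools/com.docker.vmnetd":
        "/Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd",
    "/Library/PrivilegedHelperTools/com.docker.socket":
        "/Applications/Docker.app/Contents/MacOS/com.docker.socket",
}


def run_tool(argv, cwd):
    """Run a command in cwd and return stdout plus stderr (both tools log to stderr)."""
    try:
        proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"error: {exc}"
    return proc.stdout + proc.stderr


def parse_ocsp_status(output, cert_name="codesign0"):
    """Turn `openssl ocsp` output into 'good', 'revoked' or 'unknown'.

    The status line is only believed when the responder's signature verified,
    because the OCSP exchange itself goes over plain HTTP.
    """
    if "Response verify OK" not in output:
        return "unknown"
    match = re.search(rf"^{re.escape(cert_name)}: (good|revoked|unknown)\b",
                      output, re.MULTILINE)
    return match.group(1) if match else "unknown"


def signing_cert_status(binary, run=run_tool):
    """Return the OCSP status of the leaf certificate that signed `binary`."""
    with tempfile.TemporaryDirectory() as workdir:
        # Writes codesign0 (leaf), codesign1 (intermediate), codesign2 (root) into workdir.
        run(["codesign", "-d", "--extract-certificates", str(binary)], workdir)
        if not all((Path(workdir) / f"codesign{i}").is_file() for i in range(3)):
            return "no-chain"  # file missing, unsigned, or chain shorter than expected
        uri = run(["openssl", "x509", "-in", "codesign0", "-ocsp_uri", "-noout"],
                  workdir).strip()
        if not uri.startswith(("http://", "https://")):
            return "unknown"
        output = run(["openssl", "ocsp", "-CAfile", "codesign2", "-issuer", "codesign1",
                      "-cert", "codesign0", "-url", uri], workdir)
        return parse_ocsp_status(output)


def preflight(run=run_tool):
    """Check each installed helper and the bundled copy that would replace it."""
    report = {}
    for installed, bundled in HELPERS.items():
        bundled_status = signing_cert_status(bundled, run)
        report[installed] = {
            "installed": signing_cert_status(installed, run),
            "bundled": bundled_status,
            # Copying a helper into a root-owned location only makes sense when
            # the bundled copy's signing certificate is confirmed good.
            "copy_ok": bundled_status == "good",
        }
    return report


if __name__ == "__main__":
    for path, result in preflight().items():
        print(path, result)
```

If `bundled` comes back `revoked`, the Docker.app on disk still carries the old signature and copying its helpers will reproduce the block; update Docker Desktop first.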

@zioproto

zioproto commented Jan 7, 2025

@akerouanton the certificate has been revoked:

openssl x509 -in codesign0 -ocsp_uri -noout
http://ocsp.apple.com/ocsp03-devidg201

Question: I am not familiar with this, is it normal that the verification url is plaintext http and not https ?

and

openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url $(openssl x509 -in codesign0 -ocsp_uri -noout)
Response verify OK
codesign0: revoked

here is the full certificate in text form:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:16:fd:12:7d:9a:57:15:17:65:91:f8:5f:fc:3c:66
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Developer ID Certification Authority, OU=G2, O=Apple Inc., C=US
        Validity
            Not Before: Feb  8 12:56:54 2024 GMT
            Not After : Feb  8 12:56:53 2029 GMT
        Subject: UID=9BNSXJN65R, CN=Developer ID Application: Docker Inc (9BNSXJN65R), OU=9BNSXJN65R, O=Docker Inc, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                F8:3A:0C:69:11:76:E0:ED:AC:D1:EB:A6:59:FA:37:D5:C4:55:B0:1E
            Authority Information Access:
                CA Issuers - URI:http://certs.apple.com/devidg2.der
                OCSP - URI:http://ocsp.apple.com/ocsp03-devidg201
            X509v3 Certificate Policies:
                Policy: 1.2.840.113635.100.5.1
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
                  CPS: https://www.apple.com/certificateauthority/
            X509v3 Extended Key Usage: critical
                Code Signing
            X509v3 Subject Key Identifier:
                21:58:40:59:A0:20:1A:5B:6D:97:AE:14:CD:2D:AC:0E:03:A1:23:66
            X509v3 Key Usage: critical
                Digital Signature
            1.2.840.113635.100.6.1.33:
                ..20140507000000Z
            1.2.840.113635.100.6.1.13: critical
                ..
    Signature Algorithm: sha256WithRSAEncryption

@akerouanton
Member

@zioproto Thanks a lot! Last batch of questions:

  • Which version of Docker Desktop do you have?
  • Can you upload com.docker.vmnetd and com.docker.socket?

@Chekote

Chekote commented Jan 7, 2025

> > vmnetd was not running, and killing the docker process and starting it again gives the same result.
>
> Ah right, so Docker Desktop does not re-install vmnetd in that case. You can do
>
> sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
>
> then restart Docker Desktop.
>
> edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing

It also worked for Docker 4.32.0, which we are stuck on due to the issue outlined here.

@zioproto

zioproto commented Jan 7, 2025

> • Which version of Docker Desktop do you have?

difficult to say for sure because I am not able to start docker anymore.

> • Can you upload com.docker.vmnetd and com.docker.socket?

Can you give me the full path to those files ?
I found /Library/PrivilegedHelperTools/com.docker.socket but I cannot find com.docker.vmnetd at the same path.

Do you need the full file ? this is my hash:

MD5 (com.docker.socket) = 8c166046e4c4b8a864c2941067b16428

@akerouanton
Member

It should be:

  • /Library/PrivilegedHelperTools/com.docker.vmnetd
  • /Library/PrivilegedHelperTools/com.docker.socket

But if one is missing on your system, don't worry and just upload what you have 🙂

@shreyas-sriram

shreyas-sriram commented Jan 7, 2025

Seeing similar issues. Downloaded the specific MacOS version (4.29.0) from https://desktop.docker.com/mac/main/arm64/145265/Docker.dmg and Apple wouldn't even let me install the dmg, with message “Docker.dmg” was not opened because it contains malware. This action did not harm your Mac.

Image

When I use spctl to verify the dmg, this is what I get

$ spctl -a -v ~/Downloads/Docker.dmg
/Users/shreyas.sriram/Downloads/Docker.dmg: CSSMERR_TP_CERT_REVOKED

@Baptiste-Leterrier

Hello,

We also have the issue reported on computers in our fleet. We have JAMF and this is the error reported by JAMF protect for com.docker.socket

I provide here the screenshot and JSON alert from JAMF protect if it is of any help.

Image

Image

{
  "host": {
    "os": "Version 15.2 (Build 24C101)",
    "ips": [],
    "serial": "YV6L9VT97Q",
    "hostname": "MacBook Pro de XXXXXXXX",
    "protectVersion": "6.3.3.5",
    "provisioningUDID": "00006000-001C14311A62801E"
  },
  "match": {
    "tags": [
      "Gatekeeper"
    ],
    "uuid": "462f6d1c-b1bf-490f-894c-88fc3592775d",
    "event": {
      "pid": 564,
      "name": "com.docker.socket",
      "path": "/Library/PrivilegedHelperTools/com.docker.socket",
      "uuid": "38a90e8e-b833-457a-9655-32bd1cdadeb6",
      "sender": "AppleSystemPolicy",
      "process": "kernel",
      "category": "",
      "subsystem": "",
      "timestamp": 1737360248.33944,
      "composedMessage": "ASP: Security policy would not allow process: 564, /Library/PrivilegedHelperTools/com.docker.socket",
      "senderImagePath": "/System/Library/Extensions/AppleSystemPolicy.kext/Contents/MacOS/AppleSystemPolicy",
      "processImagePath": "/kernel",
      "processIdentifier": 0
    },
    "facts": [
      {
        "name": "GatekeeperBlockedRevoked",
        "tags": [
          "Gatekeeper"
        ],
        "uuid": "b83111e8-9f75-419a-8513-d625c6b64cb4",
        "human": "Gatekeeper blocked a revoked app",
        "actions": [
          {
            "name": "Report"
          }
        ],
        "context": [],
        "version": 1,
        "severity": 2,
        "matchReason": ""
      }
    ],
    "custom": false,
    "actions": [
      {
        "name": "Report"
      }
    ],
    "context": [],
    "version": 1,
    "severity": 2
  },
  "related": {
    "files": [],
    "users": [
      {
        "uid": 0,
        "name": "root",
        "uuid": "YV6L9VT97Q0"
      }
    ],
    "groups": [
      {
        "gid": 0,
        "name": "wheel",
        "uuid": "YV6L9VT97Q0"
      }
    ],
    "binaries": [
      {
        "gid": 0,
        "uid": 0,
        "fsid": 16777230,
        "mode": 33225,
        "path": "/Library/PrivilegedHelperTools/com.docker.socket",
        "size": 1416400,
        "inode": 96168049,
        "xattrs": [],
        "changed": 1712239851,
        "created": 1712239851,
        "sha1hex": "b352b7fa85f014ac957d9113b9e4a31812ef121a",
        "accessed": 1737123389,
        "modified": 1712239851,
        "sha256hex": "fb1e198a387995f70e5cc791fe854e94fa3d8afabc18686bdaaf1806f1841232",
        "isDownload": false,
        "objectType": "GPSystemObject",
        "isAppBundle": false,
        "isDirectory": false,
        "signingInfo": {
          "appid": "com.docker",
          "cdhash": "AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
          "status": -2147409652,
          "teamid": "9BNSXJN65R",
          "signerType": 3,
          "authorities": [],
          "entitlements": [],
          "statusMessage": "CSSMERR_TP_CERT_REVOKED",
          "informationStage": "extended"
        },
        "isScreenShot": false
      }
    ],
    "processes": [
      {
        "gid": 0,
        "pid": 564,
        "uid": 0,
        "args": [
          "/Library/PrivilegedHelperTools/com.docker.socket",
          "/Users/XXXXXXXXXX/.docker/run/docker.sock",
          "/var/run/docker.sock"
        ],
        "name": "com.docker.socket",
        "path": "/Library/PrivilegedHelperTools/com.docker.socket",
        "ppid": 1,
        "rgid": 0,
        "ruid": 0,
        "uuid": "a85c666b-4673-4d8f-8f5b-9f76a6c84f8c",
        "flags": [],
        "objectType": "GPSystemObject",
        "processType": "GPSystemObject",
        "signingInfo": {
          "appid": "com.docker",
          "cdhash": "AAAAAAAAAAAAAAAAAAAAAAAAAAA=",
          "status": -2147409652,
          "teamid": "9BNSXJN65R",
          "signerType": 3,
          "authorities": [],
          "entitlements": [],
          "statusMessage": "CSSMERR_TP_CERT_REVOKED",
          "informationStage": "extended"
        },
        "groupLeaderPID": 564,
        "inheritedFlags": [],
        "responsiblePID": 564,
        "startTimestamp": 1737360244,
        "isPlatformBinary": false,
        "originalParentPID": 1,
        "processIdentifier": 1524
      }
    ]
  },
  "eventType": "GPGatekeeperEvent"
}
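
A triage pass over alerts of the shape posted above, added here as an example and not part of the original comment or of Jamf Protect: it separates Gatekeeper blocks caused by a revoked certificate from a listed Team ID from every other block, and groups hosts so one revocation reads as one line across a fleet. The verdict labels, the Team ID allowlist and the sample alerts are constructed for this example; only the field names and the `CSSMERR_TP_CERT_REVOKED` / `9BNSXJN65R` values come from the page.

```python
import json
from collections import defaultdict

REVOKED = "CSSMERR_TP_CERT_REVOKED"            # statusMessage in the alert above
KNOWN_TEAM_IDS = {"9BNSXJN65R": "Docker Inc"}  # Team ID from the certificate in this thread


def classify(binary):
    """Label one entry of related.binaries by why Gatekeeper refused it."""
    info = binary.get("signingInfo") or {}
    status, team = info.get("statusMessage", ""), info.get("teamid", "")
    if status == REVOKED and team in KNOWN_TEAM_IDS:
        # The match only identifies the signer; the reason for the revocation
        # and the fixed build still have to come from the vendor.
        return "known-vendor-cert-revoked"
    if status == REVOKED:
        return "unlisted-signer-cert-revoked"
    return "needs-investigation"  # blocked for a reason other than revocation


def triage(alert):
    """Return one row per blocked binary in a GPGatekeeperEvent alert."""
    if alert.get("eventType") != "GPGatekeeperEvent":
        return []
    host = alert.get("host", {}).get("hostname", "unknown-host")
    rows = []
    for binary in alert.get("related", {}).get("binaries", []):
        info = binary.get("signingInfo") or {}
        rows.append({
            "host": host,
            "path": binary.get("path", ""),
            "teamid": info.get("teamid", ""),
            "status": info.get("statusMessage", ""),
            "verdict": classify(binary),
        })
    return rows


def fleet_summary(alerts):
    """Group hosts by (verdict, path, teamid)."""
    groups = defaultdict(set)
    for alert in alerts:
        for row in triage(alert):
            groups[(row["verdict"], row["path"], row["teamid"])].add(row["host"])
    return {key: sorted(hosts) for key, hosts in groups.items()}


# Constructed sample alerts, cut down to the fields read above.
SAMPLE_ALERTS = json.loads("""
[
 {"eventType": "GPGatekeeperEvent", "host": {"hostname": "mac-001"},
  "related": {"binaries": [{"path": "/Library/PrivilegedHelperTools/com.docker.socket",
    "signingInfo": {"teamid": "9BNSXJN65R", "statusMessage": "CSSMERR_TP_CERT_REVOKED"}}]}},
 {"eventType": "GPGatekeeperEvent", "host": {"hostname": "mac-002"},
  "related": {"binaries": [{"path": "/Library/PrivilegedHelperTools/com.docker.socket",
    "signingInfo": {"teamid": "9BNSXJN65R", "statusMessage": "CSSMERR_TP_CERT_REVOKED"}}]}},
 {"eventType": "GPGatekeeperEvent", "host": {"hostname": "mac-003"},
  "related": {"binaries": [{"path": "/Users/Shared/example-tool",
    "signingInfo": {"teamid": "EXAMPLE000", "statusMessage": "CSSMERR_TP_CERT_REVOKED"}}]}},
 {"eventType": "GPGatekeeperEvent", "host": {"hostname": "mac-004"},
  "related": {"binaries": [{"path": "/Users/Shared/unsigned-tool",
    "signingInfo": {"teamid": "", "statusMessage": ""}}]}},
 {"eventType": "ConstructedOtherEvent", "host": {"hostname": "mac-005"},
  "related": {"binaries": []}}
]
""")


if __name__ == "__main__":
    for (verdict, path, team), hosts in sorted(fleet_summary(SAMPLE_ALERTS).items()):
        print(f"{verdict:30} {path} team={team or '-'} hosts={','.join(hosts)}")
```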

@pandas9

pandas9 commented Jan 20, 2025

got this error popup after updating macos to 15.2 (24C101), clicked "Done", downloaded docker desktop again and installed, the issue was gone after that

@amreeshjg

It moved the Docker app to the bin, so when I tried to open it I saw this message.
Image

After downloading the latest Docker Desktop, I am getting this while installing. And the Mac is continuously showing this even after cancelling it. Very strange.

Image

Image

@DanDuart

I’m using a Mac Pro with the M3 Pro chip, and downloading the latest version from this link solved all my problems:
https://docs.docker.com/desktop/release-notes/

@f4rih

f4rih commented Jan 20, 2025

> It moved the Docker app to the bin, so when I tried to open it I saw this message. Image
>
> After downloading the latest Docker Desktop, I am getting this while installing. And the Mac is continuously showing this even after cancelling it. Very strange.
>
> Image
> Image

This command should fix your problem:
sudo xattr -rd com.apple.quarantine /Applications/Docker.app
You can change Docker to any other app to fix this problem.

@charlescrain

charlescrain commented Jan 20, 2025

Successfully fixed by combining 2 of the above suggestions:

First:
#7520 (comment)

sudo rm /Library/PrivilegedHelperTools/com.docker.vmnetd

And then:
#7520 (comment)

sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/

@SitesDoneRight

This was mentioned earlier, but just so it isn't clear... This was patched in 4.37.2.

While it may not fix all installations, I recommend updating to 4.37.2 and see if that resolves it. (It did for me)

Patch notes: #7527

@elenad00

I had the same issue after upgrading my Mac - I found one of the issues was that I had Docker running on login. I turned that off and the endless error loops have stopped and I've been able to reinstall Docker by following the instructions above

@maximilianfixl

FYI: Yesterday the problem occurred randomly after hibernation under MB Sequoia 15.2. The Docker daemon was not running and I received a similar message that malware had been detected in com.docker.socket.

"com.docker.socket" was not opened because it contains malware. Your Mac has not been damaged by this action.

After a restart it did not happen again. After starting Docker 4.7.32 there was still no message.

@varaprasadh2

varaprasadh2 commented Jan 21, 2025

i just re-installed with 3 commands as mentioned here https://docs.docker.com/desktop/setup/install/mac-install/#install-from-the-command-line

sudo hdiutil attach Docker.dmg
sudo /Volumes/Docker/Docker.app/Contents/MacOS/install
sudo hdiutil detach /Volumes/Docker

It's working on my Mac M3 pro with command line. Thanks.

@sebastian-xlabs

sebastian-xlabs commented Jan 21, 2025

In my case, I left my MacBook Pro (M2 Pro) on all night running a task and this morning I wanted to use the computer and it asked me for the login password instead of the Touch ID. It didn't work so I had to restart the computer and then the password worked again but I saw this malware message: "com.docker.socket" was not opened because it contains malware. Your Mac has not been damaged by this action
I solved it by removing the current version of Docker from my MB Pro and then downloaded the latest one and installed it. It works fine and I have no more problems. 🍀

@ElPezRojo

ElPezRojo commented Jan 21, 2025

Hello everyone, I got this exact problem (on Sonoma 14.6) today: it was working fine yesterday, but the CLI docker commands suddenly stopped responding, and after a restart, the error messages came up.

  1. I tried re-installing the newest version of docker desktop,
    which led to a lot of messages relating to "docker cannot be opened because it was not installed from the app store". I forcibly got rid of the errors with sudo xattr -d com.apple.quarantine [path-to-file], still did not work, GUI wouldn't open and the daemon wouldn't start
  2. Using sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/ gave me the exact same "com.docker.vmnetd is malware and will harm your computer" message even after (also did not work)

In the end, I had to manually clear the override it with sudo xattr -d com.apple.quarantine [path-to-com.docker.vmnetd], and the GUI finally started and it worked out

@Ali-Razmjoo

Ali-Razmjoo commented Jan 21, 2025

I am on MacBook Pro M3 MacOS 15.2

Image

The worst part was the Defender popping up every 5 seconds, even when I uninstalled Docker… until I forcefully rebooted, and I just got it one last time.

Has anyone figured out what’s causing this?

@myathinzar

Image
It's popping up every 5 seconds and I cannot do anything on my machine, it's annoying. It happened to me yesterday, and I've uninstalled and reinstalled, I've updated the OS, I've restarted my machine, but none of it solved the problem. I've been using Docker on my machine for over a year, so why does this error suddenly pop up?

@Andreaux

Guys, I guess there's no use re-posting the same alert box again and again. Read the thread, don't contribute to the noise. Honestly, nobody here is responsible for what's happening to you.

See my solution to the issue here: #7520 (comment)

Since then I believe there's been a new version available that solves this anyway, so maybe download that, install it, it will resolve this issue.

@foysal-preqin

Fixed my issue as well.

@levrik

levrik commented Jan 22, 2025

Image

I'm getting the same error but with com.docker.socket instead of com.docker.vmnetd. Is this the same issue or legit malware?

@PILIX123

> I'm getting the same error but with com.docker.socket instead of com.docker.vmnetd. Is this the same issue or legit malware?

@levrik I had the issue with both of them, I think it's probably related

@Oceloteater

Oceloteater commented Jan 22, 2025

Resolved today macOS Sonoma v14.7.2

I took inspiration from this github post and the forum linked below to resolve my issue without losing my images or volumes, despite a lot of advice falling back on a full uninstall and reinstall.

https://forums.docker.com/t/malware-blocked-com-docker-vmnetd-was-not-opened-because-it-contains-malware/145930

Going to outline my steps here:

  1. Follow all the commands from the bash script above, but STOP at this point:

# Install new binaries
echo "Install new binaries..."
sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
sudo cp /Applications/Docker.app/Contents/MacOS/com.docker.socket /Library/PrivilegedHelperTools/

  2. Restart your machine and you'll notice the messages about com.docker.vmnetd and com.docker.socket are gone, that's a good sign, but you will continue to get the messages about moving Docker Desktop to the bin, that's fine, ignore and Cancel for now.

  3. Install the latest version v4.37.2 with the patch from command line as per the documentation:
    https://docs.docker.com/desktop/release-notes/#4372

  4. Now, regenerate the binaries as per the code snippet above, the final step in the original workaround, because it's using the latest installation binaries which is what you want for com.docker.vmnetd and com.docker.socket.

  5. Your mac will still be giving you prompt warnings for Docker Desktop, go into your Privacy & Security settings and look for this:
    Image

Click "Open Anyway and accept everything", at this point my Docker Desktop came to life, I updated my version to the latest without losing any data.

  6. During this process I was running sudo xattr -rd com.apple.quarantine /Applications/Docker.app to remove any services that were put into quarantine and double check the permissions on those .vmnetd and .socket files after creation. A lot of blogs I read also mentioned checking /Library/LaunchDaemons/ com.docker.vmnetd.plist and com.docker.socket.plist but in the end I didn't need to make any changes here, but double check permissions here also.

Really hope this helps someone, I've struggled with this for 2 days and was desperate not to lose my volumes. Good luck!

@yang-yihao

The following worked for me with Sonoma 14.7.1:

Step 1 - Trash Docker.app from Applications

Step 2 - Kill any running Docker containers (if it errs out, none was running): sudo docker kill $(docker ps -q)

Step 3 - Remove any vmnetd or other Docker privileged helper (if it errs out, none was present): sudo rm /Library/PrivilegedHelperTools/com.docker.*

Step 4 - Reboot the Mac (VERY IMPORTANT!)

Step 5 - Download the latest Docker.dmg from Docker.com

Step 6 - Install Docker from the command line:
cd ~/Downloads
sudo hdiutil attach Docker.dmg
sudo /Volumes/Docker/Docker.app/Contents/MacOS/install
sudo hdiutil detach /Volumes/Docker

Step 7 - Launch Docker.app from the Finder (normally) and it should work fine.

No containers and/or images should be affected by this.

Drop a smile if it was helpful so it gets to more people.

It works for me! Thanks!!! My macOS is Sequoia 15.2

@cyberguroo

cyberguroo commented Jan 23, 2025

In my case, nothing from above worked and I consistently got the popup, and when I asked it to move to the bin, it said it couldn't move it and that I had to do that manually, and then I was stuck in the loop.

Later it hit me that I have dual boot and maybe it's picking up the one on another volume, so I logged into that OS and uninstalled the existing Docker; I don't use that OS anyway. That solved the issue, and when I logged back in on my primary OS, that annoying popup was no more ;)

Obviously I also had to update the docker on my primary OS to the latest one.

@devAbreu

I just re-installed with 3 commands as mentioned here https://docs.docker.com/desktop/setup/install/mac-install/#install-from-the-command-line

sudo hdiutil attach Docker.dmg
sudo /Volumes/Docker/Docker.app/Contents/MacOS/install
sudo hdiutil detach /Volumes/Docker

It's working on my Mac M3 pro with command line. Thanks.

This worked for me. +1

@vhscom

vhscom commented Jan 24, 2025

It's possible the shell script provided will fail on step:

sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/

as a result of the user having already uninstalled the affected Docker Desktop.app file. Users who are not comfortable with running terminal commands could cause harm to their systems if they're not careful, so I was surprised to land here from the closed discussion forums, as it essentially cuts out all non-technical users who are seeing the error described in OP.
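Added example, not part of any comment in this thread: a read-only preflight for the helper-copy step discussed above, covering both the missing-source failure and the stale-helper case where the installed helpers predate the reinstalled app. The function names and the `APP`, `DEST` and `VERIFY_SIG` variables are assumptions of this sketch; the default paths are the ones the workaround script uses.

```shell
#!/bin/bash
# Added example, not from the thread: read-only preflight for the helper-copy step.
# Default paths are the ones the workaround script in this issue uses.
APP="${APP:-/Applications/Docker.app}"
DEST="${DEST:-/Library/PrivilegedHelperTools}"

# helper_status SRC DST prints one state:
#   MISSING_SOURCE  bundle copy absent (Docker.app removed), so "cp" would fail
#   NOT_INSTALLED   no helper at DST yet
#   STALE           installed helper differs from the bundle's copy
#   BAD_SIGNATURE   codesign rejects the installed helper (only if VERIFY_SIG=1)
#   OK              installed helper is byte-identical to the bundle's copy
helper_status() {
    src="$1"; dst="$2"
    [ -f "$src" ] || { echo MISSING_SOURCE; return 0; }
    [ -f "$dst" ] || { echo NOT_INSTALLED; return 0; }
    cmp -s "$src" "$dst" || { echo STALE; return 0; }
    # Optional macOS-only signature validation of the installed copy.
    if [ "${VERIFY_SIG:-0}" = 1 ] && command -v codesign >/dev/null 2>&1; then
        codesign --verify --strict "$dst" 2>/dev/null || { echo BAD_SIGNATURE; return 0; }
    fi
    echo OK
}

# Check both helpers; returns 0 only when every helper is OK.
check_docker_helpers() {
    rc=0
    for rel in Contents/Library/LaunchServices/com.docker.vmnetd \
               Contents/MacOS/com.docker.socket; do
        name=$(basename "$rel")
        st=$(helper_status "$APP/$rel" "$DEST/$name")
        printf '%-20s %s\n' "$name" "$st"
        [ "$st" = OK ] || rc=1
    done
    return "$rc"
}

check_docker_helpers || echo "At least one helper needs attention; see states above."
```

The byte comparison needs read access to the installed helpers, so an unreadable helper is reported as STALE unless the script runs under sudo.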

@yakoveka

Completely reinstalling docker via brew worked for me:

brew uninstall --cask docker --force
brew uninstall --formula docker --force
brew install --cask docker

@sushi4lyfe

@yakoveka your solution was the only one that worked for me

@ricardoyang00

I got a similar issue here as well, but it was for com.docker.socket. It appeared after the boot screen. However, I'm able to open Docker without any trouble.

@levrik

levrik commented Jan 24, 2025

@ricardoyang00 I had the exact same issue and followed the steps outlined at https://docs.docker.com/desktop/cert-revoke-solution/#upgrade-to-docker-desktop-version-4372-recommended.

@ricardoyang00

@levrik yeah, that's what I did, just updated and solved

@rafaelmaia8384

For me, the problem was only resolved after I deleted the old Docker.app from the trash. Strange!
