What should you do when LockRattler returns a worrying error?

LockRattler’s Help Book outlines how to address some of the problems which it can reveal, but here is some more detailed advice, which also applies to anyone using other tools, including those in Terminal.

SIP

If System Integrity Protection (SIP) is disabled, you will want to enable it as quickly as possible, so that all your system files are properly protected. The standard way to do that is to boot into Recovery mode, open Terminal, and there use the
csrutil enable
command. Once that is done, restart normally and check again using LockRattler.

In Sierra 10.12.2 and later, you may also be able to do this more conveniently, by opening Terminal and typing in
sudo csrutil clear
then entering your admin password. Restart and check with LockRattler; if SIP is still disabled, resort to the standard method in Recovery mode.

XProtect blacklists, security subsystem policy

If XProtect blacklists are shown as being disabled, or this returns an error, try opening Terminal and typing the following command
spctl --status
You can also get slightly fuller information with
spctl --status -v

If that also returns an error, or a report that the service is disabled, you can try enabling the whole system using
sudo spctl --master-enable
which then requires you to authenticate with your admin password.

Besides their text output, these commands return an exit status. The standard success code is 0. A code of 1 indicates that the operation failed, 2 that the arguments in the command were incorrect, and 3 that the operation was denied but no other error occurred.

It is worth checking the General tab in your Security & Privacy pane: in Sierra it should show one of two options, either App Store, or App Store and identified developers. If it reads Anywhere (or anything else), XProtect blacklists will be disabled, something which Sierra is supposed not to permit. Set that control back to one of the two standard options and protection should be restored.

If you still cannot turn security assessment on, make a careful note of the above results and report them to Apple support. You may find yourself applying the latest Combo updater or re-installing macOS to try to restore their function. They should still work normally when FileVault is turned on, and FileVault does not make this part of your Mac’s security unnecessary.

FileVault disk encryption


If FileVault is shown as being off when you think it should be on, open the Security & Privacy pane, and select the FileVault tab. You will then need to click on the padlock icon to authenticate, following which you should be able to turn FileVault on. If the pane says that FileVault is on but LockRattler reports that it is not, try restarting and repeating. If there remains a conflict, try the Terminal command
fdesetup status

If you still cannot resolve the issue, make a note of the results of these, and report them to Apple support, or make an appointment at your nearest Genius Bar.
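The SIP, security assessment and FileVault checks above can be run together from Terminal. The script below is an added example, not part of LockRattler; it assumes the Sierra-era wording of csrutil, spctl and fdesetup output, and reports a tool as unavailable when it is not installed (for instance when run on another system).

```shell
#!/bin/sh
# Added audit helper: runs the checks described above and summarises each.
# Assumes csrutil prints "... status: enabled."/"disabled.", spctl prints
# "assessments enabled"/"disabled", and fdesetup prints "FileVault is On/Off."

# Interpret spctl's exit status as listed above: 0 success, 1 failed,
# 2 incorrect arguments, 3 denied. The text is only read on success.
classify_spctl() {
    code="$1"; text="$2"
    case "$code" in
        0) case "$text" in
               *"assessments enabled"*)  echo "enabled" ;;
               *"assessments disabled"*) echo "disabled" ;;
               *)                        echo "unknown" ;;
           esac ;;
        1) echo "error: operation failed" ;;
        2) echo "error: incorrect arguments" ;;
        3) echo "error: operation denied" ;;
        *) echo "error: unexpected exit code $code" ;;
    esac
}

# Interpret csrutil status / fdesetup status output.
classify_toggle() {
    code="$1"; text="$2"
    [ "$code" -eq 0 ] || { echo "error: exit code $code"; return 0; }
    case "$text" in
        *enabled*|*"FileVault is On"*)   echo "enabled" ;;
        *disabled*|*"FileVault is Off"*) echo "disabled" ;;
        *)                               echo "unknown" ;;
    esac
}

# run_check NAME CLASSIFIER COMMAND...: prints "NAME: state", or
# "NAME: unavailable" when the tool is not installed on this system.
run_check() {
    name="$1"; classifier="$2"; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s: unavailable\n' "$name"; return 0
    fi
    rc=0; out=$("$@" 2>&1) || rc=$?
    printf '%s: %s\n' "$name" "$("$classifier" "$rc" "$out")"
}

# Anything other than "enabled" deserves the follow-up described above.
audit_mac_security() {
    run_check "SIP"                 classify_toggle csrutil status
    run_check "Security assessment" classify_spctl  spctl --status
    run_check "FileVault"           classify_toggle fdesetup status
}
```

Run `audit_mac_security` after sourcing the script; each line should read "enabled" on a correctly protected Mac.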

Out of date security data

If any of the version numbers are lower than those shown here for Sierra, follow the routines for automatic software updates below, to force an update and correct that. Updates don’t arrive instantly, but should be delivered within minutes or a couple of hours at most.

If any version numbers are missing or corrupt, then this suggests that you have disk corruption or file loss. Restart in Recovery mode, run Disk Utility, and there apply First Aid to your startup drive. You may end up having to reinstall macOS to correct this, or the latest Combo updater might do the trick.

Automatic software updates

If Software Update shows that automatic checking is not on, open the App Store pane. Ensure that the Automatically check for updates and Install system data files and security updates items are both ticked.


You can force an update by clicking on the Check Now button, and/or by typing in Terminal
sudo softwareupdate --background-critical
then entering your admin password at the prompt. In my experience, the command line tends to result in a more rapid response.

After action

With any security anomaly, you should ask carefully what might have resulted in that anomaly occurring. Have you recently installed any software from an untrusted source? Have you run anything which might not be completely legitimate? Could you have malware installed which has tampered with your Mac’s security systems, perhaps?

A high index of suspicion could save your data.