Things that go bump in SilentKnight: serious security failures

Running SilentKnight for the first time can bring surprises. A steady stream of users discover their Mac is missing some of its critical security protection. The three most common problems are:

SIP is turned off.
XProtect is disabled.
Security data are badly out of date.

I’ll look at them in that order, and add a fourth, whether the SSV is enabled.

SilentKnight and its companion command tool silnite originated from LockRattler, which in turn was developed in response to a major security failure in batches of new MacBook Pros shipped in the autumn of 2016 with SIP turned off. At that time, the only way to determine whether SIP was on or off was in Terminal. From an initial AppleScript, I developed the first version of LockRattler, released just before that Christmas.

SIP is turned off

Since El Capitan, macOS has protected all its system files, even down to standard Mac apps, using System Integrity Protection (SIP). This should make it impossible for malware or even out-of-control software to change those protected system files.

You can turn SIP off, something very occasionally needed to perform certain important tasks. Doing so requires you to restart in Recovery mode, enter a command in Terminal there, and restart. Run SilentKnight with SIP disabled, and it will tell you of the problem.

To enable SIP, restart in Recovery mode, open Terminal, and type the following command:
csrutil enable
Once that’s done, restart in normal mode, and run SilentKnight again, to check that item reports correctly
SIP enabled.

If you ever do need to disable SIP, do yourself a favour and put a sticky note on your Mac’s display to remind you to turn it back on. This still applies to Big Sur and Monterey, with their protected System volumes, as SIP is essential for protecting system and other important files on your Data volume too. Although it does get in the way at times, it’s there to protect.

XProtect is disabled

XProtect is the only free built-in tool to check for many common types of malware. These checks don’t just apply to fresh downloads: every time you open a JPEG file, for example, XProtect takes a quick look to see whether it might be malicious.

As you don’t have to enter Recovery mode to do so, it’s comparatively easy to turn XProtect’s checks off, although I can’t think why anyone would want to do so: if you have to turn it off in order to open a file, then you should ask yourself whether you should be opening that file at all!

Disabling XProtect leaves your Mac vulnerable to malware. Open SilentKnight and check that it states XProtect enabled. If it’s disabled, when using LockRattler you could instead see an error, such as
Failed, error = 1

You may be able to fix this using the command
spctl --enable
but chances are that you will instead need to invoke
sudo spctl --global-enable
which requires you to authenticate using your admin password. Be careful with those commands: the hyphens before enable and global-enable aren’t long dashes, but two separate hyphens.

When you have done so, restart and check that SilentKnight reports that XProtect is enabled.

Security data are badly out of date

Occasionally, the first time someone runs SilentKnight it reveals that Mac hasn’t installed any security data updates for a long time. There are some old bugs which can cause this, and can block even SilentKnight from detecting updates which your Mac needs as soon as possible.

One useful trick which can often enable these updates is to open the Software Update pane, click on its Advanced… button, and ensure that it’s set to check for updates. You don’t need to download them when available, and it’s up to you if you want your Mac to install system data files and security updates, but at least checking for updates is important. If that box isn’t ticked, those updates could get blocked.

If that doesn’t enable your Mac to bring its security data files up to date, and you’re running macOS Catalina or earlier, you may need to reinstall macOS to see if that fixes it.

The SSV is disabled

If you’re running Big Sur or Monterey, it’s important that your Mac has booted from a signed and sealed System volume, the SSV. SilentKnight checks this, and should report that the SSV is enabled together with its SIP status. If your Mac is working in the English language, then the indication given there should be reliable. However, that doesn’t hold true if it’s using a different language.

This is because the command tool used by SilentKnight to obtain that information returns the answer in any one of the dozens of languages supported by macOS. That’s too much for SilentKnight to cope with, I’m afraid, so you’ll need to look at the full detail in the scrolling text view in the lower part of the window, where each result is given in your chosen language. I apologise for that, but there’s little else that I can do until Apple recognises this as a bug and fixes it.

So if you’re puzzled that SilentKnight is reporting that your SSV isn’t enabled, please check below to see whether it’s just a case of the wrong language.

Finally, if you have any questions about anything in SilentKnight, please use its most underused feature, its Help Reference, accessed through the Help menu. There are links to further articles about SilentKnight and the problems it detects on its Product Page.

7Comments

Add yours

1

Camden Narzt on January 26, 2022 at 3:27 pm

Have you tried setting the LANG env var for the command tool used by SilentKnight? Setting it to C should force english output.

LikeLiked by 1 person
- 2
  
  hoakley on January 26, 2022 at 3:30 pm
  
  Thank you. Yes I have and no it doesn’t. If you’d like to search back through my articles here you’ll discover I wasted several weeks trying to solve this and got nowhere. There’s a succinct summary here.
  Howard
  
  LikeLike
3

jtkelso on January 26, 2022 at 7:41 pm

Is there somewhere that explains the items in the “Apple Silicon Security” section?

LikeLiked by 1 person
- 4
  
  hoakley on January 26, 2022 at 10:23 pm
  
  Not really. Perhaps I should write an article about them!
  Secure Boot is the setting in Startup Security Utility, and should normally be Full Security.
  SIP is well-documented, I think.
  SSV is also featured in many articles here.
  Kernel CTRR refers to another aspect of kernel security, I think, and should always be enabled.
  Boot Arguments Filtering should always be enabled. If you don’t know what it is, then it doesn’t affect you!
  Allow All Kernel Extensions should normally be No, which blocks third-party kexts, as in Startup Security Utility.
  The two MDM items only apply if you’re managing the Mac using MDM (enteprise).
  Howard.
  
  LikeLike
5

jtkelso on January 26, 2022 at 11:57 pm

Thanks!

LikeLiked by 1 person
6

Anonymous on January 29, 2022 at 4:50 pm

Great article! Thank you

I’ve got the default 16″ M1 Max (32-core, 32GB RAM), I’ve just updated it to macOS 12.2 and after running your program I’m getting a warning telling me “🔸 Gatekeeper 94, 8.0 should perhaps be 181, 8.0”.

How do I update Gatekeeper? Do you have any idea what’s going on?

LikeLiked by 1 person
- 7
  
  hoakley on January 29, 2022 at 6:09 pm
  
  Thank you. You don’t need to update Gatekeeper, as it’s no longer used. For reasons known only to Apple, instead of leaving all Macs with the last released version, those which are set up now are given an ancient version instead, presumably to puzzle the user.
  This is explained in SilentKnight’s Help Reference, accessible through that command in its Help menu, where I write:
  “More recently, this has become disused. Because of that, newer Macs may now have very old versions of Gatekeeper installed. When that’s found, the version number is marked with a and can normally be ignored.”
  I hope that explains.
  Howard.
  
  LikeLike

Share this:

Like this:

Related