hoakley September 5, 2022 Macs, Technology, Updates

XProCheck: a new utility to inspect anti-malware scans

We all have our daily routines. Among mine are checking for macOS and security updates using SilentKnight, and forcing the App Store to reveal whether it has anything new. Unless you run third-party anti-malware products, you’ve probably left it to macOS to tell you if anything’s amiss. That all changes with XProtect Remediator.

As I explained yesterday, this new scanning system provided in macOS Catalina and later gets on silently with its job. If it does find malware, whether or not it’s successful in removing it, it doesn’t even post an alert or notification. Although that might seem odd when you get notifications and more for the most trivial if not annoying of reasons, that’s the way it’s designed. In Ventura you’ll be able to use third-party software to keep tabs on what XProtect Remediator does, but it isn’t as simple with older versions of macOS.

Now that I’ve added support for checking XProtect Remediator scans to Mints, it’s time for a new utility dedicated to the purpose: XProCheck. I was intending to add this as a feature to SilentKnight, but I don’t think they fit well together. Many of us will want to check malware scans every day or two, but may not wish to check for updates so often. So XProCheck is its own app.

Another important design choice is whether to try analysing or parsing scan results, perhaps to produce a neat scrolling table. The danger in doing that so early in a software product’s cycle is that the format and content of scan results are still likely to change, and, as they are undocumented, could change without warning. I’d hate for us to update to a new version of XProtect Remediator one day, only to find that XProCheck was broken as a result. For the time being, I’ve therefore settled with:

providing the full list of reported scan results, without altering them in any way, and
flagging with a warning sign any which might warrant your attention, as they don’t contain clear indications that no malware was detected.

I hope you agree that works well in practice.

XProCheck has only one real setting: how many days of log records you want to scan. If you run it once a day, leave that set at 1. Although it will ask for log records for as long as 30 days ago, macOS automatically ages out old log entries, and you’ll probably not find any older than a few days, depending on the rate that new entries are added. On quieter systems, you might get away with a weekly check, but my Macs tend to fill their logs too quickly for that to work.

xprocheck1

Simply click the Check XProtect button, and a few seconds later XProCheck will list all reported scans over that period.

xprocheck2

You can save that report to a text file, search it, change the text size, and copy it. It comes with a comprehensive Help document, which is also provided as a separate RTF document.

XProCheck version 1.0 for Catalina and later is now available from here: xprocheck10
from Downloads above, and from its Product Page. Note: version 1.1 is now available from its Product Page, and will be formally announced shortly.

I hope you find it useful, and welcome your comments and suggestions.

40Comments

Add yours

1

Macintoshista on September 5, 2022 at 6:36 am

Another welcome addition to your suite of applications. Due to time pressures today, I have not installed it yet but have every confidence it will produce very useful results.

LikeLiked by 2 people
- 2
  
  hoakley on September 5, 2022 at 8:00 am
  
  Thank you.
  Howard.
  
  LikeLike
  - 3
    
    Macintoshista on September 5, 2022 at 9:06 am
    
    Installed and runs OK as expected. I’ve seen comments about “Snowdrift” so do not feel threatened 😊
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 5, 2022 at 10:20 am
      
      Thank you.
      Howard.
      
      LikeLike
5

mikebhm on September 5, 2022 at 7:06 am

Thank you very much! Only question is what kind of attention is appropriate for the entries with yellow triangle warning signs? Like you I have a few “Snowdrift” ones.

LikeLiked by 1 person
- 6
  
  mikebhm on September 5, 2022 at 7:26 am
  
  Cancel theat question….now seen comment in help rtf!
  
  LikeLiked by 1 person
  - 7
    
    hoakley on September 5, 2022 at 8:00 am
    
    No problem.
    Howard.
    
    LikeLike
8

David B. on September 5, 2022 at 7:12 am

Thank you for yet another useful tool, Howard. I have installed and run it.

I most certainly didn’t expect to see this result! https://jmp.sh/nnCd9KL

Some guidance will be welcomed!

LikeLiked by 1 person
- 9
  
  hoakley on September 5, 2022 at 8:08 am
  
  Thank you.
  There are no reports of any detections or remediations. I’ve not seen those <private> entries here, but don’t think there’s anything significant there to worry about. Those are inserted when the log entry contains potentially private data. Although it’s possible to do that, you can only change that prospectively, which then results in all private data being recorded in the log until you turn it off again, so it’s not a wise move in this case.
  Howard.
  
  LikeLiked by 1 person
10

David B. on September 5, 2022 at 8:33 am

Thank you, Howard. I’d very much like to look at that which was hidden. Please will you tell me how to change the view? Unless the findings are of interest, I’ll not show them here. TIA.
David

LikeLiked by 1 person
- 11
  
  hoakley on September 5, 2022 at 10:33 am
  
  No, you can’t see it because it’s not hidden, it doesn’t even exist. Let me explain.
  The Unified log normally operates with privacy set to on. That means that a lot of the information which could be private isn’t recorded, but is shown in the log as <private>. Where that appears, it isn’t concealing anything – that potentially sensitive information simply doesn’t exist, it wasn’t recorded in the first place.
  The only way to change that is to install a special profile. When that’s installed, and not until it’s active, all the information that would have passed unrecorded is then recorded in the log. That’s everything – not just the bits you want to see. And that continues with every log entry until you remove that special profile.
  I spend a lot of the time browsing the log. I almost never disable its privacy protection, and if I do it’s for very short periods for compelling reasons.
  I strongly recommend that you don’t – it’s all or nothing. In this case, you’d have to leave privacy turned off until XProtect Remediator scans encountered a similar situation. That could be several days, or it may never do that again. All that time, all your private data would be recorded in the log, until you turned it off again.
  Howard.
  
  LikeLiked by 1 person
  - 12
    
    David B. on September 5, 2022 at 9:23 pm
    
    All understood, Howard. Thank you for taking the time and trouble to explain.
    I will leave everything just as it is! 🙂
    Kind regards,
    David
    
    LikeLiked by 1 person
13

Zak on September 5, 2022 at 9:17 am

Fantastic! Thank you so much for this, and the rest.
You mention forcing the App Store to reveal whether it has anything new: how is this done?

LikeLiked by 1 person
- 14
  
  Macintoshista on September 5, 2022 at 10:17 am
  
  I’ve always used softwareupdate -l in a Terminal window.
  
  LikeLiked by 1 person
- 15
  
  hoakley on September 5, 2022 at 10:23 am
  
  That depends what you’re looking for. For App Store apps, what I do is open the App Store app, select Discover at the top and wait until its front page loads. I then click Updates, and press Command-R. Wait 10-15 seconds and any updates should show up.
  For macOS and security updates, you might read this article which explains in detail.
  Howard.
  
  LikeLiked by 1 person
16

EcleX on September 5, 2022 at 3:40 pm

Many thanks!

LikeLiked by 1 person
17

Harald Striepe on September 5, 2022 at 4:20 pm

I am running the Developer Beta of Ventura. “No log found.”

LikeLiked by 1 person
- 18
  
  hoakley on September 5, 2022 at 4:26 pm
  
  If you’ve got a copy of Ulbow to hand, open that and use the Check Log command in its app menu. Clicking the button in that window runs a full diagnostic. I presume that you’re running as an admin user?
  Howard.
  
  LikeLike
  - 19
    
    Harald Striepe on September 5, 2022 at 4:36 pm
    
    Looks ok:
    Check of log files at /var/db/diagnostics:
    There are 11 items in that path.
    There are 51 files in the Persist folder.
    There are 1001 files in the Special folder.
    There are 250 files in the Signpost folder.
    There are 40 files in the timesync folder.
    There are 257 folders in the /var/db/uuidtext folder.
    
    log show –last 2 command returned 900 log entries.
    The log show command appears to be working correctly.
    
    LikeLiked by 1 person
    - 20
      
      hoakley on September 5, 2022 at 4:44 pm
      
      Thanks, Harald.
      Are you seeing this in an alert as soon as you open XProCheck, or is it being shown in the main window after you click on Check XProtect? If the latter, can you please paste the exact message – it may well be that there aren’t any scan reports there.
      Howard.
      
      LikeLike
    - 21
      
      Harald Striepe on September 5, 2022 at 4:46 pm
      
      Just a msg in the log window:
      No XProtect Remediator scan log messages found in the last day.
      Scanned at 2022-09-05T16_46_00Z
      
      LikeLiked by 1 person
    - 22
      
      hoakley on September 5, 2022 at 4:48 pm
      
      Try increasing the number of days to 5, say.
      That message means what it says: there aren’t any scan reports in the log in the last 24 hours. It does happen quite naturally at times. Or it could mean that XProtect Remediator isn’t completing scans properly.
      Howard.
      
      LikeLike
    - 23
      
      Harald Striepe on September 5, 2022 at 5:15 pm
      
      I just upgraded to Ventura. It might have flushed the logs in the process. I had tried 5 days, nada.
      
      LikeLiked by 1 person
    - 24
      
      hoakley on September 5, 2022 at 5:27 pm
      
      Worth keeping a watch over the coming days.
      Howard.
      
      LikeLike
- 25
  
  Harald Striepe on September 6, 2022 at 8:24 pm
  
  Got a log entry today. All good!
  
  LikeLiked by 1 person
  - 26
    
    hoakley on September 6, 2022 at 8:30 pm
    
    Excellent.
    Howard.
    
    LikeLike
27

Patrick Linnane on September 5, 2022 at 5:01 pm

Hi Howard. Thanks for this! I added Mints to homebrew-cask recently and would love to add this tool as well. Will this be added to the eclecticapps.plist on your GitHub so we can utilize Homebrew’s livecheck feature?

LikeLiked by 1 person
- 28
  
  hoakley on September 5, 2022 at 5:28 pm
  
  Thank you.
  Not just yet, I’m afraid. But I will aim to get that done once I have a chance, probably for its first update.
  Howard.
  
  LikeLike
  - 29
    
    Harald Striepe on September 5, 2022 at 5:49 pm
    
    Checked on my Apple Silicon MacBook Pro also just upgraded and the log entries are reported.
    Rebooted, but still no log on my Mac Studio.
    SilentKnight reports all in order.
    
    LikeLiked by 1 person
30

David B. on September 6, 2022 at 3:05 pm

Should “we” be concerned about this? It’s highlighted with ⚠️ in my LOG
Path: /System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer

Ref: https://www.fortinet.com/blog/threat-research/detailed-analysis-of-macos-ios-vulnerability-cve-2019-6231

Always wondering!
David

LikeLiked by 1 person
- 31
  
  hoakley on September 6, 2022 at 8:23 pm
  
  Thank you.
  If you read that linked article, you will see that particular vulnerability was fixed in macOS Mojave 10.14.3. I’m not aware of any malware which has attempted to exploit it.
  Howard.
  
  LikeLike
  - 32
    
    David B. on September 6, 2022 at 8:36 pm
    
    Indeed – but why is Skylight being highlighted with ⚠️ in YOUR Log as well as mine?!!
    
    David
    PS I did read the article!
    
    LikeLiked by 1 person
    - 33
      
      hoakley on September 6, 2022 at 10:21 pm
      
      Because the entry isn’t for a detection or remediation, and doesn’t report the result of one, but of a check comparing the creation and modification dates of WindowServer. The highlighting isn’t in the log – that’s added by my code in XProCheck to draw your attention to entries which you need to check, as they don’t contain the clear statement of NoThreatDetected, or its status code equivalent. That’s all. There’s nothing sinister there at all.
      Howard.
      
      LikeLike
34

dafoxe1 on September 6, 2022 at 3:46 pm

Howard, I just tried XProtCheck 1.0. It woks quickly and well. I like the idea of simply flagging enries needing attention and “vote” for its continued use.

LikeLiked by 1 person
- 35
  
  hoakley on September 6, 2022 at 8:13 pm
  
  Thank you. I think it’s going to remain on my menu.
  Howard.
  
  LikeLike
36

David B. on September 6, 2022 at 6:59 pm

Howard – have you read here?

https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/

How do you KNOW that your Apple computers have not been compromised?

You have the ⚠️ in your LOG!

Just sayin’
David

LikeLiked by 1 person
- 37
  
  hoakley on September 6, 2022 at 8:29 pm
  
  Thank you.
  If you follow my articles here, you’ll know that CloudMensis is the malware that is detected and remediated by the SnowDrift module in XProtect Remediator. Referring to my scan results, I see that SnowDrift makes two reports: the first isn’t a detection or remediation, but refers to the creation and modification dates of WindowServer, which are identical. The second contains the result of the detection scan, which reads:
  {“caused_by”:[],”status_message”:”NoThreatDetected”,”status_code”:20,”execution_duration”:0.30660498142242432}
  So a scan for CloudMensis has returned that no threat was detected.
  That’s good reassurance to me that my Mac doesn’t have CloudMensis. Why would you think otherwise?
  Howard.
  
  LikeLike
38

Dean Marshall on November 4, 2022 at 3:04 pm

Should I be concerned that Im running Ventura and only get ⚠️ from every item? I verified I am running the latest xProtect it actually was released today.

LikeLiked by 1 person
- 39
  
  hoakley on November 4, 2022 at 3:15 pm
  
  Ventura installs version 62 of XPR, which is so old that it does that. It then depends on when your Mac is updated to the current version, which can take a day or two, unless you force it using SilentKnight, for example. Then you should start seeing normal reports, in the scans after that update. The old ones will age from the log over the coming days.
  Howard.
  
  LikeLike
  - 40
    
    dmode55 on November 4, 2022 at 3:23 pm
    
    I did update a little while before running but now I understand the logs will update over time. I forced a check and it didn’t change. Thank you. Great stuff your doing!
    
    LikeLiked by 1 person