hoakley September 8, 2022 Macs, Technology

What shouldn’t you see in your XProCheck results?

I’m delighted that so many of you have tried out my new free utility XProCheck for checking the results of macOS anti-malware scans. Until this week none of us had any idea of what results were being recorded in our Mac’s log, and we’re now rapidly gaining experience. Here’s an interim guide to what XProCheck can show.

No scans at all in the last day

XProtect Remediator scans aren’t scheduled by the clock, but run opportunistically. They’re most likely to occur when your Mac is awake, but not interacting with the user or performing heavyweight background tasks like large Time Machine backups. They certainly can’t occur when your Mac is shut down, although they can be the cause of DarkWakes from sleep.

If you only check for the last day and don’t see any scan results, increase the period to 3 or 4 days. If you still don’t see any scans, leave your Mac idling but awake for a couple of hours, then run XProCheck again.

If you keep seeing reports of there being no scans at all, day after day, then is the time to suspect that XProtect Remediator may not be working properly, or may not be running at all. Assuming that it has been installed correctly, the next subsystem to look at is the dispatching mechanism DAS-CTS, which is supported by a readymade log scheme in Mints.

Private results

A few of you have now reported that some entries shown in XProCheck contain multiple lines like
2022-09-06 11:52:34.654 DubRobber ⚠️<private>

What has happened there is that the DubRobber scan has resulted in a log entry containing only protected, potentially private information. The Unified log is strict about what content should be revealed in full, and tends to err on the safe side. The information protected by the <private> marking doesn’t exist in the log, though, as it’s not hidden there and censored from the output, it isn’t even saved in the log files. Although it’s possible to turn that protection off, that’s a drastic measure and completely unsuitable in this case.

All you can do is assume that, if a scan had information you needed to see, it would write it plainly in the log. Try again a day or so later. Updating macOS might also help, as there’s a suggestion that some of these occur in macOS 12.4 rather than 12.5.1.

What should worry me?

Lines which don’t carry the ⚠️ sign contain reports that include any of the following:

the text NoThreatDetected,
a status code of 20,
a status code of 0.

Thus, any status code other than 0 and 20, coupled with a status message reporting the detection of a threat or its remediation, should be marked with the ⚠️ sign, and you should check that line.

Other than with message entries consisting just of <private>, the only common situation in which you may encounter ⚠️ is with SnowDrift scans. These typically report in pairs, such as
⚠️{"path":{"path":"\/System\/Library\/PrivateFrameworks\/SkyLight.framework\/Versions\/A\/Resources\/WindowServer","modificationDate":681893078,"creationDate":681893078},"status":null,"action":"report"}
followed by
{"caused_by":[],"status_message":"NoThreatDetected","status_code":20,"execution_duration":0.30660498142242432}

Read those carefully, and you’ll see the first of those two isn’t a report on detection or remediation, but tells you the modification and creation dates of WindowServer, in this case being the same. It’s the second line that reveals the status of that scan, which clearly states that no threat has been detected. Although it’s worth checking the first message, it’s the second that reveals the conclusion. Note that, following the version 72 update of 7 September, this no longer happens, and you only see the second of those entries.

Any scan report returning a status_message different from NoThreatDetected, or a status_code that isn’t 20 (most scans) or 0 (MRTv3) is a good indication of a detection or a significant problem.

xprocheck2

Idioms

Several of the scanners usually follow reporting patterns or idioms:

DubRobber is the most frequent scanner, and the duration of its scans vary considerably as if it were performing different types of scan in sequence.
SnowDrift scans tend to report in pairs, as explained above (no longer, following the version 72 update).
Trovi scans occur in triplets, reporting that it’s unable to find a Plist.
Geneio reports that it has skipped running in some way, but still takes a little time to scan and gives a status: {"caused_by":[{"description":"Skipped running on older versions","causedBy":[],"code":20}],"status_message":"NoThreatDetected","status_code":20,"execution_duration":0.72696900367736816}.

XProCheck keeps crashing

Just in case you’re wondering whether XProCheck will ever work for you, as it keeps crashing, please move the app to a location such as your main Applications folder and run it from there. It’s the result of macOS security.

I hope these help you get the most out of XProtect Remediator and its new protection.

36Comments

Add yours

1

Macintoshista on September 8, 2022 at 6:39 am

Very useful information and hopefully will stop any paranoia developing over what are harmless log entries.

LikeLiked by 1 person
- 2
  
  hoakley on September 8, 2022 at 11:16 am
  
  Thank you.
  Howard.
  
  LikeLike
3

EcleX on September 8, 2022 at 7:10 am

Many thanks for the information. Highlighting with red color or otherwise suspicious entries would be also great, besides the exclamation-mark triangle, which could be harmless, like when reporting SnowDrift. That is just a suggestion for your consideration. And many thanks again for this site and great tools.

LikeLiked by 1 person
- 4
  
  hoakley on September 8, 2022 at 11:19 am
  
  Thank you.
  You asked me this only three days ago, on Monday. I explained that red text isn’t a good solution, as a significant percentage of users, up to 1 in 10, wouldn’t see the colour. In addition, red text is less easily readable than standard black-on-white or white-on-black, which would make it harder for others with visual problems to read that text.
  As neither of those has changed in the last 3 days, my answer remains the same. The current warning triangle is a much better solution. And you shouldn’t see any warning triangles now anyway.
  Howard.
  
  LikeLike
5

BenSar on September 8, 2022 at 1:42 pm

Your patience is saintly! Thank you for all you do for users – and for your unfailing politeness, even when silence or anger would be entirely understandable.

LikeLiked by 1 person
- 6
  
  hoakley on September 8, 2022 at 4:45 pm
  
  Thank you.
  Howard.
  
  LikeLike
7

John Gilbert on September 9, 2022 at 1:27 am

Thank you for your utilities, they incentivise me to probe a bit deeper.

A few comments on what I have found using XProCheck and Consolation3:

1) XProtect related messages seem to age very quickly in my logs. I can only see messages for 3 to 6 hours after the event. This ‘explains’ why I was initially getting nothing with XProCheck.

2) Consolation with “subsystem CONTAINS XProtect” shows (as you would expect) more messages, but again only from the last few hours.

3) DubRobber:

3a) As you say, is the most frequent scanner and from Consolation output is would seem the scanner is doing different things on each run. It also seems to be running in isolation from the other scanners.

3b) DubRobber scans often (but not always) end without a”caused by” message or anything else which is presented by XProCheck.

3c) Even when DubRobber scans do have a “caused by”, it reports multiple errors in Consolation. This morning it was failing to find the file “Resources” within many Apple frameworks – seems odd to me that it was even looking in Apple frameworks. As an example error (only part of the message):

Unexpected exception checking file (/Library/Apple/System/Library/StagedFrameworks/Safari/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.GPU.xpc/Contents/Resources): Error Domain=NSCocoaErrorDomain Code=260 “The file “Resources” couldn’t be opened because there is no such file.”

4) The other scanners run together (sequentially) but less often, always (if I catch them in time) showing up in XProCheck with “no threat detected”. Consolation confirms that they are running without errors, except for those XProCheck presents with yellow triangles for SnowDrift.

5) Do you know if these results are being sent to Apple? With or without our explicit approval.

LikeLiked by 1 person
- 8
  
  hoakley on September 9, 2022 at 7:21 am
  
  Thank you.
  1. Different log entries are retained for different periods, with weeding performed progressively. However, in my experience these entries are retained as long as the great majority of others. I suspect that your logs contain very few entries older than these, because the rate of entry of new entries is very high.
  2. I much prefer to use specific subsystem terms, rather than CONTAINS, which is far slower and tend to produce more clutter.
  3. DubRobber is run at a different frequency. You may see that has reduced after this last update – that’s what I’m seeing. I’d expect Apple to tweak frequencies according to threat. Clearly, DubRobber is considered most likely at present. Don’t read anything into such errors in the log – they’re extremely frequent in many subsystems. Inability to find files is one of the commonest. Remember that these log entries are intended for Apple’s engineers, not for users.
  4. Yes, that’s the way that DAS-CTS calls them off about once a day. SnowDrift’s yellow triangles should have disappeared with this latest update.
  5. I don’t think for a moment that negative results are being sent to Apple. However, I think positive detections and remediations are probably covered if you agreed to send Apple diagnostics etc., and are anonymised, so providing them with intelligence rather than info about your Mac specifically.
  Howard.
  
  LikeLike
  - 9
    
    John Gilbert on September 9, 2022 at 9:52 am
    
    Thank you for your comments. Whilst it is against my usual feelings, in this case I do hope that Apple is gaining insight from how XProtect is behaving as well as what it finds.
    
    LikeLiked by 1 person
10

gurple on October 14, 2022 at 7:52 am

No matter how long I let the system sit idly I never get that kickoff of the XPR scan. “…no scans in 24h”.

Mints seems to show that something private is active as a “long running” activity. What is that? Lulu? Cisco AnyConnect background processes? I’m stumped.

22-10-14 09:45:16.715 DuetAS Current load for group com.apple.dasd.default is 1.000000. Long running activities are
22-10-14 09:45:16.715 DuetAS 0:com.apple.XProtect.PluginService.daemon.fast.scan:55092D:[
{name: DeviceActivityPolicy, policyWeight: 20.000, response: {Decision: Must Not Proceed, Score: 0.00, Rationale: [{deviceActivity == 1}]}}
], FinalDecision: Must Not Proceed}

LikeLiked by 1 person
- 11
  
  hoakley on October 14, 2022 at 8:02 am
  
  What happens if you force a manual set of scans in XProCheck?
  Howard
  
  LikeLike
  - 12
    
    gurple on October 14, 2022 at 8:52 am
    
    It seems to work. 😉
    
    LikeLiked by 1 person
    - 13
      
      hoakley on October 14, 2022 at 8:56 am
      
      So that does seem like a scheduling or dispatch problem. Do you have Time Machine backups running automatically? Are they being dispatched normally?
      Unfortunately debugging problems with DAS-CTS is tricky.
      Howard
      
      LikeLike
- 14
  
  charlie on December 9, 2022 at 10:59 am
  
  I’m also in the same boat as gurple…From xProCheck, “XProtect Remediator scan log messages found in the last 7 days”. I use my laptop quite a lot so it is running most of the time. From mints,
  .
  .
  .
  22-12-09 14:12:41.005 DuetAS Current load for group com.apple.dasd.default is 1.000000. Long running activities are
  22-12-09 14:12:41.005 DuetAS 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B:[
  {name: DeviceActivityPolicy, policyWeight: 20.000, response: {Decision: Must Not Proceed, Score: 0.00, Rationale: [{deviceActivity == 1}]}}
  ], FinalDecision: Must Not Proceed}
  .
  .
  .
  Timemachine backups run fine. I have displays turning off after 10 minutes, but sleep turned off. Still playing with logging tools trying to see if I can catch a case where com.apple.dasd.default is NOT 1, but with no logs for 7 days not sure that is going to happen. Posting here wondering if anything new since these posts…
  
  LikeLiked by 1 person
  - 15
    
    hoakley on December 9, 2022 at 11:47 am
    
    All I can suggest is that you leave it on mains power for an hour, with sleep turned off, and no user activity. If it doesn’t result in a scan, then I suggest that you contact Apple Support and explain it to them.
    Howard.
    
    LikeLike
16

charlie on December 10, 2022 at 6:23 am

First, sorry for how this looks…pasting entries from mints doesn’t translate well…

So after about 20 minutes the deviceActivity == 1 go away and then I see a bunch of stuff like this in mints DAS-CTS logs:

22-12-09 14:47:04.333 DuetAS Activity 501:com.apple.mediaanalysisd.filesystem:A75A92 has been running for 0.544635667403539 minutes
22-12-09 14:47:04.334 DuetAS 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA:[
{name: DeviceActivityPolicy, policyWeight: 20.000, response: {Decision: Can Proceed, Score: 0.83}}
] sumScores:45.134440, denominator:48.520000, FinalDecision: Can Proceed FinalScore: 0.930223}
22-12-09 14:47:04.334 DuetAS ‘501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA’ has compatibility score of -1.000000 with 501:com.apple.mediaanalysisd.filesystem:A75A92 (Started at Fri Dec 9 14:46:31 2022). Bailing out.

Which, when I wave the dead owl and perform the incantation of knowledge, tells me that mediaanalysisd is blocking xprotect at least in this case. Then I see

22-12-09 15:11:56.712 DuetAS 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA:[
{name: DeviceActivityPolicy, policyWeight: 20.000, response: {Decision: Can Proceed, Score: 0.74}}
{name: ThermalPolicy, policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.20, Rationale: }}
] sumScores:39.275750, denominator:48.520000, FinalDecision: Can Proceed FinalScore: 0.809475}
22-12-09 15:11:56.712 DuetAS ‘501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA’ has compatibility score of -1.000000 with 501:com.apple.proactive.ProactiveHarvesting.Harvest.DelayedBudgeted:FB3E5D (Started at ). Bailing out.

Waving the dead owl again tells me ProactiveHarvesting is now blocking xprotect. Then there are ones like this:

22-12-09 15:12:29.747 DuetAS 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA:[
{name: DeviceActivityPolicy, policyWeight: 20.000, response: {Decision: Can Proceed, Score: 0.74}}
{name: ThermalPolicy, policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.20, Rationale: }}
] sumScores:39.275750, denominator:48.520000, FinalDecision: Can Proceed FinalScore: 0.809475}
22-12-09 15:12:29.747 DuetAS ‘501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA’ has compatibility score of -1.000000 with 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B (Started at ). Bailing out.

Not sure I need the dead owl any more…seems xprotect is blocking another xprotect task. I did finally find this:

22-12-09 15:12:29.734 DuetAS 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B:[
{name: DeviceActivityPolicy, policyWeight: 20.000, response: {Decision: Can Proceed, Score: 0.74}}
{name: ThermalPolicy, policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.20, Rationale: }}
] sumScores:39.275750, denominator:48.520000, FinalDecision: Can Proceed FinalScore: 0.809475}
22-12-09 15:12:29.734 DuetAS ‘0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B’ CurrentScore: 0.809475, ThresholdScore: 0.100653 DecisionToRun:1

and

22-12-09 15:12:29.748 DuetAS Activity 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B has been running for 0 minutes
.
.
.
22-12-09 15:12:29.858 DuetAS Activity 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B has been running for 4.723270734151204e-05 minutes
22-12-09 15:12:29.858 DuetAS 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B:[
{name: DeviceActivityPolicy, policyWeight: 20.000, response: {Decision: Can Proceed, Score: 0.74}}
{name: ThermalPolicy, policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.20, Rationale: }}
] sumScores:39.275750, denominator:48.520000, FinalDecision: Can Proceed FinalScore: 0.809475}
22-12-09 15:12:30.918 DuetAS COMPLETED 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B at priority 30 !
22-12-09 15:12:30.918 DuetAS Stopped tracking activity for
22-12-09 15:12:30.918 DuetAS NO LONGER RUNNING 0:com.apple.XProtect.PluginService.daemon.fast.scan:0CDD0B …Tasks running in group [com.apple.dasd.default] are 5!
22-12-09 15:12:30.920 DuetAS ran for 0.0 minutes

So maybe xprotect IS running. Here is another block where it seems xprotect runs to completion…

22-12-09 15:12:41.065 DuetAS 22-12-09 15:12:41.066 DuetAS 22-12-09 15:12:41.162 DuetAS 22-12-09 15:12:41.162 DuetAS 22-12-09 15:12:41.162 DuetAS 22-12-09 15:12:41.162 DuetAS 22-12-09 15:12:41.162 DuetAS 22-12-09 15:12:41.162 DuetAS 22-12-09 15:12:41.163 DuetAS {name: DeviceActivityPolicy, {name: ThermalPolicy, ] sumScores:30.995575, 22-12-09 15:12:41.163 DuetAS 22-12-09 15:12:41.163 DuetAS 22-12-09 15:12:41.163 DuetAS 22-12-09 15:12:41.164 DuetAS 22-12-09 15:12:41.164 DuetAS 22-12-09 15:12:41.164 DuetAS 22-12-09 15:12:41.164 DuetAS 22-12-09 15:12:41.164 DuetAS 22-12-09 15:12:41.166 DuetAS 22-12-09 15:12:41.166 DuetAS 22-12-09 15:12:41.166 DuetAS {name: DeviceActivityPolicy, {name: ThermalPolicy, ] sumScores:39.275750, 22-12-09 15:12:41.498 DuetAS 22-12-09 15:12:41.808 DuetAS 22-12-09 15:12:41.808 DuetAS 22-12-09 15:12:41.808 DuetAS 22-12-09 15:12:41.810 DuetAS REQUESTING START: 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA
Setting timer (isWaking=1, activityRequiresWaking=0) between and for
STARTING:
STARTING activity 0:com.apple.timed.ntp.wanted:B2DF45 !
Activity has preventDeviceSleep 0. PluggedIn state: 1
With …Tasks running in group [com.apple.dasd.default] are 6!
Started tracking activity for
Activity 0:com.apple.timed.ntp.wanted:B2DF45 has been running for 6.67572021484375e-07 minutes
0:com.apple.timed.ntp.wanted:B2DF45:[
policyWeight: 2.000, response: {Decision: Can Proceed, Score: 0.74}}
policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.20, Rationale: }}
denominator:35.520000, FinalDecision: Can Proceed FinalScore: 0.872623}
COMPLETED 0:com.apple.timed.ntp.wanted:B2DF45 at priority 30 !
Stopped tracking activity for
NO LONGER RUNNING 0:com.apple.timed.ntp.wanted:B2DF45 …Tasks running in group [com.apple.dasd.default] are 5!
STARTING:
STARTING activity 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA !
Activity has preventDeviceSleep 0. PluggedIn state: 1
With …Tasks running in group [com.apple.dasd.default] are 6!
Started tracking activity for
Started =>
Activity 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA has been running for 2.94347604115804e-05 minutes
501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA:[
policyWeight: 20.000, response: {Decision: Can Proceed, Score: 0.74}}
policyWeight: 5.000, response: {Decision: Can Proceed, Score: 0.20, Rationale: }}
denominator:48.520000, FinalDecision: Can Proceed FinalScore: 0.809475}
Trigger: is now [0]
COMPLETED 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA at priority 30 !
Stopped tracking activity for
NO LONGER RUNNING 501:com.apple.XProtect.PluginService.agent.fast.scan:5B7BEA …Tasks running in group [com.apple.dasd.default] are 5!
ran for 0.0 minutes

But still not getting anything back related to xprotect in XProCheck or Ulbow. Will continue to troubleshoot but a sanity check on the above would be appreciated 🙂

LikeLiked by 1 person
- 17
  
  hoakley on December 10, 2022 at 6:43 am
  
  That looks like it is running, just not writing reports to the log. That might be because the log’s settings exclude its entries, in which case you can correct that by removing the log config file stopping them.
  Which version of macOS is this, and which version of XProtect Remediator is currently installed?
  Howard.
  
  LikeLike
  - 18
    
    hoakley on December 10, 2022 at 6:45 am
    
    Log config files are located in /Library/Preferences/Logging/Subsystems/, listed by subsystem.
    Howard.
    
    LikeLike
  - 19
    
    charlie on December 10, 2022 at 9:36 am
    
    Thanks for the reply 🙂 Intel 15-inch 2018 MBP w/ Ventura 13.0.1. XProtect Remediator is XPR 86 updated yesterday after your post about it.
    
    Interestingly not much in the Logging subfolder you pointed to…
    
    (base) charlie@charliembpwired Subsystems % pwd
    /Library/Preferences/Logging/Subsystems
    (base) charlie@charliembpwired Subsystems % ls -la
    total 16
    drwxr-xr-x 4 root wheel 128 Oct 28 12:43 .
    drwxr-xr-x 4 root wheel 128 Nov 30 06:16 ..
    -rw-r–r– 1 root wheel 129 Oct 28 12:43 com.apple.WebBookmarks.plist
    -rw-r–r– 1 root wheel 143 Oct 28 12:43 com.apple.WebInspector.plist
    (base) charlie@charliembpwired Subsystems %
    
    I don’t have any other Ventura machines to compare to but I do have a parallels VM with Ventura. I checked that and it has the same two files in this folder. One commonality between the two is they were both updated from Monterey and not build from scratch.
    
    So what SHOULD be in that folder? If there should be more then I could build a new VM from scratch and see if I can recover them somehow…
    
    PS VM is on the beta program and is currently Ventura 13.0…just seeing that Ventura 13.1 beta is available…11.34 GB update. Updating now but don’t expect the logging files to change…
    
    LikeLiked by 1 person
    - 20
      
      hoakley on December 10, 2022 at 10:08 am
      
      Thank you.
      Then I’m mystified: there’s no setting there that could be omitting the subsystem from the log, but you’re clearly not seeing it there (presuming that you are looking).
      That needs to go to Apple Support, in the hope that they’ll connect you with one of the engineers from Security.
      Howard.
      
      LikeLike
21

charlie on December 10, 2022 at 10:36 am

I sent something via Feedback app on MacOS… have not had much luck getting any responses via that interface however. Any other recommendations for where to report?

LikeLiked by 1 person
- 22
  
  hoakley on December 10, 2022 at 12:10 pm
  
  Apple Support for one-to-one. It’ll need to be escalated, and require patience, but I think that’s the only way to get this resolved.
  Howard.
  
  LikeLike
  - 23
    
    charlie on December 11, 2022 at 2:15 pm
    
    Interesting observation. Yesterday I used xProCheck “Run xProtect” to force a couple of scans, which did show when I clicked the “Check XProtect” button. I have check for last 7 days selected, and when I click on said button today, I get no logs. So I’m wondering if the logs are getting purged before I can see them?
    
    LikeLiked by 1 person
    - 24
      
      hoakley on December 11, 2022 at 5:06 pm
      
      Yes, that’s possible, but I’ve never seen that in a Mac before. Even when the logs are very busy, they should be retained for 2-3 days before they become thinned. You can check this by looking at the datestamps on the log files in /var/db/diagnostics/persist. If they cover less than the last 2-3 days, then you could be right. I’d then want to know why your Mac is writing so much to its log, that it’s having to purge it so soon.
      Howard.
      
      LikeLike
    - 25
      
      John Gilbert on December 11, 2022 at 10:12 pm
      
      That is my experience too. For my Mac, XProCheck only ‘sees’ scans in the last few hours. After that they vanish.
      As Howard suggests, I looked in /var/db/diagnostics/persist and there is nothing older than about 6 hours.
      
      LikeLiked by 1 person
26

charlie on December 12, 2022 at 5:40 am

I can confirm about 7 hours worth of files in /var/db/diagnostics/persist, each is about 10 MB in size, and each has about 10 minutes give or take worth of logs. They are filled with about 75% com.apple.cache_delete (using Ulbow to grab a couple of random 10 minute slices, dumping to text file, then using grep and wc -l).

Researching now why there are so many of these messages…

LikeLiked by 1 person
- 27
  
  charlie on December 12, 2022 at 8:25 am
  
  After a bunch of looking around RE com.apple.cache_delete, I found a couple of sites that recommended deleting ~/Library/Caches. After doing so, my logs are no longer full of com.apple.cache_delete messages. Where before I was getting 1 x 10MB .tracev3 file every 6-8 minutes, now I’m getting one every 30ish minutes.
  
  No where was I?!?!?!? Oh yeah leave my machine be and see if xprotect and I can view logs…
  
  LikeLiked by 1 person
  - 28
    
    hoakley on December 12, 2022 at 10:08 am
    
    Well done. I wonder what caused the problems with that folder, and whether a visit to Safe mode might have fixed it.
    Howard.
    
    LikeLike
    - 29
      
      charlie on December 12, 2022 at 11:29 am
      
      Well not sure…I use my MBP quite a lot, but typically it “just works”. Of course, as this little exercise has shown, it may not always be working 100% and issues aren’t always obvious to the casual observer…which is why I follow your blog at poke at the things you talk about and ask questions 🙂 BTW your unified log discussions were helpful as was the bit about unmasking …
      
      To be honest, I’m not really up to speed with what all safe mode might be helpful with beyond debugging kernel panics and driver issues. I did try running Cocktail and Onyx to clean up caches but that didn’t seem to help.
      
      One feature that might be handy in XProCheck is to enumerate the start and stop times of the available log files….
      
      LikeLiked by 1 person
    - 30
      
      hoakley on December 12, 2022 at 5:24 pm
      
      Thank you. This problem is exceptionally unusual, and I wonder if it’s a recent bug perhaps. Prior to this week, I don’t think I had ever heard of running out of log!
      Howard.
      
      LikeLike
- 31
  
  hoakley on December 12, 2022 at 10:07 am
  
  Ouch!
  Howard.
  
  LikeLike
- 32
  
  John Gilbert on December 13, 2022 at 4:56 am
  
  charlie, Thank you for describing your experience. It has encouraged me to better understand why I also don’t see much XProtect logging.
  
  My 6 hours worth of /var/db/diagnostics/persist is filled up with iStat Menus Status messages. The worst offenders are messages like (or related to):
  
  (CacheDelete) [com.apple.cache_delete:client] CacheDeleteVolume disk for /Volumes/Fusion : /dev/disk9s2 : disk9
  
  And that is multiple messages for every disk volume. Adds up to thousands of messages every minute.
  
  I did try completely (and I do mean completely) uninstalling and removing all traces of iStat Menus before reinstalling. No difference!
  
  The solution is to turn off all monitoring of disks in iStat Menus. A pity because I do use that to discover which disks are loaded.
  
  From hints on StackExchange relating to older versions of iStat Menus this may be related to the asking the system for size usage with and without purgeable space – not something that I use.
  
  Even with the ‘CacheDeleteVolume’ stopped, iStat Menus is pretty chatty in the logs – either directly or indirectly from macOS components like runningboardd or bluetoothd.
  
  Just to confirm this is with macOS 13.0.1 and latest iStat Menus. But the lack of XProtect history is since June. I have only just worked out how to diagnose the cause.
  
  LikeLiked by 1 person
33

charlie on December 15, 2022 at 7:33 am

Well, I can now confirm that I’ve seen XProtect work in the wild…twice even. I updated to Ventura 13.1 last night and it would appear that it ran after the update and then again this morning after I headed out for morning walk.

I whipped up a little jupyter notebook to collect some statistics about the log files in /var/db/diagnostics/persist. I’m using file last modified time and assuming similar file sizes, so it’s not perfect especially for first and last. Anyway, I currently have 52 log files, most of which are around 10 MB each, that cover slightly under 22 hours give or take. So not even one days worth of logs is save currently. I also plotted the number of minutes per log file using delta between modification dates of the files…again not perfect. At night when I’m not using the computer the log files contain roughly 50 minutes worth of logs each. During the day the time per log file varies between 10 and 30 minutes with an average of maybe 15 minutes per log (that’s all using the mark 1 mod 1 eyeball).

WRT iStat Menus impact, I have my internal laptop drive and one external SSD with a data volume and time machine volume. I would guess the more disks and volumes you have mounted the more log messages you’d get. It’s hard to quantify who is responsible for which log messages as John has pointed out. Now that I can track the logs a little better through my python script, I might try shutting down iStatMenus for a day or two and see how that affects my logs…

Wondering if it is possible with your logging tools to build a table with message type and total counts (something like SQL ‘select message_type, count(1) as cnt from table group by message_type order by cnt desc’) for all messages in /var/db/diagnostics/persist. The goal would be to try to identify the sources of the chatty processes so that one would could start looking at how to shut said processes up. I could use your command line tool blowhole (awesome name by the way) to generate something like that I’m guessing. A related idea would be an addition to your Ulbow chart window where you could add message count to the show popup list and then sort the popup by number of messages descending such that chatty loggers would pop to te top of the list.

Finally, wondering if you’ve played with osquery (https://github.com/osquery/osquery) for working with Apple Unified Logs? Apparently support was added fairly recently (Aug 2022). Will probably take a look at that in the near future…this might be another path forward toward understanding chatty loggers…

LikeLiked by 1 person
- 34
  
  hoakley on December 15, 2022 at 1:02 pm
  
  I’m sorry, I’m not sure what you’re trying to do with the log. You’ve found your log is full of entries from a particular process/subsystem. No amount of searching through those millions of entries is going to give you any clue as to why they’re occurring – that’s like inspecting a raging torrent of water to determine its cause. Once you’ve identified the process/subsystem, all you can do is look at what might be causing that.
  If you want, log stats can provide you with statistics covering your whole log. When it first became available, I was keen to use it in Ulbow, but the more I looked at its info, the less useful it became for exploring the log and diagnosing problems. Ulbow’s histograms are far more useful, as they let you examine temporal relationships, and hone in on events.
  Or am I misunderstanding what you’re trying to do?
  Howard.
  
  LikeLike
  - 35
    
    Charlie on December 15, 2022 at 3:08 pm
    
    Initially my idea was to try to characterize the logging on my MBP to try to understand if the quantity of logs indicated some kind of issue, and if I could identify and possibly clear out some of the cruft that might be possible. I was somewhat successful finding the source of com.apple.cache_delete msgs….but that one was pretty obvious from the immense quantity of messages relative to everything else.
    
    I think you may have convinced me to back off…at least a little…especially now that I have answered my initial question…xprotect IS working.
    
    From your reply it sounds like you’ve done a fair amount head banging on everyone’s behalf already…thanks for sharing 🙂
    
    LikeLiked by 1 person
    - 36
      
      hoakley on December 15, 2022 at 6:40 pm
      
      Thank you. Yes, I’ve spent too much of my life struggling through hundreds of thousands of log entries in log storms. They’re fine when there’s an obvious event that triggers them, which the histogram is great for, but when they just seem to go on and on, I now give up and try other approaches.
      Howard.
      
      LikeLike