What shouldn’t you see in your XProCheck results?

I’m delighted that so many of you have tried out my new free utility XProCheck for checking the results of macOS anti-malware scans. Until this week none of us had any idea of what results were being recorded in our Mac’s log, and we’re now rapidly gaining experience. Here’s an interim guide to what XProCheck can show.

No scans at all in the last day

XProtect Remediator scans aren’t scheduled by the clock, but run opportunistically. They’re most likely to occur when your Mac is awake, but not interacting with the user or performing heavyweight background tasks like large Time Machine backups. They certainly can’t occur when your Mac is shut down, although they can be the cause of DarkWakes from sleep.

If you only check for the last day and don’t see any scan results, increase the period to 3 or 4 days. If you still don’t see any scans, leave your Mac idling but awake for a couple of hours, then run XProCheck again.

If you keep seeing reports of there being no scans at all, day after day, then is the time to suspect that XProtect Remediator may not be working properly, or may not be running at all. Assuming that it has been installed correctly, the next subsystem to look at is the dispatching mechanism DAS-CTS, which is supported by a readymade log scheme in Mints.

Private results

A few of you have now reported that some entries shown in XProCheck contain multiple lines like
2022-09-06 11:52:34.654 DubRobber ⚠️<private>

What has happened there is that the DubRobber scan has resulted in a log entry containing only protected, potentially private information. The Unified log is strict about what content should be revealed in full, and tends to err on the safe side. The information protected by the <private> marking doesn’t exist in the log, though, as it’s not hidden there and censored from the output, it isn’t even saved in the log files. Although it’s possible to turn that protection off, that’s a drastic measure and completely unsuitable in this case.

All you can do is assume that, if a scan had information you needed to see, it would write it plainly in the log. Try again a day or so later. Updating macOS might also help, as there’s a suggestion that some of these occur in macOS 12.4 rather than 12.5.1.

What should worry me?

Lines which don’t carry the ⚠️ sign contain reports that include any of the following:

  • the text NoThreatDetected,
  • a status code of 20,
  • a status code of 0.

Thus, any status code other than 0 and 20, coupled with a status message reporting the detection of a threat or its remediation, should be marked with the ⚠️ sign, and you should check that line.

Other than with message entries consisting just of <private>, the only common situation in which you may encounter ⚠️ is with SnowDrift scans. These typically report in pairs, such as
followed by

Read those carefully, and you’ll see the first of those two isn’t a report on detection or remediation, but tells you the modification and creation dates of WindowServer, in this case being the same. It’s the second line that reveals the status of that scan, which clearly states that no threat has been detected. Although it’s worth checking the first message, it’s the second that reveals the conclusion. Note that, following the version 72 update of 7 September, this no longer happens, and you only see the second of those entries.

Any scan report returning a status_message different from NoThreatDetected, or a status_code that isn’t 20 (most scans) or 0 (MRTv3) is a good indication of a detection or a significant problem.



Several of the scanners usually follow reporting patterns or idioms:

  • DubRobber is the most frequent scanner, and the duration of its scans vary considerably as if it were performing different types of scan in sequence.
  • SnowDrift scans tend to report in pairs, as explained above (no longer, following the version 72 update).
  • Trovi scans occur in triplets, reporting that it’s unable to find a Plist.
  • Geneio reports that it has skipped running in some way, but still takes a little time to scan and gives a status: {"caused_by":[{"description":"Skipped running on older versions","causedBy":[],"code":20}],"status_message":"NoThreatDetected","status_code":20,"execution_duration":0.72696900367736816}.

XProCheck keeps crashing

Just in case you’re wondering whether XProCheck will ever work for you, as it keeps crashing, please move the app to a location such as your main Applications folder and run it from there. It’s the result of macOS security.

I hope these help you get the most out of XProtect Remediator and its new protection.