Interpreting XProCheck’s results and problems

With the release of XProCheck 1.1 and its new feature to perform XProtect Remediator malware scans on demand, I’m getting more experienced at interpreting their results. Here are my current suggestions.

No scans at all in the last day

XProtect Remediator scans aren’t scheduled by the clock, but run opportunistically. They’re most likely to occur when your Mac is awake, but not interacting with the user or performing heavyweight background tasks like large Time Machine backups. They certainly can’t occur when your Mac is shut down, although they can be the cause of Dark Wakes from sleep.

If you only check for the last day and don’t see any scan results, increase the period to 3 or 4 days. If you still don’t see any scans, try clicking on the Run XProtect button, wait until the busy spinner has gone, and check again. You should then see the results of that manual scan.

If automatic scans don’t appear to be occurring, but a manual scan does, the next subsystem to look at is the dispatching mechanism DAS-CTS, which is supported by a ready-made log scheme in Mints.

If you don’t see any results of automatic scans, and a manual scan also appears to do nothing, the next thing to check is whether your log is working correctly. For this you’ll need a copy of Ulbow, and the instructions here.

If your log is working correctly, that is the time to suspect that XProtect Remediator itself may not be working properly. When you perform a manual scan, XProCheck does check that its main binary is in the expected location, and should report an error if it can’t find it. If you don’t see any error and still don’t see any reports from XProtect Remediator, follow the instructions below for using SilentKnight to check that it’s up to date.

Private results

Several have now reported that some entries shown in XProCheck contain multiple lines like
2022-09-06 11:52:34.654 DubRobber ⚠️<private>

What has happened there is that the DubRobber scan has resulted in a log entry whose content is entirely protected, potentially private information. The Unified log is strict about what content should be revealed in full, and tends to err on the safe side. Note that the information behind the <private> marking doesn’t exist in the log at all: it isn’t stored there and censored on output, it is never written to the log files in the first place, so no later tool can recover it.

There are two likely causes for these odd results. The first is that your Mac still has a very old version of XProtect Remediator installed; the other is that you have a custom log profile installed, in which case you should be able to remove it in the Profiles pane.

Early versions of XProtect Remediator were still work in progress, and may not write normal reports to the log. To discover whether your Mac still has such an old version, check the version number of XProtect.app in /Library/Apple/System/Library/CoreServices. That should be at least 72 now. There’s no way to download an installer for this, as it should be delivered through Software Update.
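As an added example (not XProCheck’s or SilentKnight’s code), here is how to read that version number from the bundle’s Info.plist in Python and turn it into the advice given above. The path and the threshold of 72 come from the text; CFBundleShortVersionString is the standard key for a bundle’s version. Because the real bundle only exists on a Mac, the demo function builds a skeleton XProtect.app in a temporary directory with a constructed, hypothetical version string and runs the check against that.

```python
import plistlib
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Location given in the text; the bundle's version is in Contents/Info.plist.
XPROTECT_APP = "/Library/Apple/System/Library/CoreServices/XProtect.app"
MINIMUM_VERSION = 72  # "should be at least 72 now", per the text


def remediator_version(app_path=XPROTECT_APP) -> Optional[int]:
    """Return XProtect Remediator's version as an integer, or None when the
    bundle or its Info.plist is missing (the case XProCheck reports as an error)."""
    info = Path(app_path) / "Contents" / "Info.plist"
    if not info.is_file():
        return None
    with info.open("rb") as f:
        data = plistlib.load(f)  # handles both binary and XML plists
    raw = str(data.get("CFBundleShortVersionString", ""))
    # The Remediator's version string is a plain build number such as "72";
    # take the leading integer so a hypothetical "72.1" would still compare.
    try:
        return int(raw.split(".")[0])
    except ValueError:
        return None


def assess(version: Optional[int]) -> str:
    """Turn the version into the advice the text gives."""
    if version is None:
        return "XProtect.app not found or unreadable: check the installation"
    if version < MINIMUM_VERSION:
        return (f"version {version} is too old and may only write <private> reports; "
                f"wait for Software Update (or SilentKnight) to deliver {MINIMUM_VERSION} or later")
    return f"version {version} is recent enough to write normal reports"


def demo(version_string: str = "62") -> Tuple[Optional[int], str]:
    """Build a constructed XProtect.app skeleton in a temp dir (hypothetical
    version string, not a real bundle) and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "XProtect.app"
        (app / "Contents").mkdir(parents=True)
        with (app / "Contents" / "Info.plist").open("wb") as f:
            plistlib.dump({"CFBundleShortVersionString": version_string}, f)
        version = remediator_version(app)
        return version, assess(version)


if __name__ == "__main__":
    for v in ("62", "72"):
        print(demo(v))
    print(assess(remediator_version()))  # the real bundle, when run on a Mac
```

On a Mac itself the same figure is available from the command line with defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString, which is what the Python above does without needing macOS tools.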

The easy way to address this is to download my free SilentKnight, unarchive it, and move the app into an Applications folder. Run it from there, and it should show you the version number of XProtect Remediator and other security software, and look for outstanding updates to them. Provided the list of available updates doesn’t include anything large like a macOS update, you can safely install those, and they should bring your security software up to date. If there is a larger update waiting, SilentKnight can download and install individual updates, as described here.

One fairly common problem with those updates occurs when you’re using a local Content Caching server: security updates download correctly but fail to install. You should then quit SilentKnight, disable the Content Caching server, open SilentKnight and try again, as explained here. That’s a known bug which has been reported to Apple.

What should worry me?

Lines that don’t carry the ⚠️ sign contain reports with any of the following:

  • the text NoThreatDetected,
  • a status code of 20,
  • a status code of 0.

Thus any status code other than 0 or 20, coupled with a status message reporting the detection of a threat or its remediation, should be marked with the ⚠️ sign, and you should check that line.

Older versions of XProtect Remediator used to trigger the ⚠️ sign when scanning for SnowDrift. As of version 72, no normal scan result should now cause the display of that sign. Any scan report returning a status_message different from NoThreatDetected, or a status_code that isn’t 20 (most scans) or 0 (MRTv3) is a good indication of a detection or a significant problem.


Idioms

Several of the scanners follow reporting patterns or idioms:

  • DubRobber is the most frequent scanner, and the duration of its scans varies considerably, as if it were performing different types of scan in sequence.
  • SnowDrift scans tend to report in pairs.
  • Trovi scans occur in triplets, reporting that it’s unable to find a Plist. In some scans, the third of those may report that it wasn’t performed as root user; those occur in manual scans, which run only with the user’s privileges.
  • Geneio reports that it has skipped running in some way, but still takes a little time to scan and gives a status: {"caused_by":[{"description":"Skipped running on older versions","causedBy":[],"code":20}],"status_message":"NoThreatDetected","status_code":20,"execution_duration":0.72696900367736816}.
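As an added illustration of the rules in the two sections above (the benign status_code and status_message pairs under “What should worry me?”, and the caused_by idioms listed here), the following Python is example code, not part of XProCheck or XProtect Remediator. It parses report lines laid out the way XProCheck displays them, treats <private> entries as unreadable rather than as detections, surfaces the caused_by description so the Geneio and Trovi idioms are recognisable, and flags anything else the way XProCheck’s ⚠️ does. The sample lines are constructed: the Geneio payload is the one quoted above; the Trovi description, the MRTv3 payload and the two flagged payloads (a hypothetical ThreatDetected message and an unexpected code 1) are made up to exercise the different paths.

```python
import json
import re

# Benign results per the text: status_code 20 for most scanners, 0 for MRTv3,
# always with status_message NoThreatDetected.
BENIGN_CODES = {20, 0}
BENIGN_MESSAGE = "NoThreatDetected"

# One XProCheck-style report line: "<date> <time> <scanner> <report>".
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(.*)$")

# Constructed sample lines, not captured from a real Mac. The Geneio payload is
# the one quoted in the text; the others are hypothetical.
SAMPLE_LINES = """\
2022-09-06 11:52:34.654 DubRobber <private>
2022-09-06 12:01:02.110 Geneio {"caused_by":[{"description":"Skipped running on older versions","causedBy":[],"code":20}],"status_message":"NoThreatDetected","status_code":20,"execution_duration":0.72696900367736816}
2022-09-06 12:03:15.221 MRTv3 {"status_message":"NoThreatDetected","status_code":0,"execution_duration":1.2}
2022-09-06 12:05:40.333 Trovi {"caused_by":[{"description":"Unable to find Plist","causedBy":[],"code":20}],"status_message":"NoThreatDetected","status_code":20,"execution_duration":0.3}
2022-09-06 12:07:00.001 SnowDrift {"status_message":"ThreatDetected","status_code":20,"execution_duration":2.5}
2022-09-06 12:09:09.909 DubRobber {"status_message":"NoThreatDetected","status_code":1,"execution_duration":4.0}
"""


def classify(report: str) -> tuple:
    """Classify one scan report. Returns (verdict, detail) where verdict is
    'ok' (benign), 'warn' (XProCheck would show ⚠️) or 'private' (redacted)."""
    report = report.strip()
    if report == "<private>":
        # Nothing to read: the log never stored the content.
        return "private", "report redacted by the Unified log"
    try:
        data = json.loads(report)
    except json.JSONDecodeError:
        return "warn", "report is not a JSON status object"
    msg = data.get("status_message")
    code = data.get("status_code")
    # caused_by carries the idiom text (e.g. Geneio's "Skipped running ...").
    causes = "; ".join(c.get("description", "") for c in data.get("caused_by", []))
    detail = f"{msg} code={code}" + (f" ({causes})" if causes else "")
    if msg == BENIGN_MESSAGE and code in BENIGN_CODES:
        return "ok", detail
    return "warn", detail


def scan_lines(text: str) -> list:
    """Parse report lines and attach a verdict to each."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip anything that is not a report line
        when, scanner, report = m.groups()
        verdict, detail = classify(report)
        results.append({"when": when, "scanner": scanner,
                        "verdict": verdict, "detail": detail})
    return results


def render(results: list) -> list:
    """Mimic XProCheck's display: ⚠️ in front of anything needing attention,
    including <private> entries, which it also marks."""
    out = []
    for r in results:
        flag = "⚠️" if r["verdict"] != "ok" else "  "
        out.append(f"{r['when']} {r['scanner']} {flag}{r['detail']}")
    return out


def needs_attention(results: list) -> list:
    """Only real detections or unexpected status values, not redactions."""
    return [r for r in results if r["verdict"] == "warn"]


if __name__ == "__main__":
    res = scan_lines(SAMPLE_LINES)
    print("\n".join(render(res)))
    redacted = sum(1 for r in res if r["verdict"] == "private")
    print(f"{len(needs_attention(res))} report(s) need checking; {redacted} redacted")
```

The classifier accepts 0 and 20 for every scanner because that is what the text lists as benign; if you want to be stricter, accepting 0 only from MRTv3 is a one-line change in classify, at the cost of diverging from what XProCheck itself flags.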

XProCheck keeps crashing

Just in case you’re wondering whether XProCheck will ever work for you, because it keeps crashing, please move the app to a location such as your main Applications folder and run it from there. The crashes are caused by macOS security restrictions on apps run from where they were downloaded.