I’m not surprised that many are confused: we all are. For many years, XProtect decided whether the Flash and Java we had installed were safe, and that freshly downloaded apps didn’t match the signatures of known malware. It was MRT that tried to repair any damage caused by malware, or fix mass vulnerabilities like flawed web servers installed without our knowing.

Then along comes XProtect.app to start scanning our Macs to detect and remediate malware. Is it just old XProtect getting a bit big for its boots, or MRT in disguise?

This article, thanks to a couple of log artefacts, might help you understand the difference between old XProtect and what is also known as XProtect Remediator, from the names of its scanning modules.

It started with my free app to review the results of XProtect Remediator scans in the log, XProCheck. When first released, it drew attention to some scan reports from XProtectRemediatorSnowDrift which appeared quite innocent, like:
⚠️{"path":{"path":"\/System\/Library\/PrivateFrameworks\/SkyLight.framework\/Versions\/A\/Resources\/WindowServer","modificationDate":681893078,"creationDate":681893078},"status":null,"action":"report"}
Apple’s engineers addressed that in an update to XProtect Remediator, and with version 72 those messages disappeared from our logs.

But two regular readers begged to differ: their XProCheck results continued to contain similar reports, each marked with a yellow warning triangle. Together we checked everything, and couldn’t account for this phenomenon, until I read their reports more closely. The answer was in the paths being reported. In one, it was
/Volumes/Latest MacOS/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
and in the other
/Users/bill/Documents/sysdiagnose_2020.08.24_12-53-22-0700_1586_Mac-OS-X_MacPro6-1_1962021/logs/loginwindow

So two of the actions undertaken by the SnowDrift scanner are to look for suspicious files named WindowServer and loginwindow in unusual paths. Thanks to the work of Stuart Ashenbrenner at Jamf, we know that SnowDrift looks for CloudMensis, first discovered by ESET back in April 2022, and detailed here. It also happens to have been added to the (old) XProtect Yara signatures file in version 2162. For the first time we can make a limited comparison between the approaches of (old) XProtect and (new) XProtect Remediator, with MRT not even in the game, as its last update in April couldn’t have known about CloudMensis.

The Yara rules to recognise SnowDrift (CloudMensis) require:

• a Mach-O binary file, and
• any two of the following three strings matched:
• https://api.pcloud.com/getfilelink?path=%@&forcedownload=1
• -[Management initCloud:access_token:]
• *.doc;*.docx;*.xls;*.xlsx;*.ppt;*.pptx;*.hwp;*.hwpx;*.csv;*.pdf;*.rtf;*.amr;*.3gp;*.m4a;*.txt;*.mp3;*.jpg;*.eml;*.emlx

The first of those refers to the cloud storage used by CloudMensis to deliver its second stage, and the second to its use of an access token for that storage. The last is the list of file extensions reported by ESET as occurring in the CloudMensis configuration at ~/Library/Preferences/com.apple.iTunesInfo29.plist. Thus, these strings are most likely to be found in the first stage of the malware.

When Gatekeeper checks a fresh file, if it decides that an XProtect check is required, then those rules determine whether it’s detected as SnowDrift (CloudMensis). If the malware evades checking against XProtect’s Yara rules, though, it then proceeds to download and install its active components, including a second-stage executable named WindowServer, reported by ESET as being installed to /Library/WebServer/share/httpd/manual/. Among other files described as being installed are ~/Library/Containers/com.apple.FaceTime/Data/Library/windowserver, and ~/Library/Containers/com.apple.languageassetd/loginwindow

While the XProtectRemediatorSnowDrift scanner appears to use the XProtect Yara rules to recognise the first stage component, it also looks for aberrant files named WindowServer and loginwindow from the second stage, and those are responsible for the flagged reports seen by those two Macs using XProCheck. This scanner is using more sophisticated techniques not just to detect the first stage of CloudMensis, but to search for later components of the malware, as we’d rather hope.

So should those two users still seeing flagged reports from XProCheck worry about those log entries?

In the case of
/Volumes/Latest MacOS/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer
that turns out to be a fallback bootable system, so it should be checked by the SnowDrift scanner.
/Users/bill/Documents/sysdiagnose_2020.08.24_12-53-22-0700_1586_Mac-OS-X_MacPro6-1_1962021/logs/loginwindow
could of course come from anything, and is another good catch by the scanner. So those two users should be reading those reports carefully, even though the SnowDrift scanner concluded that there wasn’t sufficient evidence to detect CloudMensis on their Macs.

When XProCheck flags a scan report with ⚠️, that doesn’t necessarily mean there has been a detection or remediation, but it should lead you to read the report carefully and think what might be its cause.