How a security update threw errors in XProtect Remediator

Many of you noticed that, following last Thursday’s update to XProtect Remediator (XPR), there were one or two warnings noted in SilentKnight and XProCheck. My own records showed this too, with:
2023-02-02 23:58:19.144 MRTv3 ⚠️{"caused_by":[],"status_message":"Unknown","status_code":31,"execution_duration":0.00016105175018310547} 2023-02-03 00:01:48.971 Genieo ⚠️{"caused_by":[],"status_message":"Unknown","status_code":31,"execution_duration":0.00013697147369384766}
If you looked again once XPR had run another set of scans, you’ll have noticed they’ve since returned to normal. This article explores how and why.

What happened in the log

If you were to look in the log around the times of those warnings, you might be even more puzzled. The first of those, occurring at 2023-02-02 23:58:19, contained the following notable entries.

Both appeared to come out of the blue, when XProtectPluginService had just started one of its periodic scans:
19.143590 com.apple.XProtectFramework.Plugin XProtectRemediatorMRTv3 PluginService has an invalid code signature, terminating

This resulted in the log entry you see in XProCheck:
19.144380 com.apple.XProtectFramework.PluginAPI XProtectRemediatorMRTv3 {"caused_by":[],"status_message":"Unknown","status_code":31,"execution_duration":0.00016105175018310547}
which gives nothing away. So how come a freshly updated copy of XPR had an invalid code signature? Could it have been malicious, or was that update broken?

Following log entries then show what happened. First, the offending scanner module inside XPR was exited, and its XPC communications with other processes, in particular XProtectPluginService, were cancelled.
19.144390 XProtectRemediatorMRTv3 CoreAnalytics Entering exit handler. 19.144416 XProtectRemediatorMRTv3 CoreAnalytics Cancelling XPC connection. Any further reply handler invocations will not retry messages 19.144446 XProtectRemediatorMRTv3 CoreAnalytics XPC connection invalidated (daemon unloaded/disabled) 19.274219+0000 Error XProtectPluginService com.apple.XProtectFramework.plugins.MRTv3 @ file:///Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorMRTv3 - BB9B968A-D632-49BC-9CC4-2F1A2363DB47 exited with .badPluginServiceSignature - exiting

This was propagated to XProtectPluginService, which runs these scans.
19.274224 XProtectPluginService CoreAnalytics Entering exit handler. 19.274267 XProtectPluginService CoreAnalytics Cancelling XPC connection. Any further reply handler invocations will not retry messages 19.274305 XProtectPluginService CoreAnalytics XPC connection invalidated (daemon unloaded/disabled) 19.274346 Error [XPC Server] managed connection recieved connection invalidated: Connection invalid 19.274523 Fault com.apple.XProtectFramework XProtect XPC connection interrupted 19.275667 system/com.apple.XprotectFramework.PluginService [1946] launchd launchd exited due to exit(0) 19.275694 system/com.apple.XprotectFramework.PluginService [1946] launchd launchd service state: not running 19.275699 pid/1946 [XProtectPluginS] launchd launchd shutting down 19.275708 launchd removing child: pid/1946
In the last two of those entries, that process ID (PID) is that of XProtectPluginService.

Then the underlying cause is revealed, and that attempt at a scan abandoned as complete.
19.278403 Fault XProtectPluginService connection error: Couldn’t communicate with a helper application. 19.278445 com.apple.XProtectFramework XProtect Finished system scan, ran as 0 19.278491 Fault com.apple.XProtectFramework XProtect XPC connection invalidated 19.278543 Completed XPC Activity: com.apple.XProtect.PluginService.daemon.scan (0x7fd016514e60)

As this is a periodic task, its next set of scans was set up with Duet Activity Scheduler (DAS), to run in 24 hours time.
19.282677 com.apple.duetactivityscheduler Submitted Activity: 0:com.apple.XProtect.PluginService.daemon.scan:15EF08 at priority 30 with interval 86400 (Fri Feb 3 23:54:02 2023 - Sat Feb 4 23:54:02 2023)

This occurred twice: once for the scan run as root (above), and once for that run as the current user, at 2023-02-03 00:01:48.971, generating the second warning message. Look for XProtectPluginService in Activity Monitor and you’ll see two processes, one owned by the current user and the other by root. These are background services set up by property lists in /Library/Apple/System/Library/LaunchAgents and LaunchDaemons, and left running all the time so they can periodically call off XPR scans by XPR’s plugins.

What should have happened

For macOS to update XPR, what should happen is that the current running XProtectPluginService processes for both the user and root are stopped, the update installed, and XProtectPluginService started up again and added to DAS for scanning using the new version of XPR later. That’s why, after each XPR update, its scan schedule is reset, and likely to be run at a different time of day. In this update, it appears that corners were cut, which led to the problem.

What went wrong

XProtectPluginService is one of over 300 background services scheduled and dispatched by DAS-CTS. It communicates with the scanning modules using XPC. It has long been recognised that those communications could be vulnerable, allowing malicious software to hijack them. Imagine if you could replace one of XPR’s scanning modules with something that did the opposite, and maybe sent the contents of your keychain to a remote server. So it has become essential that XPC connections are secure, thus verifiable by signature. This has just been enhanced in Ventura, which now gives third-party developers access to signature-based checks in NSXPCConnection.

In this case, the previous XProtectPluginService was left running after the update had been installed. The next time that it tried to run a set of scans, it and the new scanning modules couldn’t agree on the signature expected to be used to secure their XPC connection. As a result, the scanning module was exited, followed by XProtectPluginService. As the latter is an expected service, when it was reinstated, it was running the newly installed version. When that was used to run the next scans, the signatures were all properly aligned, and no more errors occurred.

That’s true of Macs which are left running all the time. If you shut down or restarted your Mac in the period between the update being installed, and the next scheduled time to run XPR scans, then you wouldn’t have seen any errors or warnings, because the next scans would be performed completely with the new version of XPR, including XProtectPluginService.

Reporting

So why didn’t the report by XProtectFramework’s PluginAPI explain what the problem was, instead of giving “caused_by” as [], and “status_message” as "Unknown"? Probably because this isn’t intended to be its public interface, and users aren’t supposed to know gory details of internal matters. That seems like another vote in favour of log literacy.

9Comments

Add yours

1

Bill Smith on February 6, 2023 at 1:18 pm

Excellent investigation into this anomaly Howard. What I still find intriguing is why wasn’t it reported here as more widespread? Why such disparity in experiences, from an identical catalyst? This randomness just as you’ve experienced with content caching, lends itself to Apple’s apathy to do better.

Bill S

LikeLiked by 1 person
- 2
  
  hoakley on February 6, 2023 at 5:56 pm
  
  Thank you.
  I think this is down to when a Mac is next restarted. Normally, after one of the XPR updates, there’s no need to restart, as the installer handles it all smoothly. In this case, if your Mac ran its next set of XPR scans before it had been started up again, you were likely to see the two warnings.
  As with so much, it’s being able to work out why, and what they mean – as it was a self-correcting problem.
  Howard.
  
  LikeLike
3

xz4gb8 on February 6, 2023 at 2:21 pm

Bill Smith wrote, “What I still find intriguing is why wasn’t it reported here as more widespread?”
In my case, it is probably my learned automatic request for restart after making any possibly significant change to the OS or an application. The time for restart newer hardware has become insignificant in comparison to other parts of update or installation processes.

— Ancedote from ancient history (1980’s). Restarting a client’s Wintel notebook provided time to grind and brew coffee as well as drink it. Macs were somewhat faster at that time. But until faster CPUs and solid state storage, restarting was something to avoid.

— Today, there is no good reason for not restarting after changes to OS or apps. The tendency of programmers to assume correct initial conditions rather than verify/correct them is a good reason to restart.

LikeLiked by 1 person
- 4
  
  hoakley on February 6, 2023 at 5:59 pm
  
  Thank you.
  When you (try to) run a Content Caching server for your other Macs, there’s a good reason not wanting to restart that at least. If you do, you then have to restart all your other Macs twice for an update, once so they reconnect properly to the server, then again if you follow your adage.
  Security updates like these are intended to be installed without a restart, indeed without even interrupting your work. This is the first time this has happened with an XPR update, although we’ve now had something like 16 of them.
  Howard.
  
  LikeLike
  - 5
    
    xz4gb8 on February 6, 2023 at 6:48 pm
    
    That makes sense. Content Caching is terra incognita to me. Your explanation is new data.
    
    LikeLiked by 1 person
    - 6
      
      hoakley on February 6, 2023 at 9:24 pm
      
      I strongly recommend it for anyone running more than one Mac or device, despite its current problems with macOS security updates. It covers App Store apps, Apple content, and iCloud content too. Even if you have an excellent Internet connection, it’s valuable for iCloud syncs.
      Howard.
      
      LikeLike
7

John Gilbert on February 6, 2023 at 9:43 pm

I did notice the warnings 🙂 But did nothing about them 😦

Why did I do nothing about them? Because I don’t have confidence that Apple can get things right in the security space. Better to just wait and see if the problem recurs – it didn’t.

LikeLiked by 1 person
8

Myob on April 2, 2023 at 10:09 pm

FWIW, the same thing happened to me today. Thanks for the article/explanation.

After a reboot, everything was fine.

LikeLiked by 1 person
- 9
  
  Myob on April 2, 2023 at 10:12 pm
  
  I included this in my post inside angle brackets. WP must not like them:
  
  2023-04-02 17:52:00.436 Trovi {“caused_by”:[],”status_message”:”BadPluginServiceSignature”,”status_code”:31
  
  LikeLiked by 1 person

What happened in the log

What should have happened

What went wrong

Reporting

Share this:

Related