hoakley March 23, 2023 Macs, Technology, Updates

SilentKnight 2.4 improves XProtect Remediator reporting

Following hard on the heels of my updated version of XProCheck, here’s an update to SilentKnight to bring it to version 2.4, with similarly improved analysis and reporting of XProtect Remediator (XPR) anti-malware scans.

When all is going swimmingly, this is what the new version should look like, here on an Apple silicon Mac with a Mac Studio display attached. As before, at the upper right it states that 60 scans were completed by XPR without any warnings. In the full report below, you’ll see a little more detail, that those 60 scans completed without any alerts or warnings.

When it has been one of those days, you might, if you’re very unlucky, see something like this. While a total of 52 XPR scans have been reported, six of them are graded as alerts, indicating that XPR detected and/or remediated malware, according to its reports. This is again given in detail in the full report.

Because of the limited space available in the individual boxes in the upper part of the window, SilentKnight only reports the worst of results; if there are alerts and warnings, then the scan result will give the number of alerts. But a detailed breakdown of both alerts and warnings will be given below.

The many other warnings shown here are because this was obtained from one of my virtual machines, running with Permissive Security, SIP disabled, and Gatekeeper/XProtect checks disabled. I also deliberately keep it out of date for other security updates such as XProtect. I hope your Mac doesn’t look anything like that!

As with XProCheck, SilentKnight is now more nuanced in its interpretation of scan reports:

reports stating that malware was detected and/or remediated are counted as alerts, and given the sign ⛔️;
reports of signature errors that occur following XPR updates aren’t counted as scan reports, and don’t count as warnings;
reports of scans that report anything else, apart from a normal result, are counted as warnings with the sign ⚠️.

Should you see any alerts or warnings, then I recommend that you run a fuller check using XProCheck, to provide details of all scan results.

SilentKnight version 2.4 is now available from here: silentknight204
from Downloads above, from its Product Page, and via its auto-update mechanism.

In case you missed it, XProCheck 1.4 is now available from here: xprocheck14
from Downloads above, from its Product Page, and via its auto-update mechanism.

Both of these are Universal Apps for Catalina, Big Sur, Monterey and Ventura. Older versions of SilentKnight for older macOS remain available from its Product Page.

17Comments

Add yours

1

EcleX on March 23, 2023 at 8:04 am
Reply

Great! Thanks! The best gets even better!!!

LikeLiked by 1 person
- 2
  
  hoakley on March 23, 2023 at 12:01 pm
  Reply
  
  Thank you. I hope so.
  Howard.
  
  LikeLike
3

Javier Gallardo on March 23, 2023 at 12:23 pm
Reply

Thank you very much. (With new “components” being served from Apple and the finer knowledge you’re obtaining, I appreciate your effort & kindness to users community). Kudos.

LikeLiked by 1 person
- 4
  
  hoakley on March 23, 2023 at 2:43 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
5

Bill Smith on March 23, 2023 at 12:29 pm
Reply

Once more I am humbled by your graciousness, and dedication to excellence in providing such important tools to the community. Peace to you Howard.

LikeLiked by 1 person
- 6
  
  hoakley on March 23, 2023 at 2:44 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
7

artiste212 on March 23, 2023 at 2:21 pm
Reply

Once again, thank you so much for the very helpful (and necessary) software you create for us.

LikeLiked by 1 person
- 8
  
  hoakley on March 23, 2023 at 2:46 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
9

Dakotamoons on March 23, 2023 at 4:28 pm
Reply

A million thanks, as always. Flawless installation on my M1 Mac Studio running Ventura v13.2.1. I don’t know what I’d do without SilentKnight. Eternally grateful for everything you do Howard.

LikeLiked by 1 person
- 10
  
  hoakley on March 23, 2023 at 5:47 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike
11

Neil on March 23, 2023 at 5:42 pm
Reply

This is an excellent update to a very useful utility, thank you! One question I had when running this latest version of SilentKnight was that instead of stating that SIP and SSV is enabled, I get a “Platform Security Partial” result, although the SIP and SSV status is showing enabled later on. Is that because of the “Secure Boot: Reduced Security”, “File Vault is Off” results and XProtect / XPR / MRT versions are not the latest? The system language is English. I cannot find any information in the documentation that explains this. I ran LockRattler (another great utility, thank you!) to see if there were any results from that check that may provide additional info, but could not find anything. Thanks for your help with this.

LikeLiked by 1 person
- 12
  
  hoakley on March 23, 2023 at 5:49 pm
  Reply
  
  Thank you.
  The lower detailed report should explain: if your Mac is running at Reduced Security, then Platform Security should only be reported as Partial. Full Security requires that Secure Boot is at Full Security. It doesn’t require any of the tools are up to date, nor that File Vault is on, although I’d strongly advise you to enable File Vault.
  Howard.
  
  LikeLike
  - 13
    
    Neil on March 23, 2023 at 5:58 pm
    Reply
    
    Thanks Howard, appreciate it.
    
    LikeLiked by 1 person
  - 14
    
    Marc on March 23, 2023 at 6:57 pm
    Reply
    
    Why to you recommend having File Vault on? I understand that with Ventura and Apple Silicon chips that there is essentially no reduction/overhead in performance with File Vault. However, what are the advantages of having File Vault turned on with a desktop computer in a secure location.? (E.g. where there is no physical access to the computer by people other than the user.)
    
    LikeLiked by 1 person
    - 15
      
      hoakley on March 23, 2023 at 7:11 pm
      
      The Data volume in your Mac is already encrypted, but anyone can gain access to its contents, as that volume is automatically unlocked for every user. What happens in Apple silicon Macs (and Intel models with a T2 chip) is that the encryption key already being used is protected by your password as well. So it makes no difference at all to performance. What it does mean is that only those users with a Secure Token can unlock the Data volume – so only those user accounts you authorise to have that access.
      There are many ways of gaining access to a Mac that doesn’t have FileVault enabled – good hackers are happy to demonstrate them. But once FileVault has been turned on, unless they have the FileVault password they’re completely stuck. They only get ten guesses before the Mac locks them out for a while, then another few, until eventually the Mac is completely locked.
      I never used to use FileVault for the same reasons that you give. That changed completely with my first T2 Mac, and I now routinely enable it on Apple silicon Macs. As it’s completely free and has no side-effects or disadvantages, why not?
      Howard.
      
      LikeLike
16

jimgbuffalo on March 24, 2023 at 2:15 pm
Reply

Thanks Howard. Your work is first class as usual.

LikeLiked by 1 person
- 17
  
  hoakley on March 24, 2023 at 6:32 pm
  Reply
  
  Thank you.
  Howard.
  
  LikeLike