Last Week on My Mac: Secret security

Apple is sadly no stranger to pulling updates. Ever since the days of classic Mac OS, there have been updates that have been rescinded faster than they appeared, sometimes leaving plenty of sick Macs in their wake. This week it seems to have been the turn of its latest anti-malware service XProtect Remediator to suffer this ignominy.

Not that this service officially exists. Since its tentative release in macOS Monterey 12.3 on 14 March 2022 and its rapid maturing during last summer, it has been given no more than an ambiguous byline in Apple’s Platform Security Guide, which doesn’t clearly differentiate the new malware scanner from the old XProtect. Until February we received secret updates every couple of weeks, and in the last couple of months alone it has gained another five new scanning modules with idiosyncratic names like BadGacha and FloppyFlipper.

At a little after 1700 GMT last Thursday, 27 April, Apple’s software update servers started offering an update labelled XProtectPayloads_10_15-96 which installed XProtect Remediator version 96 complete with its two new scanning modules for RankStank and RoachFlight. Within 12 hours, that was no longer available, and that new version has vanished without trace, notice or explanation. If you run a Content Caching server, you may have discovered that Apple has even retracted the update from that if it had already been downloaded and added to the local cache.

Without the assistance of Silent Knight, macOS normally checks for new updates like that to XProtect Remediator at least once every 24 hours. Assuming those checks are fairly evenly spread, and that version 96 was available for eight hours, that means that around a third of all Macs running macOS Catalina or later and in active daily use should now have an update that the remaining two-thirds can’t get.

As one of the third who did update, XProtect Remediator version 96 hasn’t been a catastrophe. It does seem to have one unpleasant habit, though, that might account for this sudden withdrawal: it likes to report odd items as being potentially malicious, although it doesn’t detect them as malware or try to remediate them. In my case, each scan performed for WaterNet reports the folder at ~/Library/Application Support/Alfred/Alfred.alfredpreferences/snippets/main, which hasn’t been changed for nearly four years, before concluding NoThreatDetected.

That’s reflected in Silent Knight’s quick check of scans, and in unexpurgated detail in XProCheck. The first time you see it, it looks worrying until you see NoThreatDetected on the following line. This is something I need to address in both apps, which have until now only performed basic parsing of the log entries made by each scan. Instead, those apps are going to have to do some smarter interpretation to discriminate between such bogus reports and real detections.
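One way to do that smarter interpretation, shown here as an added example rather than code from Silent Knight or XProCheck: group each scan's entries and let only its concluding status decide, so a folder reported by WaterNet and then followed by NoThreatDetected is shown as clean rather than as a detection. The line format, the SampleModule scan and its ThreatDetected status are constructed for this example and are not Apple's real Unified log format.

```python
import re
from dataclasses import dataclass, field

# Constructed line shapes for this example only, NOT Apple's real log format.
START = re.compile(r"scan started module=(\S+)")
REPORT = re.compile(r"reported path=(.+)$")
STATUS = re.compile(r"status=(\S+) module=(\S+)")

# Constructed sample log. WaterNet mirrors the behaviour described in the post;
# SampleModule and the ThreatDetected status are invented for contrast.
SAMPLE_LOG = """\
09:00:01 scan started module=WaterNet
09:00:02 reported path=~/Library/Application Support/Alfred/Alfred.alfredpreferences/snippets/main
09:00:03 status=NoThreatDetected module=WaterNet
09:00:04 scan started module=SampleModule
09:00:05 reported path=/tmp/constructed-example.bin
09:00:06 status=ThreatDetected module=SampleModule
09:00:07 scan started module=BadGacha
09:00:08 reported path=/tmp/another-constructed-path
"""

@dataclass
class Scan:
    module: str
    reported: list = field(default_factory=list)
    status: str = ""  # empty until the scan's concluding status line is seen

def parse_scans(log_text):
    """Group lines into per-module scans: start, zero or more reports, one status."""
    scans, current = [], None
    for line in log_text.splitlines():
        if m := START.search(line):
            current = Scan(m.group(1))
            scans.append(current)
        elif current and (m := REPORT.search(line)):
            current.reported.append(m.group(1).strip())
        elif current and (m := STATUS.search(line)) and m.group(2) == current.module:
            current.status = m.group(1)
            current = None
    return scans

def classify(scan):
    """Only the concluding status decides; a bare 'reported' line is not a detection,
    and a report with no status yet (scan running, or truncated log) stays unresolved."""
    if not scan.status:
        return "unresolved" if scan.reported else "incomplete"
    if scan.status == "NoThreatDetected":
        return "reported-but-clean" if scan.reported else "clean"
    return "detection"
```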

Few of the third who did update will even be aware of those warnings, or indeed of successful detection or remediation, as the strangest feature of XProtect Remediator remains its secrecy. It posts no entries in System Information, or any of the user-accessible logs, only in the Unified log, where they’re buried among millions of other entries and only available to those privileged enough to understand them. As a set of background scanning modules, XProtect Remediator doesn’t even post a notification when it has completed its tasks.

XProtect Remediator is fully supported in macOS Catalina, Big Sur, and Monterey, although in those the only way to access its scan results is in the Unified log. Ventura does at least make them available as Endpoint Security events, so if you happen to be using a third-party security system that can monitor those, there is an alternative to wrestling with log show commands, or a third-party browser. So far, though, the only security software that seems able to capture scans via Endpoint Security is aimed and priced for enterprise users.

Even if Apple were to change its policy and provide a convenient way to monitor anti-malware scans, with WWDC due in little over a month, it’s hardly going to appear in Ventura. That would still leave all those running macOS 10.15, 11, 12 and 13 without ready access to scan results. That’s likely to include every Intel Mac without a T2 chip.

So for most Mac users, an update they never knew occurred may have silently installed a security tool they didn’t know they had, whose reports of abnormalities they’ll never see won’t worry them in the slightest. Neither would they ever be aware of it detecting and remediating malicious software, something I find troubling. Is the best security really kept completely secret from the user?