SilentKnight 2.5 and XProCheck 1.5 are better focussed

Last week’s short-lived update to XProtect Remediator version 96 resulted in many being warned unnecessarily about the results of its scans. These new versions of SilentKnight and XProCheck use more reliable techniques to distinguish the importance of their reports, and should make life easier for all users.

In macOS Catalina, Big Sur and Monterey, the only way to access XProtect Remediator’s scan reports is in their log entries. Although Ventura also makes them accessible to apps monitoring them using Endpoint Security, relatively few apps can do that at present, and all those that I know of are intended for enterprise use and priced accordingly. Both SilentKnight and XProCheck thus obtain and analyse log extracts to reveal the results of those scans.

Previous versions have analysed those log entries as text, which is quick and effective, but not always robust. XProtect Remediator version 96 thus resulted in over-reporting of problems. For example, on one of my Macs here the WaterNet scanner took a dislike to an old folder buried in Application Support, and now reports that item every time that it runs. However, that scanning module doesn’t count this as a malware detection, and concludes NoThreatDetected.

Although it’s helpful for the user to be aware of these and similar reports, previous versions of SilentKnight and XProCheck placed undue emphasis on them, flagging them as a detection or remediation, which they clearly aren’t. While it’s good to err on the side of caution, it’s better to be more balanced.

These new versions now analyse scan reports as JSON data, making more detailed assessments practical. While XProCheck still includes those reports in its information, they’re no longer flagged as detections in either app.

XProCheck now uses the following classification:

  • if the report contains “NoThreatDetected”, or has a status_code of 0 or 20, it’s counted as a normal scan
  • if the report contains a status_code of 31, it’s an incomplete scan that was abandoned because the signatures didn’t match following an update; this isn’t counted as a warning, though
  • if the report contains a status_code of 23, it’s an ⛔️ alert to a detection or remediation
  • if the report merely reports a finding, such as a potentially suspicious file or folder, it’s counted as a 👉 report and marked for your attention
  • if the report contains none of those, it’s counted as a ⚠️ warning and merits closer consideration.


All clear scan reports should now be much easier to check with their regular structured layout.


This is a good illustration of a succession of warnings culminating in a successful detection and remediation, here for KeySteal malware using XProtect Remediator version 95.


SilentKnight presents a numeric summary on the same lines; if you want to see more detail, then use XProCheck. SilentKnight also fixes a minor but long-standing issue in the presentation of firmware versions in the full report.

These new versions have been tested against XProtect Remediator versions 95 and 96, and a range of malware samples as well as healthy Macs.

SilentKnight version 2.5 is now available from here: silentknight205
from Downloads above, from its Product Page, and through its auto-update mechanism.

XProCheck version 1.5, which I believe remains the only utility for viewing XProtect Remediator scans, is now available from here: xprocheck15
from Downloads above, from its Product Page, and through its auto-update mechanism.

Both require macOS 10.15 or later, but as XProtect Remediator does too, that shouldn’t be surprising.