hoakley May 1, 2023 Macs, Technology, Updates

SilentKnight 2.5 and XProCheck 1.5 are better focussed

Last week’s short-lived update to XProtect Remediator version 96 resulted in many being warned unnecessarily about the results of its scans. These new versions of SilentKnight and XProCheck use more reliable techniques to distinguish the importance of their reports, and should make life easier for all users.

In macOS Catalina, Big Sur and Monterey, the only way to access XProtect Remediator’s scan reports is in their log entries. Although Ventura also makes them accessible to apps monitoring them using Endpoint Security, relatively few apps can do that at present, and all those that I know of are intended for enterprise use and priced accordingly. Both SilentKnight and XProCheck thus obtain and analyse log extracts to reveal the results of those scans.

Previous versions have analysed those log entries as text, which is quick and effective, but not always robust. XProtect Remediator version 96 thus resulted in over-reporting of problems. For example, on one of my Macs here the WaterNet scanner took a dislike to an old folder buried in Application Support, and now reports that item every time that it runs. However, that scanning module doesn’t count this as a malware detection, and concludes NoThreatDetected.

Although it’s helpful for the user to be aware of these and similar reports, previous versions of SilentKnight and XProCheck placed undue emphasis on them, flagging them as a detection or remediation, which they clearly aren’t. While it’s good to err on the side of caution, it’s better to be more balanced.

These new versions now analyse scan reports as JSON data, making more detailed assessments practical. While XProCheck still includes those reports in its information, they’re no longer flagged as detections in either app.

XProCheck now uses the following classification:

if the report contains “NoThreatDetected”, or has a status_code of 0 or 20, it’s counted as a normal scan
if the report contains a status_code of 31, it’s an incomplete scan that was abandoned because the signatures didn’t match following an update; this isn’t counted as a warning, though
if the report contains a status_code of 23, it’s an ⛔️ alert to a detection or remediation
if the report merely reports a finding, such as a potentially suspicious file or folder, it’s counted as a 👉 report and marked for your attention
if the report contains none of those, it’s counted as a ⚠️ warning and merits closer consideration.

All clear scan reports should now be much easier to check with their regular structured layout.

This is a good illustration of a succession of warnings culminating in a successful detection and remediation, here for KeySteal malware using XProtect Remediator version 95.

SilentKnight presents a numeric summary on the same lines; if you want to see more detail, then use XProCheck. SilentKnight also fixes a minor but long-standing issue in the presentation of firmware versions in the full report.

These new versions have been tested against XProtect Remediator versions 95 and 96, and a range of malware samples as well as healthy Macs.

SilentKnight version 2.5 is now available from here: silentknight205
from Downloads above, from its Product Page, and through its auto-update mechanism.

XProCheck version 1.5, which I believe remains the only utility for viewing XProtect Remediator scans, is now available from here: xprocheck15
from Downloads above, from its Product Page, and through its auto-update mechanism.

Both require macOS 10.15 or later, but as XProtect Remediator does too, that shouldn’t be surprising.

27Comments

Add yours

1

EcleX on May 1, 2023 at 6:34 am

The best got better. Thanks!

LikeLiked by 1 person
2

Bill Smith on May 1, 2023 at 12:15 pm

Howard, once again I send you my gratitude. I also thank you for conveying your knowledge to us in such a well written manner. I often point others to your blogs as the best answer. Cheers.

LikeLiked by 1 person
- 3
  
  hoakley on May 1, 2023 at 2:59 pm
  
  Thank you.
  Howard.
  
  LikeLike
4

Bens on May 1, 2023 at 2:07 pm

An echo to Bill Smith’s post.

Invaluable for the security these programmes provide and for the understanding the text gives us.

A million thanks.

LikeLiked by 1 person
- 5
  
  hoakley on May 1, 2023 at 2:59 pm
  
  Thank you.
  Howard.
  
  LikeLike
6

Rob Jamison on May 1, 2023 at 8:06 pm

Thanks for providing this SilentKnight. I’ve installed it without issues (system shown below)

Could this indicate some Unicode trickery? I like the wording being literal and letting the viewer make the comparison. …. but assumption of version strings being filtered like this
\s+[0-9]{1,}(\.[.0-9])?\s+
# RWJ -> Is ‘;’ part of the version string that has been injected prior to rendering, or simply English grammar?
/ iBoot version found 8422.100.650; expected 8422.100.650 /

Here is the SilentKnight full log:
====================================

🍏 Mac model Mac14,7
Mac model Mac14,7
iBoot version found 8422.100.650; expected 8422.100.650
🍏 iBoot firmware appears up to date.
✅ XProtect 2167 should be 2167
❌ XPR 95 should be 96
✅ MRT 1.93 should be 1.93
✅ TCC 150.19 should be 150.19
✅ KEXT 18.0.0 should be 18.0.0
Apple Silicon Security:
🍏 Secure Boot: Full Security
🍏 System Integrity Protection: Enabled
🍏 Signed System Volume: Enabled
🍏 Kernel CTRR: Enabled
🍏 Boot Arguments Filtering: Enabled
🍏 Allow All Kernel Extensions: No
User Approved Privileged MDM Operations: No
DEP Approved Privileged MDM Operations: No
✅ XProtect assessments enabled
✅ FileVault is On.
XProtect Remediator scans not checked.
macOS Version 13.3.1 (Build 22E261)
Latest updates installed:
XProtectPlistConfigData 2023-04-08 16:10:53 +0000 : 2167
XProtectPayloads 2023-04-08 16:10:56 +0000 : 95
MRTConfigData 2023-03-24 20:00:23 +0000 : 1.93
⚠️ Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: macOS Security Response 13.3.1 (a)-22E772610a
Title: macOS Security Response 13.3.1 (a), Version: 13.3.1 (a), Size: 302500KiB, Recommended: YES, Action: restart,

LikeLiked by 1 person
- 7
  
  hoakley on May 1, 2023 at 8:09 pm
  
  No trickery: just punctuation.
  Howard
  
  LikeLike
8

Rob Jamison on May 1, 2023 at 8:11 pm

Successfully Updated…SilentKnight now yields
======================
🍏 Mac model Mac14,7
Mac model Mac14,7
iBoot version found 8422.100.650; expected 8422.100.650
🍏 iBoot firmware appears up to date.
✅ XProtect 2167 should be 2167
❌ XPR 95 should be 96
✅ MRT 1.93 should be 1.93
✅ TCC 150.19 should be 150.19
✅ KEXT 18.0.0 should be 18.0.0
Apple Silicon Security:
🍏 Secure Boot: Full Security
🍏 System Integrity Protection: Enabled
🍏 Signed System Volume: Enabled
🍏 Kernel CTRR: Enabled
🍏 Boot Arguments Filtering: Enabled
🍏 Allow All Kernel Extensions: No
User Approved Privileged MDM Operations: No
DEP Approved Privileged MDM Operations: No
✅ XProtect assessments enabled
✅ FileVault is On.
XProtect Remediator scans not checked.
macOS Version 13.3.1 (a) (Build 22E772610a)
Latest updates installed:
XProtectPlistConfigData 2023-04-08 16:10:53 +0000 : 2167
XProtectPayloads 2023-04-08 16:10:56 +0000 : 95
MRTConfigData 2023-03-24 20:00:23 +0000 : 1.93
✅ Software Update Tool

Finding available software
No new software available.

LikeLiked by 1 person
- 9
  
  hoakley on May 1, 2023 at 9:47 pm
  
  Thank you.
  You actually don’t have to make your own comparison between iBoot versions: SilentKnight does that for you and here states “iBoot firmware appears up to date”, which is just as well as Apple doesn’t provide any list of which iBoot version your Mac should be running. The found and expected line tells you what my database thinks your Mac should be running.
  Howard.
  
  LikeLike
10

Ole on May 2, 2023 at 6:34 am

Hello Howard,
Thank you for your work and the tools you provide.

For some days I observe a crash with LockRattler 4.36: the ‘eficheck’ called by LockRattler produces a core dump on both my Intel machines (an iMac and a PowerBook)

“`
Hardware Model: iMac19,2
Process: eficheck [1830]
Path: /usr/libexec/firmwarecheckers/eficheck/eficheck
Identifier: eficheck
Version: ???
Code Type: X86-64 (Native)
Role: Unspecified
Parent Process: LockRattler [1818]
Coalition: co.eclecticlight.LockRattler [1501]
Responsible Process: LockRattler [1818]

Date/Time: 2023-05-02 08:07:29.8575 +0200
Launch Time: 2023-05-02 08:07:29.6731 +0200
OS Version: macOS 13.3.1 (22E772610a)
Release Type: User
Report Version: 104

Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Triggered by Thread: 0

Thread 0 Crashed:
0 0x110ba7070 _dyld_start + 0
1 0x103019000 ???

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7bcee6b08
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x0000000110ba7070 rfl: 0x0000000000000200 cr2: 0x0000000000000000

Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0

Binary Images:
0x110ba2000 – 0x110c3dfff (*) ???
0x103019000 – 0x103024fff (*) ???

Error Formulating Crash Report:
dyld_process_snapshot_get_shared_cache failed
“`

I’m wondering where the code signing went wrong. And if there could be a conflict with my own Developer signing certificates.

Best regards
Ole

PS: feel free to move this discussion to a different thread.

LikeLiked by 1 person
- 11
  
  hoakley on May 2, 2023 at 7:28 am
  
  Thank you. I apologise for that.
  First: a workaround. Please use SilentKnight instead, as that doesn’t call eficheck.
  From that crash report, it’s eficheck that is being crashed because it has an invalid signature, suggesting the problem rests with macOS. Could you please try
  /usr/libexec/firmwarecheckers/eficheck/eficheck –integrity-check
  (with a double hyphen for the option) in Terminal and see what that does. That’s the exact command being run by LockRattler, which has worked since High Sierra on Intel Macs without a T2 chip. Intel Macs with a T2 chip and Apple silicon Macs don’t use eficheck, so that isn’t called when LR runs on them.
  I’ve not had any other reports of this problem (yet). If the signature on eficheck is broken, then all I can do is omit that check, in a new version of LockRattler. There’s no way it can handle such a deliberate crash.
  Howard.
  
  LikeLike
  - 12
    
    Ole on May 2, 2023 at 9:56 am
    
    I think the problem is outside of LockRattler and the codesigning is not right.
    I tried your proposed eficheck –integrity-check with and without ‘sudo’ in normal and safe mode. This results also in that crash but with these lines in the crash log:
    Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
    Exception Codes: 0x0000000000000000, 0x0000000000000000
    Termination Reason: CODESIGNING 4 Launch Constraint Violation
    
    I will use SilentKnight for now.
    
    LikeLiked by 1 person
    - 13
      
      hoakley on May 2, 2023 at 11:08 am
      
      Thank you. I have put out a call on Twitter to see in anyone else has got the same problem, and will report back if I hear any more.
      Howard.
      
      LikeLike
    - 14
      
      hoakley on May 2, 2023 at 12:52 pm
      
      I have just made a new version, 4.37, of LockRattler which you should find fixes that bug, by removing the eficheck check.
      Thank you for helping me fix it.
      Howard.
      
      LikeLike
    - 15
      
      hoakley on May 2, 2023 at 4:54 pm
      
      I have written an article about eficheck for Friday morning. I think this is probably the side-effect of security changes in Ventura, and hope that it will be fixed before Ventura goes into maintenance. However, LockRattler won’t be using eficheck again, as I explain in that article.
      Howard.
      
      LikeLike
16

Ole on May 2, 2023 at 1:25 pm

I can confirm that the observed bug is resolved with LockRattler 4.37.
Thank you

LikeLiked by 1 person
17

artiste212 on May 4, 2023 at 10:03 pm

Howard,
Perhaps you could help. Silent Knight just showed me two yellow warnign signs for Bad Gacha in the past day. I ran XProCheck and received 3 warnings like this:
2023-05-04 02:35:08.938 BadGacha ⚠️ FailedToRemediate time 0.0001501 {“caused_by”:[],”status_message”:”FailedToRemediate”,”status_code”:24,”execution_duration”:0.00015008449554443359}
Given that it’s not red, I’m not sure how serious this is, but I’d love to know what you think is causing this.

Thanks!

Bruce

LikeLiked by 1 person
- 18
  
  hoakley on May 4, 2023 at 10:10 pm
  
  I’m sorry to hear that.
  I’ve never come across a status code of 24 for a failure to remediate: yours is the first report of that. I still don’t know what malware BadGacha is, and that message doesn’t reveal the reason, e.g. a file/folder in the wrong place.
  If you have time, I’d raise it with Apple Support, in the hope they’ll escalate it to a security engineer. Only they will be able to understand it, and they may well need a sysdiagnose, as they’ll explain. I suspect it’s a false positive, but I think it’s worth pursuing in case it isn’t.
  Sorry.
  Howard.
  
  LikeLiked by 1 person
  - 19
    
    artiste212 on May 5, 2023 at 4:24 pm
    
    Howard, this is a follow up to our discussion of the Badgacha status_code 24 message. I contacted Apple Support and was referred from their online chat to a phone call with screen sharing. The rep was very professional and said he hadn’t seen this before and couldn’t find any reference to it. He agreed it “could be” due to the recent Rapid Security Response but doesn’t have any info on that.
    
    He said he would send this to a higher level and also recommended I run Malwarebytes. I ran XProCheck again today, and found that the last BadGacha error was at 2:36 am this morning. I ran XProtect again twice after that without errors. The XProCheck log now shows two “NoThreatDetected” status_code 20 entries for BadGacha at 10:24 am and 11:21 am today.
    
    I’m unable to find any issues with how my Mini is working (other than the perennial “Safari is using too much memory on some websites” error) so I’m going to wait for a reply from Apple.
    
    If it turns out this is just an issue with Apple’s updated malware protection, sorry to have sent you on this wild goose chase.
    
    LikeLiked by 1 person
    - 20
      
      hoakley on May 5, 2023 at 5:25 pm
      
      Thank you. I’m delighted that Apple is taking this seriously, and that this may have settled down. This also provides feedback to the engineers, which I’m sure will be invaluable to them. And please don’t apologise – I’m as interested in this as you must be.
      We’re all finding our way still here, and learning as we go.
      Howard.
      
      LikeLiked by 1 person
21

artiste212 on May 4, 2023 at 11:24 pm

Howard, Thanks so much for making the software that found this, and nothing to be sorry for. I’ll raise this with Apple and get back to you with anything I find. The good news is my Mac Mini is working as well as it did when brand new, but of course, I won’t take this for granted. Darn, BadGacha is a nasty name!

LikeLiked by 1 person
22

Joao on May 5, 2023 at 9:08 pm

When check I get this message

No XProtect Remediator scan log messages found in the last 5 days.
The oldest log entry has a datestamp of 2023-05-04T17_27_22Z, 1,151 days ago

Look like the last check was on 2023-05-04.

Is this a bug?

LikeLiked by 1 person
- 23
  
  hoakley on May 5, 2023 at 9:12 pm
  
  I think you’re misreading the number: it’s 1.151 days.
  Your log is turning over very quickly. What’s filling it up? I aim for a minimum of 2 days, and ideally over 2.5.
  Howard
  
  LikeLike
  - 24
    
    Joao on May 5, 2023 at 9:16 pm
    
    My mistake. Here in Brazil we use “.” as thousands separator.
    
    LikeLiked by 1 person
    - 25
      
      hoakley on May 5, 2023 at 10:11 pm
      
      That puzzles me.
      You just stated that you use a period or full stop as your thousands separator, and the number you posted here was 1,151, which uses a comma, which would then logically be used to mark the decimal point. Yet you interpreted it as being the thousands separator. I’m hopelessly confused.
      The formatting of that number should be based on your language localisation, in System Settings, which is why here in the UK I see that number with the conventional period/stop as the decimal point, and not the comma as you reported, given your different localisation.
      Howard.
      
      LikeLike
    - 26
      
      artiste212 on May 6, 2023 at 2:13 am
      
      Howard,
      
      Maybe we need LLMs much more than we’ve realized. You say apologise, I say apologize. And there are many other words. Joao and you are troubled by different usage of “,” and “.” as the thousands separator or decimal. Further, the two of you differ in calling “.” a “period” or “full stop.”
      
      With all the computing power available, we should be able to put a full stop to these issues. Period.
      
      LikeLiked by 1 person
    - 27
      
      hoakley on May 6, 2023 at 5:58 am
      
      We don’t “need” LLMs. The only people who need them are those who think they can make millions out of them. We’re all far smarter than any LLM can be, because we can distinguish between fact and fiction, and know what the word “honesty” means.
      A quick test: try putting an XPR report message into any LLM and ask it to interpret it, and recommend what you should do about it. Please post your results as I could do with a laugh.
      Howard.
      
      LikeLiked by 1 person