hoakley February 5, 2024 Macs, Technology, Updates

Troubleshooting your Mac’s security with Skint 1.02

Skint version 1.02 adds the following new features to this app that keeps a watchful eye on your Mac’s key security features:

a Help book
support for those running beta-releases of macOS
the ability to disable XPR log checks, so it can be run in a standard user account
a log time check to XPR log checks
support for auto-update.

This new version is available from here: skint102
from Downloads above, from its Product Page, and it supports auto-update for future versions.

Its ReadMe file and Help book explain each of the checks that it makes, and what you can do to address any problems it finds. The rest of this article steps through them, as a reference.

macOS

Skint checks that your Mac is running the current minor version and patch of the major version of macOS installed on it. If either is older than the current one, it will point that out to you, so you can update using Software Update. This version also tolerates running beta-releases of the next macOS updates: although it will note that a pre-release version is running, it won’t try to get you to change.

Note that Skint is as happy as you are if your Mac is still running Monterey or Ventura, but does expect you to keep up to date with their security updates.

SIP

System Integrity Protection (SIP) was introduced in 2015, long before the modern SSV, to provide additional protection for system and some other critical files, including many that aren’t part of the SSV. This feature also has some other functions such as hardening, used by notarised apps. Sometimes it’s necessary to disable it, and you may forget to enable it afterwards. It’s also a common requirement to be able to use Open Core Legacy Patcher (OCLP) on older Macs, in which case you’ll need to leave it turned off.

To enable SIP, start your Mac up in Recovery, enter Terminal there, and use the command
csrutil enable; reboot
When you press Return, your Mac will restart with SIP enabled. Apple silicon Macs will then normally need to be started again in Recovery, and Startup Security Utility used to return their Boot Security to full.

SSV

The Signed System Volume (SSV) was introduced in Big Sur, and has greatly improved security and reliability of macOS. In the great majority of Macs, Skint should be able to confirm that the SSV is enabled. It may be necessary on older models using OCLP to disable this, but Macs that run supported installations of macOS 11 or later should always have it enabled. In some cases, when there’s more than one bootable system available to a Mac, Skint may be unable to assess SSV status.

If the SSV isn’t enabled, you’ll need to change settings in Startup Security Utility (in Recovery), or install macOS again.

Gatekeeper/XProtect checks

When Gatekeeper and XProtect are enabled, security checks are made on all executable code and apps when they’re run, to ensure they don’t contain known malware. You shouldn’t need to disable that, but if you do and forget to turn it back on, enter the command
sudo spctl --global-enable
which requires you to authenticate using your admin password. Be careful with that command: the hyphens before global-enable aren’t long dashes, but two separate hyphens. That doesn’t need to be done in Recovery, and should have immediate effect.

XProtect

XProtect is a bundle containing security data used by macOS during Gatekeeper checks. Apple updates that data relatively frequently, and Skint checks that the version installed is the latest. If it isn’t, use SilentKnight to check for and install an update.

XProtect Remediator

XProtect Remediator (XPR) is separate, and every day or so runs scans to detect known malware on your Mac, and remediate any found. Skint runs two checks, the first to ensure this is up to date. If it reports that XPR is out of date, use SilentKnight to check for and install an update.

When XPR runs its scans, it doesn’t alert you if it detects or remediates any malware, but records that in the log. Skint will normally check your Mac’s log for the last 36 hours for results of those scans. If it reports any irregularities, use XProCheck to obtain full details so you can decide what to do.

Obtaining these log extracts requires that you run Skint from an admin account; if that’s not possible, there is an option to skip checking XPR’s scans, as explained later.

The most common reasons for not finding any XPR scan reports are that your Mac hasn’t been awake but inactive at the right time for the scans to run, or that its log records don’t go back far enough to find them. When this version of Skint can’t find any scan records in the last 36 hours, it now reports how long the log records are. If they’re less than 24 hours, then records may already have been removed from the log. You can then run XPR manually using XProCheck if you wish, or adjust the time that Skint checks your Mac.

XPR scans are normally run at about the same time each day, when your Mac is awake but is not being used. You can work out when they’re being run by checking more often with XProCheck; when you’ve found them, quit Skint and open it an hour or two after the time that the next scans are run. Then in its daily check, Skint should still be able to read the reports from the last XPR scans.

Skint updates

Each time Skint runs its checks, it also looks to see whether a new version of Skint is available. If it is, it will offer to download that version from this blog using your default browser. As this feature is new with version 1.02, it will work first when Skint 1.03 is released.

Hidden preferences

Skint’s preference file ~/Library/Preferences/co.eclecticlight.Skint contains three settings you can change using a Property List editor. Avoid trying to change these using a text editor, as they are managed by cfprefsd and those are likely to fail.

To disable XPR log checks, set the key dontXPR to <true/> To help you do this, a copy of the property list is supplied with the app.

To change the frequency at which Skint’s checks are run, set the key updateCheckInt to the number of seconds between checks. The default is 86400, which is 24 hours. Setting it to less than 1 will return it to the default.

To change the tolerance for when checks are run, set the key updateCheckTol to the number of seconds. The default is 300, which is 5 minutes. Setting it to less than 1 will return it to the default.

Please feel free to add your comments about this new version. If it’s now fairly complete in its features, I’ll move on to giving it a more convenient interface so you can check your Mac’s status at a glance.

22Comments

Add yours

1

EcleX on February 5, 2024 at 7:58 am
Reply

Thanks!

LikeLiked by 1 person
2

Enzo Vincenzo on February 5, 2024 at 10:12 am
Reply

Good morning Howard!
So, the command “sudo spctl –global-enable” also disables XProtect and not just Gatekeeper?
Until now I only knew and used the command “sudo spctl –master-enable” to make the third choice appear in System Settings to be able to open Apps from any source and not just from Apple and recognized developers.

[P.S.: Are there any other options for the “spctl” command? I’m curious, but I can’t find anything around…]

LikeLiked by 1 person
- 3
  
  hoakley on February 5, 2024 at 11:40 am
  Reply
  
  That command doesn’t disable, it enables.
  The checks affected are essentially those Apple groups under the term Gatekeeper, and includes checks again the Yara list of signatures of known malware that comes in the XProtect bundle. (Although that’s completely different from XProtect Remediator, of course.)
  You should never disable Gatekeeper/XProtect protection under any circumstances, as that will allow your Mac to run malicious software without any detection until it’s too late.
  I don’t know why you’re running spctl: an Intel Mac will run completely unsigned software if you wish it to. You don’t have to fiddle with its security settings to allow that. Apple silicon Macs have a requirement for all executable code to be signed, and the only unsigned code that they can run is through Rosetta 2.
  But the only unsigned software that you should ever run is that built on your own Mac. Never run anything that isn’t properly signed and notarized from any external source, as it’s highly likely to be malicious.
  Howard.
  
  LikeLiked by 1 person
  - 4
    
    Enzo Vincenzo on February 5, 2024 at 2:43 pm
    Reply
    
    Thanks for the in-depth response. I see that I’m confused, perhaps because I’m a little dizzy from the recovering flu 😉 . I mistook “enable” for “disable”, since I’m the victim of the habitual use, on my Intel Macs, of ” sudo spctl — master-disable”.
    I know, Howard, it’s a bad habit… In any case I never (ever) use new or unknown software, only popular and well-known Apps. Sometimes, however, it happens that some software, regularly purchased by me in cumulative offers (e.g.: BundleHunt) and with a “lifetime” license (even if not from the official website) suddenly refuses my license code; for example if I use them for the first time after a long time after purchase and in the meantime a new version has been released or after initializing the Mac, etc.
    In these circumstances, if I encounter obstacles with Assistance or they ask me for money that they are not entitled to and I should not pay, I certainly cannot file a lawsuit… After all, these are never software I use for work, but only utilities or programs for hobby use.
    So, feeling good from the point of view of honesty, instead of wasting time arguing via email with people with asian names who manage said Supports on behalf of the manufacturer, I download a patched version and off we go…
    So far, after many years, even when I did some checks to verify the presence of Agents and Demons, I never had any problems but, above all, I use the macOS Firewall well, the very powerful “Little Snitch” and if necessary I also intervene directly in the /etc/hosts file.
    But you’re completely right!!!! 🙂
    
    LikeLiked by 1 person
    - 5
      
      hoakley on February 5, 2024 at 8:10 pm
      
      Enzo,
      There are two high-risk activities a Mac owner should never get involved in: downloading ‘patched’ versions of commercial apps, and downloading or using crypto software. Both carry an extremely high risk of bringing with them malicious software. There’s nothing in macOS that will then protect you from that, if you’ve disabled your Mac’s security checks. It’s like playing Russian roulette.
      Howard.
      
      LikeLiked by 1 person
    - 6
      
      Enzo Vincenzo on February 5, 2024 at 8:46 pm
      
      I thank you from the bottom of my heart!
      I treasure your words even if it will lead me to clean out my Macs of a multitude of stuff, 90% purchased, which I have never used and which I have collected out of pure doubt in thinking: “Maybe one day it could be useful…”.
      The fact is that in addition to TextEdit, Safari and Mail I use only Pages and Numbers (but I also purchased all versions of Office for Mac, from the first to the last…), Photoshop (with a subscription), PDFSqueezer, Parallels Desktop with Winzozz 11 Pro (for humiliate Winzozz in a Mac window, where he is under control, better than alone in a PC box 😂), the exceptional VueScan by Ed Hamrick (another great person with intelligence and acumen equal to you) and little else.
      Yet, for example, despite always using PS, I also purchased Affinity Photo and the other two apps, various Luminar software, etc., always with the false idea that they might be useful to me sooner or later.
      So, FROM TODAY ON I WILL TRY TO BE INSPIRED BY YOUR WORDS AND I WILL PUT THE NEED OF KEEPING MY MAC CLEAN FIRST.
      And after reading your latest articles I also think that I will soon abandon my Intel Macs (6, between 2 iMac, 1 Mini and 3 MBP) to switch to the new Silicon. But I wait for March or June first since on these dates Apple often updates its machines while maintaining the price or even lowering it.
      
      LikeLiked by 1 person
    - 7
      
      hoakley on February 5, 2024 at 9:15 pm
      
      I hope your patience for M3 Macs is rewarded.
      Howard.
      
      LikeLiked by 1 person
    - 8
      
      Enzo Vincenzo on February 5, 2024 at 9:22 pm
      
      Of course, definitely 😊 And thank you for existing 🙏
      
      LikeLiked by 1 person
9

rgl7194 on February 5, 2024 at 4:59 pm
Reply

Hi Howard, thank you so much for the quick turnaround on the ability to run Skint in a user account. Works like a charm!

LikeLiked by 2 people
- 10
  
  hoakley on February 5, 2024 at 8:16 pm
  Reply
  
  Thank you – I’m delighted to hear it.
  Howard.
  
  LikeLiked by 1 person
11

artiste212 on February 5, 2024 at 8:13 pm
Reply

Howard, thanks for Skint. I just saw your email about these updates to XProtect and XProtect Remediator, and had the thought it would be nice if Skint, which is usually hidden, could trigger a notification or just pop up to the front (or even a badge on the dock icon) to let us know there’s an update available. It could even be an option in the settings (I know there would be issues when watching videos full screen, typing in a text box, etc. ) So if this would make the software too complicated, I could just wait for emails to arrive from that very thoughtful fellow at The Eclectic Light Company.

LikeLiked by 2 people
- 12
  
  hoakley on February 5, 2024 at 8:19 pm
  Reply
  
  Thank you.
  Once the engine in Skint is ready, I intend adding two key elements to its interface: a custom Dock icon that displays its status using colour and a symbol (for those with limited colour vision), and a widget as an alternative. But I believe in getting the app to work right before refining its interface.
  And there will be no notifications. Never!
  Howard.
  
  LikeLiked by 2 people
13

artiste212 on February 5, 2024 at 8:36 pm
Reply

Sounds great. RIght now, the Dock ion’s gray color is very inconspicuous, so a color would be very noticeable. Also, I’m impressed you wrote about “getting the app to work right…”That’s not always the priority among other developers.

LikeLiked by 2 people
- 14
  
  hoakley on February 5, 2024 at 9:16 pm
  Reply
  
  Thank you. Yes, the intention is that Skint’s icon will be grey until it gets its first results, then it will automatically change the icon’s colour as its status changes each day.
  Howard.
  
  LikeLiked by 1 person
15

Andrew on February 12, 2024 at 10:34 pm
Reply

I’m not sure Skint is working properly. I have v1.02 with XPR scan checks disabled (dontXPR set to true) since I use non-admin accounts for normal use. Skint’s box remained green this evening after its 20:50 (I think that was the time) check, but I realise this may have been before you updated your database for the latest XProtect release.

I have just run SilentKnight 2.7 followed by restarting Skint 1.02… sk reports the updated XProtect 2185 but skint still says everything is fine.

Is the dontXPR flag also disabling XProtect checks?

LikeLiked by 1 person
- 16
  
  hoakley on February 12, 2024 at 10:51 pm
  Reply
  
  No. All the dontXPR flag affects are the XPR log checks. XProtect and XPR version checks are performed the same regardless of that flag setting.
  But what you’ve observed sounds right. Unfortunately, my GitHub records don’t give a precise time of their update, but that would have been around the time that you think it made its evening check. We don’t know what version of XProtect your Mac had at that time, and because we don’t know precise times, we don’t know what data Skint obtained from my GitHub either.
  All we do know is that now that your Mac is running XProtect 2185, since the update to Skint’s data, your copy of Skint is correctly reporting that your Mac is up to date. So I’m not sure why you think Skint isn’t checking the XProtect version number.
  Howard.
  
  LikeLike
  - 17
    
    Andrew on February 12, 2024 at 11:06 pm
    Reply
    
    But my Mac isn’t up to date! I haven’t updated in the hope I could work out what Skint was doing. SilentKnight is reporting XProtect 2184 and Software Update still offers 2185.
    
    SilentKnight…
    XProtect 2184 should be 2185
    
    Skint’s output…
    Green Box
    XProtect Remediator scans not checked.
    Completed at 2024-02-12T23_01_57Z
    
    LikeLiked by 1 person
    - 18
      
      hoakley on February 12, 2024 at 11:14 pm
      
      Sorry, in your previous message, you wrote “sk reports the updated XProtect 2185”. I understood that to mean that SilentKnight was reporting that your Mac had been updated to XProtect version 2185. Now you’re telling me that it wasn’t, but was reporting 2184.
      I have rechecked the Skint source code, and what I said is correct. That flag *only* affects XPR log checks. The code used to check XProtect versions in SK and Skint is essentially the same. And Skint is working fine here.
      Howard.
      
      LikeLike
  - 19
    
    Andrew on February 12, 2024 at 11:26 pm
    Reply
    
    Apologies for not being clearer, I had intended to communicate that SK was letting me know that XProtect 2185 was available.
    
    I can do no more than let you know that, on my system, SilentKnight continues to reports XProtect is out of date, with Software Update continuing to offer the 2185 update whilst Skint gives me a green box and an accurate completed time.
    
    I have found much of your software wonderful and run silentknight daily on both of my Macs. At this point Skint doesn’t appear to be working for me and I will continue with manual SilnetKnight operation.
    
    LikeLiked by 1 person
    - 20
      
      hoakley on February 13, 2024 at 7:46 am
      
      Thank you for your persistence. I think that I have found the bug – which is of course intermittent, and seems infrequent! Essentially, when Skint fails to download the data from my GitHub server, it may skip some of the checks for which it doesn’t have that data. This invariably seems to resolve by quitting Skint and running it again.
      I have a fix in place now, and will be testing today (Tuesday) with the aim of releasing an update first thing on Wednesday.
      Thank you again for reporting this, even if it was met with my disbelief!
      Howard.
      
      LikeLike
21

Bruce on February 13, 2024 at 3:57 pm
Reply

I’m wondering why a managed Mac would have Gatekeeper turned off (spctl –status returns assessments disabled)? This is on my employer-provided Mac with VMWare Workspace ONE Intelligent Hub MDM, and it also has Symantec Endpoint Protection (maybe the latter does not work with Gatekeeper?).
Using sudo spctl –global-enable will enable Gatekeeper temporarily, but within an hour, it becomes disabled again. Of course this makes Skint “red” (no other warnings besides Gatekeeper disabled).
I’m not trying to hack my MDM but trying to understand the reason for disabling a security feature. (MacBook Pro 16.1 on Sonoma 14.3.1 but this situation goes back the entire 2 years I’ve had this).
-Bruce

LikeLiked by 1 person
- 22
  
  hoakley on February 13, 2024 at 4:42 pm
  Reply
  
  Sadly, this is often corporate ‘security’ policy at work, that disables built-in features and tries to substitute expensive services that then turn out to be trash. The only folk who can help you on that are your sysadmins, I’m afraid. I think it’s utterly nuts.
  Howard.
  
  LikeLike