How to deal with XProtect Remediator (XPR) problems

Over the last few weeks, some of the commonest questions you have asked are about problems with XProtect Remediator (XPR). Although its scans are normally run and reported silently, two of my most popular free apps, SilentKnight and the new Skint, should alert you to any unusual results. This article explains what you can and should do in the event that they show a warning.

XPR is separate from the traditional XProtect, which only checks executable code when it’s about to be run. XPR sits quietly in the background, then once every 24 hours or so it runs two complete sets of scans, one as root, the other as the current user. In total it currently runs 22 different scanning modules, from Adload to WaterNet, although some may be skipped and others run more than once, according to its schedule. Scans only take place when your Mac is awake, but it avoids running them when you’re busy using your Mac. Generally, these take place at roughly the same time each day, although that can change for no apparent reason.

No scans

The most common reason for SilentKnight or Skint drawing your attention to XPR is that they’ve not found any scans in the last day or so. Here, Skint looks for a period of 36 hours, while SilentKnight currently only looks back 24 hours. There may be a good reason for the scans being delayed, and on some Macs records in the log may not go back far enough to find the last reports. When Skint can’t find any scans in the last 36 hours, it automatically checks how far the log records go and reports that.

If your logs aren’t long enough, there’s no way to recover old records, but you can always open XProCheck and run a manual check there, following which XProCheck, SilentKnight and Skint should all find those reports. The only disadvantage with doing that is that XProCheck only runs one set of checks, as the user, and doesn’t run them again as root.
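As an added illustration of the lookback check described above (not code from XProCheck, SilentKnight or Skint), this script evaluates `log show --style json` output against the 24h and 36h windows and, when no XPR report is found, reports how far back the log reaches, as Skint does. It assumes XPR reports are logged under the subsystem named in `XPR_SUBSYSTEM` and that `log show --style json` timestamps look like `2024-05-01 03:12:44.123456+0100`; the sample entries are constructed.

```python
"""Check the unified log for recent XProtect Remediator (XPR) scan reports.

Added example, not code from XProCheck, SilentKnight or Skint. Assumed: XPR reports
are logged under XPR_SUBSYSTEM below, and `log show --style json` timestamps look
like "2024-05-01 03:12:44.123456+0100".
"""
from datetime import datetime, timedelta, timezone

XPR_SUBSYSTEM = "com.apple.XProtectFramework.PluginAPI"  # assumption, see above

def log_show_command(hours, xpr_only=True):
    """`log show` invocation (real flags) whose JSON output feeds xpr_status();
    drop the predicate to also learn how far back the log reaches."""
    cmd = ["log", "show", "--style", "json", "--last", f"{hours}h"]
    return cmd + (["--predicate", f'subsystem == "{XPR_SUBSYSTEM}"'] if xpr_only else [])

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z")

def xpr_status(entries, now, hours):
    """The SilentKnight (24h) / Skint (36h) check: XPR reports are picked out by
    subsystem; when none fall inside the window, any other entries show how far
    back the log actually reaches, as Skint reports."""
    cutoff = now - timedelta(hours=hours)
    age = lambda t: round((now - t).total_seconds() / 3600, 2)
    stamps = [(parse_ts(e["timestamp"]), e.get("subsystem")) for e in entries]
    in_window = [t for t, _ in stamps if t >= cutoff]
    xpr = [t for t, s in stamps if t >= cutoff and s == XPR_SUBSYSTEM]
    return {"found": bool(xpr), "xpr_count": len(xpr),
            "latest_age_hours": age(max(xpr)) if xpr else None,
            "log_reach_hours": age(min(in_window)) if in_window else None}

def describe(status, hours):
    if status["found"]:
        return (f"{status['xpr_count']} XPR report(s) in the last {hours}h, "
                f"latest {status['latest_age_hours']}h ago")
    if status["log_reach_hours"] is None:
        return f"no log records at all in the last {hours}h"
    return f"no XPR reports in the last {hours}h; log only reaches back {status['log_reach_hours']}h"

# Constructed sample in the `log show --style json` shape, not real log output.
SAMPLE = [
    {"timestamp": "2024-05-01 06:00:00.000000+0000", "subsystem": XPR_SUBSYSTEM},
    {"timestamp": "2024-05-01 20:00:00.000000+0000", "subsystem": "com.example.other"},
    {"timestamp": "2024-05-02 10:00:00.000000+0000", "subsystem": "com.example.other"},
]
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)

for hours in (24, 36):  # a 30h-old scan worries SilentKnight but not Skint
    print(describe(xpr_status(SAMPLE, NOW, hours), hours))
```

On a Mac, replace `SAMPLE` with `json.loads()` of the output of `log_show_command(36, xpr_only=False)`; the unfiltered dump is large, so the XPR-only predicate is the cheaper first query.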


XPR updates

Older versions of SilentKnight used to report a problem when XPR was updated. This is because, once that new version of XPR is installed, it will trigger two error messages when it next runs. SilentKnight and Skint are both aware of that, and try to avoid troubling you when they see those reports, while XProCheck explains what they mean.

Detection and remediation

If SilentKnight or Skint suggest there’s a problem with XPR reports, follow that up by checking with XProCheck. If it reports there have been detections and remediations, these are the sort of entries you should expect to see.


The first line with the yellow warning triangle reports the successful detection of DubRobber in a copy of the Xcode app. That’s followed by a second entry reporting success with macos_dubrobber_payload, in other words, XPR has found that malicious software. You may also see a report that it has been remediated.

This is the point at which you need to do a bit more research into what that malware does, and to establish the risk to that Mac and to any others you have. I’m sure that Apple Support will be able to help you deal with this.

False positives

Periodically, XPR scanning modules start reporting false positives, where files that are definitely not malicious are picked up as being suspicious. These normally result in warning reports rather than detections or successes. Sometimes they don’t reveal the name of the file thought to be suspicious, but they often give details of a software component in a major third-party app. Recently those have included 1Password-Crash-Handler, SnagitHelper2024, crashpad_handler and GoogleSoftwareUpdateAgent, each of which has triggered a report by the BadGacha module in XPR.

When you can identify which file has triggered that report, it should be straightforward to look inside that app’s bundle and confirm that everything appears to be in order there.

What you do next is up to you, and depends on how suspicious you are. At the very least, you should keep a careful watch for any unusual behaviour of your Mac, and check its XPR reports carefully over the following days. If you think you need more advice, or should report this, then please contact Apple Support, who should be able to pass this on to one of Apple’s security engineers. That ensures they’re aware of what is almost certainly a false positive. You should also contact the support service of the third-party product that’s triggering these reports, and let them know.

If you’re in any doubt, and Apple Support hasn’t helped resolve the problem, you’re most welcome to add it as a comment to the latest article reporting an XProtect or XPR security update here. I’ll always try to be as helpful as I can be, but remember there’s only one of me, and I do have to sleep occasionally.

Summary

  • Use XProCheck to follow up warnings about XPR scans.
  • When there are no scans found, consider leaving your Mac awake and inactive for an hour or two to see if they’ll run.
  • If your Mac’s log doesn’t go back far enough, consider a manual scan in XProCheck.
  • Successful detection and remediation of malware should be taken seriously, and followed up.
  • Try to identify the file causing any false positive from the report in XProCheck.
  • If you’re concerned about what may be a false positive, consult Apple Support and report it to the third-party app support.

Links

XProCheck
SilentKnight & Skint