xprotect_reports table does not work on macOS Sequoia #8573

alirezaghey opened this issue Mar 20, 2025 · 1 comment
Bug report

What operating system and version are you using?

```
❯ osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = 15.3.2
   build = 24D81
platform = darwin
```

What version of osquery are you using?

```
❯ osqueryi --line "SELECT version from osquery_info;"
version = 5.16.0
```

What steps did you take to reproduce the issue?

  1. Downloaded eicar.com.
  2. Renamed it to eicar.
  3. Made it executable: `chmod +x eicar`.
  4. Executed it: `open ./eicar`.
  5. System saw it as malware and removed the file.

This can be seen in the following screenshot:
[screenshot attached to the issue; not included in the page text]

And also in the log stream:

```
❮ log stream --predicate 'subsystem == "com.apple.xprotect"'
Filtering the log data using "subsystem == "com.apple.xprotect""
Timestamp                       Thread     Type        Activity             PID    TTL
2025-03-20 14:16:22.183921+0100 0xa705f    Default     0x0                  17097  0    XprotectService: [com.apple.xprotect:xprotect] Using meta-plist from: /var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.meta.plist
2025-03-20 14:16:22.212264+0100 0xa705f    Default     0x0                  17097  0    XprotectService: [com.apple.xprotect:xprotect] Using XProtect rules location: /var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.yara
```

  6. There is no trace of it in the xprotect_reports table:

```
osquery> select * from xprotect_reports;
osquery>
...
❯ osqueryi --line "SELECT * from xprotect_reports;"
```

What did you expect to see?

Expected some record in the xprotect_reports table.

What did you see instead?

Nothing.

Related to: #6588
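While the xprotect_reports table is empty on this macOS version, the unified log still records the XProtect activity shown above. The following parser, added here as an illustration and not part of this issue or of osquery, turns `log stream` default-format lines (the column layout quoted in the report) into structured events and keeps only the com.apple.xprotect subsystem, so a defender can collect the same evidence from the log until the table works. The sample input is constructed from the two lines quoted in the issue plus one unrelated line.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: header lines, the two XProtect lines quoted in the issue,
# and one unrelated line to exercise the subsystem filter (not live output).
SAMPLE_LOG = """\
Filtering the log data using "subsystem == "com.apple.xprotect""
Timestamp                       Thread     Type        Activity             PID    TTL
2025-03-20 14:16:22.183921+0100 0xa705f    Default     0x0                  17097  0    XprotectService: [com.apple.xprotect:xprotect] Using meta-plist from: /var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.meta.plist
2025-03-20 14:16:22.212264+0100 0xa705f    Default     0x0                  17097  0    XprotectService: [com.apple.xprotect:xprotect] Using XProtect rules location: /var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.yara
2025-03-20 14:16:23.000000+0100 0xa7060    Default     0x0                  17098  0    someprocess: [com.example.other:cat] unrelated message
"""

# Fixed columns of `log stream` default output: Timestamp Thread Type Activity PID TTL <rest>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+[+-]\d{4})\s+"
    r"(?P<thread>0x[0-9a-f]+)\s+(?P<type>\w+)\s+(?P<activity>0x[0-9a-f]+)\s+"
    r"(?P<pid>\d+)\s+(?P<ttl>\d+)\s+(?P<rest>.*)$"
)
# <rest> is "Process: [subsystem:category] message"
MSG_RE = re.compile(r"^(?P<process>[^:]+): \[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\] (?P<message>.*)$")


@dataclass
class LogEvent:
    timestamp: str
    pid: int
    process: str
    subsystem: str
    category: str
    message: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one log line; the filter banner and column header return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mm = MSG_RE.match(m["rest"])
    if not mm:
        return None
    return LogEvent(m["ts"], int(m["pid"]), mm["process"].strip(),
                    mm["subsystem"], mm["category"], mm["message"])


def xprotect_events(lines: Iterable[str]) -> List[LogEvent]:
    """Keep only events from the com.apple.xprotect subsystem (the predicate used above)."""
    events = [parse_line(line) for line in lines]
    return [ev for ev in events if ev is not None and ev.subsystem == "com.apple.xprotect"]


if __name__ == "__main__":
    for ev in xprotect_events(SAMPLE_LOG.splitlines()):
        print(ev.timestamp, ev.pid, ev.process, ev.message)
```

On a live host the same functions can be fed from `log show --predicate 'subsystem == "com.apple.xprotect"' --last 1h` via subprocess; the sample here is embedded only so the script runs offline.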


nonpunctual commented Mar 21, 2025

Based on the thread in the previous closed ticket for this, I think the standard for closing this should be that the data expressed in the xprotect_reports table should be as useful / complete as what's currently available from the silnite binary: https://eclecticlight.co/lockrattler-systhist/ @ksatter

#6588
