# macos
I'm trying to check if Malwarebytes realtime protection is enabled with the following query:
SELECT f.path FROM file AS f JOIN mdfind ON mdfind.path = f.path AND mdfind.query = "kMDItemFSName == 'product.info' && kMDItemTextContent == 'off'" WHERE f.path = "/Library/Application Support/Malwarebytes/MBAM/LogsEx/product.info";
If I remove kMDItemTextContent I get results:
SELECT f.path FROM file AS f JOIN mdfind ON mdfind.path = f.path AND mdfind.query = "kMDItemFSName == 'product.info'" WHERE f.path = "/Library/Application Support/Malwarebytes/MBAM/LogsEx/product.info";
+--------------------------------------------------------------------+
| path                                                               |
+--------------------------------------------------------------------+
| /Library/Application Support/Malwarebytes/MBAM/LogsEx/product.info |
+--------------------------------------------------------------------+
I see this with grep:
$ grep off /Library/Application\ Support/Malwarebytes/MBAM/LogsEx/product.info
    "actual" : "off(reason: notAllowedBySystem)",
    "actual" : "off(reason: notAllowedBySystem)",
Does that mean the metadata is only being indexed by Spotlight but not the contents here? This used to work, so I'm guessing something changed in the last major macOS update. Any thoughts on a possible workaround here? Thanks!