# kolide
o
Hi guys 👋 , QQ Given this: https://www.kolide.com/blog/new-inventory-windows-defender-and-xprotect-reports && given this issue is presently unsolved https://github.com/osquery/osquery/issues/6588 , I presume Kolide have opted to use file_events to intercept when the report file is generated (within `~Library/Logs/DiagnosticReports`), then an augeas lens to parse the json values to catch these reports? I've been currently solution engineering something similar, appreciate may not be something you wish to comment on however 😅
t
Hi oneiroi, I was never able to reproduce that bug report. The `xprotect_reports` table worked correctly on macOS 12 when I wrote that article. I tested it by running a malware test sample and saw that it created the diagnostic report as expected and that osquery parses it correctly.
If you are interested in learning more, see this companion article: https://www.kolide.com/blog/do-macs-need-third-party-antivirus-for-soc-2-compliance
o
Thanks @terracatta, oddly, I saw the opposite on 12.5.1 🤔 I'll t.a.l at the companion article you linked, thanks!
On the above, thanks, though I can confirm when following the test steps in https://github.com/osquery/osquery/issues/6588 I do not get an entry in `xprotect_reports`. Running theory is the test might be a skipped pattern, but I do not presently have any evidence of this; happy to hear anything you may be able to offer on this. Thanks!
t
curious if you set up your device as new or if it’s been upgraded from older versions of macOS
o
M1 Pro 2021, iirc I've done minor version updates, but no major version jumps iirc
t
I will retest over this weekend and see if it still generates reports
I used the EICAR file to test; if you do that, do you get a report?
like download a file with the EICAR magic string, set it as executable and then try to run it
o
👍 will test this now
t
curious if this is malware specific
o
```
➜  /tmp curl https://www.eicar.com/download/eicar-com-2/\?wpdmdl\=8842\&refresh\=631b68bd773ad1662740669 -L -so eicar-test
➜  /tmp chmod +x eicar-test
➜  /tmp ./eicar-test
./eicar-test: line 1: syntax error near unexpected token `P^'
./eicar-test: line 1: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
```
Throws string errors; I'm presuming your test was different?
(tried the com file also, no change 😩)
t
try double clicking the file from the UI
not running it via the CLI
o
opens with textedit 😩
t
ok cool
now click an action and move to the bin
and see if it gens a report
o
Same process as eicar, selected "move to bin" && "Report malware to Apple" ... no entry 🤔
t
might be a bug in Apple’s side
and they keep testing the EICAR file and not real malware
when you run that test file do you see any errors in the Console app related to diagnostic reports failing to generate or anything like that?
perhaps it is trying to generate a report but something fails
and maybe the console app will give you more insight
o
```
default	17:50:07.911772+0100	kernel	AMFI: '/Users/aegishjalmur/Documents/samples/a.out' has no CMS blob?
default	17:50:07.911782+0100	kernel	AMFI: '/Users/aegishjalmur/Documents/samples/a.out': Unrecoverable CT signature issue, bailing out.
default	17:50:08.669773+0100	syspolicyd	GK evaluateScanResult: 2, PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE), 0, 0, 1, 0, 0, 0, 11
default	17:50:08.670181+0100	syspolicyd	Prompt shown (2, 0), waiting for response: PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE)
default	17:50:12.176692+0100	kernel	ASP: Security policy would not allow process: 45006, /Users/aegishjalmur/Documents/samples/a.out
```
As the `team` is `null`, suspecting this is not creating the entry
t
eicar doesn’t have a team either so I don’t think that’s it
o
iirc the `team` holds the malware signature, in this case that would be the mapping needed for eicar; question would be why this test is triggering xprotect as it seems evident there's no signature (current theory)
t
oh i see
o
To update here my observations: where the event has a `team` set that is not 'null', an xprotect_report is generated; where xprotect triggers but `team` is 'null' a report is not generated, e.g.:
```json
{
  "message": {
    "Count": 3,
    "allowed": false,
    "authority": "none",
    "blockType": 2,
    "cdhash": "7a190612b115d9d243c309100df0acce7531c3b3",
    "class": 0,
    "evaluationPath": 2,
    "filename": "a.out",
    "matchedRuleName": "MACOS.b17a97e",
    "result": 11,
    "signingID": "a.out",
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
```
Though ^ was pulled from the `/Library/Logs/DiagnosticReports/` folder 🤔
vs:
```json
{
  "message": {
    "Count": 1,
    "allowed": false,
    "authority": "no usable signature",
    "blockType": 2,
    "cdhash": null,
    "class": 0,
    "evaluationPath": 1,
    "filename": "eicar.com 2",
    "matchedRuleName": "OSX.eicar.com.i",
    "result": 11,
    "signingID": null,
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
```
(which has an xprotect_reports entry)
t
@oneiroi in the original test case (from the issue) was a diagnostic report always generated?
(assuming you selected report to apple)
o
@terracatta afaict, yes, I've ones from the 7th, && 12th:
```
grep -i 'a\.out' /Library/Logs/DiagnosticReports/*
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-07-010545.0003.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"01ed682b45eb68e5556a4db398d706fa0b0f1671","fileIdentifier":"gh","fileSize":36404706,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b15fdb648373983d4ef8d31265abf12c2f9cb04b5afebdc44d66b2d9d7be478a","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1661418460,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"df10de17e78f17c3ccbf2a827fab9e7154f0629a","fileIdentifier":"gh","fileSize":36114658,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b9612ab3d0f2e56fd8f20597bca81c18ffed327149bcdac1319872163f7f12e2","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1657819043,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":3,"allowed":false,"authority":"none","blockType":2,"cdhash":"7a190612b115d9d243c309100df0acce7531c3b3","class":0,"evaluationPath":2,"filename":"a.out","matchedRuleName":"MACOS.b17a97e","result":11,"signingID":"a.out","teamID":null},"name":"XProtectAssessmentResultData3","sampling":100,"uuid":"47718d33-c81e-4953-8931-3d0b6631f538_2"}
```