Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
o
oneiroi
09/02/2022, 2:38 PMHi guys 👋 , QQ Given this: https://www.kolide.com/blog/new-inventory-windows-defender-and-xprotect-reports && given this issue is presently unsolved https://github.com/osquery/osquery/issues/6588 , I presume Kolide have opted to use file_events to intercept when the report file is generated (within
~Library/Logs/DiagnosticReportst
terracatta
09/02/2022, 5:05 PMHi oneiroi, I was never able to reproduce that bug report.
xprotect_reportsIf you are interested in learning more, see this companion article: https://www.kolide.com/blog/do-macs-need-third-party-antivirus-for-soc-2-compliance
o
oneiroi
09/05/2022, 3:36 PMThanks @terracatta ,oddly, I saw the opposite on 12.5.1 🤔 I'll t.a.l at the companion article you linked, thanks!
On the above thanks, though I can confirm when following the test steps in https://github.com/osquery/osquery/issues/6588 I can confirm I do not get an entry in
xprotect_reportst
terracatta
09/09/2022, 4:19 PMcurious if you setup your device as new or if it’s been upgraded from older versions of macOS
o
oneiroi
09/09/2022, 4:22 PMM1 Pro 2021, iirc I've done minor version updates, but no major version jumps iirc
t
terracatta
09/09/2022, 4:23 PMI will retest over this weekend and see if it still generates reports
i used the EICAR file to test, if you do that, do you get a report?
like download a file with eicar magic string, set it as executable and then try to run it
o
oneiroi
09/09/2022, 4:24 PM👍 will test this now
t
terracatta
09/09/2022, 4:24 PMcurious if this is malware specific
o
oneiroi
09/09/2022, 4:27 PM➜ /tmp curl <https://www.eicar.com/download/eicar-com-2/>\?wpdmdl\=8842\&refresh\=631b68bd773ad1662740669 -L -so eicar-test
➜ /tmp chmod +x eicar-test
➜ /tmp ./eicar-test
./eicar-test: line 1: syntax error near unexpected token `P^'
./eicar-test: line 1: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'(tried the com file also, no change 😩 )
t
terracatta
09/09/2022, 4:33 PMtry double clicking the file from the UI
not running it via the CLI
o
oneiroi
09/09/2022, 4:33 PMopens with textedit 😩
t
terracatta
09/09/2022, 4:40 PMok cool
now click an action and move to the bin
and see if it gens a report
o
oneiroi
09/09/2022, 4:44 PMSame process as eicar, selected "move to bin" && "Report malware to Apple" ... no entry 🤔
t
terracatta
09/09/2022, 4:44 PMmight be a bug in Apple’s side
and they keep testing the EICAR file and not real malware
when you run that test file do yo see any errors in the console app related to diagnostic reports failing to generate or anything like that?
perhaps it is trying to generate a report but something fails
and maybe the console app will give you more insight
o
oneiroi
09/09/2022, 4:52 PMdefault 17:50:07.911772+0100 kernel AMFI: '/Users/aegishjalmur/Documents/samples/a.out' has no CMS blob?
default 17:50:07.911782+0100 kernel AMFI: '/Users/aegishjalmur/Documents/samples/a.out': Unrecoverable CT signature issue, bailing out.
default 17:50:08.669773+0100 syspolicyd GK evaluateScanResult: 2, PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE), 0, 0, 1, 0, 0, 0, 11
default 17:50:08.670181+0100 syspolicyd Prompt shown (2, 0), waiting for response: PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE)
default 17:50:12.176692+0100 kernel ASP: Security policy would not allow process: 45006, /Users/aegishjalmur/Documents/samples/a.outAs the
teamnullt
terracatta
09/09/2022, 4:57 PMeicar doesn’t have a team either so I don’t think that’s it
o
oneiroi
09/09/2022, 4:58 PMiirc the
teamt
terracatta
09/09/2022, 4:58 PMoh i see
o
oneiroi
09/12/2022, 6:26 PMTo update here my observations, where the event has a
teamteam{
"message": {
"Count": 3,
"allowed": false,
"authority": "none",
"blockType": 2,
"cdhash": "7a190612b115d9d243c309100df0acce7531c3b3",
"class": 0,
"evaluationPath": 2,
"filename": "a.out",
"matchedRuleName": "MACOS.b17a97e",
"result": 11,
"signingID": "a.out",
"teamID": null
},
"name": "XProtectAssessmentResultData3",
"sampling": 100,
"uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}/Library/Logs/DiagnosticReports/vs:
{
"message": {
"Count": 1,
"allowed": false,
"authority": "no usable signature",
"blockType": 2,
"cdhash": null,
"class": 0,
"evaluationPath": 1,
"filename": "<http://eicar.com|eicar.com> 2",
"matchedRuleName": "OSX.eicar.com.i",
"result": 11,
"signingID": null,
"teamID": null
},
"name": "XProtectAssessmentResultData3",
"sampling": 100,
"uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}t
terracatta
09/12/2022, 7:00 PM@oneiroi in the original test case (from the issue) was a diagnostic report always generated?
(assuming you selected report to apple)
o
oneiroi
09/12/2022, 7:02 PM@terracatta afaict, yes, I've ones from the 7th, && 12th:
grep -i 'a\.out' /Library/Logs/DiagnosticReports/*
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-07-010545.0003.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"01ed682b45eb68e5556a4db398d706fa0b0f1671","fileIdentifier":"gh","fileSize":36404706,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b15fdb648373983d4ef8d31265abf12c2f9cb04b5afebdc44d66b2d9d7be478a","responsibleFileIdentifier":"<http://Terminal.app/Contents/MacOS/Terminal|Terminal.app/Contents/MacOS/Terminal>","signatureTimestamp":1661418460,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"df10de17e78f17c3ccbf2a827fab9e7154f0629a","fileIdentifier":"gh","fileSize":36114658,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b9612ab3d0f2e56fd8f20597bca81c18ffed327149bcdac1319872163f7f12e2","responsibleFileIdentifier":"<http://Terminal.app/Contents/MacOS/Terminal|Terminal.app/Contents/MacOS/Terminal>","signatureTimestamp":1657819043,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":3,"allowed":false,"authority":"none","blockType":2,"cdhash":"7a190612b115d9d243c309100df0acce7531c3b3","class":0,"evaluationPath":2,"filename":"a.out","matchedRuleName":"MACOS.b17a97e","result":11,"signingID":"a.out","teamID":null},"name":"XProtectAssessmentResultData3","sampling":100,"uuid":"47718d33-c81e-4953-8931-3d0b6631f538_2"}