#kolide

oneiroi

09/02/2022, 2:38 PM
Hi guys 👋, QQ: Given this: https://www.kolide.com/blog/new-inventory-windows-defender-and-xprotect-reports && given this issue is presently unsolved https://github.com/osquery/osquery/issues/6588, I presume Kolide have opted to use file_events to intercept when the report file is generated (within ~Library/Logs/DiagnosticReports), then an augeas lens to parse the json values to catch these reports? I've been currently solution engineering something similar, appreciate may not be something you wish to comment on however 😅

terracatta

09/02/2022, 5:05 PM
Hi oneiroi, I was never able to reproduce that bug report. The xprotect_reports table worked correctly on macOS 12 when I wrote that article. I tested it by running a malware test sample and saw that it created the diagnostic report as expected and that osquery parses it correctly.
If you are interested in learning more, see this companion article: https://www.kolide.com/blog/do-macs-need-third-party-antivirus-for-soc-2-compliance

oneiroi

09/05/2022, 3:36 PM
Thanks @terracatta, oddly, I saw the opposite on 12.5.1 🤔 I'll t.a.l at the companion article you linked, thanks!
On the above thanks, though I can confirm that when following the test steps in https://github.com/osquery/osquery/issues/6588 I do not get an entry in xprotect_reports. Running theory is the test might be a skipped pattern, but I do not presently have any evidence of this, happy to hear anything you may be able to offer on this. Thanks!

terracatta

09/09/2022, 4:19 PM
curious if you set up your device as new or if it’s been upgraded from older versions of macOS

oneiroi

09/09/2022, 4:22 PM
M1 Pro 2021, iirc I've done minor version updates, but no major version jumps iirc

terracatta

09/09/2022, 4:23 PM
I will retest over this weekend and see if it still generates reports
I used the EICAR file to test; if you do that, do you get a report?
like download a file with eicar magic string, set it as executable and then try to run it

oneiroi

09/09/2022, 4:24 PM
👍 will test this now

terracatta

09/09/2022, 4:24 PM
curious if this is malware specific

oneiroi

09/09/2022, 4:27 PM
➜  /tmp curl https://www.eicar.com/download/eicar-com-2/\?wpdmdl\=8842\&refresh\=631b68bd773ad1662740669 -L -so eicar-test
➜  /tmp chmod +x eicar-test
➜  /tmp ./eicar-test
./eicar-test: line 1: syntax error near unexpected token `P^'
./eicar-test: line 1: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
Throws string errors, I'm presuming your test was different?
(tried the com file also, no change 😩)

terracatta

09/09/2022, 4:33 PM
try double clicking the file from the UI
not running it via the CLI

oneiroi

09/09/2022, 4:33 PM
opens with textedit 😩

terracatta

09/09/2022, 4:40 PM
ok cool
now click an action and move to the bin
and see if it gens a report

oneiroi

09/09/2022, 4:44 PM
Same process as eicar, selected "move to bin" && "Report malware to Apple" ... no entry 🤔

terracatta

09/09/2022, 4:44 PM
might be a bug on Apple’s side
and they keep testing the EICAR file and not real malware
when you run that test file do you see any errors in the console app related to diagnostic reports failing to generate or anything like that?
perhaps it is trying to generate a report but something fails
and maybe the console app will give you more insight

oneiroi

09/09/2022, 4:52 PM
default	17:50:07.911772+0100	kernel	AMFI: '/Users/aegishjalmur/Documents/samples/a.out' has no CMS blob?
default	17:50:07.911782+0100	kernel	AMFI: '/Users/aegishjalmur/Documents/samples/a.out': Unrecoverable CT signature issue, bailing out.
default	17:50:08.669773+0100	syspolicyd	GK evaluateScanResult: 2, PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE), 0, 0, 1, 0, 0, 0, 11
default	17:50:08.670181+0100	syspolicyd	Prompt shown (2, 0), waiting for response: PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE)
default	17:50:12.176692+0100	kernel	ASP: Security policy would not allow process: 45006, /Users/aegishjalmur/Documents/samples/a.out
As the team is null, suspecting this is not creating the entry

terracatta

09/09/2022, 4:57 PM
eicar doesn’t have a team either so I don’t think that’s it

oneiroi

09/09/2022, 4:58 PM
iirc the team holds the malware signature, in this case that would be the mapping needed for eicar; question would be why this test is triggering xprotect as it seems evident there's no signature (current theory)

terracatta

09/09/2022, 4:58 PM
oh i see

oneiroi

09/12/2022, 6:26 PM
To update here my observations: where the event has a team set that is not 'null', an xprotect_report is generated; where xprotect triggers but team is 'null', a report is not generated, e.g.:
{
  "message": {
    "Count": 3,
    "allowed": false,
    "authority": "none",
    "blockType": 2,
    "cdhash": "7a190612b115d9d243c309100df0acce7531c3b3",
    "class": 0,
    "evaluationPath": 2,
    "filename": "a.out",
    "matchedRuleName": "MACOS.b17a97e",
    "result": 11,
    "signingID": "a.out",
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
Though ^ was pulled from the /Library/Logs/DiagnosticReports/ folder 🤔
vs:
{
  "message": {
    "Count": 1,
    "allowed": false,
    "authority": "no usable signature",
    "blockType": 2,
    "cdhash": null,
    "class": 0,
    "evaluationPath": 1,
    "filename": "eicar.com 2",
    "matchedRuleName": "OSX.eicar.com.i",
    "result": 11,
    "signingID": null,
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
(which has an xprotect_reports entry)

terracatta

09/12/2022, 7:00 PM
@oneiroi in the original test case (from the issue) was a diagnostic report always generated?
(assuming you selected report to apple)

oneiroi

09/12/2022, 7:02 PM
@terracatta afaict, yes, I have ones from the 7th && 12th:
grep -i 'a\.out' /Library/Logs/DiagnosticReports/*
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-07-010545.0003.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"01ed682b45eb68e5556a4db398d706fa0b0f1671","fileIdentifier":"gh","fileSize":36404706,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b15fdb648373983d4ef8d31265abf12c2f9cb04b5afebdc44d66b2d9d7be478a","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1661418460,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"df10de17e78f17c3ccbf2a827fab9e7154f0629a","fileIdentifier":"gh","fileSize":36114658,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b9612ab3d0f2e56fd8f20597bca81c18ffed327149bcdac1319872163f7f12e2","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1657819043,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":3,"allowed":false,"authority":"none","blockType":2,"cdhash":"7a190612b115d9d243c309100df0acce7531c3b3","class":0,"evaluationPath":2,"filename":"a.out","matchedRuleName":"MACOS.b17a97e","result":11,"signingID":"a.out","teamID":null},"name":"XProtectAssessmentResultData3","sampling":100,"uuid":"47718d33-c81e-4953-8931-3d0b6631f538_2"}