#kolide
oneiroi

09/02/2022, 2:38 PM
Hi guys 👋 , QQ Given this: https://www.kolide.com/blog/new-inventory-windows-defender-and-xprotect-reports && given this issue is presently unsolved https://github.com/osquery/osquery/issues/6588 , I presume Kolide have opted to use file_events to intercept when the report file is generated (within `~Library/Logs/DiagnosticReports`), then an augeas lens to parse the json values to catch these reports? I've been currently solution engineering something similar, appreciate may not be something you wish to comment on however 😅
terracatta

09/02/2022, 5:05 PM
Hi oneiroi, I was never able to reproduce that bug report. The `xprotect_reports` table worked correctly on macOS 12 when I wrote that article. I tested it by running a malware test sample and saw that it created the diagnostic report as expected and that osquery parses it correctly.
5:07 PM
If you are interested in learning more, see this companion article: https://www.kolide.com/blog/do-macs-need-third-party-antivirus-for-soc-2-compliance
oneiroi

09/05/2022, 3:36 PM
Thanks @terracatta, oddly, I saw the opposite on 12.5.1 🤔 I'll t.a.l at the companion article you linked, thanks!
9:13 AM
On the above, thanks, though I can confirm that when following the test steps in https://github.com/osquery/osquery/issues/6588 I do not get an entry in `xprotect_reports`; running theory is the test might be a skipped pattern, but I do not presently have any evidence of this, happy to hear anything you may be able to offer on this. Thanks!
terracatta

09/09/2022, 4:19 PM
curious if you set up your device as new or if it's been upgraded from older versions of macOS
oneiroi

09/09/2022, 4:22 PM
M1 Pro 2021, iirc I've done minor version updates, but no major version jumps iirc
terracatta

09/09/2022, 4:23 PM
I will retest over this weekend and see if it still generates reports
4:23 PM
i used the EICAR file to test, if you do that, do you get a report?
4:24 PM
like download a file with eicar magic string, set it as executable and then try to run it
oneiroi

09/09/2022, 4:24 PM
👍 will test this now
terracatta

09/09/2022, 4:24 PM
curious if this is malware specific
oneiroi

09/09/2022, 4:27 PM
➜  /tmp curl https://www.eicar.com/download/eicar-com-2/\?wpdmdl\=8842\&refresh\=631b68bd773ad1662740669 -L -so eicar-test
➜  /tmp chmod +x eicar-test 
➜  /tmp ./eicar-test 
./eicar-test: line 1: syntax error near unexpected token `P^'
./eicar-test: line 1: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
Throws string errors, I'm presuming your test was different?
4:32 PM
(tried the com file also, no change 😩 )
terracatta

09/09/2022, 4:33 PM
try double clicking the file from the UI
4:33 PM
not running it via the CLI
oneiroi

09/09/2022, 4:33 PM
opens with textedit 😩
terracatta

09/09/2022, 4:40 PM
ok cool
4:40 PM
now click an action and move to the bin
4:40 PM
and see if it gens a report
oneiroi

09/09/2022, 4:44 PM
Same process as eicar, selected "move to bin" && "Report malware to Apple" ... no entry 🤔
terracatta

09/09/2022, 4:44 PM
might be a bug in Apple’s side
4:44 PM
and they keep testing the EICAR file and not real malware
4:49 PM
when you run that test file do you see any errors in the console app related to diagnostic reports failing to generate or anything like that?
4:49 PM
perhaps it is trying to generate a report but something fails
4:49 PM
and maybe the console app will give you more insight
oneiroi

09/09/2022, 4:52 PM
default	17:50:07.911772+0100	kernel	AMFI: '/Users/aegishjalmur/Documents/samples/a.out' has no CMS blob?
default	17:50:07.911782+0100	kernel	AMFI: '/Users/aegishjalmur/Documents/samples/a.out': Unrecoverable CT signature issue, bailing out.
default	17:50:08.669773+0100	syspolicyd	GK evaluateScanResult: 2, PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE), 0, 0, 1, 0, 0, 0, 11
default	17:50:08.670181+0100	syspolicyd	Prompt shown (2, 0), waiting for response: PST: (vuid: 5257C4CD-05BE-460F-BC9F-E79D41385D01), (objid: 9366778), (team: (null)), (id: a.out), (bundle_id: NOT_A_BUNDLE)
default	17:50:12.176692+0100	kernel	ASP: Security policy would not allow process: 45006, /Users/aegishjalmur/Documents/samples/a.out
4:56 PM
As the `team` is null, suspecting this is not creating the entry
terracatta

09/09/2022, 4:57 PM
eicar doesn’t have a team either so I don’t think that’s it
oneiroi

09/09/2022, 4:58 PM
iirc the `team` holds the malware signature, in this case that would be the mapping needed for eicar; question would be why this test is triggering xprotect as it seems evident there's no signature (current theory)
terracatta

09/09/2022, 4:58 PM
oh i see
oneiroi

09/12/2022, 6:26 PM
To update here my observations, where the event has a `team` set that is not 'null', an xprotect_report is generated; where xprotect triggers but `team` is 'null' a report is not generated e.g.:
{
  "message": {
    "Count": 3,
    "allowed": false,
    "authority": "none",
    "blockType": 2,
    "cdhash": "7a190612b115d9d243c309100df0acce7531c3b3",
    "class": 0,
    "evaluationPath": 2,
    "filename": "a.out",
    "matchedRuleName": "MACOS.b17a97e",
    "result": 11,
    "signingID": "a.out",
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
Though ^ was pulled from the `/Library/Logs/DiagnosticReports/` folder 🤔
6:28 PM
vs:
{
  "message": {
    "Count": 1,
    "allowed": false,
    "authority": "no usable signature",
    "blockType": 2,
    "cdhash": null,
    "class": 0,
    "evaluationPath": 1,
    "filename": "eicar.com 2",
    "matchedRuleName": "OSX.eicar.com.i",
    "result": 11,
    "signingID": null,
    "teamID": null
  },
  "name": "XProtectAssessmentResultData3",
  "sampling": 100,
  "uuid": "47718d33-c81e-4953-8931-3d0b6631f538_2"
}
(which has an xprotect_reports entry)
terracatta

09/12/2022, 7:00 PM
@oneiroi in the original test case (from the issue) was a diagnostic report always generated?
7:00 PM
(assuming you selected report to apple)
oneiroi

09/12/2022, 7:02 PM
@terracatta afaict, yes, I've ones from the 7th, && 12th:
grep -i 'a\.out' /Library/Logs/DiagnosticReports/*                                                                                     
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-07-010545.0003.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"01ed682b45eb68e5556a4db398d706fa0b0f1671","fileIdentifier":"gh","fileSize":36404706,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b15fdb648373983d4ef8d31265abf12c2f9cb04b5afebdc44d66b2d9d7be478a","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1661418460,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":1,"bundleIdentifier":null,"bundleVersion":null,"cdhash":"df10de17e78f17c3ccbf2a827fab9e7154f0629a","fileIdentifier":"gh","fileSize":36114658,"isLibrary":false,"isQuarantined":false,"isSigned":true,"isUsed":true,"isValid":true,"mainExecutableHash":"b9612ab3d0f2e56fd8f20597bca81c18ffed327149bcdac1319872163f7f12e2","responsibleFileIdentifier":"Terminal.app/Contents/MacOS/Terminal","signatureTimestamp":1657819043,"signingIdentifier":"a.out","teamIdentifier":null},"name":"ExecutableMeasurementRawAggregatedData3","sampling":100,"uuid":"3052871a-7d51-4087-b1e2-513a25236db7_2"}
/Library/Logs/DiagnosticReports/Analytics-Daily-2022-09-12-092438.0004.core_analytics:{"message":{"Count":3,"allowed":false,"authority":"none","blockType":2,"cdhash":"7a190612b115d9d243c309100df0acce7531c3b3","class":0,"evaluationPath":2,"filename":"a.out","matchedRuleName":"MACOS.b17a97e","result":11,"signingID":"a.out","teamID":null},"name":"XProtectAssessmentResultData3","sampling":100,"uuid":"47718d33-c81e-4953-8931-3d0b6631f538_2"}