# macos
Hi, wonder if anyone has gotten the xprotect_reports table working? I was testing a binary that would trigger XProtect to reject it, but the xprotect_reports table is still empty, why? Maybe I'm missing some switches in osquery to turn the report on?
If anyone’s willing to help, I could send the steps to trigger Xprotect.
I checked the source code for the locations of the report log files, and realized I don't have any XProtect-related log files stored in these locations with the XProtect prefix on my Catalina, so I filed a bug => https://github.com/osquery/osquery/issues/6588
@Zhen I looked into this myself recently and also came up blank when attempting to find any records from XProtect for caught malware. I think you are right that something changed between minor OS releases and it wasn't caught.
[necro warning] however;
is non-functional and it seems like this has been the case for some time; https://github.com/osquery/osquery/issues/6588 I added a comment today that, given this is planned for improvement in the next macOS release and that many are likely reliant on
for reporting capability via OSquery, the table should be sought to be fixed, if not now, then when the revamped functionality becomes available.