Title
#macos
z

Zhen

08/05/2020, 10:22 PM
Hi, wonder if anyone has got xprotect_reports table working? I was testing a binary that would trigger xprotect to reject, but xprotect_reports table still empty, why? Maybe I miss some switches in Osquery to turn the report on?
4:50 PM
If anyone’s willing to help, I could send the steps to trigger Xprotect.
3:22 AM
I checked the source code about locations of the report log files, and realize I don’t have Xprotect related log files stored in these locations with Xprotect prefix on my Catalina, so I filed a bug => https://github.com/osquery/osquery/issues/6588
f

fritz

08/18/2020, 1:03 PM
@Zhen I looked into this myself recently and also came up blank when attempting to find any records from XProtect for caught malware. I think you are right that something changed between minor OS releases and it wasn't caught.
o

oneiroi

09/02/2022, 2:20 PM
[necro warning] however;
xprotect_reports
is non functional and seems like this has been the case for sometime; https://github.com/osquery/osquery/issues/6588 I added a comment today, that given this is planned for improvement in the next macOS release and that many are likely reliant on
xprotect_reports
for reporting capability via OSquery the table should be sought to be fixed, if not now, then when the revamped functionality becomes available.
f

fritz

09/02/2022, 2:22 PM
🧟