https://github.com/osquery/osquery logo
Join Slack
Powered by
Hey y'all, I've been playing around with some quer...
# fleet
m
Hey y'all, I've been playing around with some queries, and I think the docs for the 
xprotect_meta
table might be wrong: https://fleetdm.com/tables/xprotect_meta 
min_version
- The minimum allowed plugin version.
But when I query some Macs, I see "com.viewanysearch", which looks pretty sketchy, with its minimum version listed as "any". Should this actually say: 
min_version
- The minimum banned plugin version
It might also be that we just have insufficient schema here. Like rather than "any", min_version should only be set if the type of ban is for an extension or plugin BELOW a specific version, rather than a ban of an extension or plugin altogether (e.g. this 
com.anysearch
thing which is presumably effectively a virus)
Went ahead and tracked an issue here about it: https://github.com/fleetdm/fleet/issues/9545
z
Maybe better for #macos channel?
It does seem like the docs should say "minimum blocked plugin version"
m
Seems like it should be the opposite though, right? I would think "minimum ALLOWED plugin version" If it was a block, I would think "maximum banned version" e.g. if com.anysearch has a vulnerability ≤v4.0.2, then we'd want to allow only versions above that version. (Not ban) But if com.anysearch is inherently something that should be blocked, then it should be banned at any version (and no version should be allowed- not any version)
z
Apple doesn't document this but people's analysis generally seems to be that this is a blocklist of safari extensions based on known malware. I think the reason for a minimum version is because of some extensions that have started out good but then later introduced malware.
Although the file on my machine doesn't actually set a version for any of these, so it might be just that the versions are used in a separate part of that file.
m
Ah, I see so then 
min_version
is actually min_version blocked Looks like it's set for some other random things like flash player and Java:
z
Since it's not documented, we can only speculate. They don't seem to set any versions for 
ExtensionBlacklist
entries (which is where the 
anysearch
is). They do set it for 
PluginBlacklist
where it might actually be correct as documented.
[This analysis}(https://nixhacker.com/security-protection-in-macos-2/) agrees with that interpretation that for some of these plugins it's a minimum required version.
m
👍 k, got it. Thanks! I'll unroll all those goodies into the issue so someone can grab it and run with it. If you're a contributor reading this and want to take a pass at updating the docs, feel free to jump in! (You can actually make the edit in the browser on fleetdm.com/tables/xprotect_meta by hitting the "Edit this page" button. For tips on formatting, see the other tables)
z
Arguably these could be separate tables since it's not sure that the columns apply across all the types.
Open in Slack
PreviousNext
Powered by