Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
mikermcneil
01/28/2023, 12:17 AMHey y'all, I've been playing around with some queries, and I think the docs for the
xprotect_metaBut when I query some Macs, I see "com.viewanysearch", which looks pretty sketchy, with its minimum version listed as "any". Should this actually say:- The minimum allowed plugin version.min_version
- The minimum banned plugin versionmin_version
It might also be that we just have insufficient schema here. Like rather than "any", min_version should only be set if the type of ban is for an extension or plugin BELOW a specific version, rather than a ban of an extension or plugin altogether (e.g. this
com.anysearchWent ahead and tracked an issue here about it: https://github.com/fleetdm/fleet/issues/9545
z
zwass
01/28/2023, 12:39 AMMaybe better for #macos channel?
It does seem like the docs should say "minimum blocked plugin version"
https://eclecticlight.co/2020/10/27/xprotect-what-do-we-know-about-it/ discusses a bit more.
m
mikermcneil
01/28/2023, 12:54 AMSeems like it should be the opposite though, right?
I would think "minimum ALLOWED plugin version"
If it was a block, I would think "maximum banned version"
e.g. if com.anysearch has a vulnerability ≤v4.0.2, then we'd want to allow only versions above that version. (Not ban)
But if com.anysearch is inherently something that should be blocked, then it should be banned at any version (and no version should be allowed- not any version)
z
zwass
01/28/2023, 12:55 AMApple doesn't document this but people's analysis generally seems to be that this is a blocklist of safari extensions based on known malware. I think the reason for a minimum version is because of some extensions that have started out good but then later introduced malware.
Although the file on my machine doesn't actually set a version for any of these, so it might be just that the versions are used in a separate part of that file.
m
mikermcneil
01/28/2023, 12:57 AMAh, I see so then
min_versionz
zwass
01/28/2023, 12:58 AMSince it's not documented, we can only speculate. They don't seem to set any versions for
ExtensionBlacklistanysearchPluginBlacklist[This analysis}(https://nixhacker.com/security-protection-in-macos-2/) agrees with that interpretation that for some of these plugins it's a minimum required version.
m
mikermcneil
01/28/2023, 1:00 AM👍 k, got it. Thanks! I'll unroll all those goodies into the issue so someone can grab it and run with it.
If you're a contributor reading this and want to take a pass at updating the docs, feel free to jump in! (You can actually make the edit in the browser on fleetdm.com/tables/xprotect_meta by hitting the "Edit this page" button. For tips on formatting, see the other tables)
z
zwass
01/28/2023, 1:00 AMArguably these could be separate tables since it's not sure that the columns apply across all the types.