Purposely trigger XProtect detectors?

I have an Endpoint system extension that, in theory, receives XProtect alerts.

I regularly see XProtectPluginService starting programs like XProtectRemediatorSheepSwap on my Mac.

I would love to be able to put one or more files/bundles on my Mac that triggers the detectors, so I can see the alerts go from the Endpoint system extension through to the UI.

Does Apple have or recommend a way (short of being infected) for triggering the XProtect detectors for testing?

Does Apple have or recommend a way … for triggering the XProtect detectors for testing?

Not that I’ve seen.

Although one trick I recently learnt about is gktool, which allows you to run a Gatekeeper scan on a file explicitly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Does Apple have or recommend a way (short of being infected) for triggering the XProtect detectors for testing?

Yes:

  • $ echo -n 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' >/tmp/eicar
  • Watch your ES client, or optionally use eslogger directly: sudo eslogger xp_malware_remediated
  • run /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect
  • Get an ES XProtect event
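As an added example, not part of either answer above: a shell script that automates the steps the second answer lists. It writes the EICAR file with printf rather than echo -n (echo -n is not portable, and some shells' echo interprets the backslash inside the string), then checks the file's size and SHA-256 before handing it to XProtect, so a mangled test file is caught before you spend time wondering why no event arrived. The EICAR string and the XProtect binary path are the ones given in the answer; the function names, the EICAR_DEMO guard and the use of the published EICAR SHA-256 as the integrity check are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum thread): write the EICAR test file exactly,
# verify it was not mangled by the shell, then hand it to XProtect on macOS.
# The EICAR string and the XProtect binary path are quoted from the answer above;
# the SHA-256 is the published hash of the 68-byte EICAR file.

EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
EICAR_LEN=68
EICAR_SHA256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
XPROTECT_BIN=/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect

# printf '%s' rather than echo -n: echo -n is not portable (some /bin/sh print
# the "-n" literally) and some echo implementations interpret the backslash.
# The value is expanded inside double quotes, so the $EICAR and $H in the string
# are not expanded a second time.
write_eicar() {
    printf '%s' "$EICAR" > "$1"
}

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Byte count, with the leading whitespace that BSD wc emits stripped.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 only if the file is byte-for-byte the EICAR test file. A trailing
# newline, an expanded $EICAR, or a dropped backslash all change the hash and
# would leave the detector with nothing to match.
verify_eicar() {
    [ "$(size_of "$1")" = "$EICAR_LEN" ] || { echo "bad size: $(size_of "$1")" >&2; return 1; }
    [ "$(sha256_of "$1")" = "$EICAR_SHA256" ] || { echo "bad hash" >&2; return 1; }
}

# macOS only: run the XProtect binary exactly as the answer describes, with
# "sudo eslogger xp_malware_remediated" already running in another terminal
# (or your own ES client subscribed). Returns 2 off macOS or if the binary is
# not present, so the script stays harmless elsewhere.
run_xprotect_scan() {
    [ "$(uname)" = Darwin ] && [ -x "$XPROTECT_BIN" ] || return 2
    "$XPROTECT_BIN"
}

# Guarded so that sourcing the file only defines the functions.
if [ "${EICAR_DEMO:-}" = 1 ]; then
    write_eicar /tmp/eicar && verify_eicar /tmp/eicar && run_xprotect_scan
fi
```

Run it on the Mac under test with `EICAR_DEMO=1 sh eicar_xprotect.sh` after starting `sudo eslogger xp_malware_remediated` in a second terminal; if verify_eicar reports a bad size or hash, the file was altered by the shell or editor that produced it and XProtect is not expected to fire on it.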