XProtect in 10.12.4/10.12.5 Beta

I'm looking at a problem with getting the latest XProtect update.


I noted on 10.12.4 and 10.12.5 beta (16F71b) that the updates weren't being applied.


This seems to be due to some sort of problem with older AirWatch Software Update profiles.


For the 10.12.4 box I uninstalled AirWatch and did "sudo softwareupdate --background-critical", and the new "OSX.Dok.A"/"OSX.Dok.B" versions of XProtect were installed.


I identified that the old AirWatch Software Update profile disables the checkbox for App Store preferences "Install system data files and security updates", but a newly created AirWatch profile doesn't disable this checkbox. The February 22nd XProtect update was correctly applied, so I assume this is either due to 10.12.4 changes by Apple or recent changes by AirWatch.


However now I have tried on 10.12.5, with a new Software Update profile (so the checkbox is shown) and without any Software Update profile, and it isn't refreshing the XProtect version when I do the "sudo softwareupdate --background-critical".


Is there any sensible way to see what the update tool is doing in regard to security updates, or does anyone know what servers it contacts so I can tcpdump the connection and at least get some insight?


I'm assuming 10.12.5 should get the update to XProtect?


Any tips on troubleshooting this welcome. I will try removing AirWatch on 10.12.5, and that'll be great for my boxes, as they'll all be patched, but I'll be out of test boxes for figuring out how to do it for the rest of the organisation.
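An added example (not from the original post or from Apple) for the two checks the question turns on: what XProtect version is actually installed, and whether the "Install system data files and security updates" box is on. It reads XProtect.meta.plist from the El Capitan/Sierra location named later in this thread. The preference file /Library/Preferences/com.apple.SoftwareUpdate.plist and its ConfigDataInstall / CriticalUpdateInstall keys are an assumption of this example, as is treating a missing key as "enabled"; the sample plists embedded below are constructed, not real files. On Sierra it also runs `log show` for the softwareupdated process, which is where the activity behind `softwareupdate --background-critical` is recorded.

```python
import os
import plistlib
import shutil
import subprocess
import sys
from typing import Optional

# Real path on El Capitan / Sierra (see the replies below). The SoftwareUpdate
# preference file and its keys are an assumption of this example; they are what
# backs the App Store checkbox that the old AirWatch profile disables.
XPROTECT_META = ("/System/Library/CoreServices/XProtect.bundle/"
                 "Contents/Resources/XProtect.meta.plist")
SWU_PREFS = "/Library/Preferences/com.apple.SoftwareUpdate.plist"

# Constructed sample of XProtect.meta.plist (version number and date invented).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Sat, 06 May 2017 00:00:00 GMT</string>
    <key>Version</key>
    <integer>2091</integer>
</dict>
</plist>
"""

# Constructed samples of com.apple.SoftwareUpdate.plist with the
# "Install system data files and security updates" box off and on.
SAMPLE_PREFS_OFF = b"""<plist version="1.0"><dict>
<key>ConfigDataInstall</key><false/>
<key>CriticalUpdateInstall</key><false/>
</dict></plist>"""

SAMPLE_PREFS_ON = b"""<plist version="1.0"><dict>
<key>ConfigDataInstall</key><true/>
<key>CriticalUpdateInstall</key><true/>
</dict></plist>"""


def xprotect_version(meta_plist: bytes):
    """Return (Version, LastModification) from an XProtect.meta.plist."""
    meta = plistlib.loads(meta_plist)
    return int(meta["Version"]), meta.get("LastModification", "")


def config_data_install_enabled(prefs_plist: bytes) -> bool:
    """True when background config-data installs (which carry XProtect) are on.
    A missing key is treated as enabled, the OS default (assumption)."""
    prefs = plistlib.loads(prefs_plist)
    return bool(prefs.get("ConfigDataInstall", True))


def read_if_present(path: str) -> Optional[bytes]:
    """Read a file, or return None if it is not there (e.g. off a Mac)."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def main() -> None:
    meta = read_if_present(XPROTECT_META) or SAMPLE_META
    version, stamp = xprotect_version(meta)
    print(f"XProtect version {version} ({stamp})")

    prefs = read_if_present(SWU_PREFS)
    if prefs is None:
        print("no SoftwareUpdate prefs found; showing the constructed sample")
        prefs = SAMPLE_PREFS_OFF
    print("ConfigDataInstall enabled:", config_data_install_enabled(prefs))

    # Sierra's unified log records what softwareupdated did; only run where
    # the `log` tool exists.
    if sys.platform == "darwin" and shutil.which("log"):
        subprocess.run(["log", "show", "--last", "30m",
                        "--predicate", 'process == "softwareupdated"'],
                       check=False)


if __name__ == "__main__":
    main()
```

Run it right after `sudo softwareupdate --background-critical`: if ConfigDataInstall reads False the profile is still in the way; if it reads True and the version has not moved, the log output is where to look next. For the packet-capture approach, the package downloads in the reply below come from swcdn.apple.com; the catalog lookup that precedes them is, to my knowledge, served from swscan.apple.com (an assumption here, not something the thread states), so a capture filtered on those two hosts is the place to start.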

You can install it manually if you want:


New XProtect for El Capitan and Sierra:


http://swcdn.apple.com/content/downloads/12/27/091-13407/6j13mem461qqb1sq9dp863ihpp70ue16vb/XProtectPlistConfigData_1011.pkg


Also here is the new XProtect for systems older than El Capitan:


http://swcdn.apple.com/content/downloads/28/47/091-13408/pay9lbdswdjq849dsi1ek713cpl9aud86y/XProtectPlistConfigData.pkg


For Sierra you need to install the XProtectPlistConfigData_1011.pkg version.


EDIT: links updated for version dated May 6, 2017.

Are you sure about this?

Using WallsOfTroy.app, this ...ConfigData_1011.pkg shows me an empty list on Sierra 10.12.5B5,

but installing the ConfigData.pkg lists all the malware, including the Dok.A and Dok.B entries.

Yes.


The contents are the same, but the difference between them is that they install into different places on the mac depending on what system you use.


For systems older than el capitan the XProtectPlistConfigData.pkg version installs it at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist .


Whereas for El Capitan and Sierra, the XProtectPlistConfigData_1011.pkg version installs it at /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist .


In either case you can open XProtect.plist with textedit to see the contents.


So basically, starting with El Capitan, XProtect gets its own special bundle, whereas previously it was placed into the CoreTypes bundle.


Also, in El Capitan and Sierra there is still an alias of XProtect.plist in the CoreTypes bundle but that points to the real XProtect.plist file in the XProtect bundle.


This change was done to enhance the security of XProtect.


But as older systems are still supported for now, this therefore necessitates the existence of 2 versions of the XProtect installers every time XProtect is updated.
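An added example (not the poster's code and not Apple's) that turns the location rule above into something you can run: pick the real XProtect.plist path and the matching installer from the OS version, then parse the plist and list what it detects, which is the check the "empty list" report earlier was really after. The plist layout used here (a top-level array of dicts with Description and Matches keys) is how XProtect.plist is structured, but the embedded sample is constructed: the two Dok names come from the thread, while the match rules, hash bytes and app name in it are invented for the example.

```python
import plistlib
from typing import Optional

CORETYPES_PLIST = ("/System/Library/CoreServices/CoreTypes.bundle/"
                   "Contents/Resources/XProtect.plist")
XPROTECT_BUNDLE_PLIST = ("/System/Library/CoreServices/XProtect.bundle/"
                         "Contents/Resources/XProtect.plist")


def parse_version(version: str):
    """'10.12.5' -> (10, 12, 5) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def real_xprotect_plist_path(macos_version: str) -> str:
    """Real file lives in XProtect.bundle from 10.11 on, CoreTypes.bundle before."""
    if parse_version(macos_version) >= (10, 11):
        return XPROTECT_BUNDLE_PLIST
    return CORETYPES_PLIST


def package_for(macos_version: str) -> str:
    """Which of the two installers posted above matches this OS version."""
    if parse_version(macos_version) >= (10, 11):
        return "XProtectPlistConfigData_1011.pkg"
    return "XProtectPlistConfigData.pkg"


# Constructed sample XProtect.plist: names from the thread, rules invented.
SAMPLE_XPROTECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
    <dict>
        <key>Description</key><string>OSX.Dok.A</string>
        <key>LaunchServices</key>
        <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
        <key>Matches</key>
        <array>
            <dict>
                <key>Identity</key><data>AQIDBAU=</data>
                <key>MatchFile</key>
                <dict><key>NSURLTypeIdentifierKey</key><string>com.apple.application-bundle</string></dict>
                <key>MatchType</key><string>Match</string>
            </dict>
        </array>
    </dict>
    <dict>
        <key>Description</key><string>OSX.Dok.B</string>
        <key>LaunchServices</key>
        <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
        <key>Matches</key>
        <array>
            <dict>
                <key>MatchFile</key>
                <dict><key>NSURLNameKey</key><string>Sample.app</string></dict>
                <key>MatchType</key><string>Match</string>
                <key>Pattern</key><string>Sample</string>
            </dict>
        </array>
    </dict>
</array>
</plist>
"""


def signatures(plist_bytes: bytes) -> list:
    """Parse an XProtect.plist into its list of signature dicts."""
    entries = plistlib.loads(plist_bytes)
    if not isinstance(entries, list):
        raise ValueError("XProtect.plist should be a top-level array")
    return entries


def signature_names(plist_bytes: bytes):
    return [entry.get("Description", "?") for entry in signatures(plist_bytes)]


def find_signature(plist_bytes: bytes, name: str) -> Optional[dict]:
    for entry in signatures(plist_bytes):
        if entry.get("Description") == name:
            return entry
    return None


def match_summary(sig: dict):
    """One line per match rule: a hash identity or a pattern match."""
    lines = []
    for rule in sig.get("Matches", []):
        identity = rule.get("Identity")
        if identity is not None:
            lines.append(f"{rule.get('MatchType')} hash {identity.hex()}")
        else:
            lines.append(f"{rule.get('MatchType')} pattern {rule.get('Pattern')!r}")
    return lines


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "10.12.5"
    path = real_xprotect_plist_path(version)
    print(f"macOS {version}: install {package_for(version)}; real file at {path}")
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE_XPROTECT  # off a Mac, fall back to the constructed sample
    for name in signature_names(data):
        print(name, match_summary(find_signature(data, name)))
```

Pointing `signature_names` at the CoreTypes path on Sierra is what the "empty list" report amounts to: if the wrong package put a stale real file there, the names you get back are the old set, not the ones just installed into XProtect.bundle.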

Thanks for this.. good to know....

so my WallsOfTroy.app is no longer useful.

It seems from what you posted that you may have installed the wrong version of XProtect into Sierra. I suggest you replace the incorrectly installed XProtect.plist and XProtect.meta.plist files in the CoreTypes bundle with appropriate alias files instead.


It probably won't be a problem for now - but will become a problem the next time XProtect is updated.


The latest version of Walls Of Troy, version 2.2.5 should also work OK with the aliases in the CoreTypes bundle - even after XProtect.plist is updated in the XProtect bundle.


Note however that Walls of Troy version 2.2.5 was released on April 3, 2015, yet the first developer preview of El Capitan was released 2 months later on June 8, 2015. Hence Walls of Troy does not incorporate the change of location of the real XProtect.plist file. Walls of Troy extracts information from /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist which is an alias in Sierra, not the real XProtect.plist file which is actually at /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist . It is the latter which is updated when XProtect is updated, not the alias file in the CoreTypes bundle. Hence a bug in Walls of Troy is that it shows the incorrect update date of XProtect, which in El Capitan and Sierra would be the date the alias file of XProtect.plist was created in the CoreTypes bundle instead of the date the real XProtect.plist file was updated in the XProtect bundle. These dates are almost always different.


This explains the review of the app by lacwbo in the app store "It shows all the malware that XProtect can recognize but does not always give the correct update date".
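An added example (mine, not the poster's and not Walls Of Troy's code) for two things the last two replies describe: telling apart the three states the CoreTypes path can be in on 10.11+ (an alias to XProtect.bundle, a stray real file left by the wrong installer, or nothing), and reading the update date from the real file rather than from the alias. It assumes the "alias" is a symbolic link, which is what os.lstat and os.path.realpath operate on; the dates it uses are file modification times. To run off a Mac it builds the 10.11+ layout under a temporary directory with invented timestamps, so nothing is written under /System.

```python
import os
import tempfile
import time

CORETYPES_RES = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
XPROTECT_RES = "/System/Library/CoreServices/XProtect.bundle/Contents/Resources"


def xprotect_file_info(path: str) -> dict:
    """Describe what sits at `path`: an alias (symlink), a regular file, or nothing.
    alias_mtime comes from os.lstat (the link itself, never followed);
    real_mtime from os.stat on the resolved target."""
    if not os.path.lexists(path):
        return {"status": "missing", "path": path}
    alias_mtime = os.lstat(path).st_mtime
    real_path = os.path.realpath(path)
    real_mtime = os.stat(real_path).st_mtime
    return {
        "status": "alias" if os.path.islink(path) else "regular-file",
        "path": path,
        "real_path": real_path,
        "alias_mtime": alias_mtime,
        "real_mtime": real_mtime,
    }


def xprotect_update_date(path: str) -> float:
    """The date a tool should display: mtime of the real file, not of the alias."""
    info = xprotect_file_info(path)
    if info["status"] == "missing":
        raise FileNotFoundError(path)
    return info["real_mtime"]


def layout_problem(coretypes_plist: str) -> str:
    """Verdict on the CoreTypes copy for an El Capitan / Sierra system."""
    info = xprotect_file_info(coretypes_plist)
    if info["status"] == "missing":
        return "no XProtect.plist in CoreTypes.bundle (Walls Of Troy shows nothing)"
    if info["status"] == "regular-file":
        return "real file in CoreTypes.bundle: wrong installer used, replace with an alias"
    return "ok: alias to " + info["real_path"]


def build_demo_layout(root: str, link_time: int, real_time: int) -> str:
    """Construct the 10.11+ layout under `root` (demo only; timestamps invented)."""
    real_dir = os.path.join(root, "XProtect.bundle", "Contents", "Resources")
    link_dir = os.path.join(root, "CoreTypes.bundle", "Contents", "Resources")
    os.makedirs(real_dir)
    os.makedirs(link_dir)
    for name in ("XProtect.plist", "XProtect.meta.plist"):
        real = os.path.join(real_dir, name)
        with open(real, "wb") as fh:
            fh.write(b'<plist version="1.0"><array/></plist>')
        os.utime(real, (real_time, real_time))
        link = os.path.join(link_dir, name)
        # relative link, the same shape as the system's own alias
        os.symlink(os.path.relpath(real, link_dir), link)
        os.utime(link, (link_time, link_time), follow_symlinks=False)
    return os.path.join(link_dir, "XProtect.plist")


def run_demo(link_time: int = 1443571200, real_time: int = 1494028800) -> dict:
    """Alias dated like an OS install, real file dated like a later XProtect push."""
    with tempfile.TemporaryDirectory() as root:
        alias = build_demo_layout(root, link_time, real_time)
        info = xprotect_file_info(alias)
        info["verdict"] = layout_problem(alias)
        info["update_date"] = xprotect_update_date(alias)
        # the wrong-installer case: a regular file sitting where the alias belongs
        stray = os.path.join(os.path.dirname(alias), "XProtect.stray.plist")
        open(stray, "wb").close()
        info["stray_verdict"] = layout_problem(stray)
        info["missing_verdict"] = layout_problem(os.path.join(root, "absent.plist"))
    return info


if __name__ == "__main__":
    def day(t):
        return time.strftime("%Y-%m-%d", time.gmtime(t))
    info = run_demo()
    print("alias date (what Walls Of Troy reads):", day(info["alias_mtime"]))
    print("real date  (what you want):           ", day(info["update_date"]))
    print("demo layout:", info["verdict"])
    print("this machine:", layout_problem(os.path.join(CORETYPES_RES, "XProtect.plist")))
```

The final line is the check to run on a real Sierra box: "ok: alias to ..." is the expected layout, "real file" is the wrong-package case described above, and "no XProtect.plist" is the state reported a few posts below.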

Here, on my systems there aren't any aliases in

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

so Walls Of Troy shows only a blank window.


Should I only make an alias of the XProtect.plist,

or better of the complete .bundle?

Inside /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ there should be aliases of XProtect.plist and XProtect.meta.plist which point to the real XProtect.plist and XProtect.meta.plist inside /System/Library/CoreServices/XProtect.bundle/Contents/Resources/


If you make these aliases, Walls Of Troy will work again - except for the problem of not displaying the correct update date. Never mind about that though, because the correct update date will display in /System/Library/CoreServices/XProtect.bundle/Contents/Resources/ anyway.


Also there is now a new XProtect. So I have updated the links above.

Hm, something here is wrong...

I have made these aliases, but in WOT there is an empty window...


What can I do to see these entries in WOT?

Well that is very strange.


I put the latest version of Walls Of Troy on 2 different computers, 1 with El Capitan and the other Sierra, and in both computers there are aliases


/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist


and


/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist


which point to


/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist


and


/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist


respectively.


In both cases I got Walls Of Troy working, except that they do not show the correct update date.


The correct update date does not show because it is the XProtect bundle which gets updated, not the aliases. Nevertheless Walls Of Troy still works with the aliases. If I want the correct update date, they are shown in the folder


/System/Library/CoreServices/XProtect.bundle/Contents/Resources/


Do you have the latest version of Walls Of Troy, and do your aliases point correctly to the real XProtect.plist and XProtect.meta.plist files?

Yes, WOT version 2.2.5 from the App Store, and both aliases are right.


There are no other .plist files, only these two?

The others are only .icns files and .lproj folders? Is this right..?

Yeah. Most of it is that, but there are some other things there too; they have nothing to do with Walls Of Troy or XProtect.

Hi, it just works after the final 10.12.5 installation; WOT now shows me the entries...


Thanks...
