salopensource / sal

Modular reporting for Endpoints
Apache License 2.0
212 stars, 64 forks

Latest XProtect Version is not detected by default plugin #317

Closed 1dustindavis closed 5 years ago

1dustindavis commented 5 years ago

Describe the bug
The latest XProtect version shipped by Apple (2102) does not update Version in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist.

The current plugin that ships with Sal uses that plist to determine the machine's current XProtect version, but an up-to-date machine with 2102 still returns 2101.

You can check if a machine has 2102 by checking for the pkg receipt: pkgutil --pkg-info com.apple.pkg.XProtectPlistConfigData.16U4051. Sadly, that command is specific to each XProtect release, so it can not be used generically without additional processing.

To Reproduce
Steps to reproduce the behavior:

  1. Confirm an enrolled machine has 2102 by running pkgutil --pkg-info com.apple.pkg.XProtectPlistConfigData.16U4051
  2. Check the "XProtect" plugin on Sal's homepage
  3. Only 2101.0 is displayed

Expected behavior
The plugin should display 2102 for all machines with 2102 installed.


Additional context
The issue is fairly straightforward, but since Apple does not document XProtect, it is not clear if the issue will be resolved in a future XProtect version, or if this is the way it will be forever.

One potential solution would be to use the pkg receipt to determine the current version, but as I mentioned above, that will require additional logic to determine the latest version.

This bash one-liner (stolen from Rich Trouton with slight modifications) shows one method:

for i in $(pkgutil --pkgs=".*XProtect.*"); do pkgutil --pkg-info $i | awk '/version/ {print $2}'; done | sort -n | tail -1
2102.1.1555398512

1dustindavis commented 5 years ago

At least on 10.14.4 with XProtect version 2102, this command works:

defaults read /System/Library/CoreServices/XProtect.bundle/Contents/version.plist CFBundleShortVersionString

I can submit a PR, but I have no idea if this is reliable on older OS or XProtect versions. (Testing old XProtect versions sounds really annoying.)

grahamgilbert commented 5 years ago

I'm fine with a split in the logic for 10.13 and 10.14. All we really need to know is if the old method works on 10.13. If so, I'm happy to make the assumption that the fruit co just changed it for 10.14.

erikng commented 5 years ago

Dustin, spin up an old OS without network access and run that command. If it works and is accurate I'd say there's a pretty high chance it will always work.

Good catch btw.

Thanks, Erik Gomez


1dustindavis commented 5 years ago

A new XProtect version was released today and actually has the correct version number in XProtect.meta.plist, so I am closing this since it was likely just a one-time mistake on Apple's side.