How to monitor XProtect updates in OS X

OS X does not provide a way to monitor XProtect updates, but you can set up a custom script to do so.

Apple's XProtect system (aka File Quarantine) in OS X is a rudimentary anti-malware scanner that will perform a quick check on downloaded files to make sure they do not contain known malware, and will block any versions of Web plug-ins like Java and Flash that have known vulnerabilities.

XProtect runs in the background with no interaction with the user, which is convenient, but it does mean that when it gets updated, users may find themselves unexpectedly unable to access some Web content. Even though quickly updating plug-ins should get you around this inconvenience, it may be useful to know if the block happened because of XProtect or for some other reason that may need to be investigated.

XProtect updater notification
With a small custom script, you can cause the system to notify you when its XProtect definitions are updated. Screenshot by Topher Kessler/CNET

Unfortunately, Apple does not provide notifications when XProtect is updated; however, you can implement a routine of your own that will check for and notify you of any updates.

Deep in the system folder, XProtect stores two files called "XProtect.plist" and "XProtect.meta.plist" that contain information on the plug-in versions being blocked, when XProtect was updated, and definitions for new malware threats. Using these files, you can set up a small background script that will regularly check for any changes and then send you a notification if one occurs.

As with other system-monitoring approaches , this setup involves creating a simple script that issues a notification, and then setting up a launch agent to periodically run that script.

terminal-notifier in Utilities folder
Place terminal-notifier in your Utilities folder to install it. Screenshot by Topher Kessler/CNET

Install terminal-notifier
In order to receive notifications from shell scripts, you first need to download the tool terminal-notifier and place it in the /Applications/Utilities folder on your system. This tool cannot be run directly, but contains all the features needed to use Apple's Notification Center feature in Mountain Lion.

Create the notification script
The next step is to create the script that will issue the notification, so to do this first open the OS X Terminal utility and enter the following command to create the script file called "xprotectnotify.sh" in the global Library folder (supply your password when prompted):

sudo pico /Library/xprotectnotify.sh

Then select the following script and copy it into the Terminal's text editor:

#!/bin/bash

if [ `md5 -q /System/Library/CoreServices/CoreTypes.bundle/Contents/Reso\
urces/XProtect.meta.plist` == `md5 -q ~/.XProtect.meta.plist` ] ; then
	echo "No change"
else
	UPDATED=`defaults read /System/Library/CoreServices/CoreTypes.b\
undle/Contents/Resources/XProtect.meta.plist LastModification`
	/Applications/Utilities/terminal-notifier.app/Contents/MacOS/ter\
minal-notifier -title "XProtect Updated" -message "$UPDATED"
	cp /System/Library/CoreServices/CoreTypes.bundle/Contents/Resour\
ces/XProtect.meta.plist ~/.XProtect.meta.plist
fi

Finally press Control-O to save followed by Control-X to quit, and then run the following command to make the script executable:

sudo chmod +x /Library/xprotectnotify.sh

At this point the script can be run directly in the Terminal by entering the full path to it (/Library/xprotectnotify.sh), which should make it try to compare the system's XProtect "meta" file with a hidden copy in your home directory. If the copy does not exist or is different from the official one, then it will notify you that a change has occurred and then update the copy to reflect the one the system is using.

Create launch agent
The final step is to create the launch agent that will load and run the notification script on a regular basis. To do this, in Terminal run the following command to create and edit the agent file:

pico ~/Library/LaunchAgents/local.XProtectNotify.plist

Now copy the following lines to the Terminal's text editor that should be open, followed again by pressing Control-O and then Control-X to save and quit:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>local.XProtectNotify</string>
	<key>ProgramArguments</key>
	<array>
		<string>/Library/xprotectnotify.sh</string>
	</array>
	<key>QueueDirectories</key>
	<array/>
	<key>StartInterval</key>
	<integer>3600</integer>
</dict>
</plist>

In this launch agent the number "3600" indicates it will run the script every hour, but you can change this to any number of seconds you would like, so you can set the script to run every few hours, only once or twice per day, or at any other interval.

After saving, log out and log back in to your user account, and you're done. This script is a very lightweight routine that would have a negligible impact on the system even if run every few seconds. However, if at any point you would like to undo these changes, then run the following three commands separately in the Terminal:

sudo rm /Library/xprotectnotify.sh
rm ~/Library/LaunchAgents/local.XProtectNotify.plist
rm ~/.XProtect.meta.plist

This script will simply notify you when XProtect is updated; however, you may be able to find some third-party tools to use that can display the status of XProtect and information on its latest definitions, and use it either instead of or in addition to this script.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

 

ARTICLE DISCUSSION

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

The Next Big Thing

Consoles go wide and far beyond gaming with power and realism.