Apple's XProtect system (the malware-signature component of OS X's File Quarantine feature) is a rudimentary anti-malware scanner that performs a quick check on downloaded files to make sure they do not match known malware, and blocks versions of Web plug-ins like Java and Flash that have known vulnerabilities.
XProtect runs in the background with no interaction with the user, which is convenient, but it does mean that when it gets updated, users may find themselves unexpectedly unable to access some Web content. Even though quickly updating plug-ins should get you around this inconvenience, it may be useful to know if the block happened because of XProtect or for some other reason that may need to be investigated.
With a small custom script, you can cause the system to notify you when its XProtect definitions are updated.
(Credit: Screenshot by Topher Kessler/CNET)
Unfortunately, Apple does not provide notifications when XProtect is updated; however, you can implement a routine of your own that will check for and notify you of any updates.
Deep in the system folder, XProtect stores two files called "XProtect.plist" and "XProtect.meta.plist" that contain information on the plug-in versions being blocked, when XProtect was updated, and definitions for new malware threats. Using these files, you can set up a small background script that will regularly check for any changes and then send you a notification if one occurs.
As with other system-monitoring approaches, this setup involves creating a simple script that issues a notification, and then setting up a launch agent to periodically run that script.
Place terminal-notifier in your Utilities folder to install it.
(Credit: Screenshot by Topher Kessler/CNET)
Install terminal-notifier
In order to receive notifications from shell scripts, you first need to download the tool terminal-notifier and place it in the /Applications/Utilities folder on your system. The app does nothing if you double-click it; it is meant to be invoked from the command line, through the binary inside its bundle, and it gives shell scripts access to Mountain Lion's Notification Center.
Create the notification script
The next step is to create the script that will issue the notification. Open the OS X Terminal utility and enter the following command to create the script file "xprotectnotify.sh" in the global Library folder (supply your password when prompted):
sudo pico /Library/xprotectnotify.sh
Then select the following script and copy it into the Terminal's text editor:
#!/bin/bash
# Compare the live XProtect metadata file with a saved copy in your home folder.
# If the copy is missing or differs, post a notification and refresh the copy.
LIVE=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
SAVED="$HOME/.XProtect.meta.plist"
NOTIFIER=/Applications/Utilities/terminal-notifier.app/Contents/MacOS/terminal-notifier

if [ -f "$SAVED" ] && [ "$(md5 -q "$LIVE")" = "$(md5 -q "$SAVED")" ]; then
    echo "No change"
else
    # LastModification is the timestamp Apple records in the metadata file
    UPDATED=$(defaults read "$LIVE" LastModification)
    "$NOTIFIER" -title "XProtect Updated" -message "$UPDATED"
    cp "$LIVE" "$SAVED"
fi
Finally press Control-O to save followed by Control-X to quit, and then run the following command to make the script executable:
sudo chmod +x /Library/xprotectnotify.sh
At this point the script can be run directly in the Terminal by entering the full path to it (/Library/xprotectnotify.sh). Run it as your normal user, not with sudo, so that the home-folder path refers to your own account, as it will when the launch agent runs it later. The script compares the system's XProtect "meta" file with a hidden copy in your home directory; if the copy does not exist or differs from the official one, it notifies you that a change has occurred and then updates the copy to match the one the system is using. Note that the comparison only detects that the file changed; it is a change monitor, not a check of the file's authenticity.
Create launch agent
The final step is to create the launch agent that will load and run the notification script on a regular basis. To do this, in Terminal run the following command to create and edit the agent file (the LaunchAgents folder may not exist yet in a fresh account; create it first if the editor cannot save the file there):
pico ~/Library/LaunchAgents/local.XProtectNotify.plist
Now copy the following lines to the Terminal's text editor that should be open, followed again by pressing Control-O and then Control-X to save and quit:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>local.XProtectNotify</string>
<key>ProgramArguments</key>
<array>
<string>/Library/xprotectnotify.sh</string>
</array>
<key>QueueDirectories</key>
<array/>
<key>StartInterval</key>
<integer>3600</integer>
</dict>
</plist>
In this launch agent the number "3600" is the interval in seconds, so the script runs every hour; change it to any number of seconds you like, for instance to run every few hours or only once or twice per day.
After saving, log out and log back in to your user account (or load the agent immediately with launchctl load and the path to the plist), and you're done. This script is a very lightweight routine that would have a negligible impact on the system even if run every few seconds. If at any point you would like to undo these changes, first unload the agent with launchctl unload (or simply log out after removing its file), then run the following three commands separately in the Terminal:
sudo rm /Library/xprotectnotify.sh
rm ~/Library/LaunchAgents/local.XProtectNotify.plist
rm ~/.XProtect.meta.plist
This script will simply notify you when XProtect is updated; however, you can also use a tool like XProtect Plugin Checker either instead of or in addition to this script to give you information on the versions of plug-ins that XProtect is blocking.