{"id":349,"date":"2011-06-03T14:43:13","date_gmt":"2011-06-03T19:43:13","guid":{"rendered":"http:\/\/www.brunerd.com\/blog\/?p=349"},"modified":"2011-06-03T16:47:06","modified_gmt":"2011-06-03T21:47:06","slug":"advanced-safe-downloads-list-tips-and-tricks","status":"publish","type":"post","link":"https:\/\/www.brunerd.com\/blog\/2011\/06\/03\/advanced-safe-downloads-list-tips-and-tricks\/","title":{"rendered":"Advanced Safe Downloads List Tips and Tricks"},"content":{"rendered":"<p>So I submitted a <a href=\"http:\/\/hints.macworld.com\/article.php?story=20110602091032338\" target=\"_blank\">hint<\/a> for getting info about the Safe Downloads protection list, then I made a <a title=\"Safe Downloads List Info Widget\" href=\"http:\/\/www.brunerd.com\/blog\/2011\/06\/03\/safe-downloads-widget\/\">widget<\/a>, and now I&#8217;m delving deeper into the Safe Downloads list and the command line.<\/p>\n<p>Let&#8217;s look at the BOM for the update:<\/p>\n<p><code>\/Library\/Preferences\/com.apple.ReportMessages.domains<br \/>\n\/Library\/Preferences\/com.apple.ReportMessages.v2.domains<br \/>\n\/System\/Library\/CoreServices\/CoreTypes.bundle\/Contents\/Resources\/XProtect.plist<br \/>\n\/System\/Library\/CoreServices\/MRTAgent.app<br \/>\n\/System\/Library\/LaunchAgents\/com.apple.mrt.uiagent.plist<br \/>\n\/System\/Library\/LaunchDaemons\/com.apple.mrt.plist<br \/>\n\/System\/Library\/LaunchDaemons\/com.apple.xprotectupdater.plist<br \/>\n\/System\/Library\/PreferencePanes\/Security.prefPane<br \/>\n\/usr\/libexec\/MRT<br \/>\n\/usr\/libexec\/XProtectUpdater<\/code><\/p>\n<p>What&#8217;s interesting is that after installation, \/usr\/libexec\/MRT, com.apple.mrt.plist, and com.apple.mrt.uiagent.plist delete themselves once they have run?! This is odd, yes? 
From the looks of it, MRT has a lot of pattern-matching code in it&#8230; Also notable is that in the postflight action <a href=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/loadMRT.txt\" target=\"_blank\">loadMRT<\/a>, the launchagent and daemon are unloaded and reloaded; however, the <a href=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/loadXProtectUpdater.txt\" target=\"_blank\">loadXProtectUpdater<\/a> script does not do this. So XProtectUpdater does not run again if you rerun the installer, since launchctl will report it&#8217;s already loaded; you&#8217;ll have to wait a day for it to check again and update, as seen in <a href=\"http:\/\/www.brunerd.com\/blog\/wp-content\/uploads\/com.apple_.xprotectupdater.plist_.txt\" target=\"_blank\">com.apple.xprotectupdater.plist<\/a> (86400 seconds = 1 day).<\/p>\n<p>If you want to manually force an update, you can run this command:<br \/>\n<code><strong>sudo \/usr\/libexec\/XProtectUpdater<\/strong><br \/>\n<\/code>You must run it as root, or else it informs you:<br \/>\n<span style=\"font-size: 13px; font-family: Monaco, Consolas, 'Andale Mono', 'DejaVu Sans Mono', monospace; line-height: 19px;\">XprotectUpdater[<em>pids<\/em>] Unable to write new signature meta plist<\/span><\/p>\n<p>You can also just toggle the preference in the Security prefpane; this causes the launchd job to be unloaded and reloaded. However, from an admin POV it&#8217;s nice to have a non-GUI way to do this. Also, there seems to be a <a href=\"http:\/\/blog.intego.com\/2011\/06\/01\/bug-in-apples-malware-detection-settings-may-lead-to-mistaken-preferences\/\">bug<\/a> in the prefpane so that values are not written after it has been open for more than 30 seconds! Come on 10.6.8! 
(It feels like this was Lion stuff that&#8217;s getting shoe-horned into Snow Leopard a bit earlier than they expected.)<\/p>\n<p>Another interesting tidbit is the actual malware list, which is squirreled away here:<br \/>\n\/System\/Library\/CoreServices\/CoreTypes.bundle\/Contents\/Resources\/XProtect.plist<\/p>\n<p>If you attempt to use the defaults command to read it, you are given this:<br \/>\n<code>defaults[<em>pids<\/em>] Preference plist was NOT a dictionary.<br \/>\ndefaults[<em>pids<\/em>] Domain \/System\/Library\/CoreServices\/CoreTypes.bundle\/Contents\/Resources\/XProtect does not exist<br \/>\n<\/code><\/p>\n<p>It seems the Apple folks have done some creative things: while this is still valid XML, it is not a defaults-compatible plist, because defaults expects a dictionary at the top level and here the values are dictionaries stored in an array at the top level. Is this protection against script-kiddies who&#8217;d use defaults to change values in the list? While the file is root owned, one must wonder whether there are safeguards that check its checksum against a server to detect unauthorized changes to it. Since admin status is enough to escalate to root using sudo (and every initial user in OS X is an admin), and the installer runs as root when installing a pkg, this is something to keep an eye on&#8230; (oh right, my point being that this thwarts a script to list detected threats, at least <em>easily<\/em>, using defaults)<\/p>\n<p>And some parting advice: turn off Open Safe Downloads in Safari! It&#8217;s an oddly bad decision by Apple; its parallels to Windows&#8217; AutoPlay\/AutoRun give me goose bumps! I don&#8217;t want a dmg opening itself up and copying out its pkg payload into Downloads, then auto-launching it! CRAZY BAD! 
Malware on a platinum platter; Apple couldn&#8217;t have made it easier!<\/p>\n<p>Here&#8217;s the command for turning this off in Safari; it is a per-user preference:<br \/>\n<code>defaults write com.apple.Safari AutoOpenSafeDownloads -bool FALSE<\/code><\/p>\n<p>And so concludes this expedition. I hope you learned something, and can teach me something back in the process. Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So I submitted a hint for getting info about the Safe Downloads protection list, then I made a widget, now delving deeper into Safe Downloads list and the command line Let&#8217;s look at the BOM for the update: \/Library\/Preferences\/com.apple.ReportMessages.domains \/Library\/Preferences\/com.apple.ReportMessages.v2.domains \/System\/Library\/CoreServices\/CoreTypes.bundle\/Contents\/Resources\/XProtect.plist \/System\/Library\/CoreServices\/MRTAgent.app \/System\/Library\/LaunchAgents\/com.apple.mrt.uiagent.plist \/System\/Library\/LaunchDaemons\/com.apple.mrt.plist \/System\/Library\/LaunchDaemons\/com.apple.xprotectupdater.plist \/System\/Library\/PreferencePanes\/Security.prefPane \/usr\/libexec\/MRT \/usr\/libexec\/XProtectUpdater What&#8217;s interesting is after installation \/usr\/libexec\/MRT, com.apple.mrt.plist, and com.apple.mrt.uiagent.plist delete 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4,8],"tags":[],"class_list":["post-349","post","type-post","status-publish","format-standard","hentry","category-apple","category-os-x","category-security"],"_links":{"self":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/comments?post=349"}],"version-history":[{"count":8,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/349\/revisions"}],"predecessor-version":[{"id":360,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/posts\/349\/revisions\/360"}],"wp:attachment":[{"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/media?parent=349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/categories?post=349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.brunerd.com\/blog\/wp-json\/wp\/v2\/tags?post=349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}