I have an Endpoint system extension that, in theory, receives XProtect alerts.
I regularly see XProtectPluginService starting programs like XProtectRemediatorSheepSwap on my Mac.
I would love to be able to put one or more files/bundles on my Mac that trigger the detectors, so I can see the alerts go from the Endpoint system extension through to the UI.
Does Apple have or recommend a way (short of being infected) for triggering the XProtect detectors for testing?
Does Apple have or recommend a way … for triggering the XProtect detectors for testing?
Not that I’ve seen.
Although one trick I recently learnt about is gktool, which allows you to run a Gatekeeper scan on a file explicitly.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"