How can I monitor XProtect logs and version on macOS Sonoma?
I was trying to build an automation to check if XProtect is running correctly.
When reading the logs with the following command:
log show --predicate 'subsystem == "com.apple.xprotect"'
I get a message saying that XProtect's rules are located in a directory, under the file XProtect.yara,
and then that the file XProtect2.yara is not accessible:
2024-05-09 15:21:04 [...] Default 0x0 1277 0 XprotectService: [com.apple.xprotect:xprotect] Using XProtect rules location: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara
2024-05-09 20:22:48 [...] Error 0x0 1277 0 XprotectService: [com.apple.xprotect:xprotect] Rule path is not accessible: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect2.yara
I've checked the directory and permissions and the file XProtect2.yara doesn't exist. Why is it looking for that rule file when XProtect.yara already has the expected contents (I've checked it)?
Do I have any other way of monitoring if XProtect is running and correctly configured? Are there any other logs I can check for it? Has someone experienced a similar error?
MacBook Pro (M3 Pro, 2023)
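An added example, not part of the original post: a shell function that reduces `log show` output to the two XprotectService messages quoted above, so an automation can act on its exit status. The function names, the repeated sample line and the unrelated sample line are constructed here, and the version lookup assumes the bundle has a standard Contents/Info.plist with a CFBundleShortVersionString key.

```shell
#!/bin/sh
# Added example. On a Mac, pipe real output into the function:
#   log show --last 1d --predicate 'subsystem == "com.apple.xprotect"' | xprotect_log_summary

# Prints the rules file in use and each rule path logged as inaccessible.
# Returns 1 if any inaccessible path was logged, 0 otherwise.
xprotect_log_summary() {
    awk '
        !/\[com\.apple\.xprotect:xprotect\] / { next }  # skip other log sources
        { msg = $0; sub(/^.*\[com\.apple\.xprotect:xprotect\] /, "", msg) }
        msg ~ /^Using XProtect rules location: / {
            sub(/^Using XProtect rules location: /, "", msg); rules = msg; next
        }
        msg ~ /^Rule path is not accessible: / {
            sub(/^Rule path is not accessible: /, "", msg)
            if (!(msg in seen)) order[++n] = msg   # keep first-seen order
            seen[msg]++
        }
        END {
            print "rules_in_use=" (rules == "" ? "unknown" : rules)
            for (i = 1; i <= n; i++)
                print "inaccessible=" order[i] " count=" seen[order[i]]
            exit (n > 0 ? 1 : 0)
        }'
}

# Bundle version (macOS only, uses `defaults`). Assumption: standard bundle
# layout with Contents/Info.plist and a CFBundleShortVersionString key.
xprotect_bundle_version() {
    defaults read "${1:-/Library/Apple/System/Library/CoreServices/XProtect.bundle}/Contents/Info.plist" CFBundleShortVersionString
}

# Constructed sample: the two lines quoted in the post (the error repeated
# once) plus one unrelated line that must be ignored.
sample_log() {
    cat <<'EOF'
2024-05-09 15:21:04 [...] Default 0x0 1277 0 XprotectService: [com.apple.xprotect:xprotect] Using XProtect rules location: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara
2024-05-09 20:22:48 [...] Error 0x0 1277 0 XprotectService: [com.apple.xprotect:xprotect] Rule path is not accessible: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect2.yara
2024-05-09 20:22:49 [...] Default 0x0 1 0 example: [com.example.demo:misc] unrelated constructed line
2024-05-09 21:22:48 [...] Error 0x0 1277 0 XprotectService: [com.apple.xprotect:xprotect] Rule path is not accessible: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect2.yara
EOF
}

# Demo on the sample; "|| true" because status 1 only means a path was flagged.
sample_log | xprotect_log_summary || true
```

The summary only reports what was logged; it does not decide whether the absent XProtect2.yara is a fault.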