User profile for user: bobgraw3
bobgraw3 Author
User level: Level 1
4 points

macOS XProtect and scan dates

While trying to "prove" that XProtect is running on our workstations, I noticed that on some machines the date and time being reported is not quite correct. The day and time appear correct, but the year is off by a lot.


$ defaults find XProtect | grep XProtect
        "com.apple.XProtect.PluginService.agent.fast.scan" = "1992-06-25 12:10:35 +0000";
        "com.apple.XProtect.PluginService.agent.scan" = "1992-06-25 12:10:35 +0000";
        "com.apple.XProtect.PluginService.agent.slow.scan" = "1992-06-25 12:10:35 +0000";


I finally noticed/realized that our M2 machines have the wrong year. Intel macs seem to have the correct year. And, I have one workstation that says the year of the scan is 1402.


A) Is there another way to figure out the last scan time(s) for XProtect besides "default find"?

B) @apple, why are the year of the dates so wonky?


Thanks,

~Bob

MacBook Pro (M2 Max, 2023)

Posted on Jun 26, 2023 10:23 AM

Reply

Similar questions

8 replies
User profile for user: VikingOSX
VikingOSX
User level: Level 10
123,734 points

Jun 26, 2023 12:37 PM in response to bobgraw3

On Ventura 13.4.1, I get the following result for fast.scan, scan, and slow scan entries respectively.


defaults find XProtect | awk '/com.apple.XProtect/ {print substr($0, index($0,$3))}' | tr -d '[";]'

2023-06-26 12:07:41 +0000

2023-06-26 18:56:42 +0000

2023-06-25 12:26:19 +0000


I am using Apple's time server to automatically keep the Mac time current. In Software Update > ⓘ, do you have the following set:



Without that set, XProtect will not get pushed updates.


If you recently did a Time Machine restore from a older Mac with its clock messed up, this might account for these older date stamps.

Reply
User profile for user: Kurt Lang
Kurt Lang
User level: Level 9
68,946 points

Jun 26, 2023 11:06 AM in response to bobgraw3

Those look like the minimum dates the firmware understands. Have the clocks in Settings > General been set to automatically set the time?



The same command shows the correct date on my M2 mini.


% defaults find XProtect | grep XProtect

        "com.apple.XProtect.PluginService.agent.fast.scan" = "2023-06-26 16:27:55 +0000";

        "com.apple.XProtect.PluginService.agent.scan" = "2023-06-26 16:27:55 +0000";

        "com.apple.XProtect.PluginService.agent.slow.scan" = "2023-06-24 13:52:29 +0000";

Reply
User profile for user: bobgraw3
bobgraw3 Author
User level: Level 1
4 points

Jun 26, 2023 11:16 AM in response to Kurt Lang

Thanks for the reply :-)


Date & Time are definitely being set automatically:


date command in the terminal is correct as well (as expected):

$ date -Iseconds -u
2023-06-26T18:07:45+00:00


When I began testing things, I was pretty sure the command gave me the correct year.


Maybe it's just something about the way XProtect runs. This is from the same machine I sent the data from last time:

$ defaults find XProtect | grep XProtect
        "com.apple.XProtect.PluginService.agent.fast.scan" = "2023-06-26 18:46:29 +0000";
        "com.apple.XProtect.PluginService.agent.scan" = "1992-06-25 12:10:35 +0000";
        "com.apple.XProtect.PluginService.agent.slow.scan" = "1992-06-25 12:10:35 +0000";


It must have recently run a "fast" scan presumably, and the year is showing 2023.


And, looking at the command line date time and the XProtect fast.scan line, 2023-06-26 18:46:29 +0000 is in the future. So, maybe that's when it's going to run the fast scan.


I'll check it in 30 minutes or so and see how things have changed.


Thanks,

~Bob

Reply
User profile for user: bobgraw3
bobgraw3 Author
User level: Level 1
4 points

Jun 26, 2023 12:14 PM in response to bobgraw3

It is now later than the time that the "fast" scan was going to happen.

The year stayed 2023.

The others still have 1992 :-/


$ date -Iseconds -u
2023-06-26T19:09:30+00:00

$ defaults find XProtect | grep XProtect
        "com.apple.XProtect.PluginService.agent.fast.scan" = "2023-06-26 18:46:29 +0000";
        "com.apple.XProtect.PluginService.agent.scan" = "1992-06-25 12:10:35 +0000";
        "com.apple.XProtect.PluginService.agent.slow.scan" = "1992-06-25 12:10:35 +0000";


I'll update this again tomorrow or the next day and see if there's anything interesting.


I have about 75 workstations (various MacBook Pros), but it still looks like Intel based stay with 2023 for the year.


And, I have this one outlier that has 1402 for the year and the date is wrong. That one is making me nervous and we'll be doing some other investigations into it.


Thanks,

~Bob

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

macOS XProtect and scan dates

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up