
What is XProtectRemediatorPirrit and is it safe or important for me to let it run?

I just got a dialog that seems to be a macOS-generated dialog. I get a similar dialog whenever Firefox upgrades.

The dialog reads:

XProtectRemediatorPirrit wants to make changes.

It then wants me to enter my Admin user name and password.

I looked in my System Report under applications, extensions, and disabled and there is no such program listed.

I searched /Library/Apple and found XProtect.app but not XProtectRemediatorPirrit.

It would be nice if Apple showed who signed the program in these dialogs, but given that it doesn't and I'm not expecting this dialog, I'm concerned that it might be a virus trying to look like it's Apple's protection feature.

What is this? If it's an Apple program, has Apple documented it anywhere?

Mac mini, macOS 14.4

Posted on Apr 30, 2024 9:18 PM

6 replies

May 1, 2024 4:21 AM in response to Charles Belov

To validate the dialog I checked Activity monitor - CPU - sort by ProcessName - select XProtectRemediatorPirrit - (i) - Open Files and Ports:

...
/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediatorPirrit
...

So this appeared to be genuine. After permitting XProtectRemediatorPirrit to make changes I see in the log:

$ log show --predicate 'subsystem=="com.apple.XProtectFramework.PluginAPI" && category == "XPEvent.structured"' --style compact --info --signpost --last 1h  | grep  Pirrit
2024-05-01 06:38:47.803 Df XProtectRemediatorPirrit[98695:89cf81] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"status":{"code":24,"causedBy":[],"description":"Error deleting path: \134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg: Error Domain=NSCocoaErrorDomain Code=513 \134"“C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg” couldn’t be removed because you don’t have permission to access it.\134" UserInfo={NSUserStringVariant=(\134n    Remove\134n), NSFilePath=\134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg, NSUnderlyingError=0x153678920 {Error Domain=NSPOSIXErrorDomain Code=1 \134"Operation not permitted\134"}}."},"path":{"modificationDate":725305677.3817278,"path":"\134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg","creationDate":725305677.3817278},"action":"report"}
2024-05-01 06:38:47.805 Df XProtectRemediatorPirrit[98695:89cf81] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"path":{"creationDate":725305677.3817278,"modificationDate":725305677.3817278,"path":"\134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg"},"action":"path_delete","status":{"causedBy":[{"description":"Error deleting path: \134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg: Error Domain=NSCocoaErrorDomain Code=513 \134"“C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg” couldn’t be removed because you don’t have permission to access it.\134" UserInfo={NSUserStringVariant=(\134n    Remove\134n), NSFilePath=\134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg, NSUnderlyingError=0x153678920 {Error Domain=NSPOSIXErrorDomain Code=1 \134"Operation not permitted\134"}}.","causedBy":[],"code":24}],"description":"Failed to delete Path[\134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg] due to error DeleteFailed(\134"Failed to delete Path[\134/Library\134/Developer\134/CoreSimulator\134/Images\134/C306DD66-CB17-<…>
2024-05-01 06:38:53.242 Df XProtectRemediatorPirrit[98695:89cf81] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"status_message":"FailedToRemediate","execution_duration":3.0040740966796875e-05,"status_code":24,"caused_by":[]}

Looking at the file it is failing on:

$ ls -l /Library/Developer/CoreSimulator/Images/
total 14357680
-rw-------  1 root  admin  7351124481 Dec 26 12:47 C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg
drwxr-xr-x  2 root  admin          64 Dec 26 12:48 Inbox
-rw-r--r--  1 root  admin        1236 Apr 14 04:48 images.plist
drwxr-xr-x  2 root  admin          64 Dec 26 12:48 mnt

The plist claims to be:

$ plutil -p /Library/Developer/CoreSimulator/Images/images.plist
...
"bundleIdentifier" => "com.apple.CoreSimulator.SimRuntime.iOS-17-2"
...

I did download Xcode's iOS simulator some months ago, so this might be a false positive detection.
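Following the approach in this reply, the script below is an added example (not from the thread and not Apple's code) that turns `log show --style compact` lines of the kind shown above into structured events, so you can see which paths a remediator reported or tried to delete and how the run ended, instead of reading raw JSON. The line layout and the `\134` backslash escaping are taken from the output quoted in the replies; the sample log and its .dmg UUID are constructed placeholders, and `is_expected_remediator_path` is a hypothetical helper that checks a process binary against the XProtect.app location found via Activity Monitor above.

```python
import json
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Layout of one `log show --style compact` line as it appears in the replies above:
#   <date> <time> <type> <process>[<pid>:<tid>] [<subsystem>:<category>] <json message>
# The message group deliberately accepts an unterminated "{..." so that lines the
# terminal truncated (the "<...>" in the thread) still match the regex and are then
# rejected by the JSON decoder, where the failure is easier to report.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+):[0-9a-f]+\] "
    r"\[(?P<subsystem>[^:\]]+):(?P<category>[^\]]+)\] (?P<msg>\{.*)$"
)

# Location of the remediator binary found via Activity Monitor in the reply above.
# A dialog whose process lives anywhere else deserves a closer look.
XPROTECT_MACOS_DIR = "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/"


@dataclass
class XPEvent:
    timestamp: str
    process: str
    pid: int
    action: Optional[str]        # "report", "path_delete", or None for the run summary
    path: Optional[str]          # file the remediator acted on, if any
    status_code: Optional[int]
    description: str
    payload: dict


def decode_message(raw: str) -> dict:
    # `log show` prints a literal backslash as the octal escape \134, so the
    # JSON-escaped "\/" in paths arrives as "\134/" and an escaped quote as
    # "\134"". Restoring the backslash turns the message back into valid JSON.
    return json.loads(raw.replace("\\134", "\\"))


def parse_line(line: str) -> Optional[XPEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        payload = decode_message(m.group("msg"))
    except json.JSONDecodeError:
        return None                      # truncated or non-JSON message
    status = payload.get("status") or {}
    return XPEvent(
        timestamp=m.group("ts"),
        process=m.group("proc"),
        pid=int(m.group("pid")),
        action=payload.get("action"),
        path=(payload.get("path") or {}).get("path"),
        status_code=status.get("code", payload.get("status_code")),
        description=status.get("description") or payload.get("status_message", ""),
        payload=payload,
    )


def is_expected_remediator_path(binary_path: str) -> bool:
    # Hypothetical check: normalise first so "..\" tricks cannot pass the prefix test.
    return os.path.normpath(binary_path).startswith(XPROTECT_MACOS_DIR)


def summarize(log_text: str) -> dict:
    events: List[XPEvent] = []
    skipped = 0
    paths: Dict[str, List[str]] = {}
    outcome: Optional[Tuple[str, Optional[int]]] = None
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev is None:
            skipped += 1
            continue
        events.append(ev)
        if ev.path:
            paths.setdefault(ev.path, []).append(ev.action)
        if "status_message" in ev.payload:     # final event of the run
            outcome = (ev.payload["status_message"], ev.status_code)
    return {"events": events, "skipped": skipped, "paths": paths, "outcome": outcome}


# Constructed sample in the shape of the thread's output; the .dmg UUID is a placeholder
# and the third line imitates a message the terminal cut off.
SAMPLE_LOG = r"""
2024-05-01 06:38:47.803 Df XProtectRemediatorPirrit[98695:89cf81] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"status":{"code":24,"causedBy":[],"description":"Error deleting path: \134/Library\134/Developer\134/CoreSimulator\134/Images\134/11111111-2222-3333-4444-555555555555.dmg: Error Domain=NSCocoaErrorDomain Code=513 \134"11111111-2222-3333-4444-555555555555.dmg couldn't be removed because you don't have permission to access it.\134""},"path":{"modificationDate":725305677.3817278,"path":"\134/Library\134/Developer\134/CoreSimulator\134/Images\134/11111111-2222-3333-4444-555555555555.dmg","creationDate":725305677.3817278},"action":"report"}
2024-05-01 06:38:47.805 Df XProtectRemediatorPirrit[98695:89cf81] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"path":{"creationDate":725305677.3817278,"modificationDate":725305677.3817278,"path":"\134/Library\134/Developer\134/CoreSimulator\134/Images\134/11111111-2222-3333-4444-555555555555.dmg"},"action":"path_delete","status":{"causedBy":[],"description":"Failed to delete Path[\134/Library\134/Developer\134/CoreSimulator\134/Images\134/11111111-2222-3333-4444-555555555555.dmg] due to error DeleteFailed","code":24}}
2024-05-01 06:38:47.806 Df XProtectRemediatorPirrit[98695:89cf81] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"status":{"code":24,"causedBy":[],"description":"Failed to delete Path[\134/Library\134/Developer\134/CoreSimulator\134/Images\134/11111111-2222-3333-4444-555555555555.dmg] due to error DeleteFailed(\134"Failed to delete Path[\134/Library\134/Developer\134/CoreSimulator\134/Images\134/11111111-2222-<...>
2024-05-01 06:38:53.242 Df XProtectRemediatorPirrit[98695:89cf81] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"status_message":"FailedToRemediate","execution_duration":3.0040740966796875e-05,"status_code":24,"caused_by":[]}
"""


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for p, actions in result["paths"].items():
        print(p, "->", ", ".join(actions))
    print("outcome:", result["outcome"], "| truncated lines skipped:", result["skipped"])
```

On a real machine, pipe the output of the `log show` command from the reply into `summarize` instead of `SAMPLE_LOG`; a run that ends in `FailedToRemediate` with code 24 on a path you recognise (here an Xcode simulator image) is the pattern this thread describes, while a `path_delete` on a path you do not recognise is the case worth investigating before granting the dialog.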

May 1, 2024 5:33 AM in response to ahooper99

The dmg appears genuine, supporting the false positive:

$ sudo spctl -a -t open -vvv --context context:primary-signature /Library/Developer/CoreSimulator/Images/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg
/Library/Developer/CoreSimulator/Images/C306DD66-CB17-43AF-B09A-8B8B96F4518C.dmg: accepted
source=Apple System
origin=Software Signing


Apr 30, 2024 11:15 PM in response to Matti Haveri

Thank you. I see installations for:

XProtectPlistConfigData:
  Version: 2193
  Source: Apple
  Install Date: 4/30/24, 2:11 PM

and

XProtectPayloads:
  Version: 132
  Source: Apple
  Install Date: 4/30/24, 2:11 PM

but nothing for XProtectRemediatorPirrit, and the message happened around 9:15 pm, and I've been on my computer all day. (Although if the installation list was using UTC that would explain a 7 hour difference as I'm on PDT.)

But if it's Apple system software that's trying to run, why would it need to ask me for permission? I'm still not confident that the software that tried to communicate with me is Apple's. I mean, it would totally be a smart move for the bad folks to send a compromise right after an Apple update.

I do wish Apple would put the signer in these dialogs.

May 2, 2024 1:23 AM in response to Charles Belov

In my case, when I run

sudo log show --predicate 'subsystem=="com.apple.XProtectFramework.PluginAPI" && category == "XPEvent.structured"' --style compact --info --signpost --last 1h | grep Pirrit


I get:

2024-05-02 00:50:13.979 Df XProtectRemediatorPirrit[50374:c0729] [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"status":{"description":"Error deleting path: \134/Library\134/Developer\134/CoreSimulator\134/Images\134/2D295372-B778-4E14-B1CA-B5EF5080B114.dmg: Error Domain=NSCocoaErrorDomain Code=513 \134"“2D295372-B778-4E14-B1CA-B5EF5080B114.dmg” couldn’t be removed because you don’t have permission to access it.\134"…


In my case, that .dmg is the "iOS 17.0.1 21A342 Simulator", part of Xcode.


Why is XProtectRemediatorPirrit trying to remove one of Xcode's .dmg?

