Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Level 2

347 points

Is the New Security Update Working on My Computers?

I have noticed that the XProtect.plist on 2 different computers have never updated since I installed the new Security Update on June 1. I have an Apple Care Product Specialist trying to figure it out.

But, I ran across this (pasted below) today when checking Console, and if anyone can dechiper logs, maybe some independent analysis will tell me why I'm not getting the "MacDefender" scan this security update was supposed to provide (and why the subject .plist has never updated since installing the Security Update on 2 10.6.7 Intel iMacs 4 days ago).

If anyone can dechiper the log and tell me what I might do to correct this problem, kudos!

The log entries (which contain a series of "failed") are:

Version:1.0StartHTML:0000000149EndHTML:0000004433StartFragment:0000000199EndFrag ment:0000004399StartSelection:0000000199EndSelection:00000043996/4/11 8:59:20 AM com.apple.launchd[1] (com.apple.xprotectupdater[39]) Exited with exit code: 255
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 22
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 21
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 20
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 19
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 18
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 17
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 15
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 16
And
6/4/11 12:15:50 PM com.apple.launchd[1] (com.apple.xprotectupdater[39]) Exited with exit code: 255
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 22
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 21
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 20
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 19
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 18
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 17
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 15
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 16
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 30
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 29
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 28
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 27
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 26
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 25
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 23
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 24
6/4/11 12:15:55 PM com.apple.WindowServer[80] Sat Jun 4 12:15:55 {INFO REMOVED}-imac.local WindowServer[80] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
6/4/11 12:16:32 PM com.apple.launchd.peruser.501[126] (com.apple.ReportCrash) Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
6/4/11 12:16:39 PM com.apple.launchd.peruser.501[126] (com.apple.Kerberos.renew.plist[161]) Exited with exit code: 1
6/4/11 1:03:18 PM System Preferences[222] Could not connect the action resetLocationWarningsSheetOk: to target of class AppleSecurity_Pref
6/4/11 1:03:18 PM System Preferences[222] Could not connect the action resetLocationWarningsSheetCancel: to target of class AppleSecurity_Pref

Posted on Jun 4, 2011 10:29 AM

177 replies

R C-R

Level 6

17,782 points

Jun 20, 2011 4:45 AM in response to powerbook1701

powerbook1701 wrote:

I also just checked mine, using the quicklook at the xprotect plist, and I am still at 13. Did the toggle, now at 20. I have restarted several times since version 13, but no updates have occured since then. I am on an AEBS, however. It's possible, like others have stated, that the wifi network isn't stabalized yet when this is suppose to run after startup so that check fails (the code 255?). As long as the toggle method works, it's easy enough to do for now..

FWIW, I have an AEBS & sometimes have seen the 255 code after startup or wake from sleep, but I still have been getting the updates automatically even when that & the other messages associated with the 'no Internet connection' appear in the logs.

From this I suspect the messages are not -- by themselves -- an indication of a malfunction & instead occur normally on occasion, depending on how long it takes to establish & stabilize the network. I believe that one of the possible causes of the malfunction may well be something that happens when forcing a manual update check with something other than toggling the system preference, or preexisting conditions that result in the same thing.

I am not sure what that something might be but it might be an issue in the dyld shared cache. This is only a hunch, based on examining the raw code of the XProtectUpdater executable & what I did with Onyx that (maybe) got the auto-update function working again after I tried the other manual update methods: one of the several things I did was to rebuild the dyld shared cache using the Maintenance > Rebuild panel of Onyx.

It would be interesting to know if rebuilding the dyld shared cache has any effect for anybody else having auto-update problems...

WZZZ

Level 6

13,226 points

Jun 20, 2011 8:03 AM in response to R C-R

FYI: you can easily rebuld the dyld shared cache with this command. No need to open up Onyx.

sudo update_dyld_shared_cache -force

Jun 20, 2011 8:37 AM in response to R C-R

on this particular machine, the only forcing of an update I have ever done is by using the toggle method. I haven't tried any other of the choices out there. My other machine, I used TM to go back to right before the Security update and then start fresh from that point running SU to get it (on that other machine, I have tried some of these other methods and wanted to erase any issues that might have resulted from running those). Both machines exhibit the same behaviour and are theoretically setup the same..

Jun 20, 2011 11:02 AM in response to R C-R

Thanks to R C-R for an informative post:

It would be interesting to know if rebuilding the dyld shared cache has any effect for anybody else having auto-update problems...

Your observation of the 255 code while still receiving automatic updates is very interesting, and mysterious to me.

I did follow your Onyx suggestion of a former post, including rebuilding the dyld cache. The 255 error persisted upon restart. But I do not yet know if the automatic updates work. It's possible that a XProtectUpdater failure upon restart does not stop the 24-hour run cycle from being established, which is something that I previously thought likely. Of course this test will take a day or two to perform.

In my case the malfunction cannot have been caused by a non-toggle manual update. I have always toggled.

Thanks also for the info that you use AEBS, as do I.

pcbjr Author

Level 2

347 points

Jun 21, 2011 2:59 PM in response to pcbjr

Are we still at Version 20? If so, it's been since last Friday.

(Now - 6:00PM EDT, Tue., 6/21/11)

baltwo

Level 9

62,362 points

Jun 21, 2011 3:17 PM in response to pcbjr

That's what http://configuration.apple.com/configurations/macosx/xprotect/1/clientConfigurat ion.plist shows.

pcbjr Author

Level 2

347 points

Jun 21, 2011 3:21 PM in response to baltwo

Thanks!

I wish I knew how to read that so I'd know what I was looking for!

And how did you create that link?

baltwo

Level 9

62,362 points

Jun 21, 2011 3:31 PM in response to pcbjr

R C-R pointed it out. Scroll through the Signature section and see this:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>meta</key>

<dict>

<key>Version</key>

<integer>20</integer>

pcbjr Author

Level 2

347 points

Jun 21, 2011 3:34 PM in response to baltwo

Thanks again and please pardon what may seem like stupidity on this side - but what is the "Signature section"? How do I get there and see it? Is it part of my Console Log? Is it part of the Get Info in Core Services? Or what?

Any guidance - most appreciated!

MadMacs0

Level 5

5,221 points

Jun 21, 2011 5:21 PM in response to pcbjr

pcbjr wrote:

Thanks again and please pardon what may seem like stupidity on this side - but what is the "Signature section"?

The Signature is used in conjunction with the Apple root Certificate that lives in your keychain to validate the file. This insures that it is really from Apple and not some phony site planning on corrupting the defs database. The XProtect process does extract the update date/time from the Signature and adds it to the XProtect.meta.plist.

How do I get there and see it? Is it part of my Console Log? Is it part of the Get Info in Core Services? Or what?

It is discarded after processing, so you won't find it unless it's cached somewhere and I seriously doubt that it is. I don't see how it would be useful to anyone.

MadMacs0

Level 5

5,221 points

Jun 21, 2011 5:25 PM in response to pcbjr

pcbjr wrote:

Are we still at Version 20? If so, it's been since last Friday.

(Now - 6:00PM EDT, Tue., 6/21/11)

Still at v.20 5:00PM PDT, Tue., 6/21/11. I check the VirusTotal sample database nightly and the last time anything related to MacDefender was submitted was on 6/15, so it makes sense that Apple's 6/16 update is still current.

baltwo

Level 9

62,362 points

Jun 21, 2011 5:41 PM in response to pcbjr

pcbjr wrote:

Thanks again and please pardon what may seem like stupidity on this side - but what is the "Signature section"? How do I get there and see it?

You click on this link and the page that pops up opens with a Signature block. Scroll down to

----- END SIGNATURE ----- and you'll see the rest of what I posted previously.

Jun 23, 2011 2:52 PM in response to baltwo

well, with 10.6.8 out, we will see what happens...

MadMacs0

Level 5

5,221 points

Jun 23, 2011 4:28 PM in response to powerbook1701

powerbook1701 wrote:

well, with 10.6.8 out, we will see what happens...

There's nothing about XProtect in the announcement that I got.

MadMacs0

Level 5

5,221 points

Jun 23, 2011 6:34 PM in response to MadMacs0

MadMacs0 wrote:

powerbook1701 wrote:

well, with 10.6.8 out, we will see what happens...

There's nothing about XProtect in the announcement that I got.

Having now downloaded it, I can say that there are components of the XProtect system in the delta update which are dated 6/2/11. It will take me awhile to compare them to see what changes were made.

Is the New Security Update Working on My Computers?