
Is the New Security Update Working on My Computers?

I have noticed that the XProtect.plist on 2 different computers has never updated since I installed the new Security Update on June 1. I have an Apple Care Product Specialist trying to figure it out.


But, I ran across this (pasted below) today when checking Console, and if anyone can decipher logs, maybe some independent analysis will tell me why I'm not getting the "MacDefender" scan this security update was supposed to provide (and why the subject .plist has never updated since installing the Security Update on 2 10.6.7 Intel iMacs 4 days ago).


If anyone can decipher the log and tell me what I might do to correct this problem, kudos!


The log entries (which contain a series of "failed") are:



6/4/11 8:59:20 AM com.apple.launchd[1] (com.apple.xprotectupdater[39]) Exited with exit code: 255
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 22
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 21
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 20
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 19
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 18
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 17
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 15
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 16
And
6/4/11 12:15:50 PM com.apple.launchd[1] (com.apple.xprotectupdater[39]) Exited with exit code: 255
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 22
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 21
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 20
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 19
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 18
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 17
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 15
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 16
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 30
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 29
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 28
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 27
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 26
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 25
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 23
6/4/11 12:15:54 PM com.apple.notifyd[12] EV_DELETE failed for file watcher 24
6/4/11 12:15:55 PM com.apple.WindowServer[80] Sat Jun 4 12:15:55 {INFO REMOVED}-imac.local WindowServer[80] <Error>: kCGErrorFailure: Set a breakpoint @ CGErrorBreakpoint() to catch errors as they are logged.
6/4/11 12:16:32 PM com.apple.launchd.peruser.501[126] (com.apple.ReportCrash) Falling back to default Mach exception handler. Could not find: com.apple.ReportCrash.Self
6/4/11 12:16:39 PM com.apple.launchd.peruser.501[126] (com.apple.Kerberos.renew.plist[161]) Exited with exit code: 1
6/4/11 1:03:18 PM System Preferences[222] Could not connect the action resetLocationWarningsSheetOk: to target of class AppleSecurity_Pref
6/4/11 1:03:18 PM System Preferences[222] Could not connect the action resetLocationWarningsSheetCancel: to target of class AppleSecurity_Pref

Posted on Jun 4, 2011 10:29 AM

177 replies

Jun 16, 2011 1:57 PM in response to R C-R

R C-R wrote:


The version number, when Apple released it, & when it was installed can be determined easily from the file /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist. For those not willing to navigate to that file in Finder, note its creation date, & open it with TextEdit or Property List Editor, it would be easy for someone to create an AppleScript to display that info.

I think I mentioned the Safe Downloads Widget before http://www.brunerd.com/blog/2011/06/03/safe-downloads-widget/ which will display that info and it contains an AppleScript which could be easily adapted to Finder use.

An option to set the update frequency to less than the once every 24 hour default would be inadvisable given how often the definitions are updated. One to set it to greater than that would be pointless unless Apple started releasing updates more frequently, & would just burden the servers with needless queries.

There have been at least two occasions when Apple released two updates in less than 24 hours, but I would have to agree that's not enough to warrant more frequent updates at this time.

As for MacDefender showing others how to cause problems, what it does is not new. It is a social engineering exploit that relies on tricking the user into installing something they would not otherwise install. The most sophisticated thing it does is to download a file to a would-be victim's Mac via a Javascript embedded in a web page without any overt notification or an explicit request to do so. But that is basically the same thing loading many URL's in browsers already do, the only difference being we usually load them on purpose.

Has anybody verified that no action was necessary on the user's part for the payload to download? I know several people have alleged that they did nothing, but I visited many of the sites and was never able to make anything happen until I clicked on something. I was even able to use the cancel button to dismiss a dialog without anything being downloaded. Of course, I haven't accessed all of the incarnations, so it's possible they made that happen.

Jun 16, 2011 6:40 PM in response to MadMacs0

This does that. Save it as an application:


set a to do shell script "defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version"

set b to do shell script "defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta LastModification"

display dialog "Safe Download definitions are at version " & a & "," & return & "Last updated on " & b


When run returns:


User uploaded file

Jun 17, 2011 4:43 AM in response to MadMacs0

MadMacs0 wrote:

There have been at least two occasions when Apple released two updates in less than 24 hours, but I would have to agree that's not enough to warrant more frequent updates at this time.

Thanks for the info. I have not been keeping track of when all the updates were released, but I have noticed that the "LastModification" time varies throughout the day. I suppose if one was overly concerned about getting the updates ASAP, modifying the launch daemon to check more often than once every 24 hours would do that, but I doubt it is worth the effort. Besides, if too many users did that the servers might not be set up to handle the load.


If it ever really becomes necessary I suspect Apple will release a new security update with a more frequent update check & set up the servers to handle that.


Has anybody verified that no action was necessary on the user's part for the payload to download?

I did, with what I assume was the very first variant. AFAIK, all the variants do this unless the browser in use is set up not to run Javascripts without explicit user permission. But it may be different for PPC Macs, or for OS versions other than Snow Leopard or something.


But for those still not clear about it, downloading the payload is all it can do without user help. If Safari's "Open safe files" option is checked, Installer.app will launch & offer to install it, but unless users do that, it just sits there impotently in the designated downloads folder, like any other download.

Jun 17, 2011 5:07 AM in response to baltwo

baltwo wrote:

This does that. Save it as an application...

FWIW, the Mac Observer app is just an AppleScript wrapped in an application package. (Right-clicking on the app to show its contents shows this.) I suspect it includes code very similar to baltwo's, plus a conversion from GMT to local time & more shell scripting to run the update check (also similar to what baltwo has mentioned elsewhere). But unfortunately, the script was saved as run only so we can't examine it for ourselves to see exactly what it does.


That's one reason I do not recommend using that app, especially to force an update check: since you have to give it your admin password to do that, you are taking it on faith that it won't do anything harmful like mess up Keychain access. (The logs on my system do suggest that it accesses keychain, so this is not impossible.)


I suppose it is a bit ironic that some folks worried about malware are willing to trust an opaque third party app instead of an AppleScript that can be vetted by the ASC community. Go figure.

Jun 17, 2011 8:30 AM in response to R C-R

Frequency of updates wouldn't be that big of a deal if there was an Apple added addition to the system preferences security pane that just said "check for new malware definitions" "last updated" and "current version." This way, you wouldn't have to toggle anything nor worry about when it last updated. At a glance from the above, you can get all the info you need and update if necessary.

Heck, just give XPROTECT its own security pane (in addition to security one) if you need more room..

Jun 18, 2011 3:29 AM in response to R C-R

R C-R wrote:


powerbook1701 wrote:

At a glance from the above, you can get all the info you need and update if necessary.

How would users know from that info if there was a new update out yet or not, unless they manually ran the check & the info changed?

I too have been having a hard time following what 1701 has in mind. It seems that he wants the XProtect Update system to be more like Software Update, but I don't think that's the right model. Software Update gives you options to install, download only, wait or completely ignore the update. That's great for software that takes time and may or may not be needed, but it seems to me you would always want to update when available. It only takes a matter of seconds and you don't need to wait while it's being done or shut down any applications. A user shouldn't have to be responsible for doing anything manually, IMHO. Apple just needs to fix things so it works reliably and automatically. That's the Mac way.


If Apple eventually sees a need to push updates out as soon as they are available, I'm sure the technology will be there to do that. They already have push technology built into iOS for alerts and iCloud updates, so I wouldn't be at all surprised to see it come to Lion.

Jun 18, 2011 4:34 AM in response to MadMacs0

MadMacs0 wrote:

A user shouldn't have to be responsible for doing anything manually, IMHO. Apple just needs to fix things so it works reliably and automatically.

As I have mentioned elsewhere, AFAIK it was working reliably for me until about the time I tried the "Safe Download Version" app from MacObserver & forced a manual update with its "Update now" button. And it is working reliably again after I quit using the app & ran some routines using Onyx to delete caches, rebuild databases, repair permissions, etc.


I can't say for sure that the MacObserver app caused subsequent auto-updates to fail or that which if any of the Onyx routines got it working again, but I suspect from all this that there is nothing wrong with the auto-update feature itself, & instead the cause of the failure is something on the affected Macs.


Remember that we don't know exactly how the XProtect update process is supposed to work because Apple hasn't fully documented it. I think we can safely assume that the LaunchDaemon com.apple.xprotectupdater.plist sets up an "on demand" request to run the XProtectUpdater executable on a periodic schedule of about once every 24 hours, but we don't really know what if any other files or settings might be involved, or if just forcing the XProtectUpdater executable to run using sudo or by similar means actually updates any such things correctly, if at all.


BTW, the most current version is now 20, updated at 17 Jun 2011 21:01:16 GMT.

Jun 18, 2011 9:50 AM in response to R C-R

R C-R wrote:

I can't say for sure that the MacObserver app caused subsequent auto-updates to fail or that which if any of the Onyx routines got it working again, but I suspect from all this that there is nothing wrong with the auto-update feature itself, & instead the cause of the failure is something on the affected Macs.

I was referring to the reliability of the initial update on load and wake from sleep. I don't think those are working for some users who aren't able to negotiate internet access quickly enough. Whether this is the fault of one's Mac or some other component of internet access can be argued, but I should think Apple can solve that with adequate delay. I would agree with you that the auto-updates are working as long as you don't attempt to run XProtectUpdater directly.

Remember that we don't know exactly how the XProtect update process is supposed to work because Apple hasn't fully documented it. I think we can safely assume that the LaunchDaemon com.apple.xprotectupdater.plist sets up an "on demand" request to run the XProtectUpdater executable on a periodic schedule of about once every 24 hours, but we don't really know what if any other files or settings might be involved, or if just forcing the XProtectUpdater executable to run using sudo or by similar means actually updates any such things correctly, if at all.

Not for certain, but I think we have enough observations to say that using the MacObserver app or sudo command is able to update the defs on a one time basis, but that it also can disrupt auto-updates. I'm almost ready to say it will disable auto-updates, but I'm not sure we've heard enough other user experiences.

Jun 18, 2011 1:13 PM in response to MadMacs0

MadMacs0 wrote:


R C-R wrote:

I can't say for sure that the MacObserver app caused subsequent auto-updates to fail or that which if any of the Onyx routines got it working again, but I suspect from all this that there is nothing wrong with the auto-update feature itself, & instead the cause of the failure is something on the affected Macs.

I was referring to the reliability of the initial update on load and wake from sleep. I don't think those are working for some users who aren't able to negotiate internet access quickly enough. Whether this is the fault of one's Mac or some other component of internet access can be argued, but I should think Apple can solve that with adequate delay. I would agree with you that the auto-updates are working as long as you don't attempt to run XProtectUpdater directly.

Remember that we don't know exactly how the XProtect update process is supposed to work because Apple hasn't fully documented it. I think we can safely assume that the LaunchDaemon com.apple.xprotectupdater.plist sets up an "on demand" request to run the XProtectUpdater executable on a periodic schedule of about once every 24 hours, but we don't really know what if any other files or settings might be involved, or if just forcing the XProtectUpdater executable to run using sudo or by similar means actually updates any such things correctly, if at all.

Not for certain, but I think we have enough observations to say that using the MacObserver app or sudo command is able to update the defs on a one time basis, but that it also can disrupt auto-updates. I'm almost ready to say it will disable auto-updates, but I'm not sure we've heard enough other user experiences.


I am one for whom the automatic updates do not work and have never worked. I wish to comment on the comments made by MadMacs0 (boldface is mine).


I agree that for me the issue for updates at boot time is that the internet is offline. Here is a snippet taken from my system.log taken from the console app run from an admin account:


Jun 18 12:06:05 localhost com.apple.launchd[1]: *** launchd[1] has started up. ***

Jun 18 12:06:12 localhost blued[16]: Apple Bluetooth daemon started

Jun 18 12:06:12 localhost mDNSResponder[18]: mDNSResponder mDNSResponder-258.18 (Jan 18 2011 20:25:03) starting

Jun 18 12:06:14 localhost configd[14]: bootp_session_transmit: bpf_write(en1) failed: Network is down (50)

Jun 18 12:06:14 localhost configd[14]: DHCP en1: INIT-REBOOT transmit failed

Jun 18 12:06:14 localhost configd[14]: network configuration changed.

Jun 18 12:06:14 myMBP configd[14]: setting hostname to "myMBP.local"

Jun 18 12:06:15 myMBP configd[14]: network configuration changed.

Jun 18 12:06:25: --- last message repeated 1 time ---

Jun 18 12:06:18 myMBP bootlog[48]: BOOT_TIME: 1308423965 0

Jun 18 12:06:23 myMBP com.apple.usbmuxd[31]: usbmuxd-211 built on Jan 13 2011 at 04:20:21 on Jan 13 2011 at 04:20:21, running 64 bit

Jun 18 12:06:26 myMBP /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[37]: Login Window Application Started

Jun 18 12:06:26 myMBP XProtectUpdater[29]: NSURLConnection error: Error Domain=NSURLErrorDomain Code=-1009 UserInfo=0x100106ea0 "This computer’s Internet connection appears to be offline." Underlying Error=(Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo=0x100124f60 "This computer’s Internet connection appears to be offline.")

Jun 18 12:06:27 myMBP com.apple.launchd[1] (com.apple.xprotectupdater[29]): Exited with exit code: 255


I don't know if the network failure for localhost is a problem. I would really love to know if someone for whom the updates succeed has any message like this shown from when they last booted. Similarly for any XProtectUpdater message and an exit code for the launchd run of com.apple.xprotectupdater.


Also, I wish to state for the record that I have only done manual updates by toggling the Security checkbox. I have never used sudo or Safe Download Version to do that.


I would also be very curious to know from someone for whom the automatic updates work how they are connected to the internet? Are you using DHCP for local address assignment? Or do you have a fixed address? Or is there some special configuration that might be turned on very early in the boot cycle? As I reported in a previous post, I have tried a hardwired ethernet connection to my Airport Extreme Base Station, with DHCP address assignment.


I tried to emulate R C-W by having Onyx clean stuff up, but that has not helped.


I have to admit I'm getting a bit frustrated. Things start working semi-magically for others, but not me. Perhaps my only hope is that some fix will be included in 10.6.8, rumored to be imminent.


Any feedback on the above questions will be greatly appreciated.
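
The two log excerpts quoted in this thread can be triaged mechanically. The following is an added example, not code from any poster or from Apple: it scans Console or system.log text for non-zero exits of com.apple.xprotectupdater and pairs each with the NSURLErrorDomain code that the same XProtectUpdater process logged just before. The function names are hypothetical, and the NSURLErrorDomain codes other than -1009 are standard Foundation values that do not appear in the thread.

```python
import re
from collections import Counter, namedtuple

# Constructed samples: lines copied from the two excerpts quoted in this thread.
CONSOLE_SAMPLE = """\
6/4/11 8:59:20 AM com.apple.launchd[1] (com.apple.xprotectupdater[39]) Exited with exit code: 255
6/4/11 8:59:24 AM com.apple.notifyd[12] EV_DELETE failed for file watcher 22
6/4/11 12:15:50 PM com.apple.launchd[1] (com.apple.xprotectupdater[39]) Exited with exit code: 255
6/4/11 12:16:39 PM com.apple.launchd.peruser.501[126] (com.apple.Kerberos.renew.plist[161]) Exited with exit code: 1
"""
SYSLOG_SAMPLE = """\
Jun 18 12:06:14 localhost configd[14]: bootp_session_transmit: bpf_write(en1) failed: Network is down (50)
Jun 18 12:06:26 myMBP XProtectUpdater[29]: NSURLConnection error: Error Domain=NSURLErrorDomain Code=-1009 UserInfo=0x100106ea0 "This computer’s Internet connection appears to be offline." Underlying Error=(Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo=0x100124f60 "This computer’s Internet connection appears to be offline.")
Jun 18 12:06:27 myMBP com.apple.launchd[1] (com.apple.xprotectupdater[29]): Exited with exit code: 255
"""

# launchd's report that the updater job exited; the colon after ")" is optional
# because Console.app (first post) and system.log (later post) differ there.
LAUNCHD_EXIT = re.compile(
    r"com\.apple\.launchd\[1\]:?\s+\(com\.apple\.xprotectupdater\[(?P<pid>\d+)\]\):?\s+"
    r"Exited with exit code: (?P<code>\d+)")
# A message written by the updater process itself (capitalised process name).
UPDATER_MSG = re.compile(r"XProtectUpdater\[(?P<pid>\d+)\]:?\s+(?P<text>.*)")
URL_ERROR = re.compile(r"NSURLErrorDomain Code=(-?\d+)")

# Only -1009 occurs in the thread; the other codes are added for completeness.
URL_ERRORS = {
    -1001: "request timed out",
    -1003: "server host name could not be resolved",
    -1004: "could not connect to the server",
    -1009: "no Internet connection when the updater ran",
}

Failure = namedtuple("Failure", "stamp pid exit_code url_error cause")

def xprotect_failures(log_text):
    """Return one Failure per non-zero exit of the xprotectupdater job."""
    pending = {}   # pid -> last NSURLErrorDomain code logged by that process
    failures = []
    for line in log_text.splitlines():
        msg = UPDATER_MSG.search(line)
        if msg:
            err = URL_ERROR.search(msg.group("text"))
            if err:
                pending[msg.group("pid")] = int(err.group(1))
            continue
        done = LAUNCHD_EXIT.search(line)
        if not done or done.group("code") == "0":
            continue
        code = pending.pop(done.group("pid"), None)
        if code is None:
            cause = "updater logged no NSURLErrorDomain code"
        else:
            cause = URL_ERRORS.get(code, "NSURLErrorDomain code %d" % code)
        # Everything before the launchd tag is the timestamp (plus host name
        # in system.log format); keep it verbatim rather than guess the year.
        stamp = line[:done.start()].strip()
        failures.append(Failure(stamp, int(done.group("pid")),
                                int(done.group("code")), code, cause))
    return failures

def count_by_cause(failures):
    """Summarise failures so repeated offline-at-boot runs stand out."""
    return dict(Counter(f.cause for f in failures))

if __name__ == "__main__":
    for f in xprotect_failures(CONSOLE_SAMPLE) + xprotect_failures(SYSLOG_SAMPLE):
        print(f.stamp, "pid", f.pid, "exit", f.exit_code, "-", f.cause)
```

On the first post's excerpt this reports two exits with no recorded cause, and on the later excerpt one exit attributed to the -1009 offline error; the notifyd and Kerberos lines are ignored.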

Jun 18, 2011 1:53 PM in response to steveBinLA

I started this post and have followed it religiously.


Thank all of you (some who talk way over my head!) for your responses and input.


I have 5 Intel Macs (3 iMacs and 2 MBPs) at two different locations, and not a single one has ever auto updated. On two of them I am using "Safe Download Version" with (so far) no Keychain issues; on the other 3, I am toggling (so I can compare what is going on).


I am not savvy enough to run scripts, nor do I have time to do so on 5 computers located in two different offices and at home.


Can anyone give a 25 year Mac user simpleton some simple explanation as to why this doesn't auto-update, and what I ought to do (disable Safe Downloads, toggle, ignore, run something (What?) on Onyx, pray for 10.6.8 .... ???).

Jun 18, 2011 2:36 PM in response to pcbjr

Frequency of updates wouldn't be that big of a deal if there was an Apple added addition to the system preferences security pane that just said "check for new malware definitions" "last updated" and "current version." This way, you wouldn't have to toggle anything nor worry about when it last updated. At a glance from the above, you can get all the info you need and update if necessary.

Heck, just give XPROTECT its own security pane (in addition to security one) if you need more room..



What I meant was that IF Apple adopted my suggestions listed in my post, that you would have all the info you needed and be able to take direct action to correct (other than just toggling the update box). "from the above" meant my suggestions..

Sorry if it was unclear..

Jun 18, 2011 3:02 PM in response to pcbjr

pcbjr wrote:

I am not savvy enough to run scripts, nor do I have time to do so on 5 computers located in two different offices and at home.

If it's not updating, then send feedback. Alternatively, copy these lines into the AppleScript Editor app window, save as an application, and then double-click it to update the XProtect database.


do shell script "sudo /usr/libexec/XProtectUpdater" with administrator privileges

set a to do shell script "defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version"

set b to do shell script "defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta LastModification"

display dialog "Safe Download definitions are at version " & a & "," & return & "last updated on " & b


Doesn't get any simpler than that.

Jun 18, 2011 3:40 PM in response to baltwo

baltwo wrote:

copy these lines into the AppleScript Editor app window, save as an application, and then double-click it to update the XProtect database.


do shell script "sudo /usr/libexec/XProtectUpdater" with administrator privileges

set a to do shell script "defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta Version"

set b to do shell script "defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta LastModification"

display dialog "Safe Download definitions are at version " & a & "," & return & "last updated on " & b


Doesn't get any simpler than that.

I'm getting way behind here, but I need to comment on this one first.


I don't know where you got the idea that this script would update the XProtect database, but it does not. It's a good script and I do recommend it to anybody that finds a need to know what database is currently on their computer, but that's all it does. If you think it's out-of-date, you must still toggle the preference pane in order to update it.
