Mac OS X XProtect Detection

2011-10-20T00:00:00
ID MACOSX_XPROTECT_DETECT.NASL
Type nessus
Reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2011-10-20T00:00:00

Description

The remote Mac OS X host includes XProtect, an antivirus / anti-malware application from Apple included with recent releases of Snow Leopard (10.6) and later. It is used to scan files that have been downloaded from the Internet by browsers and other tools.

Note that this plugin only gathers information about the application and does not, by itself, perform any security checks or issue a report.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before
# touching any host.
if (description)
{
  script_id(56567);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/05");

  script_name(english:"Mac OS X XProtect Detection");
  script_summary(english:"Checks for Apple's XProtect");

  script_set_attribute(attribute:"synopsis", value:
"The remote Mac OS X host has an antivirus application installed on
it.");
  script_set_attribute(attribute:"description", value:
"The remote Mac OS X host includes XProtect, an antivirus / anti-
malware application from Apple included with recent releases of Snow
Leopard (10.6) and later.  It is used to scan files that have been
downloaded from the Internet by browsers and other tools. 

Note that this plugin only gathers information about the application
and does not, by itself, perform any security checks or issue a
report.");
  script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Xprotect");

  # Informational plugin: there is nothing to remediate and no risk is assigned.
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/20");

  # Inventory metadata: a credentialed local check that declares an
  # XProtect CPE and files the finding under security controls.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:apple:xprotect");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"asset_categories", value:"security_control");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after the SSH inventory pass, and only on hosts where local
  # checks are enabled and a Mac OS X version has been recorded.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");

# Use the SSH command wrappers only when the SSH library reports that it
# can run commands; otherwise fall back to the unwrapped path.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

if (!get_kb_item("Host/local_checks_enabled"))
  exit(0, "Local checks are not enabled.");

# XProtect first shipped with 10.6 (Snow Leopard). Bail out on anything
# older: a single-digit major version, or 10.0 through 10.5 (the trailing
# group keeps 10.10+ from being mistaken for 10.1).
os = get_kb_item("Host/MacOSX/Version");
if (!os)
  exit(0, "The host does not appear to be running Mac OS X.");

pre_xprotect = "Mac OS X ([0-9]\.|10\.[0-5]([^0-9]|$))";
if (preg(pattern:pre_xprotect, string:os))
  exit(0, "The host is running "+os+", which does not have XProtect.");


# Builds the shell pipeline used to pull one value out of an XML plist:
# `grep -A 1` prints every line matching `key` plus the line after it,
# `tail -n 1` keeps only the last of those, and `sed` unwraps the
# <tag>...</tag> element using `capture` as the sed group expression.
# Every argument is a constant defined in this file, never host-derived.
function plist_value_cmd(plist, key, tag, capture)
{
  return 'cat \'' + plist + '\' | ' +
         'grep -A 1 ' + key + ' | ' +
         'tail -n 1 | ' +
         'sed \'s/.*<' + tag + '>' + capture + '<\\/' + tag + '>.*/\\1/g\'';
}

# Commands run on the host to establish XProtect's status.
plist_updater = "/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist";
plist_meta = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist";

# - Is the updater job configured (launchd plist readable)?
cmd_cfg = 'cat \'' + plist_updater + '\'';
# - Does the XProtectUpdater binary exist?
cmd_bin = 'ls -al /usr/libexec/XProtectUpdater';
# - Is the XProtectUpdater job loaded in launchd?
cmd_jobs = 'launchctl list';
# - When were the definitions last modified?
cmd_mod = plist_value_cmd(plist:plist_meta, key:"LastModification", tag:"string", capture:'\\(.*\\)');
# - Which definitions version is installed?
# NOTE(review): grep matches any line containing "Version", so another
# key that merely contains that text would win the `tail -n 1` selection;
# presumably XProtect.meta.plist has only the one - confirm.
cmd_ver = plist_value_cmd(plist:plist_meta, key:"Version", tag:"integer", capture:'\\([0-9]*\\)');

results = exec_cmds(cmds:make_list(cmd_cfg, cmd_bin, cmd_jobs, cmd_mod, cmd_ver));
if (isnull(results))
  exit(1, "Unable to determine the status of XProtect.");

# The job listing is only trusted when launchd itself (pid 1) appears in
# it; its absence is treated as the command having run unprivileged.
jobs = results[cmd_jobs];
if (isnull(jobs) || !egrep(pattern:"^1[ \t]+.+launchd", string:jobs))
  exit(1, "'launchctl list' failed, perhaps because it was run as a non-root user.");

set_kb_item(name:"Antivirus/XProtect/installed", value:TRUE);
kb_base = 'MacOSX/XProtect/';

# Configured: the launchd plist names the updater binary and carries RunAtLoad.
cfg = results[cmd_cfg];
if (
  !isnull(cfg) &&
  egrep(pattern:"^[ \t]*<string>/usr/libexec/XProtectUpdater</string>", string:cfg) &&
  egrep(pattern:"^[ \t]*<key>RunAtLoad</key>", string:cfg)
) set_kb_item(name:kb_base+'XProtectUpdater/Configured', value:TRUE);

# Exists: an executable owned by root:wheel whose size has at least two
# digits (i.e. not an empty or near-empty placeholder).
bin = results[cmd_bin];
if (
  !isnull(bin) &&
  egrep(pattern:"^.+rwx.+ root +wheel +[1-9][0-9]+ .+ /", string:bin)
) set_kb_item(name:kb_base+'XProtectUpdater/Exists', value:TRUE);

# Loaded: the updater label shows up in the launchd job listing.
if ("com.apple.xprotectupdater" >< jobs)
  set_kb_item(name:kb_base+'XProtectUpdater/Loaded', value:TRUE);

# NOTE(review): sed leaves a non-matching line unchanged, so if the plist
# layout ever differs the raw line is stored here unvalidated - confirm
# that consumers of these keys tolerate a non-date / non-numeric value.
if (!isnull(results[cmd_mod]))
  set_kb_item(name:kb_base+'LastModification', value:results[cmd_mod]);

if (!isnull(results[cmd_ver]))
  set_kb_item(name:kb_base+'DefinitionsVersion', value:results[cmd_ver]);