10.8.4 - xProtect, the Sequel

themacdweeb
Contributor

So I've been using 10.8.4 in beta for weeks now but couldn't talk about it due to Apple's NDA. However, now that it's out, you should know:

xProtect is back. With a vengeance.

The ComboUpdater puts the mechanism back (even if you previously deleted it) and my assumption moving forward is that Apple will continue to try to put it back on your Macs each and every time you try to update your OS.

Worse, it looks like they've changed up the meta.plist and added an entirely new executable to the xProtect system.

I wrote up a full description along with a script/solution over at:
http://themacdweeb.blogspot.com/2013/06/xprotect-ii-sequel-even-more-xprotect.html

So read that first. THEN, take a look at the following. And yes, we kinda like our logging! Makes reading the console so much more appetizing...

#!/bin/sh

# The Getty xProtect over-ride script, ©2013 David Koff
# Please use freely as long as you include both of these commented lines.


#----------------------------------------------------------
#   Variables
#----------------------------------------------------------

#-----Directories & Files
SCRIPTNAME=$0
LOG="/Library/Logs/Getty Installations.log"

xProtectPlist="/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
xProtectInitPlist="/System/Library/LaunchDaemons/com.apple.xprotectupdaterinit.plist"
xProtectMetaPlist="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

LaunchDaemons="/System/Library/LaunchDaemons"
LaunchDaemonsDisabled="/System/Library/LaunchDaemonsDisabled"

#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo "                                   " >> "$LOG"
echo "###################################" >> "$LOG"
echo "##### $SCRIPTNAME" >> "$LOG"
echo "##### $(date "+%A %m/%d/%Y %H:%M")" >> "$LOG"
echo "###################################" >> "$LOG"
echo "                                   " >> "$LOG"


echo "" >> "$LOG"
echo "### ----- DISABLE XPROTECT ----- ###" >> "$LOG"
echo "" >> "$LOG"
echo "### ----- find & rename meta plist" >> "$LOG"
if [ -f "$xProtectMetaPlist" ]; then
    zip -r "$xProtectMetaPlist.zip" "$xProtectMetaPlist" >> "$LOG"
    rm -f "$xProtectMetaPlist" >> "$LOG"
    echo "The xProtectMetaPlist has been renamed, disabled & left in its original location:" >> "$LOG"
    echo "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/" >> "$LOG"
elif [ -f "$xProtectMetaPlist.zip" ]; then
    echo "The xProtectMetaPlist has already been zipped & stored at:" >> "$LOG"
    echo "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/" >> "$LOG"
fi


#### to put it back to its original state
# unzip -j /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist.zip
# rm -f $xProtectMetaPlist.zip


echo "" >> "$LOG"
echo "### ----- check for disabled launchdaemons directory" >> "$LOG"
if [ ! -d "$LaunchDaemonsDisabled" ]; then
    mkdir -v "$LaunchDaemonsDisabled" >> "$LOG"
else
    echo "$LaunchDaemonsDisabled/ directory has already been created." >> "$LOG"
    rm -fv "$LaunchDaemonsDisabled"/* >> "$LOG"
    echo "Now it has also been emptied." >> "$LOG"
fi


echo "" >> "$LOG"
echo "### ----- unload any active xProtect process" >> "$LOG"
# launchctl unload takes the path to the job's plist, not a label
launchctl unload -w "$xProtectInitPlist" >> "$LOG"
launchctl unload -w "$xProtectPlist" >> "$LOG"

echo "" >> "$LOG"
echo "### ----- move any xProtect plists to new location" >> "$LOG"
# stop here if the directory is missing, so mv never runs somewhere else
cd "$LaunchDaemons" || exit 1
mv -v com.apple.xprotect* "$LaunchDaemonsDisabled" >> "$LOG"

echo "" >> "$LOG"
echo "### ----- contents of $LaunchDaemonsDisabled now includes:" >> "$LOG"
ls "$LaunchDaemonsDisabled" >> "$LOG"


#----------------------------------------------------------
#  Timestamp
#----------------------------------------------------------
echo "                                   " >> "$LOG"
echo "###################################" >> "$LOG"
echo "##### END LOG" >> "$LOG"
echo "##### $(date "+%A %m/%d/%Y %H:%M")" >> "$LOG"
echo "###################################" >> "$LOG"
echo "                                   " >> "$LOG"

exit 0

rtrouton
Release Candidate Programs Tester

This is a good argument for managing XProtect, rather than trying to block it. I've got a script that I'm using to help manage XProtect and make sure Java isn't blocked on my systems:

http://derflounder.wordpress.com/2013/05/11/changes-to-xprotects-java-browser-plug-in-version-manage...

Another person adapted my script to manage XProtect with regards to Adobe Flash:

http://derflounder.wordpress.com/2013/03/08/managing-adobe-flash-browser-plug-in-settings-for-apples...

I haven't tested the Flash version of the script on 10.8.4, but the Java version is working fine.

Thanks
Rich

CasperSally
Valued Contributor II

Our 10.8.4 image didn't seem to be affected by this (we are copying a modified xprotect plist and running launchctl unload -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist as part of a post image script).

Added a line to unload the com.apple.xprotectupdaterinit.plist as well.

Appreciate the heads up OP, thanks.

themacdweeb
Contributor

Rich,

We read everything you wrote on the matter and tested some of your scripts as well, so before anything else: props, sir. :)

Secondly, this new iteration, for me, indicates the opposite of what you're suggesting: disabling or deleting vs. managing. If Apple continues to change how, what and when they push xProtect, it would seem better for SysAdmins to prevent the problems from cropping up in the first place instead of seeing the potential impact and then having to retool and recover.

tkimpton
Valued Contributor II

@CasperSally please can you show us your modified plist. I want to nip this in the bud.

Thanks

CasperSally
Valued Contributor II

Tkimpton - below I will copy our xprotect.meta.plist - it's just an old copy of the file that is below the current versions of Flash/Java we use. Once that is there and you unload the launchdaemon you should not be bothered with xprotect.

Also, I heard back from Apple it isn't necessary to unload the updaterinit.plist but it doesn't hurt to do so (if you need to disable xprotect).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>JavaWebComponentVersionMinimum</key>
    <string>1.6.0_33-b03-424</string>
    <key>LastModification</key>
    <string>Thu, 31 Jan 2013 04:41:14 GMT</string>
    <key>PlugInBlacklist</key>
    <dict>
        <key>10</key>
        <dict>
            <key>com.macromedia.Flash Player.plugin</key>
            <dict>
                <key>MinimumPlugInBundleVersion</key>
                <string>11.3.300.271</string>
            </dict>
            <key>com.oracle.java.JavaAppletPlugin</key>
            <dict>
                <key>MinimumPlugInBundleVersion</key>
                <string>1.7.11.21</string>
            </dict>
        </dict>
    </dict>
    <key>Version</key>
    <integer>1038</integer>
</dict>
</plist>
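
Added example, not part of any post in this thread: a Python audit that reads an XProtect.meta.plist like the one posted above and reports how old the file is and which installed plug-in versions fall below its `MinimumPlugInBundleVersion` entries. The installed versions, the audit date and the `com.example.SamplePlugin` id are constructed, and the component-wise integer comparison of version strings is an assumption of this example.

```python
import plistlib
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Condensed copy of the XProtect.meta.plist posted above (same keys and values).
META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>LastModification</key><string>Thu, 31 Jan 2013 04:41:14 GMT</string>
<key>PlugInBlacklist</key><dict><key>10</key><dict>
<key>com.macromedia.Flash Player.plugin</key>
<dict><key>MinimumPlugInBundleVersion</key><string>11.3.300.271</string></dict>
<key>com.oracle.java.JavaAppletPlugin</key>
<dict><key>MinimumPlugInBundleVersion</key><string>1.7.11.21</string></dict>
</dict></dict>
<key>Version</key><integer>1038</integer>
</dict></plist>"""

# Constructed sample inventory and audit date (not from the thread).
INSTALLED = {
    "com.macromedia.Flash Player.plugin": "11.7.700.203",
    "com.oracle.java.JavaAppletPlugin": "1.7.10.19",
    "com.example.SamplePlugin": "2.0",
}
NOW = datetime(2013, 6, 5, tzinfo=timezone.utc)

def parse_version(text):
    """Turn '1.7.11.21' into (1, 7, 11, 21) for component-wise comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def audit(plist_bytes, installed, now):
    """Return (age of the plist in days, {bundle id: verdict})."""
    meta = plistlib.loads(plist_bytes)
    age_days = (now - parsedate_to_datetime(meta["LastModification"])).days
    minimums = {}
    for group in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in group.items():
            if "MinimumPlugInBundleVersion" in rule:
                minimums[bundle_id] = rule["MinimumPlugInBundleVersion"]
    report = {}
    for bundle_id, version in installed.items():
        minimum = minimums.get(bundle_id)
        if minimum is None:
            report[bundle_id] = "no rule"
        elif parse_version(version) < parse_version(minimum):
            report[bundle_id] = "blocked (below " + minimum + ")"
        else:
            report[bundle_id] = "allowed"
    return age_days, report

if __name__ == "__main__":
    print(audit(META_PLIST, INSTALLED, NOW))
```

On a managed Mac, pass the bytes of `/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist` in place of `META_PLIST`; a large age on a machine whose updater is unloaded shows how far the pinned minimums have drifted.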