Hi wonder if anyone has got

Question

Hi wonder if anyone has got <https osquery io schema 4 3 0 xprotect reports|xprotect reports> table working I was testing a binary that would trigger xprotect to reject but xprotect reports table still empty why Maybe I miss some switches in Osquery to turn the report on

Zhen · Answer

If anyone s willing to help I could send the steps to trigger Xprotect

Zhen · Answer

I checked about locations of the report log files and realize I don t have Xprotect related log files stored in with Xprotect prefix on my Catalina so I filed a bug = gt

fritz · Answer

< Zhen> I looked into this myself recently and also came up blank when attempting to find any records from XProtect for caught malware I think you are right that something changed between minor OS releases and it wasn t caught

oneiroi · Answer

necro warning however `xprotect reports` is non functional and seems like this has been the case for sometime <https github com osquery osquery issues 6588> I added a comment today that given this is planned for improvement in the next macOS release and that many are likely reliant on `xprotect reports` for reporting capability via OSquery the table should be sought to be fixed if not now then when the revamped functionality becomes available

fritz · Answer

zombie