DetectX Swift



  • DetectX A lightweight, troubleshooting and security app for Macs to help find. DOWNLOAD; Swift Publisher 3 Limited time offer - 30% savings! Enhanced for the MacBook Pro with Retina. $19.99 DOWNLOAD; Swift Note Swift Note is a note widget for OS X 10.10 Yosemite's notification.
  • DetectX itself never asks for or sees your admin password. Any requests made for permissions is done via osascript or the Finder, and they deal with the password request and carry out the requested task. Were all deliberate design choices to make DetectX as safe as possible. Unlike some other security tools, DetectX itself.

If you like DetectX Swift and want to integrate it with Munki, this is how I did it. Hat tip to Zack McCauley for doing the heavy lifting, which I'm now building on. I'd recommend you read his blog post first.

DetectX Swift is an alternative to MalwareBytes Anti-Malware and was more economical for our district to use. It also is faster and more what we were looking for. I highly recommend it! This is a write up based on how we are deploying it here.

So instead of having an Outset script or separate Launch Agent, I decided to put the DetectX Swift scan as part of the Munki run (specifically a script in the postflight.d directory (if you put it in a preflight, it will be a blocking application that will prevent DetectX Swift from doing an unattended install upgrade) that MunkiReport creates):

It's best to use a separate Launch Daemon (example here), because the scan can sometimes take over a minute, and MunkiReport scripts will time out after ten seconds.

#!/bin/bash
# Run a DetectX Swift scan
/Applications/Utilities/DetectX Swift.app/Contents/MacOS/DetectX Swift search -aj /usr/local/munki/preflight.d/cache/detectx.json

Detectx Swift Chill Tab

Detectx swift key

Outside of MunkiReport (but connecting to the MunkiReport MySQL database), I have a script that generates a Python list of files that DetectX Swift has flagged as 'issues':

$query='SELECT issues FROM detectx WHERE numberofissues > 0';
$result=mysqli_query($YOURDATABASECONNECTION, $query);
if(mysqli_num_rows($result)>0){
// Create an array to store the results
$larger_issues=array();
while($row=mysqli_fetch_assoc($result)){
// Create an array based on a semi-colon delimiter
$smaller_issues=explode(';', $row['issues']);
foreach($smaller_issues AS $smaller_issue){
if((trim($smaller_issue)!=') AND (!in_array($smaller_issue, $larger_issues))){
array_push($larger_issues, $smaller_issue);
}
}
// End fetching results
}
if(!empty($larger_issues)){
echo '<p>okay_to_delete = [ ';
$counter=0;
while($counter+1<count($larger_issues)){
echo '' . $larger_issues[$counter] . ',<br />';
$counter+=1;
}
echo '' . $larger_issues[$counter] . ' ]</p>';
//print_r($larger_issues);
// End checking there are elements in larger issues (there should be)
}
// End checking there are any issues
}

And finally I have a nopkg to do the actual cleaning of the issues DetectX flagged.

So why even have an array of okay-to-delete things?

Well, DetectX Swift has command-line options to scan, but it (at least as of this writing) does not have the option to command-line remove things, presumably so someone has a chance to review the things removed before actually removing them. Also, since it's just forcefully removing things (yes, I know about using shutil to remove, but I've run into weird situations in which that doesn't work consistently, so I'm using a subprocess to invoke rm instead), it's probably a good idea for at least one human to review things before they get removed.

The nopkg also copies the .json to /var/log (with a datetime stamp in the name) before removing anything.

How to Setup DetectX in Jamf Pro

1) Create a CustomTrigger Policy to Install DetectX Swift

Create a new policy in your Site and name it Install – DetectX Swift. Set the only trigger to “Custom” and enter the custom trigger “install_detectx”. Set the Frequency to “Ongoing”, since we want this policy to be available whenever we need it. If desired the policy can also be enabled for Self Service.

Detectx Swift Review

Swift

In the Packages tab, add your DetectX Swift package named like “NCSU-Campus-DetectX_Swiftxxxx.pkg” where xxxx is a version number and the license package named NCSU-Campus-DetectX_Swift_License.pkg. Do not enable the “Update Inventory” option in the Maintenance tab.

Set an appropriate Scope; make the policy available to all clients in the Site.

Save the policy.

Detectx Swift Key

2) Create a Policy to Run DetectX Swift Searches

Create a new policy and give it a suitable name, like “Run DetectX Search.”

Set the Trigger to “Recurring Check-in,” and the Frequency to “Once per week.” If your environment demands more frequent or less frequent scanning, adjust the frequency accordingly. I will, however, caution against an “Ongoing” frequency so as not to inflate your Jamf Pro database with excessive inventory reports.

In the Scripts tab, add the run-detectx-search.py script. No parameters are necessary. Since the script is the only action of the policy, the default priority of “After” is sufficient.

Detectx swift beta

Set an appropriate Scope, Usually all computers in the site.

3) Interpreting the Extension Attribute

If DetectX finds potentially malicious files, they will be listed in the “DetectX Issues” Extension Attribute in each computers record in Jamf Pro.

The date of the last scan will be followed by either:

b) If the search completes but no issues are found, the Extension Attribute will be set to None.

DetectxDetectX Swift

Detectx Swift Mac

c) If the search has not yet completed, or an issue occurred when attempting a search, the Extension Attribute will be blank.

Detectx Swift For Mac

A normal value for the DetectX Issue Extension Attribute in the Jamf Pro computer record looks like:

Mt103 Field 52a

NOTE that this information will only update during the daily inventory automatically collected by Jamf Pro.

To force update use
/usr/local/bin/jamf recon

Detectx Swift Download

The information can also be confirmed by viewing the contents of the local file:

/Library/Application Support/JAMF/Addons/DetectX/results.json

More details on this process can be found at:

and