How to find out which kernel extension has been updated

kernel-extensionslogsSecurity

I received a notification on Big Sur that an extension was updated and this must be authorised in System Preferences. It is 'System software from developer "Apple Inc."'. I find this odd:

I didn't receive any such notification in the past about Apple's own software (although I have occasionally received similar notifications about third party software). I would expect kernel extension updates to only occur via official software updates, which presumably do not require such warnings (or, if anything has changed there, then Software Update process is at least clearly happening rather than silently taking places in the background).
I had not performed an update of any kind immediately preceding this (that I know of).
FortiClient had just run. I believe it does some self-updating. I have a dim view of the software; it is always trying to be invasive and is regularly refused rights for various unnecessary installations of its own.

I see the situation as potentially risky: it is possible that either someone is pretending to be Apple who isn't, or that someone is trying to modify an Apple extension.

How can I find out which extension is being updated and which process initiated this? I did not have much luck looking in Console logs or kext command-line utilities. None of the files in /Library/Extensions or /System/Library/Extensions appear to have been modified recently.

Best Answer

The name of the software developer and the contents of the kernel extension is cryptographically signed to ensure that it cannot be tampered with. Therefore I do not think it is likely that someone is pretending to be Apple, or that they're trying to modify an Apple extension.

However, I do think it is likely that some software you've installed (presumably FortiClient) has attempted to install an Apple kernel extension. I.e. an authentic Apple kernel extension that either wasn't installed before, or was installed in a version that the software wasn't compatible with - and so that developer has made the software so that it attempts to install the right version of Apple's kernel extension that they want to use.

I wouldn't exactly say that's a good way of doing things - and certainly not without informing the user - but it does sounds like a thing that could happen in practice without it being nefarious.

Related Solutions

MacOS – How to clear the kernel extension caches while using FileVault 2

Holding down cmdS at boot time, for a boot drive that's FileVault 2 encrypted, presents the password dialog, then continues into Safe Mode.

Way to find out when a USB flash drive has been last used (on any computer)

The best evidence you could get is to inspect the last access time of the files in question, or perhaps the last access time of the top-level directory on the file system.

But first, a bit of background. A USB flash drive would be treated by the computer much like a disk. The drive (or, more precisely, the main partition within the drive) would be formatted as a filesystem. Most flash media come formatted out of the box with a VFAT filesystem, which is a lowest-common-denominator solution that works with nearly all devices, including OS X, Windows, Linux, and digital cameras. The next most likely alternatives to VFAT would be HFS+ (the native file system of OS X, which Windows doesn't support at all) or NTFS (the native file system of Windows, supported by any version of Windows released this century, but which has just read-only support in OS X, and is rarely supported on digital cameras).

That background is relevant because different filesystems store the last access time differently. I'm going to work with the assumption that your USB stick is formatted with VFAT. This is important because VFAT filesystems only store the last access date, not the time of day. That would be the best evidence you could hope to collect, assuming that everything else goes right.

To see last access dates in the Finder,

Switch to List view (View → as List (⌘2))
Show the View Options dialog (View → Show View Options (⌘J))
Select "Date Last Opened"

Alternatively, instead of using the Finder, you could use the Terminal to run

stat -x /Volumes/USB-Stick-Name/Path/To/File

to see the Access time of a particular file.

There are some important caveats, though!

First, the act of plugging in the media on your Mac will cause it to be automatically mounted, thus altering the last access time of the top-level directory (and perhaps destroying even more evidence than that). A forensic analysis should require precautions such as mounting the media in read-only mode. Therefore, you would have to suppress the auto-mounting behaviour of OS X, which is not that easy.

Second, your suspected coworker / spy could have taken a similar countermeasure of mounting the media read-only, thus leaving no timestamp as evidence. (There is also no guarantee that the computer that the spy used had its clock set accurately, which would cast doubt on the validity of any timestamp.)

The moral of the story is, if you have any sensitive information to be stored on removable media, encrypt it! The easiest solution would be to use FileVault 2. Note, however, that such encryption would make the USB stick unreadable on any machine other than a Mac.

Best Answer

Related Solutions

MacOS – How to clear the kernel extension caches while using FileVault 2

Way to find out when a USB flash drive has been last used (on any computer)

Related Question