Apple has just released an update to XProtect for all versions of macOS, bringing it to version 5322. At the same time there’s an update to XProtect Remediator for Catalina and later, bringing that to version 156. As usual, it doesn’t release information about what security issues these updates might add or change.
This version of XProtect adds one new rule to its main Yara file, for MACOS.TIMELYTURTLE.DYCAOC, and amends the existing rule for MACOS.SOMA.OCENA. It also adds a new XPScripts.yr file containing two rules using an osascript (AppleScript) interpreter, MACOS.OSASCRIPT.COTABR and MACOS.OSASCRIPT.COTAWA.
XProtect Remediator 156, which follows version 153, adds one new scanning module, XProtectRemediatorConductor. It will be interesting to see whether this refers to a new codename, or its role among other scanning modules.
The XProtect Behavioural or Bastion rules embedded in XProtect Remediator 156 amend Rule 22, but don’t add any further rules.
You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.
If you want to install these as named updates in SilentKnight, their labels are XProtectPlistConfigData_10_15-5322 and XProtectPayloads_10_15-156.
This XProtect update has finally been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5322 but your Mac still reports that an older version is installed, you should be able to force the update using
sudo xprotect update
Update: the iCloud update was finally made available after 22:00 GMT on 5 November, over 24 hours after the release of this new version of XProtect.

Some who use SilentKnight for the first time discover that their Mac has been running for months with one of its security systems disabled. As macOS doesn’t have a dashboard to warn you of such dangerous settings, you may not notice until it’s too late. This article explains how to check those essential security settings on Macs with T2 or Apple silicon chips, and how to put them right. Intel Macs without T2 chips are different, and are covered in a previous version.
Running your Mac in Full Security ensures it gets full protection from its Secure Boot technology. In an Apple silicon Mac this prevents it from loading third-party kernel extensions, and requires recent approved versions of macOS. Check this in System Information by selecting the Controller item in its Hardware section, or in SilentKnight.
This is controlled in Startup Security Utility, accessed from Recovery. Note that it only works with the paired Recovery system, the one you normally use; Apple silicon fallback Recovery doesn’t have this ability.
If you need to run kernel extensions or other software that can’t be loaded in Full Security, use Startup Security Utility to set the Mac to Reduced Security, and enable kexts. Avoid doing this if at all possible.
Settings are different for Intel Macs with T2 chips, where there are three levels of boot security, and the most common reason for reduction from Full Security is to enable that Mac to boot from external drives, something that Apple silicon Macs can do in Full Security.
Since El Capitan, macOS has protected all its system files, even down to bundled apps, using System Integrity Protection. This should make it impossible for malware or other software to change those protected files. SIP is also required for a wide range of other security protection, and should be fully enabled unless you have a compelling reason for disabling it partially or completely. In Apple silicon Macs, its status is reported in System Information’s Controller item, but Intel Macs instead give it in the Software section. It’s also checked by SilentKnight and Skint.
You can turn SIP off, something very occasionally needed to perform certain essential tasks. Doing so requires you to start up in Recovery mode, enter a command in Terminal there, and restart; Apple silicon Macs also need to have their boot security reduced in Startup Security Utility before SIP can be disabled.
To enable SIP, start up in Recovery mode, open Terminal, and type the following command:
csrutil enable; reboot
Once that’s done your Mac will restart in normal mode, and you should confirm that SIP is reported as enabled.
If you ever do need to disable SIP, do yourself a favour and put a sticky note on your Mac’s display to remind you to turn it back on.
Gatekeeper runs checks on apps when they’re opened, and those can include scans for known malicious software using XProtect. As part of your Mac’s frontline protection against malware, you should leave those enabled unless there’s a compelling reason to temporarily disable them. However, I don’t know of anywhere in the macOS GUI that informs you whether these checks are being performed, although they are reported by SilentKnight and Skint.
If it has been disabled, you may be able to enable it using the command
spctl --enable
but chances are that you will instead need to invoke
sudo spctl --global-enable
requiring you to authenticate using your admin password. Be careful with those commands: the hyphens before enable and global-enable aren’t long dashes, but two separate hyphens.
When you install Big Sur or later, the vast majority of its system files are saved in its System volume. For your Mac to boot from this, it has to be turned into a snapshot, sealed using a tree of cryptographic hashes, and the master seal ‘signed’ by a hash, which is compared against that set by Apple. This signed system volume is extremely secure and thoroughly reliable. On Intel Macs, this is only reported in Disk Utility, but Apple silicon Macs list it in System Information as well. It’s also reported by SilentKnight and Skint.
The SSV should always be enabled. If it isn’t, you’ll need to re-install macOS.
Intel Macs with T2 chips and Apple silicon Macs encrypt the whole of the Data volume on their internal SSD. By default, that uses an internally-generated key that’s used automatically when any user logs in. Although it provides good security in most situations, you’re far better off enabling FileVault, as that protects the encryption key with your password as well. This imposes no overhead on accessing encrypted data, and provides valuable protection for your data at no cost.
Check whether FileVault is enabled in Privacy & Security settings, where you can enable it if it’s not already turned on. SilentKnight checks it as well.
To ensure your Mac and its apps are best protected from malware, keep its firmware and macOS up to date. As those are updated together, Macs with T2 or Apple silicon chips that are running the most recent release of their major version of macOS will also be running the current firmware, which no longer needs to be checked separately. Check the version of macOS in the About This Mac command at the top of the Apple menu.
Apple lists current supported versions of macOS on its Security Releases page. Those, and versions of security data software, are also listed and detailed here on this page.
If your Mac is running an older release of macOS and its firmware, update them together using Software Update in General settings.
This anti-malware scanner performs automatic background scans to detect and remove a wide range of malicious software. It’s normally scheduled to run at least once a day, when your Mac is awake but not busy, and supplied with mains power. You’re wise to check that its scans are being run correctly, and will probably want to know if it has detected and remediated any malware. SilentKnight and Skint run a quick check of its activity over the previous 36 hours, and XProCheck provides detailed reporting and analysis.
Over the last year or so, XProtect Remediator has been using a timer during its scans, and automatically cancelling them if a scan takes longer than allowed. On many Macs, most scans are terminated early, and that results in warnings from SilentKnight and Skint. If you’re concerned, check the reports in XProCheck, where you’ll see that the plugin was cancelled with a status_code of 30, as is typical with the timer.
SilentKnight does all of those and more.
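One way to gather the checks above into a single command-line report, as an added example that is neither SilentKnight nor Skint: it assumes the stock csrutil, spctl and fdesetup tools and the phrases they print, and leaves out the Secure Boot level, which the article checks in System Information.

```shell
#!/bin/sh
# Added example, not SilentKnight or Skint: a minimal command-line
# "dashboard" for the settings the article walks through on T2 and
# Apple silicon Macs. Assumptions: csrutil(8), spctl(8) and fdesetup(8)
# print the phrases matched below; Secure Boot level is omitted because
# it is only shown in System Information / Startup Security Utility.
# Each parser takes the tool's output as text, so it can be exercised on
# constructed samples and is easy to adapt if Apple changes the wording.

# csrutil status -> enabled | disabled | custom | unknown
sip_state() {
  case "$1" in
    *"System Integrity Protection status: enabled"*)  echo enabled ;;
    *"System Integrity Protection status: disabled"*) echo disabled ;;
    *"Custom Configuration"*)                          echo custom ;;
    *)                                                 echo unknown ;;
  esac
}

# spctl --status -> enabled | disabled | unknown  (Gatekeeper assessments)
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# fdesetup status -> on | off | unknown  (FileVault on the Data volume)
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# csrutil authenticated-root status -> enabled | disabled | unknown  (the SSV)
ssv_state() {
  case "$1" in
    *"Authenticated Root status: enabled"*)  echo enabled ;;
    *"Authenticated Root status: disabled"*) echo disabled ;;
    *)                                       echo unknown ;;
  esac
}

# Name every setting that is not in the state the article calls for.
# Usage: problems SIP GATEKEEPER FILEVAULT SSV  -> "" when all are good.
problems() {
  p=""
  [ "$1" = enabled ] || p="$p SIP"
  [ "$2" = enabled ] || p="$p Gatekeeper"
  [ "$3" = on ]      || p="$p FileVault"
  [ "$4" = enabled ] || p="$p SSV"
  echo "${p# }"
}

# Run the real tools and print the summary; only meaningful on a Mac.
report() {
  sip=$(sip_state "$(csrutil status 2>/dev/null)")
  gk=$(gatekeeper_state "$(spctl --status 2>/dev/null)")
  fv=$(filevault_state "$(fdesetup status 2>/dev/null)")
  ssv=$(ssv_state "$(csrutil authenticated-root status 2>/dev/null)")
  printf 'SIP: %s  Gatekeeper: %s  FileVault: %s  SSV: %s\n' "$sip" "$gk" "$fv" "$ssv"
  bad=$(problems "$sip" "$gk" "$fv" "$ssv")
  if [ -n "$bad" ]; then echo "Needs attention: $bad"; else echo "All checked settings OK"; fi
}

if [ "$(uname -s)" = Darwin ]; then report; fi
```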

Each of the main security services in macOS such as XProtect relies on data commonly stored in separate files on the Data volume so they can be updated directly outside full macOS system updates. Those are released silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.
Currently, those most frequently updated are XProtect and XProtect Remediator, the former being updated most weeks. However, Sequoia changed the way that XProtect’s data is updated, and it’s now intended to occur over a connection to iCloud rather than through Software Update, while XProtect Remediator continues to rely on the latter rather than iCloud.
This article details each of the main security data files found in macOS 26 Tahoe, together with others involved in related system functions. Several other bundles that formerly had roles in security have now been emptied, left frozen in time, or removed completely. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.
XProtectPayloads, alias XProtect.app and XProtect Remediator
This contains a suite of specialised malware detection and remediation tools, in the app bundle XProtect.app in the Data volume at /Library/Apple/System/Library/CoreServices. This was introduced in macOS 12.3, then version 62 was pushed to Catalina and later on 17 June 2022. Executables include a replacement for MRT, and many scanners for specific malware types. My free XProCheck inspects its reports for malware detection and remediation. This is normally updated every month or so using Software Update or a substitute.
XProtectPlistConfigData
These are whitelists and blacklists used by XProtect. Since Sequoia, two different locations are used: the primary is at /var/protected/xprotect/XProtect.bundle in the Data volume; the secondary is also in the Data volume at the traditional location of /Library/Apple/System/Library/CoreServices/XProtect.bundle, and can be used as a fallback when there’s no bundle at the primary location. While previous versions of macOS still obtain updates through Software Update, Tahoe is also intended to update the primary bundle via a CloudKit connection to iCloud. This is routinely updated every week, at the same time as updates for previous versions of macOS. You can force an update using the command sudo xprotect update in Terminal, if a more recent version is available.
Bastion
These provide rules and exceptions for XProtect Behaviour Service (XBS). First introduced in Ventura, this service monitors for and logs processes that access sensitive locations such as folders containing browser data. This doesn’t block behaviours, only records them in its database at /var/protected/xprotect/XPdb, and reports them to Apple as security intelligence. Bastion rules are defined in bastion.sb and BastionMeta.plist inside /Library/Apple/System/Library/CoreServices/XProtect.app. Those are updated irregularly.
AppleKextExcludeList
Latest version: 21.0.0, 9 September 2025 (26.0 release).
This is a huge list of kernel extensions that are to be treated as exceptions to Tahoe’s security rules, and is stored in the Data volume in /Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist. At one time, this was a blacklist of kexts to block, but in Mojave 10.14.5 that changed, and it has since been a list of over 18,000 kexts that are given exceptional treatment, as explained here. However, this doesn’t appear to apply to Apple silicon Macs, as they have their own separate rules about which kexts to allow and which to block, that are far more stringent. Accordingly, this list should go away in macOS 27.
IncompatibleAppsList
Latest version: 260.200 (26.0 release).
This is a bundle in the Data volume at /Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing many known incompatible versions of third-party products, including Flash Player.
MRTConfigData
Last version: 1.93, 14 July 2022.
This was Apple’s Malware Removal Tool, stored in the Data volume at /Library/Apple/System/Library/CoreServices/MRT.app so that it could remove any malware that macOS detected. It has now been replaced by the XProtectRemediatorMRTv3 executable module in XProtect Remediator, and may disappear in future versions of macOS. It usually isn’t installed as part of macOS, but is installed later as a security data update.
Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, but can instead be 94.
This is an SQLite database in the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db and may have been used to provide whitelists for Gatekeeper’s security system, which checks the code signatures of apps. Macs that have never had Catalina or earlier installed normally have the very old version 94, indicating this database isn’t currently used.
Gatekeeper E Configuration Data (GKE), alias Gatekeeper Compatibility Data
Latest version: 1.0 dated 2 October 2019.
This was an SQLite database in the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which may have provided whitelists for Gatekeeper’s security system. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db was new in Catalina and hasn’t changed since. Although this is still downloaded and installed, it’s nowhere to be found in Tahoe, and appears to be a historical remnant.
Last updated: 19 September 2025.

It’s now almost a year since macOS Sequoia changed security updates, and I’m still being asked how these work. I also suspect a few are wondering whether there will be any changes coming in Tahoe. This article summarises how these work at the moment, and are expected to continue.
All reasonably recent versions of macOS have three different security features known as XProtect:
So for the time being, you should expect your Mac to update XProtect’s bundle every week or so, and the XProtect app (XProtect Remediator, and Bastion rules) every month.
Roughly once a month, your Mac should download and install a file named something like XProtectPayloads_10_15-155, where the last three digits are its new version number. This is delivered and installed automatically through Software Update, if you have it set to Install Security Responses and system files. You can also download and install it manually using the softwareupdate command, or, easiest of all, using my free SilentKnight.
All fairly recent versions of macOS have a copy of XProtect.bundle in /Library/Apple/System/Library/CoreServices. This is also downloaded and installed using Software Update, softwareupdate or SilentKnight, and the file name is something like XProtectPlistConfigData_10_15-5314. In versions of macOS before Sequoia, this is the only copy of that bundle, and once that has been installed, XProtect is up to date.
Almost a year ago, Apple changed XProtect in Sequoia, and since then Tahoe has followed suit. They not only have legacy XProtect with its XProtect.bundle in /Library/Apple/System/Library/CoreServices, but they have a separate copy of the same bundle in /private/var/protected/xprotect. If you compare those carefully, you’ll see differences, as the legacy copy is signed, but the other isn’t.
When XProtect is updated, Sequoia and Tahoe therefore download and install those two copies separately. The legacy copy is updated exactly the same as in older macOS, through Software Update, softwareupdate or SilentKnight.
The new copy of XProtect.bundle in /private/var/protected/xprotect can’t be updated by softwareupdate or SilentKnight, though. Updating the legacy copy doesn’t alter or update that, which is instead performed over a connection to iCloud. To check and update that copy, you can use the xprotect command in Terminal. The command
xprotect version
returns the version of XProtect installed in the new (iCloud-based) location, which can be different from the legacy copy. You can check whether an iCloud update is available using the Terminal command
sudo xprotect check
and entering your admin password when prompted to do so. If that version number is higher than that currently installed in the new location, then the command
sudo xprotect update
will download and install XProtect from iCloud into its new location.
In Sequoia and Tahoe, both versions of XProtect.bundle will eventually be downloaded and installed automatically. Sometimes, when you’re installing one, the other is also updated. That doesn’t occur because one updater can also update the other copy, but simply because the automatic update process has run. In the early days of Sequoia, the xprotect update command could update the iCloud version from the legacy version, but that stopped working many months ago.
Another behaviour that can appear confusing is when legacy XProtect updates but the iCloud version doesn’t. That often occurs soon after a new version is released, as it almost invariably is made available via Software Update first, so resulting in the legacy version being updated quickly. Sometimes the iCloud update isn’t made available for several hours later, and that may give the impression that updating the legacy version is somehow blocking the iCloud update. That’s easy to check using the xprotect check command: until that reports the new version is available, the xprotect update command won’t work.
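The two-copy arrangement described above, and the xprotect check/update steps given in the update notice earlier on this page, can be checked from Terminal with this added script. It is not hoakley’s code nor part of SilentKnight, and it assumes that each bundle’s Contents/Info.plist records the XProtect version as an integer in CFBundleShortVersionString.

```shell
#!/bin/sh
# Added example (not hoakley's code, not part of SilentKnight): compare the
# two copies of XProtect.bundle that Sequoia and Tahoe keep, the legacy one
# fed by Software Update and the one fed from iCloud, and say which lags.
# Assumption: each bundle's Contents/Info.plist records the XProtect version
# as an integer in CFBundleShortVersionString (5322 for the update above).

LEGACY_BUNDLE=/Library/Apple/System/Library/CoreServices/XProtect.bundle
CLOUD_BUNDLE=/private/var/protected/xprotect/XProtect.bundle

# Read CFBundleShortVersionString from XML plist text on stdin.
# In a plist the <string> value sits on the line after its <key>.
plist_short_version() {
  awk '/<key>CFBundleShortVersionString<\/key>/ {
         getline; sub(/^.*<string>/, ""); sub(/<\/string>.*$/, ""); print; exit }'
}

# Version from a bundle path, or empty when the bundle is absent
# (pre-Sequoia systems have no iCloud copy at all).
bundle_version() {
  if [ -f "$1/Contents/Info.plist" ]; then
    plist_short_version < "$1/Contents/Info.plist"
  fi
}

# Classify the pair -> same | legacy-ahead | cloud-ahead | missing
compare_versions() {  # legacy cloud
  if [ -z "$1" ] || [ -z "$2" ]; then echo missing
  elif [ "$1" -eq "$2" ]; then echo same
  elif [ "$1" -gt "$2" ]; then echo legacy-ahead
  else echo cloud-ahead
  fi
}

# What to do next, following the procedure described in the text.
advice() {
  case "$1" in
    same)         echo "both copies match; nothing to do" ;;
    legacy-ahead) echo "iCloud copy lags: run 'sudo xprotect check', then 'sudo xprotect update' once it reports the new version" ;;
    cloud-ahead)  echo "legacy copy lags: run Software Update (or softwareupdate / SilentKnight)" ;;
    *)            echo "only one copy present: pre-Sequoia macOS, or a bundle is missing" ;;
  esac
}

# Constructed Info.plist fragment (not a real file) so the parser can be
# exercised anywhere; a real XProtect.bundle carries the same two keys.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleShortVersionString</key>
	<string>5322</string>
	<key>CFBundleVersion</key>
	<string>5322</string>
</dict>
</plist>'

sample_version() { printf '%s\n' "$SAMPLE_PLIST" | plist_short_version; }

# Compare the real bundles and print advice; only meaningful on a Mac.
report() {
  legacy=$(bundle_version "$LEGACY_BUNDLE")
  cloud=$(bundle_version "$CLOUD_BUNDLE")
  echo "legacy  $LEGACY_BUNDLE: ${legacy:-none}"
  echo "iCloud  $CLOUD_BUNDLE: ${cloud:-none}"
  echo "xprotect version reports: $(xprotect version 2>/dev/null || echo 'n/a (pre-Sequoia)')"
  advice "$(compare_versions "$legacy" "$cloud")"
}

if [ "$(uname -s)" = Darwin ]; then report; fi
```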
I am sometimes asked where I look to check when XProtect and other updates are available, as if Apple publishes this information somewhere. It doesn’t. I use the same tools that you can use, SilentKnight to check for updates via softwareupdate, and the xprotect command tool for those delivered from iCloud. As soon as I find a new update, I install it here, update the databases on Github used by SilentKnight and Skint, analyse the contents of the update, post the announcement here, post that on X/Twitter, then update this blog’s System Updates page.
All the code for these updates is contained in the copy of macOS installed in the SSV, the signed snapshot of the System volume that runs your Mac. For any given version of macOS, all Macs, both Intel and Apple silicon, have identical SSVs, although there are differences in their cryptexes and Data volumes. Thus, XProtect updates work exactly the same on all Macs running Sequoia 15.6.1 from my ancient iMac Pro to my latest Mac mini M4 Pro, and I check those with every update as well.
I hope you find these helpful.

Few other companies have had as much influence on the Mac and its success as Adobe. Founded just over a year before Apple launched the Mac, its original mission was to develop and market its new PostScript page description language, originally designed and written by Adobe’s co-founders, John Warnock (1940-2023) and Charles Geschke (1939-2021). Steve Jobs (1955-2011) was an early enthusiast who shared their vision. After an unsuccessful bid to buy Adobe, Apple bought a 19% stake in it and paid in advance for a five-year licence for PostScript. When Apple introduced its first PostScript laser printer, the LaserWriter, in March 1985 the partnership launched the Desktop Publishing (DTP) revolution.
The same year the LaserWriter brought PostScript and its fonts to the first DTP designers, Adobe started development of its first retail software product, Illustrator, released two years later in 1987. This is a vector graphics editor aimed initially at creating Encapsulated PostScript Format (EPSF) graphics, so it had to render the bézier curves of PostScript into the Mac’s QuickDraw graphics.
Illustrator wasn’t offered for Windows for another two years, and even then was widely criticised for lagging behind its Mac version. It wasn’t until 1997 that the Windows version achieved parity. Adobe’s major competitor, Aldus FreeHand, was preferred by many professionals until Adobe bought Macromedia in 2005, following which it was quietly suffocated.
This is Adobe Illustrator running in Mac OS X 10.2 Jaguar in early 2003.
In 1988, Adobe bought the distribution licence to a raster graphics editor already named Photoshop by its original developers, brothers Thomas and John Knoll. The first Adobe version was released for Macs only in February 1990. It has the distinction of being the major app developed using Apple’s MacApp class library, and wasn’t released for Windows until late 1992, by which time it was establishing itself as the standard, particularly for pro photographers. In 2007 it was joined by Adobe Photoshop Lightroom, an image management app that became the standard when Apple discontinued Aperture in 2015.
This is Adobe Photoshop in Mac OS 9.2, in late 2002.
And this is its matching Mac OS X version in 10.2 Jaguar.
Digital non-linear video editing was in its infancy in 1991, when SuperMac Technology developed a QuickTime-based app to support its Video Spigot capture card. Adobe purchased the whole project, and four months later at the end of 1991 released the first version of Adobe Premiere. Although severely constrained by hardware of the time, it proved another successful Mac-only product until its Windows version was released almost two years later, and the product was renamed Adobe Premiere Pro in 2003.
In 1995, Premiere was joined by After Effects following Adobe’s acquisition of Aldus the previous year. After Effects provides digital effects including motion graphics and compositing. In 1999, Apple released Final Cut Pro, whose early development had been by the first Premiere development team working for Macromedia, and has since added Motion and other apps to form its Pro suite. They successfully competed against Adobe’s video products on the Mac.
I have already given a fuller account of the history of PDF and Adobe Acrobat on Macs.
This is Acrobat Distiller 4.0 running on Mac OS 9.1 in early 2001, showing some of its bewildering array of options for turning PostScript files into PDF.
Adobe provided its free Acrobat Reader for Mac OS X, here seen in 10.0 Cheetah.
FrameMaker, originally developed by Frame Technology, is a high-end technical publishing system bought by Adobe in 1995. It was then offered in a premium version with extensive support for SGML, seen here in 2002, two years before Adobe dropped this Mac version.
From its launch in 1985, the leading page layout app for Macs had been Aldus PageMaker, which Adobe acquired when it purchased Aldus in 1994. By this time, PageMaker was under increasing pressure from QuarkXPress, which had become preferred by many professionals. As a result, Aldus had already started to develop what it claimed would be its “Quark killer”, and Adobe continued that. It then discontinued support for PageMaker in a final version released in 2001, which notoriously didn’t support Mac OS X and was never ported to Intel Macs either.
Early development on what was to become Adobe InDesign had started in Aldus before it was swallowed up by Adobe, and its first version was released in 1999, for both Windows and Mac OS. When Mac OS 10.0 Cheetah was released in March 2001, InDesign was its first native page layout app, as well as the first to support Unicode and advanced features of OpenType fonts. As QuarkXPress entered a decline, InDesign became the DTP product of choice.
This is Adobe InDesign in its early days, seen here editing Christmas cards in Mac OS X 10.2 Jaguar in December 2002.
Dreamweaver is a website development app that originated in Macromedia in 1997, and was acquired by Adobe with its purchase of that company in 2005.
Adobe Dreamweaver is seen here running in Mac OS X 10.6 Snow Leopard in August 2009.
Another of Macromedia’s products that Adobe acquired in 2005 was Flash, a rich multimedia software platform that became enormously popular in websites including YouTube and many corporate sites. Flash came with its own scripting language ActionScript, but proved a security nightmare because of its long series of exploited vulnerabilities. Although Flash Player was almost universal on Macs, Apple refused to allow Flash support on its devices, leading to a bitter standoff between Steve Jobs and Adobe. About a year later, much to the relief of security staff around the world, Adobe announced it would cease Flash development; it was deprecated in 2017, and all support stopped at the end of 2020.
‘Shockwave Flash’ and the Flash Player plagued Mac OS X Tiger in 2006.
There have been and still are many other apps from Adobe. One of my favourites was LaserTalk, first released by Emerald City Software in 1988. This was a PostScript debugger acquired by Adobe and bundled in its PostScript SDK. Finally, there was Adobe Streamline, a tool for converting bitmap graphics into Adobe Illustrator vector graphics, first released in 1989, and absorbed into Illustrator in about 2001. No doubt you will also have your own favourites.
Apple sold its 19% stake in Adobe in 1989, and in 2011 Adobe introduced its Creative Cloud subscription service, that two years later replaced its popular Creative Studio DVD distributions with perpetual licences.
