Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5279. As usual, Apple doesn’t release information about what security issues this update might add or change.
Relative to the last version released for all supported versions of macOS (5278), this version makes a small amendment to the detection rule for MACOS.PIRRIT.CHU.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5279.
For Sequoia only: there’s no sign of this update being made available in iCloud, which now returns an XProtect version of 5278. If you download and install it using Software Update, softwareupdate or SilentKnight, then once that’s complete you need to update the primary XProtect bundle in Terminal using the command sudo xprotect update
then entering your admin password. If you’re unsure what to do, this article explains it comprehensively and simply.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
If you encounter problems with QuickLook not creating Thumbnails or Previews properly, one of the first steps is to discover which code is responsible for generating those for QuickLook. Prior to macOS Sequoia, the standard way to do that was using the command tool qlmanage, among whose options is -m, to list all the qlgenerators available on your Mac. If you’ve tried that in Sequoia, you’ll surely have noticed that no longer works.
qlmanage
Since Catalina, Apple has been encouraging developers to switch away from qlgenerators to app extensions to create custom Thumbnails and Previews for QuickLook, and Sequoia is the first version of macOS that can’t use third-party qlgenerators. I have noticed some document types that only a few weeks ago in Sonoma still used custom thumbnails and full previews, but now can’t do so, although others continue to work normally.
These are controlled in the Quick Look item in Login Items & Extensions in General settings.
That should list all third-party app extensions providing this service, and enabling the right one(s) could fix some of those problems. But it turns out this list isn’t complete, and doesn’t in any case tell you which app extension handles which file type. For those, you’d normally turn to qlmanage, but its -m option can only see the qlgenerators in macOS, and no third-party app extensions at all. In fact, qlmanage is now of little help for anything related to QuickLook. I’ve gone back through Sonoma and Ventura, and qlmanage there is no different: although it does list third-party qlgenerators, none of those provided in app extensions appear in its list.
QuickLook app extensions
As far as I can discover, Apple doesn’t provide any equivalent of qlmanage that can report on QuickLook app extensions. The closest it comes is in the pluginkit tool, that can list all app extensions known to macOS. With a bit of tweaking, its -m option can reveal which of those use the QuickLook SDKs for Thumbnails or Previews.
Armed with the appex bundle path from pluginkit, you can then inspect the Info.plist in each, where there’s an array of QLSupportedContentTypes giving the UTIs of all file types supported by that appex. Although I’m sure someone could implement that in a shell script, this seemed an ideal task for my free utility Mints.
Mints and QuickLook
Version 1.20 of my free utility Mints is now available from here: mints120
from Downloads above, from its Product Page, and via its auto-update mechanism.
This adds a twenty-fifth button to the app’s control window, named QuickLook, at the bottom left. Click on that and Mints will open a new window and fill it with information about all the qlgenerators and QuickLook appexes your Mac knows about.
For qlgenerators, you’re given the file UTI, the path to the qlgenerator file, and (when available) its version number, e.g. com.adobe.pdf/System/Library/QuickLook/PDF.qlgenerator (1002.2.3)
App extensions are divided into two, the first are those providing Previews, and the second those for Thumbnails, e.g. com.apple.applescript.text/Applications/PreviewCode.app/Contents/PlugIns/Code Previewer.appex
This is an appex provided in one of Black Pyramid Software’s superb Preview series, in PreviewBundle 2 from the App Store (highly recommended).
You will see a few entries like Safari’s [none]/System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app/Contents/PlugIns/SafariQuickLookPreview.appex
with an appex that doesn’t have a list of file types in QLSupportedContentTypes.
Checking UTIs
It’s easy to guess which UTIs represent many file types, but some are a bit more cryptic. For those, copy and paste the UTI into the UTI field of my free UTIutility and it will give you clues as to its identity, including file extensions.
Unfortunately, some of the system qlgenerators support generic UTIs such as public.audio/System/Library/QuickLook/Audio.qlgenerator (1002.2.3) public.image/System/Library/QuickLook/Image.qlgenerator (1002.2.3) public.movie/System/Library/QuickLook/Movie.qlgenerator (1002.2.3)
which clearly cover broad ranges of more specific file types, but don’t provide any more specific information.
How to identify QuickLook extensions
List installed QuickLook extensions using Mints’ QuickLook button.
Identify the file’s UTI using UTIutility.
Locate the UTI in the list of extensions.
If no match is found, check UTIs listed in UTIutility as Conforms.
Check Quick Look item in Login Items & Extensions in General settings, to ensure that extension is enabled.
Next up for Mints is a feature to explore app extensions. I may be a little longer on that one.
If your Mac is still running Sonoma or Ventura, and you have already updated it to 14.7.1 or 13.7.1, you might have noticed that neither updated Safari, nor has there been a separate update released yet for Safari 18.1.
According to release notes for Safari 18.1 (20619.2.8), this new version has already been released for Sonoma and Ventura, but as of 1600 GMT on 29 October 2024, there’s still no sign of any separate update, nor was it bundled in the x.7.1 updates.
Sonoma and Ventura had Safari 18 released for them on 16 September 2024, concurrently with Sequoia 15.0. On 3 October 2024, at the same time that Apple released Safari 18.0.1 in Sequoia 15.0.1, it also released Safari 18.0.1 for Sonoma and Ventura, without any CVEs being reported as fixed.
Current versions of Safari read:
in Sequoia 15.1 – Safari 18.1 (20619.2.8.11.10)
in Sonoma 14.7.1 – Safari 18.0.1 (19619.1.26.111.11, 19619)
in Ventura 13.7.1 – Safari 18.0.1 (18619.1.26.111.11, 18619)
leaving the latter two due an update to Safari 18.1, which would ordinarily have been released with the x.7.1 macOS updates, but hasn’t been yet.
Update
As of 2150 on 29 October 2024, both Safari updates are now available through Software Update. Version and build numbers are 18.1 (19619.2.8.111.5, 19619) for Sonoma 14.7.1, and 18.1 (18619.2.8.111.5, 18619) for Ventura 13.7.1, and Apple lists the CVEs they address in this note.
The macOS 15.1 update is the first scheduled update since Sequoia’s release last month, and brings with it a great many fixes as expected. From user reports, it’s believed to complete correcting problems reported with networking in 15.0, some of which were addressed in 15.0.1, although Apple hasn’t confirmed that.
Apple’s release notes are helpfully more detailed than usual, and include the following:
new Writing Tools, but only for Apple silicon Macs set to US English as their primary language, with Siri also set to US English,
a new-look Siri with Type to Siri for those who don’t want to talk to it, richer language understanding and context, and Apple product knowledge,
Photos can find by description, and now features Clean Up to remove unwanted parts,
Notifications has summaries, and a new Reduce Interruptions focus,
Mail and Messages have Smart Reply for suggested responses,
Notes has transcription summaries,
iPhone Mirroring now supports drag and drop.
To clarify the requirement to get Writing Tools and other AI to work, the Mac must have an Apple silicon chip (M1 to M4), and:
in System Settings, General, Language & Region, the Primary language must be set to English (US), although any other language can be set secondarily, and made the current language in the keyboard menu, and
in Apple Intelligence & Siri, the Language set for Siri Requests must be English (United States), although you can turn Listen forOff if you don’t want to converse with Siri vocally.
Once those are set, you should be able to turn Apple Intelligence on. There will then be a short period on the waiting list, for macOS to download the additional models required. You’ll be notified when it’s ready to use.
Security release notes are available here, and list 50 entries, none of which Apple suspects may already have been exploited.
iBoot firmware on Apple silicon Macs is updated to version 11881.41.5, and T2 firmware to 2069.40.2.0.0 (iBridge: 22.16.11072.0.0,0). The macOS build number is 24B83, with kernel version 24.1.0. There are no firmware updates for Intel Macs without T2 chips.
Significant changes seen in bundled apps include:
Books, to version 7.1
Freeform, to version 3.1
iPhone Mirroring, to version 1.1
Mail and Messages, large build increments
Music, to version 1.5.1
News, to version 10.1
Passwords, to version 1.1
Photos, large build increment
Reminders, large build increment
Safari, to version 18.1 (20619.2.8.11.10)
Shortcuts, large build increment
TV, to version 1.5.1
Tips, to version 15.1.
Inevitably, there are many build increments in components related to Apple Intelligence. Other significant changes to /System/Library include:
Audio/Plug-Ins/HAL MacAudio driver, to version 510.2
CoreServices Desk View app, to version 2.0
CoreServices Siri app, to version 3401.24.3.14.7
Significant changes across many AGX and AppleEmbeddedAudio kernel extensions
A new AppleT8140 kernel extension
APFS is updated to version 2313.41.1
Many public frameworks have updated build numbers, among them FileProvider
A new ImagePlayground public framework, which has moved from being private, in anticipation of the new app coming in macOS 15.2
Many private frameworks have substantial increments in build numbers, particularly Biome, Cloud, Email, Mail, Photo, Photos, Spotlight and FileProvider
A new DesignLibrary private framework.
Although this isn’t a particularly large update, it does come with the first wave of AI features, and a wide range of other improvements and bug fixes.
Updated 2030 GMT 1 November 2024 with info on non-T2 Intel firmware updates.
As expected, Apple has released the update to macOS 15.1 Sequoia, together with security updates to bring Sonoma to version 14.7.1, and Ventura to 13.7.1. There should also be Safari updates to accompany the latter two.
The Sequoia update is around 2.9 GB for Apple silicon Macs, and about 2.4 GB for Intel models.
As expected, this brings the first release of Writing Tools, in the first wave of new AI features, only for Apple silicon Macs using US English as both their primary language, and that set for Siri. Apple hasn’t got round to providing any list of new or changed features, and you may find that offered by Software Update is the same as for 15.0.
iBoot firmware on Apple silicon Macs is updated to version 11881.41.5, T2 firmware to 2069.40.2.0.0 (iBridge: 22.16.11072.0.0,0), and Safari to 18.1 (20619.2.8.11.10).
I will post details of changes found later tonight.
Apple provided developers with two Release Candidates of macOS Sequoia 15.1 this week. Provided there are no serious problems that come to light in the second of those, it’s likely that 15.1 will be released early next week, probably on Monday 28th. This article looks at what that brings, whether it’s safe to upgrade to Sequoia yet, and what comes next.
All supported Macs
Traditionally, the x.1 update is scheduled to be released about a month after the initial upgrade to a new major version of macOS, and brings with it the first wave of bug fixes, and a few features that weren’t quite ready in time.
Although there are reports of some other bugs in Sequoia, by far the most disruptive have been those affecting networking. Apple fixed the most serious of those in 15.0.1, released on 4 October, but some have continued to experience problems. Opinion from those testing betas of 15.1 are that it does resolve all those, and for the great majority should be ready for general use, provided that third-party apps are compatible. So if you normally wait for the x.1 version to be released before considering upgrading, this should fit the bill.
Apple does provide a list of fixes for developers, although as there’s no mention of any networking problems there, I suspect this isn’t of much help to users.
Apple silicon Macs
For those whose Macs run an M-series chip, the main interest in 15.1 is the first batch of Apple Intelligence features. Over the coming months, these should include:
Writing Tools, a suite of mainly on-device features for summarising and rewriting text.
Image Playground, producing synthetic images such as Genmoji, again using on-device methods.
Siri and related enhancements for user assistance, using on-device methods.
ChatGPT access, for more general AI features using text.
App-specific enhancement to Photos, including Clean Up, and others.
Of those, 15.1 brings Writing Tools and some other enhancements, but doesn’t bring Image Playground or ChatGPT. Although some have claimed that makes 15.1 little better, that understates the value and quality of Writing Tools for many.
Writing Tools should be accessible to pretty well any recent app that displays significant amounts of text. Although I haven’t intended the lower text view in SilentKnight to support them, Writing Tools are available there from the contextual menu (Control-click). They work great with all the text editors I have tested, including TextEdit, BBEdit, CotEditor, Pages, my Rich Text editor DelightEd, and even in my PDF viewer Podofyllin.
The initial release of Writing Tools in 15.1 does have language and regional limitations. It requires that your Mac’s primary language, as set in Language & Region settings, is set to English (US), although you can still switch to a secondary language such as English (UK) if you prefer. The other key control is in the new Apple Intelligence & Siri settings, where Siri’s language needs to be English (United States). As I don’t like Siri’s spoken interface, I have disabled that by setting the Listen for control to Off, and instead enabled a Keyboard shortcut to open Siri’s interactive window.
Apple has announced future support for non-US variants of English, and next year for other primary languages. However, Writing Tools still work excellently on British English, even that of Charles Dickens, with the settings described above.
When you have updated or upgraded to Sequoia 15.1, I suggest you download text versions of books by your favourite author(s) from Project Gutenberg and explore features in Writing Tools using those as prose sources.
Future Sequoia updates
Apple has this week released the first beta-test of Sequoia 15.2, with most if not all of the other Apple Intelligence features, including Image Playground and ChatGPT. Assuming testing proceeds well and there are no serious problems, this is likely to be released in the first couple of weeks in December. Although not confirmed yet, this should open supported languages to include most major regional variants of English.
Slated for next year is the extension of Apple Intelligence to cover French, German, Italian, Japanese, Korean, Portuguese, Spanish, Vietnamese, and others. However, these features aren’t likely to appear in the countries of the EU this year, and Apple hasn’t yet indicated when that’s expected.
For those concerned about on- and off-device AI and privacy, all the standard features of Writing Tools and Image Playground involve on-device processing, and don’t send your data to remote servers. If you choose to enable ChatGPT access, then that is handled off-device, but is opt-in, and requires a separate sign-in process to access either an anonymised free account or an existing ChatGPT account. You can also require confirmation of any Siri requests handled with ChatGPT before sending any information off-device.
Apple has already published a list of fixes in the first beta of 15.2, although it remains to be seen what it does for users.
M4 Macs
Apple has also signalled that it will be releasing new Macs next week, widely rumoured to be the first to use the M4 chip.
Summary
Sequoia 15.1 early next week, probably on 28 October, with Writing Tools in US English, and remaining networking bug fixes.
Sequoia 15.2 already in beta, probably for release in early December, with Image Playground, ChatGPT, and the remainder of this first wave of AI tools, including most other English variants.
Apple has just released an update to XProtect Remediator security software for Catalina or later, bringing it to version 147. The previous version was 145.
Apple doesn’t release information about what security issues this update might add or change. There are no changes in the number or names of its scanning modules, and Bastion rules also remain unchanged.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac has not yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-147.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5278. As usual, Apple doesn’t release information about what security issues this update might add or change.
Relative to the last version released for all supported versions of macOS (5277), this version adds three new definitions for MACOS.ADLOAD.I, MACOS.SOMA.G and MACOS.SOMA.H.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5278.
For Sequoia only: there’s no sign of this update being made available in iCloud, which still returns an XProtect version of 5272. If you download and install it using Software Update, softwareupdate or SilentKnight, then once that’s complete you need to update the primary XProtect bundle in Terminal using the command sudo xprotect update
then entering your admin password. If you’re unsure what to do, this article explains it comprehensively and simply.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
This is the time of year when macOS keeps offering you the upgrade to the new version of macOS, but you may not want to go there yet. This article explains how you can stay running your existing version of macOS, while keeping it up to date.
Skint and SkintM
By default, SilentKnight is intended to download all the latest updates from Apple’s software update servers. Although you can configure it to behave differently, as I explain below, you may like to look at Skint or its menu bar sibling SkintM. Those don’t check for updates, they only check installed versions. They will warn you when your Mac has fallen behind with updates, and let you decide what you want to do.
Skint and SkintM do check that your Mac is running the latest version of its major release of macOS, and is happy if you’re still running Monterey, Ventura or Sonoma, as well as Sequoia, but it will advise you when they fall behind with their security updates; after all, that’s what it’s for.
Switching SilentKnight to manual
For many, SilentKnight’s button to Install all updates is most worrying, as that might inadvertently upgrade macOS to Sequoia. In fact, it isn’t dangerous at all, but before I explain why, you can remove that button altogether. Open SilentKnight, and its Settings, and set them to look as below.
This will still download and install the updates you want, but you won’t be tempted to inappropriately install the lot of them.
Once you’ve done that, click the Set button, quit SilentKnight, and run it again. Now when it tells you there are updates to be installed, you can’t click on a button to bring upgrade disaster.
In fact, after testing SilentKnight with macOS updates and upgrades, they don’t work like that anyway. If SilentKnight were to download a macOS update or upgrade, it can’t complete its installation. macOS first tells you that the update couldn’t be installed, then offers to install it in Software Update. All you have to do is shut your Mac down at that point, then start it up in Safe mode and the update will be stopped.
However, for your comfort and safety, I recommend untickingAllow Install All Updates, just in case.
Installing only the updates you want
Having avoided the update you don’t want, you now need to download and install those that you do. Scroll the lower text view to the bottom, to reveal all the updates available. Each has an opening line that declares it’s a Label, like * Label: XProtectPayloads_10_15-142
It’s that label you use to identify each update.
In the File menu, select the Install Named Update… command to open the manual updating window. One by one, copy and paste the label from the main window into the Name of update box and click on the Install Named Update button. SilentKnight will then tell you that it has been downloaded and installed. It only takes a few seconds to work through a list of updates like XProtect that you do want, and bring your Mac up to date without inadvertently upgrading it to Sequoia.
Further information
SilentKnight has a wealth of additional information that will help you solve problems like these. The most common are explained in its short text SilentKnight Help, in the Help menu, and there’s also a detailed Help Reference in the same menu.
Key points
Open Settings, and untickAllow Install All Updates, click Set, then quit the app. Open it again, and install each named update one at a time using that command in the File menu, pasting the Label in for each wanted update and clicking the Install Named Update button for each.
This assumes that you are running the latest version of SilentKnight, 2.11. If you’re still running version 1 you need to update for Catalina or later.
Many of you still seem puzzled as to how XProtect installs and updates in macOS Sequoia. This article tries to make this clear, so you can keep XProtect up to date.
Sonoma and earlier
Until this changed in Sequoia, XProtect has been straightforward: its data is stored in a bundle named XProtect.bundle, in the path /Library/Apple/System/Library/CoreServices, which is on the Data volume so it can readily be updated. When you or macOS downloads an XProtect update, it simply replaces that bundle with the new one. This is shown in the diagram below.
Sequoia
XProtect in macOS 15 prefers not to use the XProtect.bundle in its old location of /Library/Apple/System/Library/CoreServices (although it can do if there’s no alternative). Instead, it looks for XProtect.bundle in its new location, /var/protected/xprotect.
However, when you or your Mac use the old update system, including Software Update, softwareupdate or SilentKnight, that still installs the update in the old location, where it won’t normally be used by XProtect when making its checks. What’s supposed to happen is that at least once a day, macOS checks whether there’s a newer update in the old location. If there is, then it should automatically prepare and move that to the new location in /var/protected/xprotect for XProtect to use.
If you want that to happen immediately, then you can run the following command in Terminal: sudo xprotect update
then enter your admin user’s password. The xprotect command tool will then complete the installation of that update from its old location in /Library/Apple/System/Library/CoreServices into its new location in /var/protected/xprotect.
There’s also a second way that XProtect in Sequoia can be updated, and that’s over a connection to iCloud. If that’s used, then the update is installed straight into its new location, and doesn’t change the XProtect bundle in the old location at all. Although Apple has used that earlier, all XProtect updates since the release of Sequoia have come using the old Software Update system, so have needed to be completed using the xprotect command in Terminal.
This is shown in the diagram below. The blue boxes show the old Software Update system, and the pink boxes are the new parts that ensure the update is installed in the new location.
SilentKnight
SilentKnight still works using softwareupdate, and can’t use the new xprotect command for updates yet, because that requires structural changes in the app that will be available in version 3. However, in Sequoia it reports the version of XProtect installed in the new location, as that’s the one that XProtect now uses.
When SilentKnight discovers a new version of XProtect via softwareupdate, it therefore installs that in the old location, in the path /Library/Apple/System/Library/CoreServices. It has no choice but to do that. Once that’s been installed to the old location, the version shown for XProtect won’t change, as that requires macOS to complete the second stage of the installation. You can then either:
leave macOS to complete the installation itself, which should happen over the next day or so, or
run sudo xprotect update in Terminal, which will complete that update immediately. SilentKnight will then show the updated version number correctly.
Key points
In Sequoia, when XProtect is updated by Software Update, softwareupdate or SilentKnight, you should either leave macOS to complete that installation, or run sudo xprotect update in Terminal if you want it to be updated immediately.
This only applies to macOS Sequoia: Sonoma and earlier still work as they always have done.
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5277. As usual, Apple doesn’t release information about what security issues this update might add or change.
Relative to the last version released for all supported versions of macOS (5276), this version contains extensive changes, largely of an editorial nature. It adds one new detection rule for MACOS.PIRRIT.CHU, and removes rules for OSX.Genieo.C, OSX.Genieo.B, OSX.Genieo.A and OSX.Leverage.a.
Many rules have changes to their detection hashes, where existing SHA1 hashes are replaced with SHA256. Among the rules changed by this are 36:
OSX.Proton.B
OSX.Vindinstaller.A
OSX.OpinionSpy.B
OSX.InstallImitator.C
OSX.Eleanor.A
OSX.InstallImitator.A
OSX.VSearch.A
OSX.Machook.A
OSX.Machook.B
OSX.iWorm.A
OSX.iWorm.B/C
OSX.NetWeird.ii
OSX.NetWeird.i
OSX.GetShell.A
OSX.Abk.A
OSX.CoinThief.A
OSX.CoinThief.B
OSX.CoinThief.C
OSX.HellRTS.A
OSX.MacDefender.B
OSX.QHostWB.A
OSX.Revir.A
OSX.Revir.ii
OSX.Flashback.A
OSX.Flashback.B
OSX.Flashback.C
OSX.FileSteal.ii
OSX.MaControl.i
OSX.Revir.iii
OSX.Revir.iv
OSX.SMSSend.i
OSX.SMSSend.ii
OSX.eicar.com.i
OSX.AdPlugin.i
OSX.AdPlugin2.i
OSX.Prxl.2
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5277.
For Sequoia only: so far, I have seen no sign of this update in iCloud, which still returns an XProtect version of 5272. If you download and install it using Software Update, softwareupdate or SilentKnight, then once that is complete you need to update the primary XProtect bundle in Terminal using the command sudo xprotect update
then entering your admin password.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
Overnight European time, Apple released a small but urgent update to macOS Sequoia, bringing it to version 15.0.1. Although there are no updates to Sonoma or Ventura, there are updated versions of Safari for both.
This Sequoia update is about 1.42 GB for Apple silicon Macs, and around 500 MB for Intel models. It doesn’t bring any firmware updates, but Safari is updated to version 18.0.1 (20619.1.26.31.7). While Apple has released security notes for the concomitant updates for iOS and iPadOS, there are none reported for macOS.
Although Apple remains tight-lipped about exactly what has been fixed in this update, it does admit to fixing a bug in Messages that could crash the app in unusual circumstances, and to improving “compatibility with third-party security software”. It’s assumed the latter refers to the network problems that have been widely reported.
Changes seen in bundled apps include a single build increment in Messages, and Passwords with a new version of 1.0.1. Apart from those and Safari, the only other bundled app to see any change is Photos, with a small build increment. This suggests that there are undisclosed improvements to the new Passwords app.
Significant changes seen in /System/Library include:
Dock, small build increment
CFNetwork and Network frameworks, build increments
Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5276. As usual, Apple doesn’t release information about what security issues this update might add or change.
Relative to the last version released for Sequoia (5275), this version removes all the new-style rules that had been added to that and 5273. Relative to the general release version 5274, and 5275, it adds one new rule for MACOS.PIRRIT.BM.OBF.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5276.
For Sequoia only: so far, I have seen no sign of this update in iCloud, which still returns an XProtect version of 5272. If you download and install it using Software Update, softwareupdate or SilentKnight, then you need to update the primary XProtect bundle in Terminal using the command sudo xprotect update
then entering your admin password.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
By now you should have gathered that macOS Sequoia 15.0 has brought changes to XProtect and the way that it’s updated. This article attempts to explain what has changed, and how that affects both macOS and you.
Sonoma and earlier
XProtect’s data is contained in a bundle in the path /Library/Apple/System/Library/CoreServices/XProtect.bundle, on the Data volume. When XProtect scans code to check it for known malware, it uses the Yara rules in XProtect.bundle/Contents/Resources/XProtect.yara, although it first checks unsuccessfully for rules in a file named XProtect2.yara within the bundle that, as far as I know, has never existed.
Updates to the XProtect bundle are provided through the normal Software Update mechanism, and summarised in the diagram below. Each Mac periodically checks Apple’s software update service for new updates. When it finds a version with a higher version number than that installed, the same system downloads and installs the updated bundle, so updating the Yara rules used. That may be performed directly, or through a Content Caching server, when that’s available. Checks for updates and their installation can also be performed manually, as in the command tool softwareupdate, as used by SilentKnight.
Sequoia: locations
macOS Sequoia adds a new location for XProtect’s data bundle, in the path /var/protected/xprotect/XProtect.bundle, also on the Data volume, which contains the primary copy of the Yara rules used by XProtect on that Mac. When XProtect scans code to check it for known malware, it looks for Yara rules in the following order:
XProtect.yara in /var/protected/xprotect/XProtect.bundle
XProtect2.yara in /Library/Apple/System/Library/CoreServices/XProtect.bundle (never found, as that file doesn’t exist)
XProtect.yara in /Library/Apple/System/Library/CoreServices/XProtect.bundle.
Thus, an XProtect bundle in CoreServices acts as a secondary source of Yara rules, and is only used if there’s no primary XProtect bundle in /var/protected/xprotect.
XProtect records in the log which set of Yara rules it uses for each of its ‘direct malware and dylib scans’.
Alongside the XProtect bundle in /var/protected/xprotect is XProtect’s database XPdb, which is also present in previous versions of macOS. This is likely to contain data from XProtect scans.
Sequoia: updates
At least once every 24 hours, XProtect’s Update Service automatically looks for updates to its bundle. This may include a check through softwareupdated, which may check Apple’s software update service for updates available there. If it finds any there, it appears that they are downloaded and installed in the secondary location in CoreServices.
In Sequoia, the primary check is made with iCloud using CloudKit, and is announced in the log in the entry CloudKit update source coming online
This uses a container with the ID com.apple.sear.xprotect-updates, SEAR being the in-house name for Apple’s security teams. Any update found there is ‘considered’ by comparison with the version currently installed in /var/protected/xprotect, and the decision whether to download and install that update is recorded in the log, for example Keeping local update 5273, installed <private>
XProtect’s Update Service appears to apply the usual rule that it will only download and install an XProtect bundle if its version number is greater than that already installed, and won’t attempt to install a bundle with a lower version number.
If the version number of the XProtect bundle in the secondary location in CoreServices is greater than that in the primary location in /var/protected/xprotect, then XProtect’s Update Service may copy the bundle from the secondary location to replace that in the primary location. However, immediately after upgrading to Sequoia, when the primary location has no XProtect bundle, several hours can pass before a primary bundle is installed by XProtect’s Update Service. Over that period, XProtect scans use the Yara rules installed in the secondary XProtect bundle in CoreServices. This is summarised in the diagram below.
Sequoia: xprotect command
Apple has added a command tool to Sequoia, to help manage the new version of XProtect and its unusual habits. As its documentation isn’t complete, here are further details of some of its options.
xprotect version (which doesn’t require sudo) returns the current version of the XProtect bundle in the primary location in /var/protected/xprotect, but not the version of the secondary bundle in CoreServices. If it returns a version of 0, that means that no XProtect bundle is currently installed in /var/protected/xprotect, although XProtect will still be able to check against the Yara rules in the secondary bundle.
sudo xprotect check (requires sudo) checks and returns the current version of XProtect available from iCloud, not that available from Apple’s software update service. If XProtect has already copied a bundle from the secondary to primary locations, then the version reported from iCloud may be lower than that reported by xprotect version.
sudo xprotect update (requires sudo) requests the latest XProtect version from iCloud. If its version is greater than that in the primary bundle, then that update will be installed automatically. It may also check the version of the secondary bundle, and is likely to copy-install that to the primary location if that version is greater than the primary bundle.
Sequoia: version therapy
The release of Sequoia was accompanied by a series of changes in the availability of XProtect versions for different macOS:
13 Sep (approx) XProtect version 5273 available from Software Update Service for Sequoia only
16 Sep macOS 15.0 released, with version 5273 available from Software Update Service for Sequoia only; upgraded Macs updated to 5273 by copying from secondary to primary locations; 5273 not provided from iCloud, where 5272 remained the current version
18 Sep Software Update Service resumed delivery of 5272 to Sonoma and earlier
18 Sep Software Update Service started delivery of 5274 to Sonoma and earlier; 5273 no longer available for Sequoia, with 5272 still available from iCloud
24 Sep Software Update Service delivered 5275 for Sequoia; no change to Sonoma and earlier, and 5272 still available from iCloud.
Thus, those Macs upgraded to Sequoia early, or which had been running a beta-release, were likely to have a primary XProtect version of 5273. Those that upgraded after 18 September are likely to have done so after installing the 5274 update, which will then have been copied to the new primary XProtect location, and prevented them from being updated to 5273. This makes a big difference in terms of Yara rules: although the differences between versions 5272 and 5274 are largely cosmetic, 5273 contains well over 3,000 new lines to perform file size checks on potential malware.
Hopefully Apple will sort all this out in the next round of XProtect updates.
Apple has just released an update to XProtect for Sequoia only, bringing it to version 5275. As usual, Apple doesn’t release information about what security issues this update might add or change.
In accordance with changes brought in version 5274 for Sonoma and earlier, this new version replaces the previous rule for MACOS.449a7ed with a modified version for MACOS.BUNDLORE.KUDU.5, that for MACOS.e4644f7 with MACOS.BUNDLORE.KUDU.3, and that for MACOS.0e62876 with MACOS.BUNDLORE.WBTLS.
It also adds a Yara definition for MACOS.TAILGATOR.CT using the new format of rule, with each rule given a UUID and listing SHA256 hashes of file size, of which there are just 13.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5275.
So far, I have seen no sign of this update in iCloud, which still returns an XProtect version of 5272. If you download and install it using Software Update, softwareupdate or SilentKnight, then you need to update the primary XProtect bundle in Terminal using the command sudo xprotect update
then entering your admin password.
I maintain a list of the current versions of security data files for Sequoia on this page.
macOS Sequoia 15.0 and the security updates to Sonoma 14.7 and Ventura 13.7 brought firmware updates to most supported models. Over the weekend I have updated the databases used by SilentKnight, and the relevant articles listing them here, including new information for Macs running Sequoia, published a few minutes ago.
Which Macs get firmware updates?
For many years now, firmware updates have only been supplied in macOS updates and upgrades, and haven’t been offered as separate installations. It therefore follows that the only Macs that can receive firmware updates are those still supported by one of the three supported versions of macOS.
If the most recent version of macOS your Mac can install (without using OCLP) is Monterey, that automatically means that it can’t get any further firmware updates, as the final version of Monterey was 12.7.6, released on 29 July 2024. In practice, though, Apple normally stops revising EFI firmware well before that event, and this year has followed that pattern again.
Macs no longer supported
With the start of the Sequoia cycle, Apple appears to have ceased revising EFI firmware for the following models, all of which were originally released in June 2017:
iMacs introduced in June 2017 – iMac18,1, iMac18,2, iMac18,3
MacBook from June 2017 – MacBook10,1
MacBook Pros from June 2017 with a T1 chip – MacBookPro14,1, MacBookPro14,2, MacBookPro14,3
The last firmware update for those is dated 23 June 2024, and supplied in the Ventura 13.7 security update.
These have occurred slightly earlier than would have been expected, just 7 years after that model’s first release. It was previously more usual to see support extend for 8 or more years after release.
Intel (EFI) model still supported
The only Intel Macs without a T2 chip that are still supported with EFI firmware updates are iMac 2019 models, designated iMac19,1. Not only do they continue to receive firmware updates, but they’re still supported by macOS Sequoia. In theory, that could enable them to continue to receive firmware updates until the summer of 2027, when maintenance of Sequoia is expected to cease. However, I suspect that it’s more likely that firmware support for them will be discontinued in June 2026, 7 years after their release. They’re already the last Intel Mac without a T2 chip to be supported by Sequoia.
Intel Macs with T2 chips
All other Intel Macs still supported by Sequoia have T2 chips, which have a common firmware installer. However, their release dates range from December 2017 (iMac Pro) to August 2020 (iMac Retina 5K 27-inch). Apple has already stopped current macOS support for two T2-equipped MacBook Air models (2018 and 2019), so it’s possible the list of Intel Macs supported by macOS 16 next year will be shorter than that for macOS 15 this year.
In 2026, when support for Sonoma stops, this should mean that, for the first time, some Macs with T2 chips will only be able to run older versions of their firmware, while others will continue to receive updates.
OpenCore Legacy Patcher
Macs that can have OCLP installed so they can run unsupported versions of macOS don’t receive any further firmware updates. They’re stuck with the last version released in their last supported macOS update.
One of my greatest regrets in life is that I never invested in a stock of cards with just four words on them: I told you so. Although I’m often wrong, when I see an obvious problem on its way, it’s disappointing how often it’s ignored. Instead of last week being all about Sequoia, I ended up spending most of my time trying to discover what the hell was going on with XProtect and its updates.
My feeling of unease started before last weekend. My fourth and last-ditch fallback Mac is a lovely MacBook Pro 16-inch 2019. It doesn’t see much use, so in the days before the release of Sequoia I charged it up and updated it to 14.6.1. It was still running an old version of XProtect, 2195 from the end of May, so I was surprised when it didn’t update XProtect, and no update was offered. At roughly the same time, my MacBook Pro M3 Pro running 15.1 beta updated from 5272 to 5273, and other beta-testers reported the same.
Bearing in mind that Apple had told nobody what was going on with XProtect or its updates, when last Monday came and my three other Macs that had been running 14.6.1 were upgraded to 15.0, I was still none the wiser. As with everyone else upgrading to Sequoia, any existing XProtect bundle was ignored by the new version of XProtect, and when asked what version of its security data it was running, it replied 0 (zero), indicating that it had no such data. That was a surprise to many, and something not anticipated by any information from Apple.
If you weren’t using SilentKnight, you’d then have to guess either that macOS would somehow fix that before you ran any newly downloaded apps, or that there would be a new command tool named xprotect, whose man page also doesn’t provide any guidance as to what to do.
For those who checked their new Sequoia installation with SilentKnight may have been just as surprised to see the XProtect version of 0, but at least they were guided to run the xprotect command tool, and force an update. Even then, confusion reigned when some Macs were updated to 5273 while others were left at 5272. Either has got to be better than 0, though.
Meanwhile, those who had updated to 14.7 or 13.7 got no XProtect update at all. If those Macs had already installed 5272, then that’s where they stayed, with no sign of 5273, which appeared exclusive to those who had ventured up to Sequoia. But if those Macs were still using an older version of XProtect’s data, there was no update available to take them to 5272, which others had installed when it had been released at the end of last month (28 August).
By the end of the following day, 17 September, this was the state of play with XProtect data:
those running Sequoia could have no XProtect data at all (‘version 0’), 5272, or 5273;
those running Sonoma 14.7 or any earlier version of macOS could have 5272 if they had updated before 13 September, or any older version if they hadn’t.
Then late on 17th, or early on 18th depending on your time zone, everything changed again. Apple’s software update servers started offering 5272 to everyone, and as an added bonus, those running Sequoia might also be offered 5273, although the new iCloud update service seemed content just to offer 5272. Within 24 hours, Apple released yet another XProtect data update, to version 5274, only this time it wasn’t made available to Macs running Sequoia. By the end of 18 September, the state of play had changed to:
those running Sequoia could have no XProtect data at all (‘version 0’), 5272, or 5273, but not 5274;
those running Sonoma 14.7 or any earlier version of macOS could have 5274 if they had updated on 18 September, or any older version except 5273 if they hadn’t.
Does any of this make a difference, though: just what came in the updates to 5273 and 5274?
For Macs running macOS Sonoma or earlier, 5274 is just a renaming exercise, and doesn’t materially affect XProtect’s ability to detect malware. Perhaps it was a placebo after all.
The new Yara definitions added to 5273 are very different, though. As I described in my announcement here: “This adds Yara definitions for MACOS.DOLITTLE.CT, MACOS.SHEEPSWAP.CT and MACOS.SOMA.CT using a new format of rule, with each rule given a UUID and listing SHA256 hashes of file size.” Here’s a short excerpt: rule XProtect_MACOS_SOMA_CT
{
meta:
description = "MACOS.SOMA.CT"
uuid = "DA584E59-A152-4E5B-A906-D354144DCA69"
condition:
hash.sha256(0, filesize) == "59e01f6f925af0643f4751191d28eab11ffb014412cd66ece8e5c77ba082977a" or
following which are a further 3,123 hashes, whereas MACOS.DOLITTLE.CT has just six.
Clearly, Sequoia’s XProtect is quite a different beast from that in Sonoma. It looks like Apple has forked XProtect data files, the Yara definitions in particular. It’s now likely that each future XProtect data update will either be destined for Sonoma and earlier, or specifically for Sequoia. Keeping them in the same version numbering sequence is only going to lead to greater confusion, unless Apple only intends releasing further updates for macOS 15 and later.
As Apple continues to provide absolutely no information about this, I fear that we’re just going to be left stumbling on in the dark, wondering what’s going on with one of the primary security defences in macOS. It must be time to order a new batch of I told you so cards.
Even the smallest of updates to macOS or its security components can leave your Mac in a mess. Once those feelings of panic are subsiding, what should you do next?
Boot loop
There’s one emergency situation that happens on rare occasions after a failed firmware update: a boot loop, in which the Mac tries to start up, hits a kernel panic early, so tries to restart again, and continues in that loop. If that happens, press and hold the Power button until it shuts down, and refer to this article.
Restart, Safe mode
Otherwise the first thing to try is simply restarting your Mac normally. If that proves a problem, or things are still awry, try Safe mode. On an Apple silicon Mac, shut it down, wait ten seconds or so, then start it up in Recovery, select the disk to use for Safe mode, hold the Shift key, and click Continue in Safe Mode.
On an Intel Mac, hold the Shift key during startup.
Once running, leave your Mac for a couple of minutes, then restart in normal mode, with your fingers tightly crossed.
Sometimes Safe mode works fine, but as soon as you return to normal mode everything goes wrong again. That’s a good indicator that something you have installed is at fault, rather than the macOS update, although it’s normally a combination of both working against one another. You now need to hunt down the third-party software that has become upset by the update, and either update or remove it.
If Safe mode either doesn’t help, or you can’t even enter it, then your Mac’s problems could be from the macOS update itself or something third-party, and teasing them apart isn’t going to be easy. This is when you should, for the first time, ask yourself whether you want to return to your previous version of macOS without the update, or try to fix what you’ve got. You can change your mind later, but this is a key question that determines what you do next.
Reinstall
Until Big Sur, the next step for those wanting to stay with the update was to install it differently, most commonly using the Combo update, because that contained all the changed components since the first release of that version of macOS, but was smaller and simpler than a full installer. Because of the way that macOS is now installed into a Signed System Volume (SSV), actually a snapshot, this is no longer available, and the only alternative beyond the update that brought your Mac’s problems is a full installer.
Before going any further, bear in mind that macOS booted from an SSV is very different to that of the past. Macs with T2 and especially Apple silicon chips verify the contents of the SSV down to the last bit, and they’re checked against what Apple considers to be a ‘perfect install’. So the incomplete or broken updates of the past simply can’t happen with an SSV, which is guaranteed to be perfect as Apple intended. Installing another identical copy of that is therefore most unlikely to change anything.
Simplest is to start up in Recovery mode and re-install the current version of macOS, which should by now be the version you’re trying to run. When you do that, ensure you install to your current Volume Group so that the existing Data volume is connected up with the fresh System volume. Because that may not always work, before starting this journey, ensure you’ve got a full copy of your Data volume. Carbon Copy Cloner is an excellent tool for doing that if you don’t already have a full Time Machine backup.
There are variations too, although these bring greater risk that your current Data volume will get trashed or ignored. You can download the latest installer app from the App Store, or in Terminal, which gives you a more precise choice that’s essential should you want to downgrade. The following command lists available macOS installers: softwareupdate --list-full-installers
Currently, that list includes for Intel Macs:
Sequoia 15.0,
Sonoma 14.7, 14.6.1, 14.6, 14.4.1,
Ventura 13.7, 13.6.9, 13.6.8, 13.6.6,
Monterey 12.7.6, 12.7.4,
Big Sur 11.7.10,
Catalina 10.15.7, 10.15.6,
Mojave 10.14.6,
High Sierra 10.13.6.
You can then use a command like sudo softwareupdate --fetch-full-installer --full-installer-version 11.7.7
to download the installer of your choice.
For an even wider choice, visit a site such as Mr. Macintosh.
If you install macOS afresh with your existing Data volume and the problems persist, then it’s most likely they result not from any error in the system update, but in third-party software. You can then rip out all third-party extensions and anything from your apps that persists, until you find the offender.
Revert to previous
Returning to a previous version of macOS isn’t an easy option after you’ve performed a macOS update. There’s no secret Roll Back button, and you’ll have to perform a fresh install of that older version of macOS, ensuring that hitches up with your existing Data volume. If the latter part doesn’t work, be prepared to migrate from a backup into a fresh Data volume.
Intel Macs have one significant limitation here: firmware. While you can roll the system back, you can’t return an Intel Mac’s firmware to a previous version. So if the problems you’re encountering are firmware-related, your Intel Mac is out of luck.
Apple silicon Macs can readily be reverted to older firmware, by putting them into DFU mode and restoring an older version of macOS complete with its firmware, using Apple Configurator 2. You’ll need another Mac to run that free app (from the App Store), and the first time you do this is daunting, but it’s a valuable feature that can recover from apparent disaster.
Apple Support
If your Mac suffers any significant problems after a macOS update, don’t be afraid to contact Apple Support. Sometimes updates have serious failings with specific models, and only Apple Support is likely to discover this, and offer a way forward. Otherwise, I wish you success diagnosing and fixing your problems.
Summary
If in a boot loop, press and hold the Power button to shut down.
Otherwise restart the Mac.
If necessary, start up in Safe mode, wait a couple of minutes, and restart in normal mode.
Consider reinstalling that version of macOS.
Reverting to a previous version is a slow and hard process.
macOS and its smaller security updates are widely announced, here and across many other sites supporting Apple products. What should you do, though, when you know updates have been released by Apple but your Mac can’t find them, or when it tries to install them and fails?
Before Sequoia, almost all software updates are normally fetched by Software Update in System Settings/Preferences, or alternatively at the command line by softwareupdate, also used by my free SilentKnight. They work through the softwareupdated service that should be running in the background. If you run a local Content Caching server, then softwareupdated should automatically connect to that and ask it for the update; otherwise, it tries to connect to Apple’s software update servers over the internet. Although this chain is usually reliable, it has several points of weakness.
Sequoia brings greater complexity, in that one its most important security data updates for XProtect is intended to be delivered over a CloudKit connection with iCloud, although those updates can still arrive from Software Update as well. However, when delivered through softwareupdated the XProtect bundle is installed but not ‘activated’ for XProtect’s use. To do that, open Terminal and enter the command sudo xprotect update
then authenticate with your admin password when prompted.
Update not found
You open Software Update or SilentKnight, and are told that your Mac is up to date, although it’s still running the older version of macOS, or hasn’t installed a smaller security update.
The most likely reasons for this include:
Apple’s software update servers are in heavy demand, and are temporarily refusing new connections. As Apple tends to release a lot of updates at once, this isn’t uncommon, particularly in the autumn/fall with the new versions of macOS and others. The only solution is to try again later, although sometimes you can kickstart the process by running SilentKnight or softwareupdate. Apple provides a page showing the status of its many internet services, where these are listed as macOS Software Update, but transient problems due to load seldom get reported there.
Your Mac, or its Content Caching server if you’re running one, can’t connect to Apple’s servers because of a network fault. Again the only solution is to try again later, in the hope that the fault has been fixed.
softwareupdated or your Content Caching server aren’t working properly. This is normally rectified by restarting that Mac and trying again once it’s up and running. In some cases, it can require that the client Mac is started up in Safe mode before the update becomes available.
If an update has only just been announced, then the software update servers that your Mac connects to may not be offering that update yet. Availability around the world isn’t instant, and often you’ll find that an Apple silicon Mac can find an update and install it readily, while an Intel Mac on the same network may be unable to discover the same update for another hour or more.
Note that, unless an update is listed as being available, you can’t force it by trying to install the update using its label, either in softwareupdate or SilentKnight.
For updates to XProtect in Sequoia, try opening Terminal and entering the command sudo xprotect check
then authenticating with your admin password when prompted. This should force XProtect management to look for an update. If it finds one, then entering sudo xprotect update
should download it from iCloud and install it. Note that this command is only available in Sequoia. For further information, man xprotect tells you as much as Apple lets you know.
Update fails to install
This is easiest to detect when you use SilentKnight, which will report the update is available, then when you try to install it, you’ll see an error message in the scrolling text window reporting that installation of the update failed, and the component being updated won’t change to the new version number.
If the Software Update pane shows an error, that should provide similar information. Otherwise, to download and install waiting updates you can type softwareupdate -ia --include-config-data (or in El Capitan sudo softwareupdate -ia)
in Terminal, to see the same messages shown by SilentKnight, as that’s also the tool it uses to obtain waiting updates. If you know your way around the Unified Log, you should discover parallel entries there.
By far the most common cause for failure to install updates like this is that something has gone wrong with softwareupdate or softwareupdated, best corrected by restarting your Mac and trying again. If it still doesn’t work, start up in Safe mode and try from there. One of the primary purposes of Safe mode is to resolve problems with updates and updating, whether they’re full macOS updates or small security data updates like XProtect.
If you’re not running a local Content Caching server and still can’t get the update to install, all you can do is wait an hour or two and try again.
Content Caching problems
If you’re running a local Content Caching server, then the problem could now rest with the copy of the update stored in its cache. When the local server downloaded the update from Apple’s software update servers, it may have become damaged. Once that damaged copy has been put into your local server’s cache, that’s the update that it will serve to all your local Macs when they connect to it to obtain the update.
What can make this worse is that, even if you do manage to get the Mac running the Content Caching server to update successfully, that doesn’t mean that it will replace the damaged copy in its cache, which may continue to deliver that same damaged version to all the Macs that try connecting to it.
To confirm this, you can inspect the log, as I’ve described here.
The most immediate solution, which should allow all your local systems to update correctly, is to turn the Content Caching service off in Sharing, shut down the Content Caching server, or isolate that server from the rest of the network. Then update all your other systems, which should download fresh copies of the update directly from Apple’s servers. Once that’s done, you can bring the server back up in Safe mode and try updating it there.
For a period of over six months in 2022-23, updates for XProtect and XProtect Remediator obtained through Content Caching servers frequently failed to install correctly. In that time, the simplest solution was to disable the server before trying to download and install those updates, and to enable it again once all updates had been completed. It’s still not clear where that problem occurred, but it has since been fixed and updates should be reliable now.
I don’t know any way to remove individual updates from the Content Caching server. Apple’s command tool for its maintenance, AssetCacheManagerUtil, only knows how to flush whole caches, using sudo AssetCacheManagerUtil [flushCache|flushPersonalCache|flushSharedCache]
where the commands set the cache to be flushed:
flushCache flushes the entire content cache.
flushPersonalCache flushes all personal (iCloud) content.
flushSharedCache flushes all shared (non-iCloud) content.
Flushing a large cache may not be what you want to do. So long as there’s no storage problem and the update affected was most probably supplied broken, there shouldn’t be any harm in leaving it where it is.
In Sequoia, XProtect’s new updates delivered from iCloud are likely to bypass Content Caching servers altogether, although Apple hasn’t clarified that yet.
Nothing helps
If you’ve worked your way through to the end here but still haven’t solved the problem, contact Apple Support, who can escalate it to someone who can hopefully do something about the problem.
Apple has just released an update to XProtect for all versions of macOS from El Capitan to Sonoma, but not for Sequoia, bringing it to version 5274. Version 5273 was for Sequoia only.
Apple doesn’t release information about what security issues this update might add or change. This replaces the previous rule for MACOS.449a7ed with a modified version for MACOS.BUNDLORE.KUDU.5, that for MACOS.e4644f7 with MACOS.BUNDLORE.KUDU.3, and that for MACOS.0e62876 with MACOS.BUNDLORE.WBTLS. New format Yara rules that were added to 5273 for Sequoia don’t appear, suggesting that Yara rules have been forked, with one fork for Sonoma and earlier, the other for Sequoia only.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5274.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
Apple’s software update servers are once again offering and providing updates to XProtect data for macOS Sonoma and earlier, as of about 0500 GMT today, 18 September 2024.
Software Update, the command tool softwareupdate, and SilentKnight should now be able to find XProtect version 5272, released on 28 August 2024, and install that for versions of macOS before Sequoia. I have verified this in both Sonoma and Monterey.
Although the update to version 5273 that was released on 16 September only for Sequoia 15.0 and later is still available, it remains unreliable. softwareupdate and SilentKnight report that both versions 5272 and 5273 are available, which is bizarre, and may then install either of them. If 5273 (or 5272) is installed into the local XProtect bundle, you can then get XProtect to ‘install’ it locally using the command sudo xprotect update. You may then end up with either version 5272 or 5273.
If you experience any difficulties with updating XProtect, please contact Apple Support so that they can report this within Apple.
macOS Sequoia 15.0 brings major change to the maintenance and updating of XProtect’s data. With the release of that new version of macOS, Apple has stopped providing any updates to XProtect data for previous versions of macOS, including the latest updates to Sonoma 14.7 and Ventura 13.7, also released yesterday.
Sequoia
If you have upgraded your Mac to Sequoia 15.0 or 15.1 beta, then it should be using XProtect data version 5273, released yesterday, 16 September 2024.
However, immediately after upgrading, the XProtect version may be given as 0, indicating that there’s no XProtect data installed at all. If that’s the case, or the version shown is 5272 or earlier, open Terminal and type in the following command: sudo xprotect update after which you’ll be prompted to enter your admin password. Once you do, the latest version of XProtect data should be obtained and installed correctly.
If you run SilentKnight after upgrading to Sequoia, it may find an XProtect data download waiting to be installed. If it does, install it. However, that doesn’t actually update the data used by this new version of XProtect. To complete that process, use the sudo xprotect update command in Terminal.
If you don’t use SilentKnight, you can check the current version of XProtect data being used with: xprotect version That should now return 5273. If it doesn’t, use the sudo xprotect update command to force an update.
Sonoma and all earlier macOS
With the release of Sequoia 15.0, Sonoma 14.7 and Ventura 13.7, Apple’s software update servers have stopped providing XProtect data updates to all versions of macOS prior to Sequoia. I have confirmed this in both Sonoma and Ventura. It’s not clear whether this is an error and Apple intends restoring XProtect updates in the future, or has simply stopped providing further updates.
The effect of this depends on the latest version of XProtect data installed on your Mac. If that’s 5272, then your Mac has the latest available without upgrading to Sequoia. If that’s any earlier version of XProtect, then there’s now no supported way for your Mac to be updated from that old version. As the XProtect bundle is located on the Data volume, you could try manually replacing the bundle (if you can get one for version 5272), but there’s no guarantee that will actually be used by XProtect, or make any difference to the protection it provides.
SilentKnight and Skint
The good news is that, if you use my free SilentKnight, and/or Skint, you should get the best information and help whichever version of macOS is running.
In anticipation of this, current versions of SilentKnight and Skint now report different versions for XProtect data depending on whether that Mac is running Sequoia or an earlier version of macOS. However, if the version found is earlier than 5273 (15.x) or 5272 (14.x and earlier), it will be reported as an issue. If Apple does restore XProtect data updates to macOS 14.x and earlier, then SilentKnight should be able to download and install them.
If your Mac is running Sequoia, SilentKnight can’t (yet) update XProtect data. To do that, you’ll need to run sudo xprotect update in Terminal.
Summary
The most recent version of XProtect data for Macs running Sonoma or earlier is 5272.
Currently, Apple’s update servers have stopped providing any updates to XProtect data for Sonoma and earlier.
Sequoia should be using XProtect data version 5273.
If your Mac is running Sequoia and has an older version, use the sudo xprotect update command to force an update.
Update
As of about 0530 GMT on 18 September 2024, XProtect updates for macOS Sonoma and earlier are available again, delivering version 5272 through Software Update, softwareupdate and SilentKnight. Fuller details are in a new article coming very shortly.
Apple has just released an update to XProtect for Sequoia only, bringing it to version 5273.
Apple doesn’t release information about what security issues this update might add or change. This adds Yara definitions for MACOS.DOLITTLE.CT, MACOS.SHEEPSWAP.CT and MACOS.SOMA.CT using a new format of rule, with each rule given a UUID and listing SHA256 hashes of file size.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5273.
If you’ve upgraded to Sequoia and are still stuck at a version number of 0 or 5272, you can either leave macOS to catch up with this in its own good time, or you can force an update by typing into Terminal sudo xprotect update
then entering your admin password.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
As promised last week, Apple has released the upgrade to macOS 15.0 Sequoia, together with security updates to bring Sonoma to version 14.7, and Ventura to 13.7. There should also be Safari updates to accompany the latter two.
The Sequoia update is around 6.6 GB for Apple silicon Macs, and 14.7 is around 1.6 GB. For Intel Macs, 15.0 is around 4.9 GB as an ‘update’, and 14.7 is around 860 MB.
Security release notes for Sequoia list around 77 vulnerabilities addressed, including two in the kernel, none of which Apple is aware may have been exploited in the wild. Release notes list 36 vulnerabilities addressed in Sonoma 14.7 here, and there are 30 listed for Ventura 13.7 here.
iBoot firmware is updated to version 11881.1.1, Intel T2 firmware to version 2069.0.0.0.0 (iBridge 22.16.10353.0.0,0), and Safari to 18.0 (20619.1.26.31.6).
After completing the upgrade to 15.0, you are likely to see that the installed XProtect version is 0, in other words that there is no XProtect data. You can leave your Mac to automatically download the required data from iCloud, or manually force it using the command sudo xprotect update
then entering your admin password. That will normally ‘activate’ the XProtect data previously installed, and set the version to 5272, although that will then need to be updated to 5273 separately. Don’t be surprised if you end up repeating the trip to Terminal to get this to work.
If you use .NET, you may wish to delay upgrading to Sequoia: see this article for further details. Thanks to Raoul for pointing this out.
Later today, Apple is expected to release macOS Sequoia 15.0. For those interested in planning their immediate or delayed upgrade, these are my forecast dates for its minor versions over the coming year. Like all the best weather forecasts, this is most accurate for the next 5 days, and those for further into the future are likely to be decreasingly reliable.
Minor version release dates for Sonoma have been broadly similar to those of others since Big Sur:
14.0 – 26 September,
14.1 – 25 October,
14.2 – 11 December,
14.3 – 22 January,
14.4 – 07 March,
14.5 – 13 May,
14.6 – 29 July,
14.7 – 16 September.
Ventura differed mostly because it had a later start date to its cycle, in October, resulting in the delay of 13.1 until December. Subsequent versions thus trailed Sonoma by one, for example with 13.5 on 24 July, against 14.6 on 29 July. Although Apple is believed to have some flexibility in the release dates for minor updates, the timetable for the cycle appears to be fixed well in advance, and is probably already at least pencilled in for Sequoia.
Most minor updates bring new versions of firmware, the kernel and key kernel extensions such as APFS. In between those may be patch updates to fix serious bugs or security vulnerabilities that can’t wait for the next minor version, such as 14.3.1 on 8 February, two weeks after 14.3 and a month before 14.4.
According to Apple’s release notes, the current release candidate for 15.0 has no significant bugs that remain unfixed, and we hope that remains the case.
15.1: October 2024
Apple has already announced that this first ‘minor’ update will bring its AI features, including most significantly Writing Tools. Although those have been in beta-testing for almost as long as 15.0, in terms of changes, the step from 15.0 will in many ways be greater than that from 14.6 to 15.0. However, that only applies to Apple silicon Macs that support AI.
For all Macs, this is likely to bring fixes for some more substantial bugs, although because of the short interval between 15.0 and 15.1, few are likely to be addressed until 15.2.
This update is likely to coincide with new Mac products launched at an as-yet unannounced Mac event in October, where Apple is expected to promote its new M4 Macs as being ‘made for AI’, much in the way that it did last week with the iPhone 16 range.
15.2: December 2024
Turnaround time fixing even straightforward high priority bugs makes it likely that most in 15.0 will be addressed not in 15.1 but 15.2, before Christmas. This will also catch the first fixes and any additional enhancements required by AI, so may well be one of the more substantial updates this cycle. The aim is to give engineering teams a chance to catch up with the vacation without leaving too much to await their return in the New Year.
15.3: January 2025
This update is largely constrained by the effects of the Christmas vacation, but should enable most issues arising in 15.0 and 15.1 to be fixed, leaving Sequoia running sweetly.
15.4: March 2025
This is the major mid-cycle update, that is most likely to contain new and enhanced features, often making it the largest update of the cycle. Apple also seems to use this to introduce initial versions of new features intended to become fully functional before the end of the cycle. One example of this was XProtect Remediator, released on 14 March 2022 in Monterey 12.3, but not really functional until June that year.
Unfortunately, these enhancements can also cause problems, and this update in March has a track record of sporadic more serious bugs, including the occasional kernel panic.
15.5: May 2025
A month or so before the first beta-release of the next major version of macOS, this normally aims to fix as many remaining bugs as possible, and progress any enhancements introduced in the previous update. If you’ve reported a bug before April, then if it’s going to be fixed in this cycle, this is the most likely time; any new bugs reported after this update are most likely to be carried over to the next major release.
15.6: July 2025
This really is the last chance for fixes and feature-tweaks before the next major version is released in September. If all is working out well, this should be the most stable and bug-free release, although in some years late changes have turned this update into a nightmare, and Sonoma required a patch update in early August to address those.
When best to upgrade?
If third-party software, hardware and other compatibility requirements don’t apply, there’s no way to predict which is the best version to choose as an upgrade from previous macOS. Every version contains bugs, some of them may be serious, others may be infuriating and intrude into your workflows. But those aren’t predictable. If you’re unsure, wait a few days after a minor update, or even 15.0, check around with others, and decide then. If you’re really cautious and have an Apple silicon Mac, I suggest you might like to consider upgrading a week or two after the release of 15.1, by which time most of any major issues with 15.0 and AI should have come to the surface.
For myself, I already have my designated beta-testing Mac, a MacBook Pro M3 Pro, running 15.1 beta, and my other three Macs (iMac Pro, Mac Studio M1 Max and MacBook Pro 16-inch 2019) will all be running 15.0 by midnight tonight, I hope. I’ll let you know how I get on.
Apple will release macOS 15.0 Sequoia on 16 September, that’s next Monday, alongside iOS and iPadOS 18.0, and upgrades and updates for lesser mortals. Among the latter are Sonoma 14.7 and Ventura 13.7, as I’ll explain later. Sequoia introduces two important changes to security data checked and updated by SilentKnight, for which I have built and notarized another new version of that app, 2.11, which is essential for anyone intending to upgrade to Sequoia, and worthwhile for all running Catalina or later.
What’s coming next week
Apple has just provided release candidates for the following three new versions of macOS:
Sequoia 15.0, its first full release,
Sonoma 14.7, its first security-only update,
Ventura 13.7, the first of its security-only updates for its final year of support.
There’s not expected to be any update to Monterey 12.7.6, which is no longer supported, even with security updates.
The minor version numbers of Sonoma and Ventura will then be the same, the first time this has happened. In previous release cycles, the start of the first year of security-only updates has been with x.6, as it was with Ventura, and proceeded through the year with versions x.6.1, x.6.2, and so on. Over the coming year, we can expect 14.7.1 and 13.7.1, then 14.7.2 and 13.7.2, continuing until Ventura reaches the end of its third and final year of support in a year’s time.
Sequoia 15.1, the first release with AI support, is now expected in October, and continues in beta-testing, alongside AI-enhanced versions of iOS and iPadOS in versions 18.1.
TCC in Sequoia
The TCC database in /Library/Apple/Library/Bundles/TCC_Compatibility.bundle was introduced in Mojave (when it had a different location, of course), and has been updated with each new major version of macOS since. That has now vanished, and I can find no trace of it, nor any apparent substitute. If you run SilentKnight 2.10 in Sequoia, that will be reported as an error, so version 2.11 addresses that by omitting that result both from its display box and the text report below.
XProtect in Sequoia
Since it was first introduced many moons and versions of macOS ago, there has been a bundle named XProtect.bundle in CoreServices, most recently in the path /Library/Apple/System/Library/CoreServices/XProtect.bundle, that has provided data for XProtect scans of executable code and other security services. That bundle has been updated frequently in downloads labelled XProtectPlistConfigData. Although that can still be present in Sequoia, XProtect now uses a completely different source for its data, that is normally updated through iCloud’s CloudKit rather than Software Update.
The result is that your Mac can have an up-to-date XProtect.bundle in the normal location, but XProtect itself may not be up-to-date at all. For example, in fresh installs of Sequoia, XProtect.bundle is usually absent, and the new tool to check its version may report a number of 0.
SilentKnight versions 2.10 and 2.11 have been updated to cope with this major change, which Apple has apparently not seen fit to document (yet). They check the correct current version using a new command tool, and report that version number faithfully. At present, though, SilentKnight isn’t able to update this new form of XProtect. You can either leave macOS to do that itself in its own time, or you can run a command in Terminal to force the update immediately: sudo xprotect update
following which you’ll need to authenticate with your admin user password.
I intend to address this more completely in SilentKnight version 3, but for the time being this is fully documented in SilentKnight’s Help book and Help Reference, in these latest versions.
SilentKnight, Skint, SystHist, LockRattler
SilentKnight version 2.11 is strongly recommended for anyone intending to update to Sequoia this year, and, as it also fixes a bug in reporting Studio Display firmware in VMs, is worthwhile for those remaining with Sonoma for longer. It’s available from here: silentknight211
from Downloads above, on its Product Page, and through its auto-update mechanism.
Thankfully, as Skint doesn’t check TCC, the current version 1.08 remains fully compatible with Sequoia. The current release of SystHist, 1.20, works well with Sequoia too, and usefully distinguishes between the two different types of XProtect update, XProtectPlistConfigData delivered through Software Update, and XProtectCloudKitUpdate the new one obtained through iCloud instead.
I don’t intend to update LockRattler for the time being. It won’t report the true version of XProtect, but does report that it can’t find TCC or the GKE data. Otherwise it should continue to function as expected in Sequoia.
More to come in Sequoia 15.0
These changes to XProtect are but one of the significant changes that Apple hasn’t yet mentioned. Once 15.0 has been released, I’ll be delighted to provide fuller details of others.
Summary
On Monday 16 September, Apple will release macOS 15.0, and security updates 14.7 and 13.7.
Monterey is no longer supported.
Download and install SilentKnight 2.11 if you’re intending to upgrade to Sequoia this year.
Skint and SystHist remain fully compatible with Sequoia.
Watch here for further news on Sequoia once it has been released next week.
Sequoia 15.1 with AI will be released next month (October).
Every autumn/fall, the current version of macOS changes, and with it there are changes great and small that can affect the apps we run. If you use any of the free apps that I provide here, now is the time to check that you’re running the correct version to support both your current macOS, and any that you might aspire to in the coming months.
SilentKnight
Although most of my apps have auto-update mechanisms that inform you when their updates are available, there are some notable pitfalls that can lull you into a sense of false security. Most importantly, SilentKnight was upgraded to version 2 two years ago to ensure its compatibility with Catalina and later. Every few days I come across someone who is still using version 1 with a newer release of macOS and seeing incorrect results. If you use SilentKnight in any version of macOS from Catalina onwards, then please ensure that it’s updated to the current version 2.10: SilentKnight 2.10 (Universal App for Catalina to Sequoia)
This is particularly important if you intend upgrading to Sequoia, because of the changes it brings in how XProtect is updated. If you’re still running 2.9 or earlier, then SilentKnight will give you incorrect versions for XProtect, and at worst could report a version of 0 (zero) as it might not be able to find XProtect at all.
Skint and SystHist
For the same reason, Skint should be updated to version 1.08: Skint 1.08 (Universal App for Monterey, Ventura, Sonoma and Sequoia only)
SystHist lists full system and security update installation history, a task that invariably requires an annual update to cope with the quirks of the new version of macOS. If you’re aiming for Sequoia at some stage, ensure that you have updated it to version 1.20: SystHist 1.20 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)
Writing Tools
Although Apple isn’t intending to release any of its new AI features in the initial version of Sequoia, 15.0, but is delaying them for 15.1, you might like to prepare for that by updating my rich text editor and PDF viewer in advance. Their latest versions should prove fully compatible with Writing Tools when they’re released.
DelightEd is a Rich Text (RTF) editor with special Dark Mode features and support for interlinear text, and version 2.3 should work fully with Writing Tools: DelightEd 2.3 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)
Podofyllin is a lightweight PDF viewer (without any editing capability, so it can’t alter original PDF files) and shows source code and more. Version 1.3 should work fully with Writing Tools: Podofyllin 1.3 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)
XProCheck, Nalaprop, Precize
Other recent updates you might have missed include the following.
XProCheck to check on XProtect Remediator scans completed and reported in the log: XProCheck 1.6 (Universal App for Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)
Nalaprop for multilingual natural language parsing, now compatible with Writing Tools: Nalaprop 1.3 (Universal App for Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)
Precize, which looks deep into files, bundles and folders to show their full size including extended attributes, provides macOS Bookmarks and volfs paths as enduring file references, and detailed information contained in Bookmarks and Aliases: Precize 1.15 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)
Key points
For Catalina or later, particularly Sequoia, use SilentKnight 2.10.
For Sequoia in particular, use Skint 1.08.
For Sequoia in particular, use SystHist 1.20.
Older versions of those apps will give incorrect results when run in more recent versions of macOS.
With macOS Sequoia fast approaching from the horizon comes the question as to how to upgrade and update, whether to Sequoia or one of its recent predecessors. If you’re happy to go with what Software Update offers, then that’s usually simplest and most efficient. This article considers what you should do if you want something different, from updating to any previous version, to using a single installer to update several different Macs.
Procedures given here should work with all versions of macOS from Monterey onwards. They may work too with Big Sur, but its installers weren’t always as reliable, so you should there be well-prepared to have to migrate from a backup in case the installation creates a fresh, empty Data volume instead of firmlinking up to your existing one.
Which installer?
As Apple discontinued standalone updater packages when it introduced Big Sur, the choice now is between downloading the full Installer app, and performing the process in Recovery mode. The latter severely limits your choice to what it’s prepared to offer, so you’re almost certainly going to need to obtain the full Installer for the version of macOS you want. Rather than use the Installer app provided in the App Store, download the Installer package from the links given by Mr. Macintosh. Those provide a package that’s easier to store and move around, unlike the Installer app itself. It will typically be a little over 13.5 GB, and works on both Intel and Apple silicon Macs.
Standard procedure
As with any update or upgrade, first ensure you have a full recent backup before starting. If anything does go wrong during the procedure you’ll then be able to perform a fresh install and migrate from that backup.
Unless you want to install everything afresh and migrate from your backup, don’t try erasing either your System or Data volume. You’d have to do that in Recovery mode anyway, limiting your options as to which version of macOS you can install unless you create a bootable installer first.
Double-click the installer package to launch it in the Installer utility. The default is to save the Installer app to your current Applications folder, which should work fine as long as you remember to delete it once you’ve finished. Once complete, launch that Installer app and follow its instructions.
When macOS restarts at the end of the process, check the version now running, confirm that your Data volume has survived intact, and run SilentKnight to ensure that all security data files are up-to-date.
Recovery
Intel Macs have a slight advantage when it comes to installing macOS in Recovery mode, as depending on the keys held during startup, you should be able to coax a choice of versions out of an Intel system. Unless you simply want to install or update to the current version, though, you’ll probably want to avoid doing so in Recovery.
There’s another good reason for not using Recovery, in that delivery of installers to Macs running in Recovery can be painfully slow, and you may well be in for a longer wait than if you downloaded the Installer direct.
However, if you want to erase the current boot volume group on your Mac’s internal storage so you can install a fresh copy of macOS and restore the contents of its Data volume from backups, Recovery is normally the best place to do that. Apple works through the process for Intel Macs, and Apple silicon models. The key step is to select the Macintosh HD boot volume group and click on the Erase tool to perform Erase Volume Group.
When the SSV was first introduced in Big Sur, there were many problems resulting from erasing just one volume in the boot volume group. If that happened to be the System volume, when macOS was installed it created a new firmlinked Data volume, leaving the existing Data volume as an orphan. That was usually done in a misguided attempt to have a fresh install of the System volume and SSV while keeping the existing contents of the Data volume, but doesn’t do that. Every installation of the SSV in any given version of macOS since Big Sur is identical, so it isn’t necessary to erase it, but simply to install or update macOS.
Bootable installer disk
Another traditional way to install macOS is using a bootable installer disk, normally a USB ‘thumb’ drive, although you can also create a small HFS+ volume for the purpose on an external SSD. Apple provides detailed instructions for doing this using a range of versions of macOS.
In many cases, installing a version of macOS older than the one that’s currently running requires this, as old Installers usually fail to run in newer macOS. Unfortunately, on Apple silicon Macs, this isn’t the powerful tool that it once was, as the Mac doesn’t boot fully from the external disk, and as a result it has no role in dealing with problems with internal storage.
Virtual Machines on Apple silicon
Installer apps and Recovery installs both work fine in virtual machines running on Apple silicon hosts. However, there’s one special circumstance you need to beware of. One of the major new features in virtualisation in Sequoia is support for iCloud and some other services dependent on Apple ID. If you want to use those, then the VM must be created new in Sequoia, using a Sequoia IPSW image. You can’t update or upgrade an existing VM from a previous version of macOS and use iCloud services in it.
Summary
If you can, use Software Update to update or upgrade macOS, as it minimises download size and is simplest.
If you want to perform a different update, or run one installer on several Macs, download and use the appropriate Installer package.
If you want to erase the existing system including all your data, use Recovery mode to erase the whole volume group, then install macOS and migrate from your backup.
Never erase only your Mac’s System volume, as that will orphan its current Data volume.
If you want to downgrade to an older version of macOS, you’ll probably need to do so from a bootable installer disk.
If you want a VM to use iCloud, then create a fresh VM using a Sequoia IPSW, as an upgraded VM can’t access iCloud.
Apple has just released an update to XProtect Remediator security software for Catalina or later, bringing it to version 145. The previous version was 142.
Apple doesn’t release information about what security issues this update might add or change. There are no changes in the number or names of its scanning modules, and Bastion rules also remain unchanged.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.
If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-145.
I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.
Login
