Reading view

There are new articles available, click to refresh the page.

XProtect has changed again in macOS Sequoia 15.2

If your Mac is running macOS Sequoia version 15.2 and you keep an eye on its security data updates, you may have noticed that those have changed again. Perhaps the only way to make sense of what has happened is to understand how XProtect updates work in recent versions of macOS.

Before doing that, there are two important issues to make clear:

  • Despite their names, XProtect and XProtect Remediator are different, and in Sequoia are updated using different mechanisms. XProtect is run on-demand when macOS is about to execute code, while XProtect Remediator runs scans for malware in the background about once a day. This article is only about how XProtect updates, as XProtect Remediator is still updated using the softwareupdate mechanism, and that hasn’t changed.
  • Sequoia obtains XProtect updates through a connection to iCloud that is independent of whether your Mac is logged into your Apple Account in iCloud. So long as your Mac is connected to the internet and nothing blocks its iCloud connections, those updates will be available to it, regardless of whether it’s connected to your Apple Account or iCloud Drive. This is in common with other services that macOS relies on, such as making notarization checks on apps, and updating linguistics data and those used by AI.

macOS Sonoma and earlier

Like other security data updates including XProtect Remediator, XProtect is updated through Software Update, or the command tool softwareupdate, which is how SilentKnight obtains its updates too. Shortly after starting up, and at least daily after that, your Mac’s softwareupdated service contacts Apple’s software update servers and checks whether there are any updates available. If there are, they’ll be automatically downloaded and installed, provided that’s enabled in System Settings.

In this case, XProtect is installed in its traditional place, in /Library/Apple/System/Library/CoreServices as XProtect.bundle.

mcOS Sequoia 15.0-15.1.1

For this brief period, XProtect updates have been available using either of two methods.

The traditional method using Software Update or softwareupdate continues to install the XProtect bundle in its old location, where it could still be used, but the XProtect service in Sequoia expects to find it in a different location, in /private/var/protected/xprotect, where it’s still known as XProtect.bundle.

The new method installs the XProtect bundle directly into its new location, and doesn’t obtain it using Software Update or softwareupdated, but an undocumented service that connects to iCloud instead. That appears to activate at least once a day, independent of softwareupdated, and silently checks for XProtect updates in iCloud. When it finds one, that’s installed directly to /private/var/protected/xprotect but not the traditional location in /Library/Apple/System/Library/CoreServices. It’s therefore perfectly possible for the two XProtects to get out of sync, although the only one that Sequoia uses is that stored in the new location.

Sequoia also introduces a new command tool xprotect to help manage these new updates. If you run
sudo xprotect update
and the version of the XProtect bundle in the traditional location is greater than that in the new location, then the newer version will be copied to the new location to install it there as an update, instead of having to wait for the update through the new iCloud mechanism. This also provides redundancy, but relies on the two sources providing identical updates.

To add a final twist of confusion, if xprotect copies the XProtect bundle from the traditional to the new location, it does so by copying its contents, so its version number changes but the bundle itself retains its previous date of creation and modification, which can prove thoroughly confusing. The lesson here is to check the bundle by its version number, not by its dates.

macOS Sequoia 15.2 and later

In the latest release of Sequoia, the traditional method of updating XProtect is no longer used. If softwareupdate were to download and install an update, then it will only end up in the traditional location, and xprotect update can’t use that to update the new location.

In normal use, this means that the user can’t update XProtect until that new version is made available from iCloud. This ensures that the only versions provided to Macs running 15.2 and later are those intended to be used in Sequoia, but it also means that any delay in providing those via iCloud will leave Macs without the latest update.

Apple has modified the xprotect command to provide one let-out, though: use
sudo xprotect update --prerelease
and it “will attempt to use a prerelease update, if available.” Note that still can’t use a traditional XProtect update installed in the traditional location, and still has to be able to obtain the update from iCloud, but it might work when xprotect check and xprotect update can’t offer a new update yet. Note that Apple describes that early-bird version as prerelease, and it shouldn’t therefore be used as if it’s a regular release, and only for good reasons.

SilentKnight

Because of these changes, as of Sequoia 15.2, SilentKnight is no longer able to provide any assistance in updating XProtect, and its next version 3.0 will also be unable to do anything more useful than inform you that your current version of XProtect is up to date, or out of date. If it is out of date, then it’s up to you what you decide to do about it. In most cases, that should be to leave well alone and let macOS handle the update as it’s intended to.

Because time of release of XProtect updates through softwareupdate and iCloud differ, and vary around the world, availability from one source is no guarantee that the other will also be offering that update. For example, on 17 December, the softwareupdate version became available by about 1830 GMT. A prerelease version for 15.2 was available several hours before that, but the regular release wasn’t available from iCloud until early the following day. If Apple is intending to fork XProtect data for 15.x from those for older versions of macOS, the two update services will be offering quite different bundles anyway, as we experienced briefly in the early days of Sequoia.

Although I do periodically poll traditional softwareupdate servers for new updates, repeatedly doing so for iCloud updates doesn’t appear a good way to proceed, and could in any case be misleading. On the other hand I don’t think it’s intended that apps like SilentKnight should check for prerelease updates as a matter of course, and abuse of that option could lead to its removal. In other words, Apple wants full control over when your Mac can and will update to new versions of XProtect, presumably because Sequoia will be getting different updates in the future.

Summary

  • If your Mac hasn’t been upgraded to Sequoia, XProtect updates continue as usual, and SilentKnight will continue to be able to find and install them as it has done in the past.
  • If your Mac is running Sequoia 15.0 to 15.1.1, then it will continue to be offered XProtect updates both ways, and should continue to do so until you update it to 15.2.
  • Macs running 15.2 and later now get XProtect updates differently. Neither you nor SilentKnight can alter that, unless you want to try obtaining prerelease updates through the xprotect command in Terminal. While SilentKnight and Skint will warn you when an XProtect update is expected, you should rely on macOS to handle those updates for you.

Apple has just released updates to XProtect and XProtect Remediator

Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5284, and to XProtect Remediator for all macOS from Catalina onwards, to version 149. As usual, Apple doesn’t release information about what security issues these updates might add or change.

Yara definitions in this version of XProtect augment existing rules for dylibs in MACOS.ADLOAD, and add 2 new rules for MACOS.DOLITTLE, 1 for MACOS.PIRRIT, 5 for MACOS.BUNDLORE and 5 for MACOS.ADLOAD.

XProtect Remediator adds a new scanner module for Bundlore. There are no changes to Bastion rules for the behavioural version of XProtect (Ventura and later).

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-149 and XProtectPlistConfigData_10_15-5284.

For Sequoia 15.2 and later only: XProtect updates are no longer supplied through Software Update, softwareupdate, or SilentKnight. The only way that your Mac can obtain XProtect updates is through a connection to iCloud, which is supposed to happen automatically. If your Mac hasn’t yet been updated to version 5284, you can try using the Terminal command
sudo xprotect update --prerelease
(with a double hyphen not an m-dash)
That should download and install this update even though it hasn’t yet been generally released through iCloud.

For Sequoia 15.1.1 and earlier only: this update hasn’t yet appeared in iCloud, which may still return an XProtect version of 5283. If you download and install it using Software Update, softwareupdate or SilentKnight, then once that’s complete you need to update the primary XProtect bundle in Terminal using the command
sudo xprotect update
then entering your admin password. If you’re unsure what to do, this article explains it comprehensively and simply.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sequoia on this page, for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

[Updated blind-guessing the changes in 15.2, at 2030 GMT 17 December 2024.]

Is that authentication request genuine or fake?

It’s essential to know when an authentication request is genuine. Without that knowledge, it’s all too easy to give your password away to malware, or to a badly-behaved app that’s trying to work around macOS security rules. By far the best way to authenticate now is using Touch ID, but many Macs don’t support it, either because they can’t, or because their keyboard doesn’t, and macOS doesn’t always offer it anyway. This article looks at how you can recognise genuine requests.

All Macs

The traditional non-biometric dialog is still in widespread use, and can appear on any Mac, even when Touch ID is available, and in Sequoia. I’ve been trying to work out a simple rule to predict when you should expect to see a classic request, and it appears to be associated with more traditional apps like Keychain Access, and when asking to access a file-based keychain such as the login keychain. But there don’t appear to be any simple and robust rules.

When an app needs to access a secret that requires authentication, the security system, not the app, displays a dialog asking you for the password to that keychain to authenticate before it will provide the password or other secret to the app.

keychain

That authentication dialog is very important: although malware might try to forge it, it contains distinctive features you should always look for:

  • The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that has asked to access the keychain.
  • The bold text names the app or component that has called for keychain access, and states which item it’s asking to access: here, a named secure note.
  • The smaller lettering specifies that it’s asking for the keychain password, that is the password used to unlock the named keychain, not that for your Apple Account or any other password.
  • If you’re in any doubt about its authenticity, click on the Deny button and the request will be denied.
  • If you’re in any doubt about its authenticity, open Keychain Access, lock the keychain there, and repeat the action while watching the keychain to ensure that it’s unlocked and handled correctly.

Note that this doesn’t provide or ask for your user name, only the password for that keychain.

Macs without Touch ID

If Touch ID isn’t currently available to your Mac, either because it doesn’t support it, or because it doesn’t have a keyboard connected that includes Touch ID support, you should see the non-biometric versions of other dialogs requesting authentication. These are for purposes other than keychain access that require elevated privileges, such as for a process to run a privileged helper, or to make changes in System Settings.

keychain03

This new vertical format should contain the following:

  • The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that is asking for your password.
  • Bold text names the app making the request.
  • Below that is a general indication of the purpose of the request.
  • Below that is the instruction to Enter your password to allow this.
  • There are two text boxes, to contain your user name (already completed) and password.
  • There are only two buttons, one of which may be OK or something more specific, and the other is Cancel.
  • If you’re in any doubt as to its authenticity, click on the Cancel button to deny the request, and consult the app’s documentation.

Macs with Touch ID

If your Mac supports Touch ID (all Intel Macs with T2 chips, and all Apple silicon Macs), and currently has a keyboard connected to it with support for Touch ID, macOS should offer you the biometric version of that authentication dialog.

passwordeg3

This should contain the following:

  • The icon consists of a Touch ID fingerprint, on which is superimposed a miniature icon representing the app or component that is asking for your password.
  • Bold text names the app making the request.
  • Below that is a general indication of the purpose of the request.
  • Below that is the instruction to Touch ID or enter your password to allow this.
  • There are only two buttons, the upper being Use Password…, and the lower is Cancel.
  • If you’re in any doubt as to its authenticity, click on the Cancel button to deny the request, and consult the app’s documentation.

This dialog has distinctive behaviour that’s difficult to forge. When you place your fingertip on the Touch ID button on the keyboard, it will either authenticate successfully, so dismissing the dialog, or the dialog shakes to indicate you should try placing your fingertip on the button again.

pwordprompt1

If Touch ID authentication fails, or you click on the button to Use Password…, the dialog expands to resemble the non-biometric version above, with the following two important differences:

  • The icon still consists of a Touch ID fingerprint, with a superimposed miniature icon representing the app or component.
  • The instruction remains to Touch ID or enter your password to allow this.

Although you will continue to encounter classic non-biometric authentication dialogs on a Mac with full Touch ID support, you may also come across some that you might have expected still to use the old dialog, but which now use a biometric dialog, such as that below.

pwordprompt2

Perhaps as Touch ID support extends this will become more consistent.

Apple has released an update to XProtect Remediator

Apple has just released an update to XProtect Remediator security software for Catalina or later, bringing it to version 147. The previous version was 145.

Apple doesn’t release information about what security issues this update might add or change. There are no changes in the number or names of its scanning modules, and Bastion rules also remain unchanged.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia available from their product page. If your Mac has not yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-147.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sequoia on this page, for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Is there more XProtection in Sequoia?

If you’ve already upgraded to macOS Sequoia, you’ll probably be well aware of the changes it has brought in updating the data used by XProtect. Although it’s now designed to get those updates from iCloud, so far most have been delivered through the traditional Software Update route, and have had to be installed in their new location either manually in Terminal, or by waiting for the new system to get round to it. So is it worth this extra hassle: how has the new XProtect improved?

We’ve now seen two updates only for Sequoia’s XProtect, one for all Macs, and one only for older macOS. Although still early days, the differences in the XProtect bundle have been obvious. Both versions 5273 and 5275, which were only released for macOS 15, contained large additions to their detection rules, which vanished just as suddenly in 5276, the latest version common to all versions of macOS. To see what has changed, we must examine their XProtect.yara files, the only one in its bundle that has seen any changes.

YARA rules

XProtect performs static checks on code before it’s run, to assess whether there’s evidence that it’s malicious. Its tests are based on YARA rules, explained in detail here. Each rule sets out conditions that must be met for XProtect to conclude that a file is known to be malicious. For example, the rule used by XProtect to detect the Eicar test, a standard non-malicious sample used in testing, is:
rule EICAR
{
meta:
description = "OSX.eicar.com.i"
xprotect_rule = true
condition:
filesize <= 100000000 and hash.sha1(0, filesize) == "3395856ce81f2b7382dee72602f798b642f14140"
}

Its meta section names the detection and states that it’s an XProtect rule. The condition to be met for this rule requires a file size of less than 100 MB and the SHA1 hash of the whole file, from its start (0) to the end (filesize), matches the hash given. Some rules have far more complicated conditions, requiring combinations of tests.

Changing rules

New rules that have only appeared in YARA files used by Sequoia have followed a different pattern. Here’s an excerpt from an example:
rule XProtect_MACOS_DOLLITLE_CT
{
meta:
description = "MACOS.DOLITTLE.CT"
uuid = "[UUID]"
condition:
hash.sha256(0, filesize) == "[SHA256 hash]" or

}

where [UUID] is the rule’s unique identifier, and [SHA256 hash] is the hash value for that part of the condition.

For the first time this rule’s metadata includes a UUID, and its conditions require the SHA256 hash of the file contents to match one of a number of specific values. In this case, the rule gives only six different hashes, but in the rule for MACOS.SOMA.CT there are 3,124 hashes to match against.

So the new YARA rules tested by Apple using Sequoia’s XProtect don’t yet reveal any evidence of new capabilities. What they do suggest is that it’s capable of handling even larger sets of rules, including single rules testing well over 3,000 file hashes. Over the last year, XProtect’s YARA files have increased considerably in their size and complexity. XProtect.yara from version 2173 a year ago had only 223 rules in just over 3,000 lines of code, while version 5275 for XProtect in Sequoia has more than 350 rules requiring nearly 17,000 lines of code.

XProtect future

It seems most unlikely that Apple will ever update Sonoma or earlier versions of macOS to use comparable code in XProtect to that in Sequoia. We have already seen how it has forked XProtect’s YARA rules to deliver different versions for Sequoia and previous macOS, with the newer XProtect receiving odd-numbered releases, and older ones even-numbered. Although those have been confusing for those users who track security data updates, Apple expects us to leave it to macOS to download and install the right updates promptly.

If the last couple of weeks have been chaotic, I fear that the future will be similar. I’ll continue to do my best to inform you of updates to XProtect’s data, and to help you keep your Macs up to date, whichever version of macOS they’re running.

[Thanks to Arnaud for correcting my original reference to file sizes, rather whole-file hashes.]

❌