
Apple has just released an update to XProtect Remediator

By: hoakley
4 September 2024 at 03:47

Apple has just released an update to XProtect Remediator security software for Catalina or later, bringing it to version 145. The previous version was 142.

Apple doesn’t release information about what security issues this update might add or change. There are no changes in the number or names of its scanning modules, and Bastion rules also remain unchanged.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma, available from their product page. If your Mac has not yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-145.
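Checking and forcing these updates from the command line, as an added example that is not part of the original post: this script reads the installed version from each bundle's Info.plist, compares it with the version expected (the defaults are the 145 and 5271 quoted in these posts; pass others as arguments), and with FORCE=1 installs any component that is behind using its softwareupdate label, which is the same label SilentKnight uses. The bundle paths are those used from Catalina to Sonoma; plutil and softwareupdate are standard macOS tools, and the awk parser assumes the plist is XML once plutil has converted it.

```shell
#!/bin/sh
# Added example, not from the original post: report the installed XProtect
# Remediator and XProtect versions and, with FORCE=1, install any that are
# behind by the same softwareupdate labels SilentKnight uses.
# Bundle paths are those used from Catalina to Sonoma.

XPR_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist"
XP_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"

# Emit an Info.plist as XML: plutil (macOS) converts a binary plist on the fly,
# and where it is absent the file is assumed to be XML already.
plist_xml() {
    [ -r "$1" ] || return 1
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# CFBundleShortVersionString is the number the posts quote (145, 5271, ...).
plist_version() {
    plist_xml "$1" | awk '
        index($0, "<key>CFBundleShortVersionString</key>") {
            getline; sub(".*<string>", ""); sub("</string>.*", ""); print; exit
        }'
}

# Returns 0 when dotted version $1 is older than $2, comparing each field numerically.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# softwareupdate label for a component, as listed in these posts.
update_label() {
    case "$1" in
        xpr)      printf 'XProtectPayloads_10_15-%s\n' "$2" ;;
        xprotect) printf 'XProtectPlistConfigData_10_15-%s\n' "$2" ;;
        *)        return 1 ;;
    esac
}

# Prints "name installed expected status"; returns 1 unless installed >= expected.
check_component() {
    installed=$(plist_version "$2")
    if [ -z "$installed" ]; then
        printf '%s missing %s unknown\n' "$1" "$3"; return 1
    fi
    if version_lt "$installed" "$3"; then
        printf '%s %s %s outdated\n' "$1" "$installed" "$3"; return 1
    fi
    printf '%s %s %s current\n' "$1" "$installed" "$3"
}

# Usage: sudo FORCE=1 sh xprotect-check.sh [expected XPR version] [expected XProtect version]
main() {
    rc=0; labels=""
    check_component XProtectRemediator "$XPR_PLIST" "${1:-145}" ||
        { rc=1; labels="$labels $(update_label xpr "${1:-145}")"; }
    check_component XProtect "$XP_PLIST" "${2:-5271}" ||
        { rc=1; labels="$labels $(update_label xprotect "${2:-5271}")"; }
    if [ -n "$labels" ] && [ "${FORCE:-0}" = 1 ]; then
        # Without --include-config-data softwareupdate ignores XProtect data updates.
        for label in $labels; do
            softwareupdate -i "$label" --include-config-data
        done
    fi
    return "$rc"
}

# Only run the live check where the XPR bundle exists, i.e. on a Mac.
if [ -f "$XPR_PLIST" ]; then
    main "$@"
fi
```

Run it without FORCE first to see which components are behind; the exit status is non-zero when anything is outdated, so it can sit in a fleet check. The list of what softwareupdate currently offers is `softwareupdate -l --include-config-data`, which is where the labels above come from.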

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Last Week on My Mac: Layered security and herd immunity

By: hoakley
25 August 2024 at 15:00

Reviewing security products intended to detect and remove malicious software is far harder than it used to be. There was a time when all you had to do was set your virtual machine to Reduced Security, disable SIP, and maybe Gatekeeper too, then strip any quarantine extended attributes from samples of recent malware. With nothing to trigger checks by macOS security, the malware was fully exposed to the security software under test, and you could assess how successful the product was at detection.

Yet in Sonoma it seems that you also need to disable AMFI (Apple Mobile File Integrity), or macOS will intervene to detect the malware before the product under test, which then won’t get a look-in.

[Diagram: LaunchSonomaApp1]

Back in Sonoma 14.4.1 I summarised those layers of checks in this diagram.

Although it’s encouraging that malware detection is now so pervasive, this makes it almost impossible to assess the other side of an anti-malware product, how well it can remove the malicious software it discovers. The same applies to Apple’s own XProtect Remediator. Stunting and tricking macOS to the point where malware can deploy fully isn’t anywhere near as easy as it was.

[Image: xprmensis01]

You know you have failed again when macOS pops up an alert like this, telling you that it has intercepted your attempt to bypass its protection.

From a user’s point of view, this can only be good. macOS security protection is designed and applied in multiple layers so that, even if something manages to trick its way past one check, the next layer is there to stop it in its tracks.

The strangest thing about XProtect Remediator isn’t the fact that, left to its own devices, it doesn’t inform the user when it detects malware, but that it will happily remove the malware it detects and let you carry on using your Mac as if nothing had happened. If you’re as old school as me, you might wonder why you shouldn’t have to wipe your Mac completely, restore it in DFU mode if an Apple silicon model, and rebuild it from scratch. Surely the slightest suspicion of anything malicious demands such a scorched earth approach?

That too depends on what security protection your Mac has active. If that includes SIP and the SSV, then there’s no known malware that can alter anything on the SSV, and what it can do on your Data and other volumes is also limited. The days of viruses wreaking havoc throughout your entire Mac thankfully seem long since past. Viruses, of course, were designed to replicate themselves throughout a Mac’s storage, but today’s trojans and stealers are after two things, and those are your secrets and money.

But that depends on the behaviour of potential victims of malware. Like any business, those who try to profit from theft of our secrets and other malicious behaviour have to consider the size of their market of victims. For many years, this was one of the Mac’s defences against malware: why would anyone want to develop for such a small proportion of potential victims, when PCs readily provided far more? More recently, some have unfortunately recognised our potential, and now we’re suffering the consequences.

This is where standard macOS security protection comes into play. At present, the great majority of Macs running Big Sur or later have SIP enabled and their SSV fully protected. The victim market for malware requiring write access to the System volume is tiny. But what if it became more usual for Macs to be unprotected, and all that malware had to do was gain root privileges to be able to write to the System volume?

This is a phenomenon akin to vaccination and resulting herd immunity in pandemics like Covid. States and nations with low protection by vaccination and little herd immunity suffered the highest rates of infection and consequent death rates. But so few realised that exercising their personal choice to remain unvaccinated had that effect, despite the fact that humans throughout the world had eliminated the deadly disease of smallpox by building herd immunity in the late twentieth century.

Security protection in macOS works in layers. Each layer you disable opens wider the window of opportunity for attackers. The more Macs that have any given layer of protection disabled, the lower the herd immunity to attack, and the more likely that malware will try to take advantage of that.

Apple has just released an update to XProtect Remediator

By: hoakley
21 August 2024 at 02:03

Apple has just released an update to XProtect Remediator security software for Catalina or later, bringing it to version 142. It appears this version was first released over 12 hours ago, early in the morning GMT, but was then removed from Apple’s update servers. It has just now been made available again.

Apple doesn’t release information about what security issues this update might add or change. For the first time since its release, this update removes a scanning module, for RedPine. Bastion rules remain unchanged.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma, available from their product page. If your Mac has not yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-142.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Apple has just released updates to XProtect and XProtect Remediator

By: hoakley
7 August 2024 at 06:05

Apple has just released updates to XProtect Remediator security software (Catalina or later), bringing it to version 141, and to XProtect (for all macOS from El Capitan or so) bringing it to version 5271.

Apple doesn’t release information about what security issues these updates might add or change.

XProtect’s Yara definitions add two further signatures to its long list of those for MACOS.DOLITTLE, these being qualified as DOFNPXR and DOFDLMARM.

XProtect Remediator adds a new scanning module for Dolittle, the same codename that has just had a family of 14 detection rules added in XProtect. There are no changes to Bastion rules for the behavioural version of XProtect (Ventura and Sonoma only).

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma, available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-141 and XProtectPlistConfigData_10_15-5271.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Apple has just released updates to XProtect and XProtect Remediator

By: hoakley
24 July 2024 at 02:14

Apple has just released updates to XProtect Remediator security software (Catalina or later), bringing it to version 140, and to XProtect (for all macOS from El Capitan or so) bringing it to version 5270.

Apple doesn’t release information about what security issues these updates might add or change.

XProtect’s Yara definitions have a single change, adding a DOFMVAD signature to its long list of those for MACOS.DOLITTLE.

No new scanning modules are added to XProtect Remediator, and there are no changes to Bastion rules for the behavioural version of XProtect (Ventura and Sonoma only).

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma, available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-140 and XProtectPlistConfigData_10_15-5270.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

XProCheck 1.6 update improves performance

By: hoakley
23 July 2024 at 14:30

XProCheck is one of my unique utilities, to the best of my knowledge the only app that checks whether your Mac has been running its XProtect Remediator (XPR) anti-malware scanner, and reports the results of its scans in full detail. I’m delighted to release a new version of XProCheck that improves both its checks and reports.

Apple introduced XPR two years ago, as a greatly enhanced replacement for its Malware Removal Tool, MRT, which is no longer maintained. XPR is installed on all Macs running Catalina or later, and normally performs two sets of scans, one as the user and the other as root, every 24 hours or so. It currently contains scanning modules for 22 different types of malware, and one to cover those previously included in MRT’s checks. Its scans will not only detect known malware, but will also try to remove (‘remediate’) those that it does detect.

Strangely, XPR doesn’t report detections or remediations to the user, but can report them to third-party security software through the Endpoint Security framework (Ventura and later). As far as I’m aware, though, few if any security products make use of that, leaving XProCheck as the only way to monitor XProtect Remediator scans and reports.

XProCheck version 1.6 brings one major improvement, in changing the method used to check log entries for XPR’s reports. Previous versions have used the log show command, but this new version now reads the log directly using the OSLog API. Although this does have a small memory leak that would only be significant if you were to run dozens of checks in succession, it brings considerable improvements in speed, particularly when checking scans over longer periods, and on Apple silicon Macs.

This version of XProCheck typically takes less than 60 MB of memory before running any checks, rising to less than 70 MB after it has completed its first check. That may rise by less than 1 MB with each subsequent check made before quitting the app, so is almost unnoticeable.


There are two more cosmetic improvements: XProCheck reports now also give the time of its checks in local time as well as GMT/UTC, and the width of the scanner name field is a little greater, to better accommodate CardboardCutout.

XProCheck version 1.6 runs on all Intel and Apple silicon Macs in all versions of macOS from Catalina to Sequoia betas, and is available from here, from Downloads above, from its Product Page, and through its auto-update mechanism.

Apple has just released an update to XProtect Remediator

By: hoakley
10 July 2024 at 03:21

Hot on the heels of the slightly earlier update to XProtect, Apple has just released an update to XProtect Remediator security software for Catalina or later, bringing it to version 139.

Apple doesn’t release information about what security issues this update might add or change. There are no new scanning modules, and Bastion rules remain unchanged.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma, available from their product page. If your Mac has not yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-139.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

What do XProtect BehaviourService and Bastion rules do?

By: hoakley
28 June 2024 at 14:30

Not content with two different XProtects, Apple added a third to macOS Ventura, XProtect BehaviorService (XBS), part of the new Bastion behavioural-based malware detection system. Rather than performing on-demand or periodic scans of static code, this watches for potentially malicious behaviours, such as attempts to access folders used by browsers such as Safari and Google Chrome. This article summarises what XBS is doing as we prepare to upgrade from Sonoma to Sequoia.

What they do

Apple tells us precious little about XBS and Bastion, mentioning them in its Platform Security Guide: “In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.”

At present, XBS and Bastion only record suspicious events in the XBS database at /var/protected/xprotect/XPdb, report them to Apple, but don’t attempt to intervene in any way. They determine what to report according to a set of rules applied by syspolicyd that are compiled from source files updated inside XProtect Remediator update bundles. Changes in those, in XPR’s scanning modules, and in XProtect’s detection signatures, are reported on this blog for each update released by Apple.

Development

Over the period since its introduction, Bastion rules have grown steadily, from four to 12:

  • In macOS 13.5 (24 July 2023) there were 4 rules, increasing to 5 in September 2023.
  • XProtect Remediator (XPR) 108 (8 August 2023) brought the first separate Bastion rule update.
  • XPR 112 added rules 6 and 7.
  • XPR 123 added rules 8 and 9, and adjusted rule 7.
  • XPR 130 added rule 10.
  • XPR 131 added rule 11.
  • XPR 137 added rule 12, and amended rules 6 and 7.

Updates provided in XProtect Remediator contain two files for XBS and Bastion:

  • bastion.sb, a text file containing the latest Bastion SystemPolicyConfiguration, its rules;
  • BastionMeta.plist, a property list defining behaviour dictionaries for XBS and Bastion.

Bastion rules

The Bastion SystemPolicyConfiguration file bastion.sb is prefaced with the line (version 3), which hasn’t changed since the first update.

This first defines groups of processes: usual-offenders, common exceptions to several rules, and separate groups of exceptions to each of Bastion rules 1, 2, 3 and 12. For example, com.apple.mds and other Spotlight indexing processes are usual-offenders, while com.apple.Finder is only a rule-one-offender. Interestingly, three of the XProtect Remediator scanning modules (MRTv3, Pirrit and WaterNet) are included in the list of usual-offenders.

Using those lists of exceptions, Bastion rules are then built as filters:

  1. excludes other processes from accessing private data for Google Chrome, Firefox and Safari;
  2. excludes other processes from accessing private data for Messages, Microsoft Teams, Slack and WhatsApp;
  3. excludes other processes from accessing the QuarantineEvents database;
  4. controls access to two socket ioctl commands, SIOCIFCREATE and SIOCGIFDESC;
  5. controls writing files with a period/stop at the start of their name within Library/PrivilegedHelperTools/ directories;
  6. controls creating or writing to files with a name starting with com within /Library/Application Support/;
  7. controls creating or writing to files with a name starting with com within /Library/Application Support/ and users’ ~/Library/Application Support/ directories;
  8. controls creating or writing to files with a name starting with a period/stop, other than .DS_Store, in users’ ~/Library/Application Support/ directories;
  9. excludes other processes from creating or writing to files in users’ ~/Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/ directories;
  10. controls creating or writing to files with a name starting with a period/stop, other than .DS_Store, .betamigrated and .localized, in the /Users/Shared/ directory;
  11. controls execution of processes from files with a name starting with a period/stop in the /Users/Shared/ directory;
  12. excludes other processes from accessing private data for Notes, Safari Cookies, Chrome, Brave, Microsoft Edge, Opera, Vivaldi, Firefox, Arc, other cookies, Electrum and Coinomi wallets, Exodus, atomic, Binance, Filezilla, Steam and Discord.

The updated bastion.sb file supplied in XPR updates is explicitly referenced by syspolicyd to replace the version embedded in its own code.

BastionMeta.plist

This property list contains a metadata dictionary of 12 behaviours, each correlating with a Bastion rule. Each has a Signature Name, such as macOS.NetworkSniffer.Generic, a Boolean value indicating the need for immediate reporting, and a binary flag ranging from 1 to 2048. The behaviours are named:

  1. Browser
  2. Messages
  3. QntDb
  4. NetworkSniffer
  5. HiddenPrivilegedHelpers
  6. ADLOAD NumericPath
  7. ADLOAD PersistenceSearch
  8. Persistence HiddenAppSupport
  9. Safari ExtensionModification
  10. Persistence HiddenShared Generic
  11. Persistence HiddenShared Exec
  12. InfoStealers.

Behaviours detected

Individual rules currently detect:

  1. attempts to access private browser data
  2. attempts to access private messaging data
  3. attempts to access quarantine records
  4. attempts to perform network packet sniffing
  5. attempts to write to hidden privileged helper apps
  6. Adload behaviours
  7. Adload persistence behaviours
  8. persistence behaviour using hidden files in users’ ~/Library/Application Support/ directories
  9. attempts to create and use Safari extensions
  10. persistence behaviour using hidden files in /Users/Shared/
  11. persistence behaviour running hidden files in /Users/Shared/
  12. attempts by an InfoStealer to access a wide range of private data.
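Bastion records these writes as they happen; what they leave behind can be found afterwards with a static sweep. As an added example that is not part of the original article, the script below looks for the on-disk artefacts that rules 5, 8, 10 and 11 above watch for: hidden files in PrivilegedHelperTools directories, hidden files other than .DS_Store in users’ Application Support directories, and hidden files (other than the three names Bastion exempts) and hidden executables in /Users/Shared. Rules 6 and 7 are left out deliberately, because names starting with com in Application Support are overwhelmingly legitimate. The paths are those quoted in the rules; each function takes a root directory so it can be pointed at a mounted volume or a test tree, and with no argument it sweeps the live system, which needs root to read other users’ Library folders.

```shell
#!/bin/sh
# Added example, not from the original article: a static sweep for the on-disk
# artefacts that Bastion rules 5, 8, 10 and 11 record being written.
# Each function takes a root directory (empty means the live system) so it can
# be pointed at a mounted volume or a test tree; run as root on a live Mac.

count_lines() { wc -l | tr -d ' '; }

# Rule 5: hidden files inside Library/PrivilegedHelperTools directories,
# system-wide and per user.
hidden_privileged_helpers() {
    root="${1:-}"
    find "$root/Library/PrivilegedHelperTools" "$root"/Users/*/Library/PrivilegedHelperTools \
        -maxdepth 1 -name '.*' -type f 2>/dev/null
}

# Rule 8: hidden files other than .DS_Store in users' Library/Application Support.
hidden_app_support() {
    root="${1:-}"
    find "$root"/Users/*/Library/"Application Support" \
        -maxdepth 1 -name '.*' ! -name .DS_Store -type f 2>/dev/null
}

# Rule 10: hidden files in /Users/Shared, other than the three names Bastion exempts.
hidden_shared() {
    root="${1:-}"
    find "$root/Users/Shared" -maxdepth 1 -name '.*' \
        ! -name .DS_Store ! -name .betamigrated ! -name .localized -type f 2>/dev/null
}

# Rule 11: the subset of those that carry an execute bit, i.e. what rule 11
# would see being run.
hidden_shared_exec() {
    hidden_shared "$1" | while IFS= read -r f; do
        if [ -x "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# All findings, one per line, prefixed with the rule each corresponds to.
sweep() {
    hidden_privileged_helpers "$1" | sed 's/^/rule5 /'
    hidden_app_support "$1"        | sed 's/^/rule8 /'
    hidden_shared "$1"             | sed 's/^/rule10 /'
    hidden_shared_exec "$1"        | sed 's/^/rule11 /'
}

# Usage: sudo sh bastion-sweep.sh [root]; prints nothing on a clean Mac.
# Only runs when the given root looks like a macOS volume.
if [ -d "${1:-}/Users" ]; then
    sweep "$1"
fi
```

Anything it prints deserves a look rather than automatic deletion: .localized and .DS_Store are normal, which is why Bastion exempts them, but a hidden executable in /Users/Shared has no legitimate reason to exist on most Macs. The same functions can be run against a clone of a suspect Data volume mounted elsewhere by passing its mount point as the root.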

Summary

  • In macOS Ventura and later, XProtect BehaviorService (XBS) and its Bastion rules detect suspicious behaviours that might reflect malicious activity.
  • Bastion rules are updated within XProtect Remediator updates, using two files bastion.sb and BastionMeta.plist.
  • There are currently 12 Bastion rules, covering generic behaviours such as accessing private data, to those indicative of Adload and InfoStealer malware.
  • Suspicious behaviour is recorded locally to the XBS database and reported to Apple, but isn’t notified to the user.
  • Currently the primary purpose of XBS and Bastion is to provide Apple’s security team with intelligence to improve protection provided by XProtect and XProtect Remediator.

