BenjaminYing:

系统版本是 macOS 26 25A5349a （目前最新版本 Public Beta ）。删除了 ClashX （在 macOS 26 中寄了）、Bartender （有了系统自己的控制项目，觉得不再需要了） 和 OPPO O+Connect 后，系统设置的菜单栏 - 允许在菜单栏显示项目中仍然残留有相关条目

问了 ChatGPT ，已经试过了所有给出的方法，但都没什么用。难道以后 App 被删除了，只要它曾经在菜单栏显示过图标，就会一直留在里面？有没有相关的文档有说这个新设置和哪些配置文件或者 plist 文件相关的？

NMMN:

MacOS 用 Edge 浏览器观看 B 站或者 YouTube 视频，双击视频最大化全屏播放时，上方菜单栏总是会显示出来，非要移动一下鼠标才会真正全屏，这个是 MacOS 的 bug 还是本来就是设计如此？大家有遇到过或者有什么解决方法吗？应该不是 Edge 浏览器的问题，用 Safari 浏览器也是一样的。

johnsonyeen:

Mac OS 26 的声音 屏幕亮度等提示, 不再出现在屏幕的下方正中间了 , 现在按键盘快捷键的时候 现在还需要做额外的抬头动作... 劝退...

PaperZai:

图片空格预览，鼠标移入到图片元素之上的时候，按下空格键，图片将会放大预览，再次按下空格键或者 esc 键则关闭图片预览。灵感来源于 macOS 的空格预览，对于查看市场要查看图片细节的用户来说，这绝对是一个很方便的脚本。

1. 部分视频网站上，空格暂停播放会和空格预览发生冲突，我暂时不知道怎么解决。
2. 如果部分网站异常，请在油猴脚本中排除该网站，不过因为功能简单也很少有什么 bug 。、
3. 默认屏蔽了网站了空格翻页功能。
4. 百分百 ai 写的代码，不过能实现功能就好，之前也一块做了链接空格预览，但最后 bug 有点多，删除了代码。

脚本安装地址： https://greasyfork.org/zh-CN/scripts/547832-%E5%9B%BE%E7%89%87%E9%A2%84%E8%A7%88-image-preview

演示地址： https://www.bilibili.com/video/BV1DkhizEEFn/

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Well-guarded like West Berlin was, it holds your greatest secrets.

2: Motor nerve processes your images.

3: Cloth or worsted to connect it all together.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

fmzheng:

升级到 MacOS26 beta 版本以后（从 beta1 到 beta7 ），外放音量调到正常（例如 50%），这时候插上耳机播放，再拔掉耳机不做其他操作，外放音量无法恢复到正常，听着就像是插上耳机（不是戴耳朵上）然后从耳机里面发出的声音一样小。这时候把音量拖到 100%差不多才能达到之前设置为 50%的效果。检查 Mac 的音量设置和 App 的音量设置和没插耳机之前一样，目前只能重启 Mac 解决。有没有遇到的？

f1ynnv2: 买了个佳能 LBP623Cdn ，确实可以通过 air print 连上，但是这个 air print 的驱动版本是 4.0 的，每次打印 Word ，PDF 之类的时候没有 A4 的选项，默认纸张都是美国 letter 。
打印机报警无法打印，非要去打印机上按一下强制使用当前 A4 纸进行打印才行。

客服说要安装驱动，装了驱动后确实正常了，Word/PDF 打印有 A4 选项能正常打印了。后来准备在 macmini m4 上装的时候提示要先安装 rosetta 又纠结了，现在 macos 下基本没有需要装 rosetta 的软件了，结果为了个驱动再装上去很不爽。

不知道佳能啥时候能与时俱进一下

Apple has just released its weekly update to XProtect for all supported versions of macOS, bringing it to version 5312. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds three new detection rules: MACOS.SOMA.AUENB augmenting rules for the Soma/Amos family, MACOS.DUBROBBER.CHBI for another Dubrobber variant, and MACOS.ODYSSEY.LELI for an additional Odyssey variant.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5312

Sequoia and Tahoe systems only

This update has now been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5312 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

In the last few months I have had reports from several whose Macs have experienced a “SEP Panic” rather than a regular kernel panic. Although the immediate effects are the same, and my previous advice on how to deal with a kernel panic still applies, this article looks in more detail at what should be exceedingly rare events.

Essentials

If your Mac restarts or shuts down spontaneously, or ‘freezes’ for you to force it to shut down, chances are that was a kernel panic. When it starts up again, look out for the dialog inviting you to send a report to Apple. Expand that so you can see the panic log, copy and paste that into a text document, and save it. That’s the only record you have of that report, and that provides valuable clues as to what went wrong and how you might go about fixing it.

Apple will not contact you in response to sending the panic log. If you want advice or assistance about your Mac, contact Apple Support, and ensure you have your copy of the panic log ready, as they’ll need to see it.

Secure enclave

No matter how secure you try to make an operating system, if its most precious secrets are being processed by the main CPU cores, an attacker will find a way to access them. The proven solution to this is to build in a separate part of the chip with its own processor, and isolate that from everything else – a secure enclave, with its own secure enclave processor, SEP, as patented by Apple 13 years ago.

Two Mac architectures have secure enclaves and SEPs: Intel Macs with T2 (and T1) chips, where the SEP is in the T2/T1, and Apple silicon Macs, where the SEP is an integral part of the chip. These handle several different security features, including biometrics in Touch ID, management of secure encryption keys including those for FileVault, and performing encryption and decryption for the internal SSD.

The SEP runs its own operating system, sepOS, thought to be a derivative of L4, and communicates with the rest of the chip using mailboxes. When the CPU needs something from the SEP, it posts a message in the SEP mailbox, then retrieves the response when the SEP has processed that request.

What could possibly go wrong?

Like all processors, the SEP can hit problems that it can only manage by a reset, and those will result in it panicking, which in turn provokes the kernel running on the CPU to panic. Those problems can result from anything from a hardware fault to a bug in sepOS.

The SEP in a T2 chip is also known to be vulnerable to some exploits including blackbird, which can be used to ‘jailbreak’ a device using checkra1n or with malicious intent.

Reading the SEP panic log

When a kernel panic is the result of a SEP panic, the panic log is different from normal, and contains considerable detail about the SEP and what went wrong with it. As usual, though, much of that information is cryptic to say the least.

The first line in the panic log confirms that the panic originated in the SEP
panic(cpu 1 caller 0xfffffe001f55e344): SEP Panic: […]

You’re then given the version of sepOS
Root task vers: AppleSEPOS-2772.140.4

Unfortunately, further down it disclaims knowledge of that
Firmware type: UNKNOWN SEPOS

The status of the SEP’s mailboxes are given
Mailbox status:
IDLE_STATUS: 0x00000008
INBOX0_CTRL: 0x00105601
OUTBOX0_CTRL: 0x00023301
and
Mailbox entries:
Unavailable
Mailbox queue pointers: […]

This is confirmed as a panic
Debugger message: panic

The version of macOS is given by build number, with details of the kernel running on the CPU
OS version: 24G90
Kernel version: Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:29 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6000
For a T2 chip, the kernel version given should be for a T8010
root:xnu-11417.140.69~1/RELEASE_ARM64_T8010

Apple silicon Macs should then confirm their iBoot versions, first the LLB (Stage 1) then iBoot Stage 2, and whether Secure Boot was used
iBoot version: iBoot-11881.140.96
iBoot Stage 2 version: iBoot-11881.140.96
secure boot?: YES

T2 SEPs don’t normally give an iBoot Stage 2 version, but provide information about the Intel (x86) host
iBoot Stage 2 version:
secure boot?: YES
roots installed: 0
x86 EFI Boot State: 0xe
x86 System State: 0x0
x86 Power State: 0x0
x86 Shutdown Cause: 0x5
x86 Previous Power Transitions: 0x20002000200
PCIeUp link state: 0x94721611

Information is provided about the task running on the CPU, which should normally be the kernel
Panicked task 0xfffffe1fb0037248: 0 pages, 654 threads: pid 0: kernel_task

Towards the end of the panic log are details about kernel extensions. In SEP panics, that includes the SEP Manager
Kernel Extensions in backtrace:
com.apple.driver.AppleSEPManager(1.0.1)[UUID]@0xfffffe001f5366e0->0xfffffe001f566a63
and
last started kext at 242997189818: com.apple.iokit.SCSITaskUserClient 500.120.2 (addr 0xfffffe001ce0f6a0, size 2206)
loaded kexts:
In the list of loaded kernel extensions that follows, ensure there are no third-party entries, unless your Mac is expected to load them.

Actions

Although you should take a SEP panic seriously, there’s no need to panic yourself. This doesn’t mean that your Mac’s SEP has died, has been attacked by malware, or has released all the secrets it protects. A single panic in isolation could well just be chance, and not indicative of anything serious.

Provided that your Mac starts up correctly and then runs normally, your only essential task is to ensure that you capture and keep a copy of the panic log. If you wish, you can run hardware Diagnostics, but I doubt whether that performs any specific test intended to detect problems in the SEP. If you have potentially problematic peripherals, or any third-party kernel extensions, then you should take the hint and try to eliminate them.

If your Mac suffers any further kernel panics, capture their panic logs, and contact Apple Support with those to hand. Alternatively, book your Mac into an Apple store or authorised service provider for them to check it out for you.

Summary

• SEP panics are exceedingly rare, but are readily identified from the first line of the panic log.
• Ensure you copy and save a copy of the panic log.
• Much of the panic log will appear meaningless, but there is some information about version numbers and kernel extensions that may be helpful.
• Follow the normal recommendations, considering hardware diagnostics, and updating/removing potentially troublesome peripherals and third-party kernel extensions.
• If there are any further panics, capture those and obtain support from Apple.

References

How to deal with a kernel panic (this blog)
Apple, Platform Security Guide
Manu Gulati, Michael J Smith and Shu-Yi Yu, US Patent 8,832,465 B2, Security enclave processor for a system on a chip, filed 25 September 2012, granted 9 September 2014.
Tarjei Mandt, Mathew Soling and David Wang (2016), Demystifying the Secure Enclave Processor, Black Hat USA 16 (PDF)
Blackbird SEP exploit, Apple Wiki.

I’m very grateful to Joe, Marc and another for sharing their SEP panic logs.

I hope that you enjoyed Saturday’s Mac Riddles, episode 322. Here are my solutions to them.

1: It’s about evolution, and open source for 25 years.

Click for a solution

Darwin

It’s about evolution (when Steve Jobs announced Darwin as open source in 1999, he said this to link it with Charles Darwin), and open source for 25 years (first released as open source in 2000, and still being posted on GitHub). (Darwin consists of the open source components in macOS, and includes its kernel.)

2: If the kernel isn’t Unix, this is it.

Click for a solution

XNU

If the kernel isn’t Unix, this is it (XNU is the open source kernel within Darwin, and is available as part of the GitHub distribution. Its name is an abbreviation for X isn’t Unix).

3: Mud puddles in Pittsburgh misheard as the basis for 2.

Click for a solution

Mach

Mud puddles in Pittsburgh misheard (it was originally intended to be called Muck in honour of these, but was misheard and incorrectly written down as Mach) as the basis for 2 (the Mach microkernel, developed by Richard Rashid and Avie Tevanian, formed the basis of XNU. Tevanian went on to work at Apple, then NeXT, where he designed NeXTSTEP).

The common factor

Click for a solution

They are all open source elements in macOS.

I look forward to your putting alternative cases.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: It’s about evolution, and open source for 25 years.

2: If the kernel isn’t Unix, this is it.

3: Mud puddles in Pittsburgh misheard as the basis for 2.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

hwhtj: 求一个远程控制 mac 的软件，前提使用过 todesk 、rustdesk,各种问题
控制端大多数情况是 windows,被控端是 mac mini.使用过
todesk 免费版总是服务器繁忙
rustdesk 则是无法使用键盘

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5311. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds eight new detection rules, for MACOS.BANSHEE.MA, MACOS.BANSHEE.MA2, MACOS.SOMA.GEGO, MACOS.POSEIDON.B, MACOS.TIMELYTURTLE.FUNA, MACOS.TIMELYTURTLE, MACOS.TIMELYTURTLE.INDRBYSE and MACOS.TIMELYTURTLE.INDR. Banshee, Poseidon and TimelyTurtle are new names in XProtect’s Yara rules.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5311

Sequoia and Tahoe systems only

This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5311 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

I hope that you enjoyed Saturday’s Mac Riddles, episode 321. Here are my solutions to them.

1: Where to sell an image of the Knolls in a two-year exclusive.

Click for a solution

Photoshop

Where to sell (a shop) an image (a photo) of the Knolls (originally developed by brothers Thomas and John Knoll, and licensed by Adobe) in a two-year exclusive (from February 1990 until its release on Windows in November 1992, it was exclusive to Mac).

2: Rembrandt, Claude Monet, JMW Turner and Corel.

Click for a solution

Painter

Rembrandt, Claude Monet, JMW Turner (all three were painters) and Corel (originally released in 1991 by Fractal Design, Painter was eventually bought by Corel).

3: One of the first two, it could be beige acrylic and written by Bill.

Click for a solution

MacPaint

One of the first two (together with MacWrite, it was one of the two apps bundled with the 128K Mac), it could be beige acrylic (paint the same colour as the 128K Mac) and written by Bill (Atkinson, 1951-2025, who wrote the app).

The common factor

Click for a solution

They have all been major raster graphics editors on the Mac.

I look forward to your putting alternative cases.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Where to sell an image of the Knolls in a two-year exclusive.

2: Rembrandt, Claude Monet, JMW Turner and Corel.

3: One of the first two, it could be beige acrylic and written by Bill.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

XProtect is the front-line tool in macOS for detecting known malware. When a downloaded app is run for the first time and put through Gatekeeper checks, those rely on detection rules defined in the XProtect.yara file inside the XProtect bundle in /System/Library/CoreServices. Those are updated periodically to extend their coverage as new malware is detected and analysed by Apple’s security engineers. This article looks at how they have changed over the last six years.

My starting point is XProtect version 2103 released on 2 May 2019, in the heyday of macOS 10.14.4 Mojave. That contains a total of 92 rules in a text file of 42,903 bytes, for an average rule size of 456 bytes. Among those are many old chestnuts such as Bundlore.

My end point is version 5310 released this week, on 12 August 2025, for macOS 15.6 Sequoia and earlier. That contains a total of 372 rules in a text file of 969,662 bytes, giving an average rule size of 2,572 bytes. Still among those are the same old chestnuts including Bundlore.

Thus the number of rules is now 4 times what it was six years ago, and they take over 22 times as much space.

For the period up to the end of 2023, I have analysed XProtect’s Yara file in updates every 6 months, in May and November, or the closest update available. From the start of 2024 updates became more frequent, and I have therefore analysed the last update in each month. In late 2024, XProtect in macOS Sequoia started using iCloud to deliver its XProtect data updates. For this analysis I have excluded version 5273, which was only released via iCloud and wasn’t provided through the regular softwareupdate route used by all previous versions.

The number of Yara rules increased steadily until updates became more frequent in 2024, following which there was a very steep rise early that year. Since then they have continued to rise more steeply than before 2024, but now appear more linear, as seen in the red line of regression. Over this period, hardly any Yara rules have been removed.

Total size of the Yara file has followed a similar pattern, with little change until the start of 2024. It then peaked briefly before reducing slightly, pausing a little, then undergoing a step increase from 288 KB to 877 KB. Growth has been steadier for the last year, although it appears to be on track to reach 1 MB in 2026.

Average size of Yara rules changed little between 2021-2023, but increased greatly with the addition of some very large rules in June-July 2024. It has since declined slowly, as more recent rules have been far smaller.

This prodigious growth in the number of Yara rules and their size has inevitably had its effect on the time taken to complete Gatekeeper checks that include XProtect scans. macOS Tahoe has been promised to limit that, by not scanning notarized apps with XProtect, so improving app launch times.

Given that remarkably few old Yara rules have been removed over the last six years, this growth has been inevitable. However, unless old malware is incapable of being run on Macs still supported by XProtect updates, it’s hard to see how it could be safe to remove old rules. When support for running x86 code (except that for “older unmaintained gaming titles”) is dropped from macOS 28, many older Yara rules could be dropped from XProtect updates without putting Apple silicon Macs at risk, but even that isn’t an easy decision. In the meantime, at least our faster Macs should be able to complete XProtect scans more quickly.

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5310. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds a single new detection rule for MACOS.SOMA.AUENA, further extending its coverage of Soma/Amos.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5310

Sequoia systems only

This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5310 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

I hope that you enjoyed Saturday’s Mac Riddles, episode 320. Here are my solutions to them.

1: What ET wants is a call coming to the Mac.

Click for a solution

Phone

What ET wants (to phone home) is a call (a phone call) coming to the Mac (macOS Tahoe is bringing the Phone app).

2: A glass to enlarge among the liquid.

Click for a solution

Magnifier

A glass (a magnifying glass) to enlarge (what it does) among the liquid (Tahoe’s Liquid Glass interface feature).

3: Daybook you might already have started elsewhere.

Click for a solution

Journal

Daybook (a journal) you might already have started elsewhere (it was released in iOS 17.2, and is coming to macOS in Tahoe).

The common factor

Click for a solution

They are all new apps coming to macOS 26 Tahoe.

I look forward to your putting alternative cases.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: What ET wants is a call coming to the Mac.

2: A glass to enlarge among the liquid.

3: Daybook you might already have started elsewhere.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5309, and to XProtect Remediator for all macOS from Catalina onwards, to version 153. As usual, Apple doesn’t release information about what security issues these updates might add or change.

Yara definitions in this version of XProtect add a single new detection rule for MACOS.SOMA.JUENB, part of the Soma/Amos family.

XProtect Remediator doesn’t change the list of scanner modules.

There are extensive changes to the Bastion rules, which add a new definition for common system binaries, extend Rule 1 coverage to include support folders for more browsers, tweak Rules 3 and 14-17, and add new Rules 18-24.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-153 and XProtectPlistConfigData_10_15-5309.

Sequoia and Tahoe systems only

The XProtect update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5304 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

I hope that you enjoyed Saturday’s Mac Riddles, episode 319. Here are my solutions to them.

1: Successor to 3 inside a scheme was part of a popular atelier.

Click for a solution

InDesign

Successor to 3 (Adobe developed it to replace the ailing PageMaker) inside (in) a scheme (a design) was part of a popular atelier (for many years it was one of the leading apps in Adobe’s Creative Studio).

2: High speed subatomic particle took the lead in the 1990s.

Click for a solution

QuarkXPress

High speed (express) subatomic particle (a quark) took the lead in the 1990s (by the mid-1990s it had taken around 90% of the desktop publishing market on Macs).

3: Creator of a squire’s assistant was the first, but died before Mac OS X.

Click for a solution

PageMaker

Creator (maker) of a squire’s assistant (a page) was the first (released in July 1985 for the Mac), but died before Mac OS X (by 2000, it was moribund as Adobe was replacing it with InDesign, released in 1999, and it was never ported to Mac OS X).

The common factor

Click for a solution

They have all been leading desktop publishing apps for Macs.

I look forward to your putting alternative cases.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Successor to 3 inside a scheme was part of a popular atelier.

2: High speed subatomic particle took the lead in the 1990s.

3: Creator of a squire’s assistant was the first, but died before Mac OS X.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

This week’s dive into RunningBoard tackles one of the central questions: this subsystem repeatedly uses the term assertion, but what are these assertions, and how does RunningBoard handle them?

In computing, assertions may have their origin in hardware verification languages like Verilog, where they’re used to state required conditions in declarative form. They appear to have entered macOS through the background service assertiond, which made a name for itself as a killer of processes and apps. Power assertions have been noted in the log and elsewhere for at least the last decade, and are mentioned in IOPMLib, part of IOKit. Since macOS Catalina, assertions have been at the centre of RunningBoard, which remains essentially undocumented.

Developer app

To get a better idea of how assertions are used, I launched Apple’s Developer app on a Mac mini M4 Pro running macOS 15.5, and followed log entries for a period of over 14 seconds from the start of the launch process. Although RunningBoard’s job description records this app’s platform as 6, typical of a Catalyst app, in other log entries it’s claimed not to be a Catalyst app.

At an arbitrary start time of 01.126 seconds, LaunchServices decided to launch this app initially through CoreServicesUIAgent, which 0.04 seconds later requested RunningBoard to execute the launch request. This eventually led to a connection being initialised to FrontBoard Scene Manager, where the app was registered as a new scene, and activated.

Example assertion

FrontBoard set the process visibility to Foreground:
01.593239 com.apple.FrontBoard [app<application.developer.apple.wwdc-Release.9312198.9312203~>:2946] Setting process visibility to: Foreground

RunningBoard then announced it was acquiring a new assertion, giving its descriptor and the PID of the target process
01.593248 com.apple.runningboard Acquiring assertion: <RBSAssertionDescriptor| "com.apple.frontboard.after-life.subordinate" ID:(null) target:2946>
01.593288 com.apple.runningboard PERF: Received request from [osservice<com.apple.uikitsystemapp(501)>:748] (euid 501, auid 501) (persona (null)): acquireAssertionWithDescriptor:error:
01.593289 runningboardd acquireAssertionWithDescriptor

A fuller description followed, including the RunningBoard ID, and the attributes of the assertion
01.593324 com.apple.runningboard Acquiring assertion targeting [app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946] from originator [osservice<com.apple.uikitsystemapp(501)>:748] with description <RBSAssertionDescriptor| "com.apple.frontboard.after-life.subordinate" ID:424-748-2228 target:2946 attributes:[
<RBSDomainAttribute| domain:"com.apple.frontboard" name:"AfterLife-Subordinate" sourceEnvironment:"(null)">
]>

This assertion was made active, and RunningBoard stated how many assertions were currently targeting that process
01.593343 com.apple.runningboard Assertion 424-748-2228 (target:[app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946]) will be created as active
01.593389 com.apple.runningboard app<application.developer.apple.wwdc-Release.9312198.9312203(501)> is now targeted by 11 assertions

That triggered a state update for the process
01.593400 runningboardd state update

In this case, RunningBoard couldn’t do anything, so left the process’s assertions as they were
01.593461 com.apple.runningboard _checkForSuspendableAssertionCycle for app<application.developer.apple.wwdc-Release.9312198.9312203(501)> bailing out since it's not holding a suspendable assertion
01.593466 com.apple.runningboard Removing 0 assertions

This did, though, alter the inheritance of existing assertions
01.593556 com.apple.runningboard Process: [app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946] has changes in inheritances: {(
<RBSInheritance| environment:(none) name:com.apple.launchservices.userfacing origID:424-391-2215 0>,
<RBSInheritance| environment:(none) name:com.apple.launchservices.userfacing origID:424-391-2215 0>,
<RBSInheritance| environment:(none) name:com.apple.launchservices.userfacing origID:424-391-2214 0>,
<RBSInheritance| environment:(none) name:com.apple.frontboard.visibility origID:424-420-2216 0>
)}

This completed the acquisition of this assertion, and the process’s new state was calculated
01.593564 com.apple.runningboard Finished acquiring assertion 424-748-2228 (target:[app<application.developer.apple.wwdc-Release.9312198.9312203(501)>:2946])
01.593741 com.apple.runningboard Calculated state for app<application.developer.apple.wwdc-Release.9312198.9312203(501)>: running-active (role: UserInteractiveFocal) (endowments: <private>)

This was all accomplished in around 0.0005 seconds. FrontBoard then continued processing the app’s scene
01.593743 com.apple.FrontBoard Ingesting properties from UIApplicationSceneSettings...

RunningBoard assertion numbers are of the form 424-748-2228, where the second group 748 is the PID of the source of the assertion, and the third group 2228 is a sequential number.

Assertions recorded

• Assertion 424-620-2211 for LaunchServices to launch the app. For this, RunningBoard created its job description with its process ID of 2946, assigned it memory limits, stated the process will be managed, and stated it was running-active with a role of UserInteractive.
• Assertion 424-424-2212 RunningBoard Underlying Assertion. RunningBoard stated the process will be created as active, calculated its processStartTime, created a new RunningBoard Coalition with an ID of 4460, set its Jetsam priority to 0 (the lowest priority over memory use), and set its Darwin GPU to “deny”. Its state was given as running-interactive-NotVisible with a taskState of 4.
• Assertion 424-391-2213 foregroundApp 2946. This changed its role to UserInteractiveNonFocal, and was repeated in assertion 424-391-2214.
• Assertion 424-391-2215 frontmost 2946. RunningBoard changed it to running-active-NotVisible, with a Jetsam priority of 100 (extremely unlikely to be killed to free memory), and Darwin GPU to “allow”.
• Assertion 424-391-2217 LaunchServices notification. It was changed to running-active with a role of UserInteractiveFocal, handshaking took place with the process, and the launch request was recorded. Slightly later, RunningBoard announced it had started “death monitoring” of the process, in case its launch request was denied and the process was killed.
• Assertion 424-748-2218 FrontBoard Bootstrap Background. Following this, the process acquired its first power assertion ID 34241, outside of RunningBoard.
• Assertion 424-2946-2219 Shared Background Assertion
• Assertion 424-655-2220 File Coordination Claim, the first of a series of five similar assertions. For each, RunningBoard recorded Prevent Task Suspend, Prevent Task Throttle Down. After the last it checked for a Suspendable Assertion Cycle, then removed several assertions held for the process.
• Assertion 424-2946-2227 App Nap adapter assertion. RunningBoard then enabled and configured AppNap for the process, and set the AppNap state.
• Assertion 424-748-2228 FrontBoard AfterLife-Subordinate. This is the assertion detailed above.
• Assertion 424-748-2229 FrontBoard Visibility Workspace Foreground Focal. With this, RunningBoard set the process to running-active-Visible with taskState 4.
• Assertion 424-420-2230 App Drawing. Following that, storekitagent was running as PID 2947, accompanying the Developer app.
• Assertion 424-2946-2232 CFNetwork StorageDB.
• Assertion 424-2946-2233 System Animation Fence.
• Assertion 424-420-2234 App Visible. Following that, uikitsystemapp was drawing, presumably for the Developer app.
• Assertion 424-420-2236 FuseBoard Process Window State Visible.
• Assertion 424-2946-2238 system animation fence, which was repeated a total of five times.
• Assertion 424-2946-2244 Shared Background Assertion 1, following which were two more assertions for system animation fence.
• Assertion 424-2946-2247 com.apple.CFNetwork.StorageDB again.
• Assertion 424-655-2248 File coordination claim, repeated in Assertion 424-655-2250.

All these assertions were completed in 14 seconds.

Reading RunningBoard

As shown in the series of assertions recorded in the log for the Developer app, RunningBoard provides a detailed account of milestones through the launch and early running of this app, covering much other than its security and TCC activity.

This starts with a job description containing a great deal of useful information about the app, when it’s neither visible nor focal. At that stage it’s given a minimal Jetsam priority, putting it in the front line to be forcibly quit if memory was short, and it’s denied access to the GPU. As launch proceeds, its Jetsam priority is raised to 100 and it’s allowed GPU access. Its role is then changed to UserInteractiveFocal, its window management is handled by FrontBoard and it becomes visible, and able to undergo AppNap. Two supporting services are engaged, storekitagent to handle its data, and uikitsystemapp to draw its interface.

Once the novelty of RunningBoard had worn off, I had come to consider its incessant chatter in the log as a distraction. However, a log extract obtained with the subsystem set to com.apple.runningboard provides a detailed account of events during an app’s life cycle, without the nuisance of privacy censorship, or the app having to make its own log entries.

Key points for close reading of the log

• Set a predicate for obtaining log entries for the com.apple.runningboard subsystem, and initially filter entries on Acquiring assertion in the Messages field.
• Identify the Process ID of interest.
• Track assertion descriptions, giving the reason for each assertion.
• Note assertion IDs, and interpret them with the aid of the PID given in their second number field.
• Follow assertions for linked processes through their PIDs.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Total banker’s order quickly verifies integrity.

2: 1 broke by 2005, 2 is still cryptographic, 3 is even better, but not in Iran.

3: Missing from …MNOPQTUVW… but present in CD.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5305. As usual, Apple doesn’t release information about what security issues this update might add or change.

This version adds a single new rule for MACOS.SOMA.JLEN, part of the Amos/Soma family of malware.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5305

Sequoia systems only

This update has already been released for Sequoia via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5305 but your Mac still reports an older version is installed, you may be able to force the update using
sudo xprotect update

I hope that you enjoyed Saturday’s Mac Riddles, episode 316. Here are my solutions to them.

1: From PageRank and 10^100 to a set of letters.

Click for a solution

Google

From PageRank (Google Search was founded on the patented PageRank algorithm for ranking search results) and 10^100 (its name is derived from the very large number googol, 10 to the power of 100) to a set of letters (in 2015 it restructured under the ownership of Alphabet Inc.).

2: A hooligan went from directory to search then declined into finance and news.

Click for a solution

Yahoo!

A hooligan (a yahoo) went from directory (it started as a curated web directory) to search (followed by a search engine) then declined into finance and news (what now remains).

3: After changing name three times, this directory has gone wavy.

Click for a solution

DMOZ

After changing name three times (originally GnuHoo, it then became NewHoo, almost ZURL, next Open Directory Project, before becoming DMOZ), this directory (it was a human-curated web directory) has gone wavy (DMOZ was superseded by Curlie in 2018).

The common factor

Click for a solution

They have been web directories or search engines.

I look forward to your putting alternative cases.

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: From PageRank and 10^100 to a set of letters.

2: A hooligan went from directory to search then declined into finance and news.

3: After changing name three times, this directory has gone wavy.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

This week’s security data updates were quite a surprise. We’ve grown accustomed to Apple tweaking XProtect’s data most weeks, but this week was a bit different, and came with an update to XProtect Remediator as well, the first in four months. This article explores what they have brought.

Although this security data all goes under the name of XProtect, there are three different protection systems involved.

The traditional XProtect contains a set of ‘Yara’ rules used when performing Gatekeeper scans of new executable code, most notably when a quarantined app is first run, although recent macOS also runs XProtect checks on other occasions. Those rules are used to determine whether the code being scanned is known to be malicious, and if it’s found to be positive, macOS refuses to run that code and you’re told to trash the app.

XProtect Remediator only runs in Catalina and later, where it performs daily background scans to detect and remove software it believes to be malicious. It currently contains 24 separate scanning modules, each designed to detect and ‘remediate’ a different family of malware. Some of its modules also use the detection rules in traditional XProtect, so are improved by regular XProtect data updates. Surprisingly, if XProtect Remediator detects and removes malware, you aren’t notified, although that is recorded in the log and reported as an Endpoint Security event that can be detected by some third-party security software.

Inside the XProtect Remediator app are two files used by the third XProtect, which detects potentially malicious activity such as tampering with parts of a browser’s files. This is therefore referred to as XProtect Behavioural, or by the name it gives to the detection rules it uses, Bastion. Unlike the other two XProtects, this doesn’t rely on performing static checks, but is watching constantly for malicious activity. Although it records that in its local database, at present it doesn’t inform the user, but reports the activity to Apple, to help it acquire intelligence to improve the battle against malware.

XProtect

XProtect version 5304, provided by Apple on 8 July, makes substantial changes to its Yara detection rules to add what appears to be a new family of malware, code-named Bonzai. New rules refer to five different forms, which are most likely to be different components in the same malware, or separate variants, named Bonanza, Barricade, Blaster, Bonder and Banana. It’s likely that independent security researchers will identify these in the coming days, but for the moment the public name of this malware isn’t known.

Looking through these new Yara rules, they look most likely to be for a ‘stealer’, a type of malware that’s currently prevalent, and steals your secrets to send them to a remote server. There are references to Chrome, Brave, Edge and Firefox extensions, and most interestingly some of the malware has been compiled from code written in the Go language, which is becoming popular in cross-platform malicious code.

The last times that Apple added detection rules as substantial as these were in XProtect version 5284 for Adload and Bundlore, and in 5269 for Dolittle, each being major threats.

Bastion

Until now, the behavioural rules used by Bastion have evolved steadily, and the most rules added in one release has only been two, when XProtect Remediator version 123 came with rules 8 and 9, and changes to rule 7, back in January 2023. This update brings four new rules:

• Rule 14 detects sending AppleEvents to Safari, Firefox or Chrome.
• Rule 15 detects sending AppleEvents to the Finder or Terminal.
• Rule 16 detects Mach lookups for com.apple.pasteboard.1.
• Rule 17 detects writing shell files hidden in ~/ or /etc, such as ~/.zlogin, or /etc/zlogin.

The first two may be intended to detect AppleScript being used to control those browsers, the Finder or to run scripts in Terminal. Rule 16 may also be related to Apple’s recent announcement on controlling access to the pasteboard in macOS 26. Rule 17 concerns settings files commonly used by command shells, readily seen if you reveal hidden files for your Home folder.

These may well be related to Bonzai, and enable Apple to get a better idea of what is going on out here in the wild, and focus its efforts in improving its detection.

XProtect Remediator

Once samples of malware have been obtained, developing and testing new Yara rules to detect it is relatively quick, and often uses AI to accelerate the process. Writing a new scanning module for XProtect Remediator is more complicated, and takes more time. It may well be that an additional Bonzai scanner is already on its way, and might be delivered in a further update in the next couple of weeks, perhaps with some fine-tuning of the new Bastion rules. I’ll be keeping a lookout for those.

Above all, it will be interesting to see what changes are made in third-party security software, and how well those tackle what appears to be novel malware for macOS.

As Macs are computers, when they become overloaded with demands on their resources, they can slow down to a crawl. When Apple was developing its first iPhone it realised that wouldn’t work with a phone, so built safeguarding systems into iOS to ensure their continuing smooth function. When Apple was preparing for the transition from Intel Macs to using its own chips, it decided to bring similar safeguards to the management of their resources. These arrived in macOS 10.15 Catalina with the introduction of RunningBoard.

Launching apps in macOS had become increasingly complex, and required more than just running the executable using launchd. For an app to have its GUI, the code it uses has to be wired up with parts of macOS that run the GUI such as WindowServer. When it’s launched, its window(s) have to be created and brought into focus, in front of other windows. It needs its preference file opened, to be added to the Recent Items list, and for a list of its recently opened documents to be made available to its Open Recent menu command. Those latter services have been provided by LaunchServices, and to enable them it maintains a database of exhaustive details about every app it knows.

Prior to Catalina, it was LaunchServices that coordinated many of these aspects of launching an app from the Finder. Since then it has been handing more over to RunningBoard, while retaining many of its functions. RunningBoard has come to monitor and manage the entire life cycle of apps, from launch to exit. For regular macOS apps, its life cycle management remains supervisory, but for some, including Catalyst apps and those built for iPadOS, RunningBoard can manage and control their allocation of resources such as memory and access to the GPU.

As one of the newer and more pervasive services in macOS, RunningBoard writes a lot of detail in the log, indeed it’s garrulous almost to the point of excess. Although Apple documents almost nothing about its background service runningboardd except stating that it’s “a daemon that manages process assertions to ensure those processes are kept in the appropriate state while assertions are in effect”, and its information about LaunchServices is terse and largely deprecated, we can learn a great deal from the log.

I’ll start this series of articles by explaining how RunningBoard first gets involved in launching an application. I have recently summarised its key stages in the following diagram.

Here, for the sake of simplicity, I’m going to ignore the security side completely, so we’ll assume this app isn’t quarantined, has been run recently in this session, is notarised, and hasn’t changed its CDHashes since it was last run.

As soon as LaunchServices is informed of the action to open the app, it announces it will be launched through RunningBoard, a change from its previous behaviour in Catalina, where LaunchServices did more of the work at the start of the launch process. RunningBoard receives the launch request from CoreServices, and ‘acquires’ an ‘assertion’ targeting the app, with a description to launch the app in a User Interactive role.

RunningBoard works using these assertions, a type of declaration of an intention or intended event. Its next major task is to create a job description, which it helpfully writes to the log as a dictionary. This is a mine of useful information, and has replaced the copious data compiled by LaunchServices in the past. This includes:

• a dictionary of Mach services
• whether Pressured Exit is enabled
• a full listing of environment variables, such as TMPDIR, SHELL, PATH
• RunningBoard properties including another TMPDIR
• whether to materialise dataless files.

A full example is given in the Appendix at the end. If you ever want to obtain a similar summary for an app, just launch it and inspect log entries from the com.apple.runningboard subsystem for the first second or two after launch.

Shortly after that launchd announces that it will start (spawn) the app, and the user ID (UID) is obtained by OpenDirectory, confirming that ‘divined’ earlier by RunningBoard. This allows launchd to complete spawning the app, and RunningBoard to decide whether it will be managed, in terms of memory and other resources. RunningBoard goes through further preparations before declaring whether the process is subject to GPU, CPU or memory limits.

LaunchServices creates the ‘pending’ application, and a new LSApplication object for it. But it also expects the imminent death of the app, in two entries that might appear surprising:
com.apple.launchservices DEATH: Expecting to hear about the death of app App:"AsmAttic" asn:0x0-5b05b pid:3083 refs=4 @ 0x55402ae00, adding to sRunningBoardDeathNotificationsSetRef (pid=3083}.
com.apple.launchservices DEATH: Listening for death via runningboard notification for pending application, pid=3083.

Its fears are unfounded, though, and RunningBoard continues to receive assertions as the launch proceeds. Eventually you should see log entries confirming success:
com.apple.launchservices LAUNCH: Starting application with ASN 0x0-0x5b05b co.eclecticlight.AsmAttic because it was launched and still stopped.
com.apple.processmanager LAUNCH: 0x0-0x5b05b co.eclecticlight.AsmAttic starting stopped process.
com.apple.launchservices LAUNCH: Sending 0x0-0x5b05b 3083 co.eclecticlight.AsmAttic a SIGCONT to get process started ( it was launched in the stopped state )

This is the cue for launchd to ‘uncork’ the executable and create the process
launchd pid/3083 [AsmAttic] uncorking exec source upfront
launchd pid/3083 [AsmAttic] created

After that, you should see log entries from the app at last, retrieving the UID and loading its preferences
AsmAttic Retrieve User by ID
AsmAttic Loading Preferences From User CFPrefsD

Key points

• RunningBoard monitors and may manage the life cycle of apps, from launch to exit, and does so by acquiring assertions about the app’s status.
• RunningBoard now plays an active part in app launch, and fills the log with its entries.
• Soon after the start of the launch process, its job description is a mine of useful information about the app being launched.
• It’s normal for app launch entries to expect the app’s imminent death before it’s launched successfully.
• Don’t be surprised or concerned to see RunningBoard mentioned in early crash reports.

Appendix: Example RunningBoard job description

<dictionary: 0x896c7dda0> { count = 23, transaction: 0, voucher = 0x0, contents =
“Platform” => <int64: 0x9f2093afcb6817e7>: 1
“ProcessType” => <string: 0x896c70de0> { length = 3, contents = “App” }
“EnableTransactions” => <bool: 0x1fd757390>: false
“_ManagedBy” => <string: 0x896c72490> { length = 22, contents = “com.apple.runningboard” }
“CFBundleIdentifier” => <string: 0x896c729a0> { length = 25, contents = “co.eclecticlight.AsmAttic” }
“_ResourceCoalition” => <string: 0x896c71740> { length = 61, contents = “app<application.co.eclecticlight.AsmAttic.753771.753789(501)>” }
“_DisablePointerAuth” => <bool: 0x1fd757370>: true
“ThrottleInterval” => <int64: 0x9f2093ac3497e817>: 2147483647
“MachServices” => <dictionary: 0x89696b120> { count = 0, transaction: 0, voucher = 0x0, contents =
}
“EnablePressuredExit” => <bool: 0x1fd757390>: false
“LimitLoadToSessionType” => <array: 0x896c70c90> { count = 2, capacity = 8, contents =
0: <string: 0x896c71680> { length = 4, contents = “Aqua” }
1: <<string: 0x896c71920> { length = 11, contents = “LoginWindow” }
}
“InitialTaskRole” => <int64: 0x9f2093afcb6817ff>: 2
“EnvironmentVariables” => <dictionary: 0x896c7e220> { count = 12, transaction: 0, voucher = 0x0, contents =
“__CF_USER_TEXT_ENCODING” => <string: 0x896c72df0> { length = 13, contents = “0x1F5:0x0:0x2” }
“TMPDIR” => <string: 0x896c722e0> { length = 49, contents = “/var/folders/x4/x00kny5x0_5dsnmmxhtw6hc80000gn/T/” }
“SHELL” => <string: 0x896c715f0> { length = 8, contents = “/bin/zsh” }
“HOME” => <string: 0x896c72370> { length = 14, contents = “/Users/hoakley” }
“SSH_AUTH_SOCK” => <string: 0x896c71b60> { length = 51, contents = “/private/tmp/com.apple.launchd.kofHVtGWoW/Listeners” }
“LOGNAME” => <string: 0x896c723d0> { length = 7, contents = “hoakley” }
“PATH” => <string: 0x896c70ae0> { length = 29, contents = “/usr/bin:/bin:/usr/sbin:/sbin” }
“XPC_SERVICE_NAME” => <string: 0x896c71560> { length = 16, contents = “com.apple.Finder” }
“__CFBundleIdentifier” => <string: 0x896c72c10> { length = 25, contents = “co.eclecticlight.AsmAttic” }
“COMMAND_MODE” => <string: 0x896c72070> { length = 8, contents = “unix2003” }
“USER” => <string: 0x896c726a0> { length = 7, contents = “hoakley” }
“XPC_FLAGS” => <string: 0x896c725e0> { length = 3, contents = “0x0” }
}
“_AdditionalProperties” => <dictionary: 0x896c7e100> { count = 1, transaction: 0, voucher = 0x0, contents =
“RunningBoard” => <dictionary: 0x896c7eb20> { count = 4, transaction: 0, voucher = 0x0, contents =
“TMPDIR” => <string: 0x896c72820> { length = 49, contents = “/var/folders/x4/x00kny5x0_5dsnmmxhtw6hc80000gn/T/” }
“HOME” => <string: 0x896c72430> { length = 14, contents = “/Users/hoakley” }
“RunningBoardLaunchedIdentity” => <dictionary: 0x896c7f1e0> { count = 5, transaction: 0, voucher = 0x0, contents =
“AJL” => <string: 0x896c727c0> { length = 51, contents = “application.co.eclecticlight.AsmAttic.753771.753789” }
“TYPE” => <int64: 0x9f2093afcb6817e7>: 1
“AUID” => <uint64: 0x9fa093afcb681847>: 501
“EAI” => <string: 0x896c717d0> { length = 25, contents = “co.eclecticlight.AsmAttic” }
“PLAT” => <uint64: 0x9fa093afcb6817e7>: 1
}
“RunningBoardLaunched” => <bool: 0x1fd757370>: true
}
}
“ExitTimeOut” => <int64: 0x9f2093afcb6817e7>: 1
“Label” => <string: 0x896c70ea0> { length = 51, contents = “application.co.eclecticlight.AsmAttic.753771.753789” }
“WaitForDebugger” => <bool: 0x1fd757370>: true
“MaterializeDatalessFiles” => <bool: 0x1fd757370>: true
“WorkingDirectory” => <string: 0x896c72760> { length = 1, contents = “/” }
“_LaunchType” => <int64: 0x9f2093afcb6817f7>: 3
“AbandonProcessGroup” => <bool: 0x1fd757370>: true
“ProgramArguments” => <array: 0x896c71080> { count = 1, capacity = 8, contents =
0: <string: 0x896c716b0> { length = 50, contents = “/Applications/AsmAttic.app/Contents/MacOS/AsmAttic” }
}
“Program” => <string: 0x896c71c20> { length = 50, contents = “/Applications/AsmAttic.app/Contents/MacOS/AsmAttic” }
}