Apple has just released major updates to XProtect and XProtect Remediator

By: hoakley
9 July 2025 at 02:45

Apple has just released updates to XProtect for all supported versions of macOS, bringing it to version 5304, and to XProtect Remediator for all macOS from Catalina onwards, to version 152. As usual, Apple doesn’t release information about what security issues these updates might add or change.

Yara definitions in this version of XProtect add two private rules: Shebang, to match shell scripts by their ‘shebang’ line, and _golang_macho, to match Mach-O binaries compiled by Golang. There are also 19 new rules for a novel family of what appear, from the name BONZAI, to be stealers, including MACOS.BONZAIBONANZA.AUTO, MACOS.BONZAIBONANZA.TAAP, MACOS.BONZAIBONANZA.TAFI, MACOS.BONZAIBONANZA.VACA, MACOS.BONZAIBONANZA.VASN, MACOS.BONZAIBONANZA.FU, MACOS.BONZAIBONANZA.SC, MACOS.BONZAIBARRICADE.PE, MACOS.BONZAIBARRICADE.PA, MACOS.BONZAIBARRICADE.KE, MACOS.BONZAIBLASTER.FU, MACOS.BONZAIBLASTER, MACOS.BONZAIBLASTER.TA, MACOS.BONZAIBONDER.SO, MACOS.BONZAIBONDER.PE, MACOS.BONZAIBONDER.TEPL, MACOS.BONZAIBONDER.LA, MACOS.BONZAIBONDER.FU, and MACOS.BONZAIBANANA.

XProtect Remediator doesn’t change the list of scanner modules.

There are changes to the list of paths in Bastion rule 2, and four new Bastion rules, 14-17. These cover sending AppleEvents to browsers, the Finder and Terminal, mach-lookup of com.apple.pasteboard.1, and writing to a long list of shell-related hidden directories in the user’s Home folder.

These are probably the greatest changes to XProtect’s Yara rules and Bastion rules for more than a year.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight and SystHist for El Capitan to Tahoe, both available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight or at the command line.

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-152 and XProtectPlistConfigData_10_15-5304.
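For anyone who would rather check a fleet from a script than open System Information, here is an added example (not from this post, nor from SilentKnight) that reads the version string from each component’s Info.plist and compares it with the versions named above. The bundle paths are assumptions about where macOS keeps XProtect and XProtect Remediator; the sample plist is constructed so the parser can be exercised on any system.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed locations of the two
# components on macOS; adjust if your installation differs.
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
XPREMEDIATOR_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist"

# Versions the post reports for this update.
EXPECTED_XPROTECT=5304
EXPECTED_REMEDIATOR=152

# Constructed sample of the relevant part of an Info.plist, used to show the
# parser working offline; it is not a copy of any real Apple file.
SAMPLE_PLIST='<plist version="1.0"><dict>
	<key>CFBundleShortVersionString</key>
	<string>5304</string>
</dict></plist>'

# Read a plist (XML form) on stdin and print CFBundleShortVersionString. The key
# and its value sit on consecutive lines, so sed prints the line after the key
# with the <string> tags and surrounding whitespace stripped.
plist_short_version() {
    sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}'
}

# Compare a plain integer version with the expected one. Prints "current",
# "stale", or "unknown" when the installed value is empty or not an integer.
version_status() {
    installed="$1"; expected="$2"
    case "$installed" in
        ''|*[!0-9]*) echo "unknown"; return ;;
    esac
    if [ "$installed" -ge "$expected" ]; then echo "current"; else echo "stale"; fi
}

# Report on one component: name, installed version, and status. A missing or
# unreadable plist yields "unknown" rather than aborting the script.
report_component() {
    name="$1"; plist="$2"; expected="$3"
    installed=""
    if [ -r "$plist" ]; then
        installed=$(plist_short_version < "$plist" || true)
    fi
    echo "$name: installed=${installed:-none} expected=$expected status=$(version_status "$installed" "$expected")"
}

echo "sample parse: $(printf '%s\n' "$SAMPLE_PLIST" | plist_short_version)"
report_component "XProtect" "$XPROTECT_PLIST" "$EXPECTED_XPROTECT"
report_component "XProtect Remediator" "$XPREMEDIATOR_PLIST" "$EXPECTED_REMEDIATOR"
```

On a Mac that has not yet received the update, the report shows "stale" for the lagging component; on any other system the bundle paths are absent and both report "unknown".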

Sequoia and Tahoe systems only

The XProtect update has already been released for Sequoia and Tahoe via iCloud. If you want to check it manually, use the Terminal command
sudo xprotect check
then enter your admin password. If that returns version 5304 but your Mac still reports that an older version is installed, you may be able to force the update using
sudo xprotect update