El Capitan’s XProtect extends its coverage beyond simple malware, to block a long list of incompatible kernel extensions (KEXTs), and a shorter list of undesirable Safari extensions which I detailed here.
The list of blocked kernel extensions is split between Incompatible Kernel Extension Configuration Data, kept in /System/Library/Extensions/AppleKextExcludeList.kext, and XProtectPlistConfigData. The former data is seldom updated, and currently remains at version 3.30.1 of 5 April 2016. XProtectPlistConfigData changes more frequently, the last update being on 9 July 2016, but its version number seems fixed at 1.
Kernel extensions are vital – they include all the main hardware drivers which make your Mac work – but because they operate so close to the kernel, are an Achilles heel. Even simple conflicts can make a Mac unusable, and a malware kernel extension would be catastrophic. Objective-See’s KnockKnock is an excellent tool for inspecting your extensions, and checking that they are all above board.
Listed known kernel panics
These kernel extensions are generally old – most first caused problems in OS X Mavericks – and El Capitan should stop them from occurring, by blocking the incompatible extension.
MediaTek RT2870 USB Wireless Driver normally installed at /System/Library/Extensions/RT2870USBWirelessDriver.kext the extension known as
com.Ralink.driver.RT2870USBWirelessDriver versions 4.1 to 4.2
Norton Internet Security Firewall Plugin normally at /Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/PlugIns/SymFirewall.bundle/Contents/Resources/SymFirewall.kext the extension known as
com.symantec.kext.fw versions 5.0 to 5.2.
Razer Device Driver normally installed at /System/Library/Extensions/RazerHid.kext the extension known as
com.razer.common.razerhid version 6.25
Sophos Anti-Virus on-access scanner: old versions of the virus scanner known as
com.sophos.kext.sav versions 8 to 9.1. The files which cause the conflict are installed at /Library/Sophos Anti-Virus/InterCheck.app/Contents/Resources/Sophos Anti-Virus.kext and /Library/Extensions/SophosOnAccessInterceptor.kext.
Tuxler: version 1 of the Tuxler VPN app known as
com.osxkernel.tuxlerext version 1.0. This consists of /System/Library/Extensions/tuxlerext.kext, /System/Library/ExtensionTuxler/tuxlerext.kext, /Library/LaunchAgents/com.apple.tuxler.plist, /Library/LaunchDaemons/com.apple.tuxlerext.plist and the app itself /Applications/Tuxler.app.
Excluded kernel extensions
XProtect should prevent the following kernel extensions, known by their bundle identifiers, from loading, because of known issues. Again they are generally quite old versions now, although they could still come across when migrating from an old OS X installation.
at.obdev.nke.LittleSnitch – LE 4041 – Little Snitch kernel panics, fixed
com.AmbrosiaSW.AudioSupport – LE 4.0.0 – Ambrosia Software Audio Support
com.apple.driver.AppleHWAccess – LE 1.1 – an old Apple driver
com.apple.driver.LuaHardwareAccess – LE 1.0.13 – an old Apple driver to support the language Lua
com.baltaks.driver.DoubleCommand – LE 1.6.9 – old keyboard remapper
com.BT.kext.bpkkext – LE 1.0.0 – Blazing Tools Perfect Keylogger
com.contentwatch.ghoti.NARCPacketInterceptor – LE 1 – an old security tool
com.coresystems.driver.DirectHW – LE 9999 – old open source tools to provide hardware functions on x86 systems
com.Creative.driver.TruStudioPCUSBAudioPlugin – LE 2.2.4 – Sound Blaster Omni Surround system
com.eltima.SyncMate.kext – LE 0.2.5b15 – old Eltima SyncMate support
com.getgreenbytes.driver.zfs – LE 2012.09.14 – old support for zfs file system
com.getgreenbytes.filesystem.zfs – LE 2012.09.23 – old support for zfs file system
com.kaspersky.kext.kimul.44 – 44 – old Kaspersky anti-virus support
com.kaspersky.kext.klif – LE 3.2 – old Kaspersky anti-virus support
com.kaspersky.kext.mark.1.0.5 – 1.0.5 – old Kaspersky anti-virus support
com.kaspersky.nke – LE 2.1.3 – old Kaspersky anti-virus support
com.ncryptedcloud.osxmonitor – LE 1 – old cloud support
com.pgp.kext.PGPnke – LE 1.1 – old PGP encryption support
com.sektioneins.driver.SUIDGuardNG – LE 1.0.6 – old security protection from Stefan Esser
com.silex.driver.sxuptp – LE 1.11.1 – old Silex hardware support
com.spyresoft.dockmod.driver – 1 – SpyreSoft DockMod Dock customisation
com.trusteer.wado-d – LE 1 – old release of Trusteer Rapport authentication system
com.visicom.ManyCam.VideoDevice.driver – LE 3.0.11 – old ManyCam videocam support
com.vmware.kext.vmci – LE 3.1.4 – old VMWare support
com.vmware.kext.vmioplug – LE 0053.60.16 – old VMWare support
com.vmware.kext.vmnet – LE 0053.60.16 – old VMWare support
com.vmware.kext.vmx86 – LE 0053.60.16 – old VMWare support
com.vmware.kext.vsockets – 90.1.3 – old VMWare support
com.webroot.driver.SecureAnywhere – LE 104 – old Webroot SecureAnwhere device support
org.pqrs.driver.NoEjectDelay – LE 5.3.0 – old NoEjectDelay enhancement
org.virtualbox.kext.VBoxDrv – LE 4.3.24 – old VirtualBox support
If you have any of those, you should uninstall the software as completely as possible, and refer to the vendor’s support site for an updated replacement.
Permitted kernel extensions
XProtect’s current configuration files list more than 10,000 signed kernel extensions which are permitted to load in OS X. These are the ones which KnockKnock should tell you are fine and dandy.