Apple pushes update to XProtect data

Apple has, over the last twenty-four hours or so, pushed another update to the XProtect data for macOS Sierra and, presumably, El Capitan.

Version 2091 adds protection against OSX.Proton.B, the new variant of Proton which was distributed for a few days from the HandBrake download site. As Patrick Wardle has pointed out, the ‘fingerprint’ used for this malware is very specific, and depends on a SHA1 hash of the file; only a tiny change to that file would be needed to evade detection by XProtect.
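The brittleness of a whole-file hash fingerprint can be seen in a small added example, which is not from the original post and is not Apple's code. The rule layout, the rule names, the sample bytes and the byte-pattern rule used for contrast are all constructed assumptions, not a description of XProtect's actual data.

```python
import hashlib

# Constructed stand-in bytes for a flagged file; not taken from any real sample.
SAMPLE = b"\xcf\xfa\xed\xfe" + b"constructed-demo-payload;" * 8

# Hypothetical rules: one pins the whole file's SHA-1, one matches a byte run.
RULES = [
    {"name": "Demo.identity", "sha1": hashlib.sha1(SAMPLE).hexdigest()},
    {"name": "Demo.pattern", "pattern": b"constructed-demo-payload;"},
]


def rule_matches(rule, data):
    """Apply one rule to a file's bytes."""
    if "sha1" in rule:
        # Identity rule: every byte of the file must be unchanged.
        return hashlib.sha1(data).hexdigest() == rule["sha1"]
    # Pattern rule: the byte run may appear anywhere in the file.
    return rule["pattern"] in data


def scan(data):
    """Return the names of all rules that flag these bytes."""
    return [r["name"] for r in RULES if rule_matches(r, data)]


def rebuilt_copies(data):
    """Constructed near-duplicates, each differing from data by one byte."""
    padded = data + b"\x00"                          # one byte appended
    flipped = data[:-1] + bytes([data[-1] ^ 0x01])   # lowest bit of last byte flipped
    return {"original": data, "padded": padded, "flipped": flipped}


def coverage(data):
    """Map each copy's label to the rules that still detect it."""
    return {label: scan(blob) for label, blob in rebuilt_copies(data).items()}


if __name__ == "__main__":
    for label, hits in coverage(SAMPLE).items():
        print(f"{label:9s} -> {hits or 'no match'}")
```

Running a check like this over known near-duplicates of a sample shows which signatures depend on an exact file identity and would need a new entry for every rebuild.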

There is no sign of any additional protection against more variants of OSX/Dok which have been reported recently.

Most recent silent updates like this have started to be pushed out to US sites at around midnight +/- 2 hours UTC, and have been pushed out in Europe around 18-20 hours later. I suspect that this is the way that Apple’s silent update system works.