Silent High Sierra night: security settings files in macOS High Sierra

In amongst the tens or hundreds of thousands of files which together make macOS High Sierra work, there are security and other settings files which Apple normally updates silently. These are almost completely undocumented, but can sometimes cause problems, by disabling an old version of Flash, Java, or Silverlight, or even breaking your network connection. Here’s a quick roundup of those which you are most likely to come across.

Core Suggestions Configuration Data
Latest version: 1.0 680.0.3.1, 9 August 2017.
These are support data for /System/Library/PrivateFrameworks/CoreSuggestions.framework, to be used in various travel features.

CoreLSKD Configuration Data
Latest version: 9.13.1, 25 July 2017.
These are support data for /System/Library/PrivateFrameworks/CoreLSKD.framework and go into /usr/share/kdrl.bundle for internal use.

EFI Allow List
No version given. 25 August 2017.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Macs running High Sierra. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. New in High Sierra, as detailed here.

Gatekeeper Configuration Data
Latest version: 181, 26 August 2019.
This is an SQLite database which is placed in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db to provide blacklists and whitelists for Gatekeeper’s security system, which checks the code signatures of apps.

Gatekeeper Disk Image Configuration Data
Latest version: 7.2, 15 July 2017.
This provides data for checking signed disk images, which is kept in /private/var/db/gke.bundle/Contents/Resources/gke.auth It remains unchanged from Sierra.

Incompatible Kernel Extension Configuration Data
Latest version: 13.2.1, 7 December 2017.
This is a list of kernel extensions (KEXTs) which will be excluded at startup, and is stored in /System/Library/Extensions/AppleKextExcludeList.kext. This is a new version, different from that in Sierra, which apparently reflects High Sierra’s new policy of third-party extension blocking. It was updated as part of the 10.13.2 update on 7 December, although the list of blocked KEXTs appears unchanged from that of 15 July.

MRT Configuration Data
Latest version: 1.93, 29 April 2022.
These are the settings for Apple’s Malware Removal Tool /System/Library/CoreServices/ and go into that app, so that it can remove any malware which OS X detects.

Latest version: 1.0 2167, 30 March 2023.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist,
/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist and /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara.

Latest version: 1146.2, 21 September 2017
These settings are placed in /System/Library/PrivateFrameworks/SystemMigration.framework for use by Migration Manager.

Details last updated 30 March 2023.