Apple has pushed an update to XProtect

Apple has pushed an update to the ‘Yara’ data files used by XProtect, bringing its version number to 2102, dated 19 April 2019. This is the first update to XProtect this year.

This adds detection for just one new malware item, inscrutably named MACOS.d1e06b8. This contains both a distinctive signature and what the Yara file terms “PE binaries”, probably a Windows Portable Executable binary segment of the malware, which isn’t particularly informative.

Thanks to Patrick Wardle for identifying this as TrojanSpy.MacOS.Winplyer, which is discussed here by Trend Micro. Thanks to Al Varnell for providing a further link which may explain this too. As is painfully obvious from both, this dates back to February, which is hardly the rapid response which users might expect in Apple’s anti-malware protection.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by LockRattler and SystHist for El Capitan, Sierra, High Sierra and Mojave, available from their product page. If your Mac has not yet installed this update, you can force an update using LockRattler, or at the command line.
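One way to script the installation check described above, as an added example that is not from the original post or from LockRattler: it parses install history records and reports whether XProtect data version 2102 is present. The path `/Library/Receipts/InstallHistory.plist`, the record name `XProtectPlistConfigData` and the sample records are assumptions of this example.

```python
import plistlib
from datetime import datetime

# Assumptions (not from the original post): macOS keeps its install history
# in this plist, and XProtect data updates are recorded under this name.
HISTORY_PATH = "/Library/Receipts/InstallHistory.plist"
XPROTECT_NAME = "XProtectPlistConfigData"
EXPECTED_VERSION = 2102  # version reported in the post


def xprotect_installs(history):
    """Return (version, date) for each XProtect data install, sorted by version."""
    found = []
    for rec in history:
        if rec.get("displayName") != XPROTECT_NAME:
            continue
        try:
            version = int(rec.get("displayVersion", ""))
        except ValueError:
            continue  # ignore records whose version is not a plain number
        found.append((version, rec.get("date")))
    return sorted(found, key=lambda item: item[0])


def check_update(history, expected=EXPECTED_VERSION):
    """Return (is_current, latest_version); latest is None if never installed."""
    installs = xprotect_installs(history)
    if not installs:
        return False, None
    latest = installs[-1][0]
    return latest >= expected, latest


# Constructed sample records that mimic the install history layout.
SAMPLE_HISTORY = [
    {"displayName": "XProtectPlistConfigData", "displayVersion": "2100",
     "date": datetime(2018, 1, 1), "processName": "softwareupdated"},
    {"displayName": "Example Other Update", "displayVersion": "1.0",
     "date": datetime(2019, 1, 1), "processName": "softwareupdated"},
    {"displayName": "XProtectPlistConfigData", "displayVersion": "2102",
     "date": datetime(2019, 4, 19), "processName": "softwareupdated"},
]

if __name__ == "__main__":
    try:
        with open(HISTORY_PATH, "rb") as fh:
            history = plistlib.load(fh)
    except OSError:
        history = SAMPLE_HISTORY  # not on a Mac: use the constructed sample
    ok, latest = check_update(history)
    print(f"latest XProtect data: {latest}; has {EXPECTED_VERSION}: {ok}")
```

Run across a fleet, the same check flags Macs whose latest recorded XProtect data is older than the version announced here.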

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.