How do you get a security update to work?

There are three good ways of installing one of Apple’s ‘silent’ security updates:

  • By far the easiest now is using SilentKnight. Open the app, wait until it has checked for available updates. If there’s an update, the Install all updates button will appear. Click on that, and watch the end of the lower text report give you information about the updates as they’re downloaded and installed. Once that’s complete, the app tells you the latest installations. To get its upper boxes to show the update, quit the app and open it again. If the Install all updates button doesn’t appear, you can run this from the command in the File menu.
  • Using LockRattler, first click on the List all pending updates button. If that shows that updates are available, click on the Install all pending updates, or paste the name of the update into the text box next to the Install update named: button and click on that.
  • The command line equivalents, which are documented in those apps’ Help books, are
    softwareupdate -l --include-config-data to list updates, and
    softwareupdate -ia --include-config-data to install them all.

You can of course wait for this to happen automagically, but that may take a day or even more sometimes.

With the update(s) installed, the next question is how to make it/them effective. For XProtect, Gatekeeper and TCC, that isn’t an issue: once the update is installed, the next time there’s an app scanned with a quarantine flag set, or another reason for a scan/check, the new data should be used without any further ado.

For KEXT blocker updates, the update will be enforced the next time that you Mac starts up. So far, updates to the KEXT blocker have come with full macOS updates, which invoke a restart anyway, so ensuring that its new rules come into force immediately.

The problem comes with MRT, an app in /System/Library/CoreServices which either runs in agent or daemon mode. In normal use, it will only actively scan and clean your Mac during startup, or (probably) when called by another tool such as XProtect (probably). To get the new version of MRT to scan your Mac, you can therefore either restart your Mac, or run it manually in agent mode.

To run MRT manually in agent mode, open Terminal and type in the command
/System/Library/CoreServices/ -a
where the -a option specifies agent mode (daemon mode requires -d instead).

You should then see output such as
MRT[39175:14142487] Running as agent
MRT[39175:14142487] failed to check loginItems
MRT[39175:14142487] Agent finished.
MRT[39175:14142487] Finished MRT run

or something indicating that it has detected and removed malware (or the Zoom web server, perhaps).

I hope this makes things clearer, and will incorporate this advice into SilentKnight’s and LockRattler’s Help books in due course.

Thanks to AndyInCali on MacAdmins Slack, via @ClassicII_MrMac for the MRT information.