hoakley July 12, 2019 Macs, Technology

How do you get a security update to work?

There are three good ways of installing one of Apple’s ‘silent’ security updates:

By far the easiest now is using SilentKnight. Open the app, wait until it has checked for available updates. If there’s an update, the Install all updates button will appear. Click on that, and watch the end of the lower text report give you information about the updates as they’re downloaded and installed. Once that’s complete, the app tells you the latest installations. To get its upper boxes to show the update, quit the app and open it again. If the Install all updates button doesn’t appear, you can run this from the command in the File menu.
Using LockRattler, first click on the List all pending updates button. If that shows that updates are available, click on the Install all pending updates, or paste the name of the update into the text box next to the Install update named: button and click on that.
The command line equivalents, which are documented in those apps’ Help books, are
softwareupdate -l --include-config-data to list updates, and
softwareupdate -ia --include-config-data to install them all.

You can of course wait for this to happen automagically, but that may take a day or even more sometimes.

With the update(s) installed, the next question is how to make it/them effective. For XProtect, Gatekeeper and TCC, that isn’t an issue: once the update is installed, the next time there’s an app scanned with a quarantine flag set, or another reason for a scan/check, the new data should be used without any further ado.

For KEXT blocker updates, the update will be enforced the next time that you Mac starts up. So far, updates to the KEXT blocker have come with full macOS updates, which invoke a restart anyway, so ensuring that its new rules come into force immediately.

The problem comes with MRT, an app in /System/Library/CoreServices which either runs in agent or daemon mode. In normal use, it will only actively scan and clean your Mac during startup, or (probably) when called by another tool such as XProtect (probably). To get the new version of MRT to scan your Mac, you can therefore either restart your Mac, or run it manually in agent mode.

To run MRT manually in agent mode, open Terminal and type in the command
/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a
where the -a option specifies agent mode (daemon mode requires -d instead).

You should then see output such as
MRT[39175:14142487] Running as agent MRT[39175:14142487] failed to check loginItems MRT[39175:14142487] Agent finished. MRT[39175:14142487] Finished MRT run
or something indicating that it has detected and removed malware (or the Zoom web server, perhaps).

I hope this makes things clearer, and will incorporate this advice into SilentKnight’s and LockRattler’s Help books in due course.

Thanks to AndyInCali on MacAdmins Slack, via @ClassicII_MrMac for the MRT information.

13Comments

Add yours

1

David B. on July 12, 2019 at 6:59 am

This is MY result! 😦

Last login: Fri Jul 12 07:42:57 on console
Davids-iMac:~ davidgbrooks$ /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -a
2019-07-12 07:53:25.496 MRT[1971:533565] Running as agent
2019-07-12 07:53:25.581 MRT[1971:533565] failed to check loginItems
2019-07-12 07:53:25.669 MRT[1971:533565] Agent finished.
2019-07-12 07:53:25.669 MRT[1971:533565] Finished MRT run
Davids-iMac:~ davidgbrooks$ /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT -d
2019-07-12 07:54:43.633 MRT[1993:535243] Permission denied.
Davids-iMac:~ davidgbrooks$

Please advise!

David

LikeLiked by 1 person
- 2
  
  hoakley on July 12, 2019 at 8:34 am
  
  Thank you.
  I recommend that you run it in agent mode, as described, and as you have done. Only the system can run it in daemon mode, as far as I’m aware. You could conceivably run that as sudo, but there’s no indication that does anything purposeful here.
  Howard.
  
  LikeLike
3

David B. on July 12, 2019 at 7:20 am

FYI MBAM scan result:- https://imgur.com/a/PVniH1K

LikeLiked by 1 person
- 4
  
  hoakley on July 12, 2019 at 8:34 am
  
  I don’t believe that any 3rd party anti-malware product tries to detect or remove Zoom software – only MRT.
  Howard.
  
  LikeLike
5

El Pablo on July 12, 2019 at 5:50 pm

Thanks for all the great information and tools you provide!

LikeLiked by 1 person
- 6
  
  hoakley on July 12, 2019 at 8:31 pm
  
  Thank you for your kind words.
  Howard.
  
  LikeLike
  - 7
    
    David B. on July 12, 2019 at 9:10 pm
    
    Have you received any formal training in ‘computing’, Howard?
    
    I suspect other folks might be interested in just HOW you have become a bit of a computer whizz!
    
    Do tell!
    
    Maybe you should write a feature article all about yourself. If you do, I for one will read it! 😉
    
    David
    
    LikeLiked by 1 person
    - 8
      
      hoakley on July 12, 2019 at 10:46 pm
      
      I started computing some 45 years ago, with a mixture of early ‘office computers’ which were little more than programmable calculators, teletype Fortran from Cardiff to Bristol, and a course in Algol statistical analysis. Things got more serious in 1987, when I was heavily involved in parallel processing with the Inmos Transputer, and started work on a project for Commodore. Then in 1989, I switched to the Mac, to develop CAD/CAM software which we sold primarily to sailmakers. I also developed some of the first design and manufacture software for paragliders, and for a while commuted to Italy every few weeks to develop lab systems in one of the world’s leading composite manufacturers. I’ve written about computers over a similar period, for a range of clients including Apple Europe, then mainly for MacUser from about 1990 until its closure a few years ago. Since then, I’ve written for MacFormat and Mac|Life. I’ve also presented and published AI research, specifically genetic programming. Beyond those headlines, I think it would just get boring for most readers, and too self-promotional. There are some exciting bits – like the customer in Italy who (thankfully when he didn’t owe me any money) blew his brains out in a police cell after being arrested for fraud – but I digress.
      Howard.
      
      LikeLike
    - 9
      
      David B. on July 13, 2019 at 9:13 pm
      
      Thank you.
      
      You could have said more in your digression!
      
      Whenever did you find the time to carry out your medical duties?!!!
      
      D.
      
      LikeLiked by 1 person
10

Valdo on August 16, 2019 at 7:53 am

Hello,
the two mentioned terminal command lines are related to all updates included in LockRattler or restricted to MRT only?

Thank you

LikeLiked by 1 person
- 11
  
  hoakley on August 16, 2019 at 7:56 am
  
  Those commands work on all Macs running recent versions of macOS, and apply to all security updates, not just MRT.
  Howard.
  
  LikeLike
12

Valdo on August 16, 2019 at 8:05 am

Thank you very much Howard! Related to the just now downloaded MRT update.
It’s enough to restart the Mac to have it active or again by command line to start it?
If user action is necessary, then which one, agent or daemon mode ???

LikeLike
- 13
  
  hoakley on August 16, 2019 at 8:20 am
  
  According to Apple, to ensure that updated MRT is run, you should restart your Mac once the update has been installed.
  However, looking at recent updates, the updater does seem to run the new version shortly after updating. Whether that is sufficient, Apple doesn’t say, and as Apple doesn’t tell us what this update changes, we won’t know whether any of this is necessary.
  The simplest thing is just to restart, I suggest.
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Related