hoakley October 17, 2019 Macs, Technology

Security data files: how they’ve changed in Catalina

Each of the main security services in macOS, like Gatekeeper and XProtect, relies on data which is commonly stored in separate files so that it can be updated easily outside of full macOS system updates. Most of these updates are pushed silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.

macOS Catalina brings the greatest changes in security data files that I can recall: with the introduction of the read-only System volume, almost all of them have moved to new locations on the writeable Data volume, so that they can be updated more easily. Catalina also changes the behaviour of Gatekeeper, which now checks notarization when a quarantined app is first run, and XProtect, which runs its checks on every app when it is opened on every occasion.

This article details each of the main security data files found in macOS 10.15 Catalina, together with others involved in related system functions. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.

Main Security Data

Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, not updated since 10.15 release.
This is an SQLite database which is placed on the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db and is believed to provide blacklists for Gatekeeper’s security system, which checks the code signatures of apps.

Gatekeeper E Configuration Data (GKE)
Latest version: 8.0, updated in 10.15.2 update, no change in version number.
This is an SQLite database which is placed on the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which are believed to provide blacklists for Gatekeeper’s security system, possibly relating to notarization tickets. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db is new with Catalina.

MRT Configuration Data
Latest version: 1.93, 29 April 2022.
This is Apple’s Malware Removal Tool stored on the Data volume at Library/Apple/System/Library/CoreServices/MRT.app, so that it can remove any malware which macOS detects. It doesn’t use a separate data file, instead embedding its details with the executable code.

TCC Compatibility Bundle
Latest version: 150.18, not updated since 10.15 release.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains AllowApplicationsList.plist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up. This was essentially new for Mojave, and has changed substantially again in Catalina.

XProtectPlistConfigData
Latest version: 1.0 2194, 7 May 2024.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle stored on the Data volume at Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/XProtect.meta.plist, Contents/Resources/XProtect.plist and Contents/Resources/XProtect.yara. New with Catalina (introduced with beta releases) is the SQLite database file named gk.db in its resources, whose purpose is unknown. This is linked to from the System volume via a symbolic link at /System/Library/CoreServices.

XProtectRemediator
Latest version: 133, 2 May 2024.
This contains a suite of specialised malware detection and remediation tools, in the app XProtect.app on the Data volume at /Library/Apple/System/Library/CoreServices. This was first installed with macOS 12.3, then version 62 was pushed to Catalina, Big Sur, Monterey and Ventura on 17 June 2022. Executables include an eventual replacement for MRT, and several specialised tools for specific malware types. Initially these run alonside MRT, but are expected to replace it once they have been proven. Further details are here.

XProtectPlistConfigData 1
Latest version: 1.0 2106, 15 October 2019 with Supplemental Update to 10.15.
This is a duplicate copy of the whitelists and blacklists used by XProtect, but lacks the gk.db database, and is stored on the System volume at /System/Library/CoreServices/XProtect.bundle 1. Currently, this appears to be a read-only backup copy, and was first installed with the 10.15 Supplemental Update.

KextExcludeList
Latest version: 15.6.1, 15 July 2020 with 10.15.6 update.
This is a list of kernel extensions which are to be treated as exceptions to Catalina’s new security rules, and is stored on the Data volume in Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist. Its equivalent in previous versions of macOS has been static, but this is new with Catalina.

Others

CompatibilityNotificationData
Latest version: 1.0.8, not updated since 10.15 release
This is a bundle on the Data volume at Library/Apple/Library/Bundles/CompatibilityNotificationData.bundle which contains CompatibilityNotificationData.plist, listing version ranges of third-party products which will be notified as being (in)compatible.

CoreTypes
Latest version: no number, not updated since 10.15 release
This is a bundle on the Data volume at System/Library/CoreServices/CoreTypes.bundle, which contains a library of five further bundles including AppExceptions.bundle, iLifeMediaBrowserTypes.bundle, MachineTypes.bundle, MobileDevices.bundle, and RawCameraTypes.bundle. I have yet to examine these in detail, and will report on them in a future article.

EFI Allow List
Latest version: no number, 6 October 2019.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Macs running Mojave. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here. Oddly, this currently appears to be on the System volume.

IncompatibleAppsList
Latest version: 15.178, not updated since 10.15 release
This is a bundle on the Data volume at Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing over 200 known incompatible versions of third-party products.

Last updated: 7 May 2024.

11Comments

Add yours

1

Mark Pleticha on October 29, 2019 at 11:04 pm

FYI KextExcludeList mine went to 15.1.1 with Catalina 10.15.1
and new EFI firmware 1037.40.118.0.0 for a 2019 iMac

LikeLiked by 1 person
- 2
  
  hoakley on October 29, 2019 at 11:47 pm
  
  Thank you.
  So there are some firmware updates – that’s messy!
  Howard.
  
  LikeLike
- 3
  
  hoakley on October 30, 2019 at 12:44 pm
  
  Thank you. That model and T2 models seem to be the only Macs with firmware updates this time. Unless anyone knows of any others?
  Howard.
  
  LikeLike
4

LSP93 on November 2, 2019 at 9:37 am

Our believe is that it got even messier than this for a MacMini2018:
XProtect version (/System/Library/CoreServices/XProtect.bundle) 2107
Last installed update 2019-10-30 08:07:28 +0000 : 2107
Gatekeeper version (/private/var/db/gkopaque.bundle) 181
Last installed update 2019-08-27 08:57:12 +0000 : 181
Gatekeeper E version (/private/var/db/gke.bundle) 8.0
KEXT block version (/System/Library/Extensions/AppleKextExcludeList.kext) 15.1.1
Last installed update 2019-10-30 08:07:28 +0000 : 15.1.1
MRT version (/System/Library/CoreServices/MRT.app) 1.50
Last installed update 2019-10-16 07:54:07 +0000 : 1.50
TCC version (/System/Library/Sandbox/TCC_Compatibility.bundle) 150.18
Last installed update 2019-06-06 07:56:20 +0000 : 17.0
Last installed macOS update 2019-10-30 08:07:28 +0000 : macOS 10.15.1 Update
Last installed security update No update installed
macOS Version 10.15.1 (Build 19B88)
EFI firmware version installed 1037.40.124.0.0
iBridge: 17.16.11081.0.0,0

BTW MRT.app has a Cross through the Icon, so it doesn’t run (?), but the CLT MRT does function in Terminal.

We don’t even want to start mentioning all the other bugs and problems Catalina brought (for one the display disconnect with HDMI-DVI)
Catalina is a real bummer.

LikeLiked by 1 person
- 5
  
  hoakley on November 2, 2019 at 9:43 am
  
  Thank you. That all looks fine and in accordance with what I’d expect in 10.15.1.
  MRT isn’t intended to be run as an app: there are two command line options for it, and it’s not a user tool, which is I think why its icon is defaced.
  Howard.
  
  LikeLike
6

Pico on January 27, 2020 at 9:42 pm

Just adding some specific info that I’ve learned recently to back to this community…

In regards to the “/usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle” file, you mention that “Oddly, this currently appears to be on the System volume.”

Previous to Catalina the “eficheck” tool would download the “EFIAllowListAll.bundle” file into this same folder if no match was found in “EFIAllowListShipping.bundle”. Now in Catalina, the “EFIAllowListAll.bundle” file is downloaded elsewhere.

Speculating here, I think that Apple put the “/usr/libexec/firmwarecheckers/eficheck/” folder on the System volume because they wanted to protect the “eficheck” tool itself as well as the “EFIAllowListShipping.bundle” file to only be able to be updated with a system update, while the “EFIAllowListAll.bundle” can be downloaded manually by the “eficheck” tool as needed.

Curious to figure out where the “EFIAllowListAll.bundle” is stored in Catalina, I used the Terminal “find” command and found that it is now stored in “[Data Volume]/Library/Apple/usr/libexec/firmwarecheckers/eficheck/EFIAllowListAll.bundle”.

This file won’t exist for all users because it’s only downloaded by “eficheck” when no match was found in “EFIAllowListShipping.bundle” (and only if “Check for updates” and “Download new updates when available” are turned on in System Preferences).

This would also be why if you search for “EFIAllowListAll.bundle” on Google, you’ll see lots of people wondering why this file got put into their “Relocated Items” folder after updating to Catalina.

LikeLiked by 1 person
- 7
  
  hoakley on January 27, 2020 at 11:21 pm
  
  Thank you: that’s fascinating. Sadly, I can’t investigate it here any more, as both my (modern) Macs have T2 chips, so eficheck has no purpose. But I will try to make a note somewhere to clarify this for other users.
  Howard.
  
  LikeLike
  - 8
    
    Pico on January 28, 2020 at 12:53 am
    
    Also, The current version listed in the “EFIAllowListAll.bundle” is currently 85, which I confirmed myself on High Sierra and Catalina.
    
    Since it will be hard for you to keep up-to-date with these changes since you’re on a T2 Mac, it may be worth using MrMacintosh’s info about this for your own cross-reference or just link to this page for your viewers: https://mrmacintosh.com/macos-system-status-version-info-for-macadmins/
    
    Lots of good info on that page. Some of the same that you have here as well as other interesting stuff.
    
    LikeLiked by 1 person
    - 9
      
      hoakley on January 28, 2020 at 5:32 pm
      
      Thanks – yes, Mr Macintosh is a valuable site. I’ll look at how I can work links into my accounts of eficheck.
      Howard.
      
      LikeLike
10

Rafael Prado on March 6, 2020 at 8:17 pm

Hi,
using SilenKnight Version 1.6 (9), somethin weird on TCC info, database on the software may need some update(?) don’t know, but it is telling me I have to regret. [ I think it is because my Catalina is developer beta…] and SilenKnigh may still don’t know that(?)

Anyway, this is just to inform you about this situation, since you are the developer it is important for you.

Details below (copied from SilenKnight and pasting here) I don’t know how to submit a picture here.

—————-
✅ System Integrity Protection status: enabled.
✅ XProtect assessments enabled
⚠️ FileVault is Off.
macOS Version 10.15.4 (Build 19E250c)
Latest updates installed:
XProtect 2020-03-05 22:40:42 +0000 : 2115
Gatekeeper 2020-02-27 22:55:23 +0000 : 181
MRT 2020-03-05 22:42:27 +0000 : 1.56
✅ XProtect 2115 should be 2115
✅ Gatekeeper 181, 8.0 should be 181, 8.0
✅ MRT 1.56 should be 1.56
❌ TCC 150.19 should be 150.18
✅ KEXT 15.1.1 should be 15.1.1
⚠️ Software Update Tool

Finding available software
Software Update found the following new or updated software:
* Label: SafariTechPreview-102
Title: Safari Technology Preview, Version: 102, Size: 61300K, Recommended: YES,
—————

Take a look on TCC, installed is newer, but it is telling it should be lower/older.

Regards,
Prado

LikeLiked by 1 person
- 11
  
  hoakley on March 6, 2020 at 8:25 pm
  
  Thank you.
  Yes, SilentKnight only considers Apple’s released updates, and not those which it might include in betas. You have a newer version of that database, which is apparently included in the current betas.
  I have quite an elaborate system for working out whether firmware updates might be from betas, which will alert to the difference without identifying it with the red X, but that’s too complicated to do for all the databases individually. As I have to maintain the lists myself, I’m afraid this is the most practical solution. If you’re using a beta, I just have to assume that you’ll recognise that the version installed with that beta is ‘correct’.
  Howard.
  
  LikeLike

·Comments are closed.

Main Security Data

Others

Share this:

Related