XProtect version 2109 for macOS Catalina 10.15.2 only

Bundled, or perhaps buried, within the macOS Catalina 10.15.2 update released yesterday, 10 December, is an update to XProtect’s data, taking it to version 2109. As usual, Apple doesn’t announce this update or provide any details of what it does. If you look inside it, though, you’ll find that it adds no fewer than seven detection signatures for malware which XProtect scans should now detect.

Unfortunately, Apple doesn’t want us to know what XProtect protects us against, so it identifies each signature only by an internal code name. The new items are:

  • MACOS.9bdf6ec
  • MACOS.e79dc35
  • MACOS.d92d83c
  • MACOS.0e62876
  • MACOS.7726045
  • MACOS.0dd569a
  • MACOS.bca65d5

Thanks to @sdotknight for suggesting that these new rules appear to correspond to some of the following: Bundlore, Mac Magician, Mac Cleanup Pro, and Cleanup My Mac.

In addition, this update includes a new version of the gk.db database, dated 22 November 2019, which presumably carries additional information to aid XProtect’s malware detection. Apple doesn’t give that database a version number of its own, though.
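If you want to check for yourself, the following shell script is an added example, not part of the original post and not taken from SilentKnight or LockRattler. It reads the XProtect data version from the bundle’s Info.plist, lists the rule names in its YARA file, and reports the modification date of gk.db. It assumes the Catalina bundle path /Library/Apple/System/Library/CoreServices/XProtect.bundle, that the data version is its CFBundleShortVersionString, and that the signatures live in Contents/Resources/XProtect.yara alongside gk.db; those paths and names are assumptions, not something the post states. The rule-name parser works on any YARA file, so it can also be run against a constructed sample off a Mac.

```shell
#!/bin/sh
# Added example: inspect the XProtect data bundle on macOS Catalina.
# Assumptions (not stated on the page): the bundle lives at the path
# below on 10.15, its data version is CFBundleShortVersionString in
# Contents/Info.plist, and the signatures are YARA rules in
# Contents/Resources/XProtect.yara next to gk.db.
XPROTECT_BUNDLE="${XPROTECT_BUNDLE:-/Library/Apple/System/Library/CoreServices/XProtect.bundle}"
EXPECTED_VERSION="${EXPECTED_VERSION:-2109}"

# Print the installed XProtect data version (e.g. 2109).
xprotect_version() {
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
        "$XPROTECT_BUNDLE/Contents/Info.plist" 2>/dev/null
}

# Succeed (exit 0) when the installed version is at least the expected one.
# XProtect data versions are plain integers, so compare numerically;
# anything non-numeric is treated as "unknown" (exit 2).
xprotect_is_current() {
    installed="$1"
    expected="$2"
    case "$installed" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$installed" -ge "$expected" ]
}

# List the rule names declared in a YARA file, one per line. Accepts the
# optional 'private' / 'global' modifiers and skips comment and meta lines,
# which never begin with the keyword 'rule'.
yara_rule_names() {
    sed -n -E \
        's/^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+([A-Za-z0-9_]+).*/\3/p' \
        "$1"
}

# Count the rules in a YARA file, handy for diffing two XProtect versions.
yara_rule_count() {
    yara_rule_names "$1" | wc -l | tr -d ' '
}

# Modification date of gk.db, since Apple gives it no version of its own
# (BSD stat syntax, macOS only).
gk_db_date() {
    stat -f '%Sm' -t '%Y-%m-%d' "$XPROTECT_BUNDLE/Contents/Resources/gk.db" 2>/dev/null
}

main() {
    version="$(xprotect_version)"
    printf 'XProtect data version: %s\n' "${version:-unknown}"
    if xprotect_is_current "$version" "$EXPECTED_VERSION"; then
        printf 'Up to date (expected %s or later)\n' "$EXPECTED_VERSION"
    else
        printf 'NOT current: expected %s or later\n' "$EXPECTED_VERSION"
    fi
    rules="$XPROTECT_BUNDLE/Contents/Resources/XProtect.yara"
    if [ -r "$rules" ]; then
        printf 'YARA rules (%s):\n' "$(yara_rule_count "$rules")"
        yara_rule_names "$rules" | sed 's/^/  /'
    fi
    printf 'gk.db dated: %s\n' "$(gk_db_date)"
}

# Only run the report on macOS; the functions above can be exercised anywhere.
if [ "$(uname -s)" = "Darwin" ]; then
    main
fi
```

Run it on a 10.15.2 system and the version line should read 2109; on Mojave or High Sierra, set XPROTECT_BUNDLE to /System/Library/CoreServices/XProtect.bundle (where the bundle lived before Catalina) to compare what those systems currently have. Keeping a copy of XProtect.yara from each version and diffing the output of yara_rule_names is the quickest way to see which rule names an update added.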

So far, there is no sign of this update being delivered to earlier versions of macOS, which is unusual. It wasn’t bundled with the Security Updates for Mojave or High Sierra, nor has it yet been pushed to those systems as a standalone security update.

My free apps SilentKnight and LockRattler report this update correctly, and the database for the former now expects it to be present on 10.15 systems.

Updated 2010 UTC 11 December with provisional identification of the malware.