What happened to XProtect? Has it been forked?

If you follow macOS security updates, by now you’re probably completely confused over XProtect. Although it has been a long time since Apple’s primary malware checking tool in macOS has been anywhere near the forefront of malware detection, it comes with all recent versions of macOS, and has an expanded role in Catalina. But XProtect has changed in 2019 (the year, not the version!), and there’s no longer a single version which works much as it has in the past.

When Catalina was in beta-testing, some noticed that its XProtect bundle in CoreServices had grown an additional file, a small database named gk.db, where gk clearly refers to Gatekeeper. With its full release, this persisted, but the version number given by the XProtect bundle stayed in sync between Catalina and earlier versions of macOS.

Then when Apple released the 10.15.2 update, it – but not previous versions of macOS – included a new version of the XProtect bundle, which added seven new detections. There was speculation that the version of XProtect in Mojave and earlier might not be capable of performing those detections.

Yesterday, Apple put minds at rest when it pushed XProtect version 2110, an update which can be installed and used on all recent versions of macOS. Only that isn’t actually a single security update which applies to all those systems, and what this update does for Catalina is a bit different. To understand this, we need to look at what has happened in the XProtect bundle on Catalina systems, and those on Mojave and earlier.

When Mojave and earlier systems install the update from 2108 to 2110 (2109 not being released for them), they don’t install any opaque gk.db file, and gain detection for four new items: MACOS.9bdf6ec, MACOS.e79dc35, MACOS.d92d83c and MACOS.0e62876.

When Catalina systems install the update from 2109 to 2110, they do install a new gk.db file, updated to its current version dated 10 December 2019, have amended detection strings for MACOS.9bdf6ec, and lose the ability to detect three items which had been added in 2109: MACOS.7726045, MACOS.0dd569a and MACOS.bca65d5.

The end result, once 2110 has been installed on any Mac, is identical except for Catalina’s new gk.db file, which isn’t installed on any earlier version of macOS. So yes, Apple has forked the XProtect bundle, and did so for Catalina. But after a couple of days during which Catalina detected different malware from previous versions of macOS, detection should now be uniform again. Except, of course, for gk.db and the crucial fact that Catalina runs XProtect checks on every app, command tool and other code that it runs, regardless of whether the quarantine flag is set.

The XProtect bundle may be more uniform again, but XProtect itself certainly isn’t.
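For anyone wanting to confirm what the description above means on their own Macs, here is a read-only inventory check (an added example, not code from the original post or from Apple) which reports the bundle version, whether gk.db is present, and the detection names, so Catalina and Mojave systems can be compared after an update. It assumes the version is the CFBundleShortVersionString in Info.plist, that detection names are the Description strings in XProtect.plist, and the two bundle paths shown; the sample bundle it builds when no real one is found is constructed with placeholder names.

```shell
#!/bin/sh
# Added example, not from the original post: inventory an XProtect bundle.
# Assumptions: version lives in Info.plist (CFBundleShortVersionString),
# detection names are Description strings in XProtect.plist, paths as below.

# Catalina keeps the bundle under /Library/Apple; earlier systems under /System.
xprotect_bundle_path() {
    for p in /Library/Apple/System/Library/CoreServices/XProtect.bundle \
             /System/Library/CoreServices/XProtect.bundle; do
        [ -d "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Print "version=<n> gkdb=<yes|no> detections=<name,name,...>" for a bundle.
xprotect_report() {
    bundle="$1"
    info="$bundle/Contents/Info.plist"
    plist="$bundle/Contents/Resources/XProtect.plist"
    [ -f "$info" ] || { echo "no XProtect bundle at $bundle" >&2; return 1; }
    # plist keys and values may sit on separate lines, so flatten before matching
    version=$(tr -d '\n\t' < "$info" \
        | grep -o '<key>CFBundleShortVersionString</key> *<string>[^<]*' \
        | sed 's/.*<string>//')
    if [ -f "$bundle/Contents/Resources/gk.db" ]; then gkdb=yes; else gkdb=no; fi
    detections=$(tr -d '\n\t' < "$plist" \
        | grep -o '<key>Description</key> *<string>[^<]*' \
        | sed 's/.*<string>//' | paste -sd, -)
    echo "version=$version gkdb=$gkdb detections=$detections"
}

# Constructed sample bundle (placeholder names, not real signatures) so the
# check can be exercised on a machine that has no XProtect bundle.
make_sample_bundle() {
    d=$(mktemp -d)/XProtect.bundle
    mkdir -p "$d/Contents/Resources"
    printf '<plist><dict><key>CFBundleShortVersionString</key>\n<string>2110</string></dict></plist>\n' \
        > "$d/Contents/Info.plist"
    printf '<plist><array><dict><key>Description</key>\n<string>MACOS.SAMPLE1</string></dict>\n<dict><key>Description</key>\n<string>MACOS.SAMPLE2</string></dict></array></plist>\n' \
        > "$d/Contents/Resources/XProtect.plist"
    : > "$d/Contents/Resources/gk.db"
    echo "$d"
}

bundle=$(xprotect_bundle_path) || bundle=$(make_sample_bundle)
xprotect_report "$bundle"
```

Run it on a Catalina and a Mojave Mac after installing 2110 and diff the two detection lists; the gkdb field should read yes only on Catalina.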