Apple has pushed updates to XProtect and MRT

Apple has pushed two updates today, to the data files used by XProtect, bringing its version number to 2114, dated 20 February 2020, and to its malware removal tool MRT, bringing it to version 1.55, also dated 20 February 2020.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. Changes seen in the Yara detection rules include amendments for MACOS.e79dc35, MACOS.d92d83c, MACOS.de444f2, MACOS.b70290c, and MACOS.22d71e9. No new identifications have been added.

A new file has appeared in the XProtect bundle, named LegacyEntitlementAllowList.plist. This contains a very long array of ‘cdhashes’ which are encoded, and I can’t find any previous records of that file elsewhere in Catalina. It thus appears novel in this release of XProtect.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan, Sierra, High Sierra, Mojave and Catalina, available from their product page. If your Mac has not yet installed this update, you can force an update using SilentKnight, LockRattler, or at the command line.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.