SilentKnight and LockRattler: A Masterclass

SilentKnight and LockRattler are the two most popular of my free apps, available from their Product Page. This article is an explanation of how you can get the best out of them.

Why use them at all?

Both apps look at three broad areas:

  • basic Mac security settings, such as SIP being turned on,
  • updates to key macOS security data files, and system updates more generally,
  • firmware and its updates.

LockRattler is the older of the two, written because some years ago Apple distributed a batch of Macs with SIP turned off. Although you can check whether your Mac’s security settings are what you expect using other methods, none of them is as simple or convenient. You’d be surprised at the number of people who run either app for the first time, only to discover that their Mac has been running for months with SIP turned off.

Apple has been silently pushing updates to the macOS security tools including XProtect and MRT for many years, but never informs us when updates are available, or which versions we should be running. Normally, within a day or so of an update being released by Apple, the vast majority of Macs are automatically updated. Sometimes this doesn’t work: again, you’d be shocked to hear of the number of users who open either app for the first time, to discover that their Mac has been using security data files which are several years out of date.

Keeping your Mac’s firmware up to date is another issue which should have been simple. Every time that you install a macOS update or Security Update, a complete set of firmware updates is included. Should your Mac’s firmware be older than the version bundled in the update, then it should automatically be updated when you install the system update. The reason that I developed SilentKnight was to make it simpler to check that your Mac does have the latest firmware installed, something which is possible using LockRattler, but not as simple.

Which to use?

Although both apps cover common ground, they do so in different ways. SilentKnight is designed to be simple and cater for the most common situations as simply as possible. LockRattler is more complex, and looks at some fairly arcane aspects of security such as whether you have disabled privacy in the log. It can’t check whether your Mac’s firmware is current, but leaves you to look that up for yourself. But it also offers power features which can come in handy, such as the ability to download and install only some of the updates offered by Apple. I use both: why not, as they’re both free?

silnitsk

I check for new updates several times every day, so that I can inform you as soon as possible when new updates become available. For the great majority of users, checking once a day or less frequently should be sufficient. To do that, I use SilentKnight, which automatically looks for updates whenever you open the app.

If you shut your Mac down each day, and start it up each morning or evening, then macOS should automatically look for updates as part of its startup procedures. For those who run their Macs for longer periods between restarts, running SilentKnight on a regular basis should ensure that you get any updates promptly. If you don’t do that, it can take a day or sometimes even longer for pushed security updates to be automatically downloaded and installed. You also aren’t normally informed when these ‘silent’ updates are installed. That’s relevant for some tools like MRT, which is only run in full when your Mac starts up. After MRT has been updated, it’s run again, but evidence suggests that its checks then may not be as thorough as those following startup.

If you just want to run those simple checks, download and install any waiting updates, then that should be all you need to do – two clicks/taps with SilentKnight and it’s all finished.

There’s a large update waiting

Sometimes you open SilentKnight and it tells you that there’s a large update, a new version of macOS or a Security Update, waiting to be downloaded and installed. Although you can use SilentKnight (or LockRattler) to install such updates, I prefer to do this in the Software Update pane, which at least gives me a little more information and a progress bar.

One of the strange side-effects of checking for updates using either SilentKnight or LockRattler is that often nudges the Software Update pane to report that an update is waiting.

If there are other security data updates also available, I normally download and install the large update first, then once that has been installed, I run SilentKnight to check again for any outstanding updates. This is good practice, as it’s not unusual to have to download a security data update immediately after a macOS update.

You don’t want to install all the updates

You may have an update which you don’t want to install, at least not just now. In that case, SilentKnight’s simple download-everything button isn’t a good choice. This is where LockRattler with its greater flexibility comes into its own.

silnitlr

In LockRattler, click on its List all pending updates button, which should result in a listing of everything that’s available in the adjacent text view. Choose the item(s) in that list which you do want to install, and one by one paste their name in the lowest (editable) text box and click on the Install update named: button to the side, for each one.

The only tricky thing here is working out what to paste in that box. In the listing, updates should be given with the first line containing the name you need, and a second describing what it is. The name you need to paste into the text box won’t contain any spaces. A little experimentation may be necessary, but it’s not really that hard. Unfortunately, parsing the response and offering you a choice, perhaps in a popup, is very difficult because the result and naming convention vary.

How do they work?

The two apps do their jobs quite similarly. When you open either of them, they check their own code signature for security purposes, then automatically check on my Git site whether they are up to date (a maximum of once in 12 hours). They then check the version numbers on the existing security data files on your Mac, and look at settings such as that for SIP, and check which firmware is installed.

SilentKnight (not LockRattler) then connects to the database files on my Git site to see whether security data versions are current according to those, and looks up the expected firmware version for that specific model of Mac, again in a database there.

At the same time, SilentKnight calls the softwareupdate command tool to check for updates with Apple’s update servers, and when it gets a response it writes that to its scrolling text view. Most of SilentKnight’s actions are performed in separate threads, so the exact order of results varies according to how quickly it gets the information it has requested.

The recommended button to use on LockRattler is List all pending updates, which calls the same softwareupdate command as SilentKnight. If you then want to install all the updates available, click on Install all pending updates, which does the same thing as SilentKnight’s button.

What do these error messages mean?

If either app encounters an error, it’s normally written to the main scrolling text view in its window. Errors have been extremely unusual in the past, but have lately increased, due in part to the recent Mojave Security Update 2020-005. One good way of working out whether an error is significant, and where it has come from, is to look at the results displayed in the window: if the app hasn’t been able to perform one of its checks, those results should make that clear.

If you can’t understand an error, or anything else, and can’t find the answer in the Help book, then please post a comment to a relevant article here, or send me an email. I try to answer as quickly as I can, particularly if it’s something potentially significant or serious.

Where can I find more information?

Both apps have extensive Help books, provided in the Help menu, and in a separate PDF file in their Zip archive. To keep it simpler, the SilentKnight Help command shows a short text summary; to read all the details, use its Reference instead. You’ll also find a lot of additional information, and a detailed listing of all security data, macOS and Security Updates for the last couple of years on their Product Page. You’ll also find there silnite, which is my command tool equivalent of SilentKnight, intended for those looking after multiple Macs, who want to schedule automatic checks, or just feel more at home in Terminal.

I hope this helps you get the best out of these apps, and enables you to keep your Mac more secure and up to date.