Silently updated security data files in Big Sur

Each of the main security services in macOS, like XProtect and MRT, relies on data which is commonly stored in separate files on the Data volume so that it can be updated easily outside of full macOS system updates. Most of these updates are pushed silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.

macOS Big Sur brings only small changes from those in Catalina, which saw a major reorganisation to cater for the new Volume Group. Currently, those most frequently updated are XProtect data files and MRT, which are generally pushed out on a 2 week cycle, although MRT isn’t always updated alongside XProtect.

This article details each of the main security data files found in macOS 11 Big Sur, together with others involved in related system functions. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.

Main Security Data

KextExcludeList
Latest version: 16.4.0, 24 May 2021 (11.4 update).
This is a very long list of kernel extensions which are to be treated as exceptions to Big Sur’s security rules, and is stored on the Data volume in Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist.

MRT Configuration Data
Latest version: 1.81, 28 June 2021.
This is Apple’s Malware Removal Tool stored on the Data volume at Library/Apple/System/Library/CoreServices/MRT.app, so that it can remove any malware which macOS detects. It doesn’t use a separate data file, instead embedding its details with the executable code. This is normally updated every 2-6 weeks. Further details are here.

TCC Compatibility Bundle
Latest version: 150.19.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains AllowApplicationsList.plist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up. In Big Sur, this is normally empty.

XProtectPlistConfigData
Latest version: 1.0 2149, 28 June 2021.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle on the Data volume at Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/XProtect.meta.plist, Contents/Resources/XProtect.plist and Contents/Resources/XProtect.yara. New with Catalina was the SQLite database file named gk.db in its resources, whose purpose is unknown, and a large list of cdhashes in LegacyEntitlementAllowList.plist, which presumably allows code with those cdhashes to use legacy entitlements. This is linked to from the System volume via a symbolic link at /System/Library/CoreServices, and normally updated every 2 weeks.

Others

CompatibilityNotificationData
Latest version: 1.0.8.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/CompatibilityNotificationData.bundle which contains CompatibilityNotificationData.plist, listing version ranges of third-party products which will be notified as being (in)compatible.

CoreTypes
Latest version: no number (System bundle version 517).
This is a bundle on the Data volume at Library/Apple/System/Library/CoreServices/CoreTypes.bundle, which contains two links to the current XProtect data files XProtect.meta.plist and XProtect.plist. This is firmlinked to /System/Library/CoreServices/CoreTypes.bundle on the System volume, which contains much more data.

EFI Allow List
Latest version: no number.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Intel Macs without T2 chips. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here. Although this is still included in macOS Big Sur when installed on Intel Macs with T2 chips, and on Apple Silicon Macs, as eficheck can’t be used on them, it is functionless on those models.

Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, but can instead be 94.
This is an SQLite database on the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db which is now believed to provide whitelists for Gatekeeper’s security system, which checks the code signatures of apps. This hasn’t been updated for more than a year, and Macs which have never had Catalina or earlier installed normally have the very old version 94, indicating this database is no longer used in macOS 10.15 and later. Further details of checks are given here.

Gatekeeper E Configuration Data (GKE)
Latest version: 8.0.
This is an SQLite database on the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which are now believed to provide whitelists for Gatekeeper’s security system. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db was new in Catalina and hasn’t changed since then.

IncompatibleAppsList
Latest version: 110.183.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing many known incompatible versions of third-party products.

SafariSupport
Latest version 16610.2.11.51.8.
This is a bundle on the Data volume at Library/Apple/System/Library/CoreServices/SafariSupport.bundle which contains nine Mach-O executables and ten property lists to support Safari.

Last updated: 28 June 2021.