Apple has pushed an update to XProtect

Overnight, Apple has pushed an update to the data files used by XProtect, bringing its version number to 2148, dated 11 June 2021.

Apple doesn’t release information about what this update adds or changes, and obfuscates the identities of the malware it detects by using internal code names.

There are just two changed signatures in the XProtect YARA definitions: MACOS.1db9cfa (XCSSET variants, which Apple had named DUBROBBER.D) and MACOS.6eaea4b (XCSSET variants, which Apple had named DUBROBBER.E), both of which have additional matches added. No signatures for new malware appear to have been added.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan, Sierra, High Sierra, Mojave, Catalina and Big Sur, available from their product page. If your Mac has not yet installed this update, you can force an update using SilentKnight, LockRattler, or at the command line.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

I am grateful to Phil Stokes at Sentinel Labs for decoding of the obfuscated malware names here. Thanks to Al for telling me of this update.