hoakley August 23, 2021 Macs, Technology, Updates

Apple has pushed updates to XProtect and MRT

Apple has just pushed two updates, to the data files used by XProtect, bringing its version number to 2150 dated 23 August 2021, and to its malware removal tool MRT, bringing it to version 1.82, also dated 23 August 2021. These are the first security data updates since 28 June 2021.

Apple doesn’t release information about what these updates add or change, and obfuscates the identities of malware detected by XProtect using internal code names.

Changes found in the XProtect Yara definitions include the addition of one new signature for MACOS.7c241b4 (Adload/Climpi), replacement of MACOS.ef3df25 (Bundlore script) with MACOS.f5d33c9, replacement of MACOS.a9ea9b4 (Bundlore) with MACOS.8a20735 and changes in their signatures, and changes to the signature of MACOS.2afe6bd (Adload).

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan, Sierra, High Sierra, Mojave, Catalina and Big Sur, available from their product page. If your Mac has not yet installed this update, you can force an update using SilentKnight, LockRattler, or at the command line.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

I am grateful to Phil Stokes at Sentinel Labs for decoding of the obfuscated malware names here, and to Stuart Ashenbrenner at Jamf for identifying the new addition.

Postscript

Some users are reporting that certain old apps, including those from Citrix, RSA, Cisco and Pulse, stop working after installing these updates. This is because those apps rely somewhere on code signed against the Symantec CA, which is no longer trusted by Apple (and hasn’t been for some time). If one of these apps stops working on your Mac, you’ll need to refer to its vendor for an update which no longer relies on the untrusted Symantec CA. Until then, that app will be flagged as malware, and should be removed.

28Comments

Add yours

1

Jim MacDonald on August 23, 2021 at 7:21 pm

my gatekeeper seems woefully out of date… according to lockrattler I’m on ver 94 and should be on ver 181. how do I update it?

LikeLiked by 1 person
- 2
  
  hoakley on August 23, 2021 at 7:24 pm
  
  You don’t need to. Apple stopped updating it over 2 years ago and any Mac which didn’t get one of those old updates is now set at that old version. It’s function is now performed by OCSP.
  Howard
  
  LikeLike
  - 3
    
    Jim MacDonald on August 23, 2021 at 7:28 pm
    
    ahhh thanks….
    
    LikeLiked by 1 person
4

frogola on August 24, 2021 at 3:01 am

How to force an update using the command line? Running Big Sur 11.5.2 on Intel. Thank you for your attention.

LikeLiked by 1 person
- 5
  
  hoakley on August 24, 2021 at 8:44 am
  
  The easy answer is to use my free SilentKnight, but if you want to do it manually
  softwareupdate -ia –include-config-data
  will download and install all pending system updates.
  Howard.
  
  LikeLike
6

alvarnell on August 24, 2021 at 3:03 am

Note that both the XProtect and MRT updates were ready to go back on Aug 5!

LikeLiked by 1 person
- 7
  
  hoakley on August 24, 2021 at 8:44 am
  
  Thank you. I suspect there’s a story behind that!
  Howard.
  
  LikeLike
8

Nagesh on August 24, 2021 at 5:50 pm

From today, I am noticing non notarized applications are not running. Any one noticing that?

LikeLiked by 1 person
- 9
  
  hoakley on August 24, 2021 at 6:15 pm
  
  I’m not aware of that here, but seldom run non-notarised apps.
  Can you give us any more info: which macOS? Intel or M1? Just quarantined code or whenever it’s run? What’s the error message? Have you looked in the log? Which app(s)?
  Howard.
  
  LikeLike
10

Chris L. on August 24, 2021 at 9:29 pm

Today (24 Aug 2021) the RSA SecurID app, probably version 4.2.1, stopped working suddenly. Does that imply the SecurID app is not notarised? What does that mean in practice? And how does the problem get fixed again?

LikeLiked by 1 person
- 11
  
  hoakley on August 24, 2021 at 9:33 pm
  
  This is a problem with RSA using QtCore 5 framework with a signature which relies on Symantec CA, which is no longer accepted. Please contact RSA who should be able to help.
  Howard
  
  LikeLike
12

satya on August 25, 2021 at 3:51 am

how to exclude Symantec CA cert validation in xProtect?

LikeLiked by 1 person
- 13
  
  hoakley on August 25, 2021 at 6:59 am
  
  Thank you.
  This has nothing to do with XProtect, which isn’t concerned with certificates. The problem with Symantec CAs is that they are now distrusted by macOS. AFAIK there’s nothing that you can do to change that. Anything that you have which relies on them will now fail when checked. You need to contact the vendor and get an updated version which doesn’t rely on Symantec CAs.
  Howard.
  
  LikeLike
14

EcleX on August 25, 2021 at 7:15 am

Many thanks! I do not know if this is genuine, but after updating XProtect and MRT with SilentKnight, shutting down the Mac overnight and cold booting in the morning, I got this warning:

“ServiceRecords.app” will damage your computer.
This file was downloaded on an unknown date.
Report malware to Apple to protect other users.
OK

Yet, the small warning prompt window keeps on showing forever after clicking OK.

ServiceRecords lives in “/usr/local/libexec/ServiceRecords.app”. Selecting “File – Get Info” reveals that ServiceRecords is made by Citric:

Copyright © 2015 Citrix. All rights reserved.

I wonder if this is genuine or a bogus warning, and how to fix it.

LikeLiked by 1 person
- 15
  
  hoakley on August 25, 2021 at 7:23 am
  
  Thank you. This is nothing to do with XProtect or MRT, although probably results from a certificate check on your Citrix software. The reason is that software relies on trusting a Symantec CA, which is now no longer trusted. Therefore macOS security has blocked it. You’ll need to contact Citrix to obtain a replacement, as macOS no longer runs any software signed against a Symantec CA.
  Howard.
  
  LikeLike
  - 16
    
    EcleX on August 25, 2021 at 8:12 am
    
    Thanks for the quick reply. For the record, in case it may be helpful to someone else, Receiver (Citrix) was renamed as Workspace. I updated to the latest version and all was fixed (the updater also deleted-updated older files):
    
    Citrix Workspace app 2108 for Mac
    Release Date: Aug 10, 2021
    https://www.citrix.com/downloads/workspace-app/mac/workspace-app-for-mac-latest.html
    
    After updating I shut down the Mac and cold booted. No more warnings.
    
    LikeLiked by 1 person
17

Christian on August 25, 2021 at 1:05 pm

Hi!
Thanks for all your work! 🙂
Here on 10.11.6:
❌ XProtect 2148 should be 2150
❌ MRT 1.79 should be 1.82
SIP is enabled and all the rest is up to date (✅ everywhere in SilentKnight). I even tried softwareupdate -ia –include-config-data but XProtect and MRT seem stuck to the previous values no matter what I try… 😦
Did Apple forget El Capitan?

LikeLiked by 1 person
- 18
  
  hoakley on August 25, 2021 at 1:07 pm
  
  Did your Mac see these updates? Did it install them?
  Howard
  
  LikeLike
  - 19
    
    Christian on August 26, 2021 at 10:40 am
    
    Apparently not. LockRattler’s “List all pending updates” says:
    Software Update Tool
    Copyright 2002-2015 Apple Inc.
    Finding available software
    No new software available.
    
    And Info System/Software/Installations shows nothing new — although I can see the former:
    XProtectPlistConfigData :
    Version : 2148
    Source : Apple
    Date d’installation : 12/06/21 10:42
    and
    MRTConfigData :
    Version : 1,79
    Source : Apple
    Date d’installation : 29/05/21 14:02
    
    LikeLiked by 1 person
    - 20
      
      hoakley on August 26, 2021 at 11:38 am
      
      Oh dear, that’s worrying.
      In El Capitan, the correct command to download and install all updates is
      sudo softwareupdate -ia
      following which you’ll need to enter your password, and that’s what LockRattler and SilentKnight use.
      However, if that’s not showing any updates due, it may be that Apple has stopped making them available to El Capitan. If you can confirm that, I’ll put out a tweet to see if anyone else knows anything (which does sometimes catch the right eye!).
      Howard.
      
      LikeLike
    - 21
      
      Christian on August 26, 2021 at 12:37 pm
      
      sudo softwareupdate -ia gives “No updates are available”.
      I’ve tried on another relatively clean 10.11 on the same computer that has never been updated (SIP wise) and it gives:
      System Integrity Protection status: enabled.
      
      XProtect blacklist assessments enabled
      XProtect version (/System/Library/CoreServices/XProtect.bundle) 2095
      Last installed update No update installed
      Gatekeeper version (/private/var/db/gkopaque.bundle) 48
      Last installed update No update installed
      KEXT block version (/System/Library/Extensions/AppleKextExcludeList.kext) 3.30.1
      Last installed update No update installed
      MRT version (/System/Library/CoreServices/MRT.app) 1.0
      Last installed update No update installed
      Last installed macOS update No update installed
      Last installed security update No update installed
      macOS Version 10.11.6 (Build 15G22010)
      Firmware version installed 422.0.0.0.0
      Software update checks:
      Software Update Tool
      Copyright 2002-2015 Apple Inc.
      
      Finding available software
      Software Update found the following new or updated software:
      * RAWCameraUpdate6.21-6.21
      MÀJ de la compatibilité avec le format RAW des appareils photo numériques (6.21), 7705K [recommended]
      * iTunes Device Support Update-
      Mise à jour iTunes pour la prise en charge d’appareils ( ), 105805K [recommended] [restart]
      * iTunesX-12.8.2
      iTunes (12.8.2), 273614K [recommended]
      
      FileVault is Off.
      Firmware password: not tested
      Software update: Automatic check is on.
      Checked by LockRattler 4.30 at 2021-08-26 12:17:02 +0000
      
      Tested same computer with 10.14 OS partition: all updates perfectly.
      Tested another computer with 10.11, just in case: no way.
      So I think we can assume Apple has stopped making them available to El Capitan. 😦
      Is there anyway to download them manually? (like updates at https://swscan.apple.com) I guess the ones that download in 10.14 won’t install in 10.11 if I copy them?
      It’s a pity because I’ve discovered you only a few months ago and I’ve always had all my computers with those updates disabled before that… 😉
      
      LikeLiked by 1 person
    - 22
      
      hoakley on August 26, 2021 at 1:02 pm
      
      Thank you for the additional checks.
      El Capitan does have a strange bug in Software Update, in which turning off automatic updates can prevent any updates from being seen. But that doesn’t happen by itself, and the report you give states that automatic update is on, so I think this needs further information. I’ll see if anyone else knows anything, and report back.
      I’m afraid that there’s nowhere else that users can obtain copies of these updates – they’re pushed through softwareupdate, and not available for users to download, although corporate customers may have an alternative in the SUS system.
      Howard.
      
      LikeLike
  - 23
    
    Christian on August 26, 2021 at 1:53 pm
    
    I’ve got interesting news! 🙂
    • While updating a 10.14 partition I was fast enough to copy MRTConfigData_10_14.pkg from /Library/Updates/ and installed it successfully in 10.11!
    • I wasn’t fast enough though to grab the installer for XProtect.bundle, but I’ve copied XProtect.bundle from 10.14 through the Root user in 10.11 and your utility shows the updated info!
    XProtect version (/System/Library/CoreServices/XProtect.bundle) 2150
    …
    MRT version (/System/Library/CoreServices/MRT.app) 1.82
    
    Is there any way to check if the OS really uses them or do you think it’s enough that the versions are seen as correct?
    
    LikeLiked by 1 person
    - 24
      
      hoakley on August 26, 2021 at 7:00 pm
      
      Hurrah! Well done!
      The version numbers are straightforward: XProtect is set by the version of the bundle, and MRT is the app version number. If you want to check them in action, restart your Mac and open Activity Monitor quickly. You should see both of them high in the CPU usage as they do an initial scan in the first minute or so.
      Howard.
      
      LikeLike
  - 25
    
    Christian on August 27, 2021 at 8:29 am
    
    Thanks, Howard, for your precious information!
    To sum up my final procedure (if anyone faces the same situation):
    – update a 10.14 partition with “softwareupdate -da –include-config-data” so you can grab the files from /Library/Updates/
    – install MRTConfigData_10_14.pkg and XProtectPlistConfigData_10_14.pkg in 10.11; alternatively, directly copying MRT.app and XProtect.bundle (through 10.11’s Root user) seems to work too.
    Further inquiries needed to check if the files are exactly the same across all MacOS versions, but at least I can confirm it works from 10.14 to 10.11.
    
    And Howard, if you find it interesting to make an article about this trick in your Mac Problems section, you obviously have my approval. 🙂
    
    LikeLiked by 1 person
    - 26
      
      alvarnell on August 27, 2021 at 10:04 am
      
      FYI, there are now only two versions of XProtect and MRT. The XProtect 10_14 pkg is for Mavericks through Mojave and the MRT 10_14 pkg is for El Capitan through Mojave. Both of the 10_15 pkgs are currently for Catalina and Big Sur.
      
      LikeLiked by 1 person
    - 27
      
      hoakley on August 27, 2021 at 10:07 am
      
      Thank you. Maybe the push didn’t work for some El Capitan systems?
      Howard
      
      LikeLike
    - 28
      
      Christian on August 27, 2021 at 11:59 am
      
      Thanks alvarnell! 🙂
      
      LikeLiked by 1 person