Silently updated security data files in Monterey

Each of the main security services in macOS, like XProtect and MRT, relies on data which is commonly stored in separate files on the Data volume so that it can be updated easily outside of full macOS system updates. Most of these updates are pushed silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.

macOS Monterey brings only small changes from those in Big Sur. Currently, those most frequently updated are XProtect data files and MRT, which are generally pushed out on a 2 week cycle, although MRT isn’t always updated alongside XProtect.

This article details each of the main security data files found in macOS 12 Monterey, together with others involved in related system functions. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.

Main Security Data

Latest version: 17.0.0, 18 October 2021 (12.0.1 release).
This is a very long list of kernel extensions which are to be treated as exceptions to Big Sur’s security rules, and is stored on the Data volume in Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist.

MRT Configuration Data
Latest version: 1.85, 9 November 2021.
This is Apple’s Malware Removal Tool stored on the Data volume at Library/Apple/System/Library/CoreServices/, so that it can remove any malware which macOS detects. It doesn’t use a separate data file, instead embedding its details with the executable code. This is normally updated every 2-6 weeks. Further details are here.

Latest version: 1.0 2151, 16 September 2021.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle on the Data volume at Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/XProtect.meta.plist, Contents/Resources/XProtect.plist and Contents/Resources/XProtect.yara. New with Catalina was the SQLite database file named gk.db in its resources, whose purpose is unknown, and a large list of cdhashes in LegacyEntitlementAllowList.plist, which presumably allows code with those cdhashes to use legacy entitlements. This is linked to from the System volume via a symbolic link at /System/Library/CoreServices, and normally updated every 2 weeks.


Latest version: 1.0.8.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/CompatibilityNotificationData.bundle which contains CompatibilityNotificationData.plist, listing version ranges of third-party products which will be notified as being (in)compatible.

Core Services Application Configuration Data
Latest version: 120.72 (separate update after 12.0.1 release).
This is a bundle on the System volume at /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle, which is firmlinked to the Data volume, and contains a list of app exceptions in /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist

EFI Allow List
Latest version: no number.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Intel Macs without T2 chips. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here. Although this is still included in macOS Big Sur when installed on Intel Macs with T2 chips, and on Apple Silicon Macs, as eficheck can’t be used on them, it is functionless on those models.

Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, but can instead be 94.
This is an SQLite database on the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db which is now believed to provide whitelists for Gatekeeper’s security system, which checks the code signatures of apps. This hasn’t been updated for more than a year, and Macs which have never had Catalina or earlier installed normally have the very old version 94, indicating this database is no longer used in macOS 10.15 and later. Further details of checks are given here.

Gatekeeper E Configuration Data (GKE)
Latest version: 8.0.
This is an SQLite database on the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which are now believed to provide whitelists for Gatekeeper’s security system. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db was new in Catalina and hasn’t changed since then.

Latest version: 120.186.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing many known incompatible versions of third-party products. This hasn’t changed in Monterey.

Latest version: 17612.
This is a bundle on the Data volume at Library/Apple/System/Library/CoreServices/SafariSupport.bundle which contains nine Mach-O executables and ten property lists to support Safari, and the Passwords preference pane new to Monterey.

TCC Compatibility Bundle
Latest version: 150.19.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains AllowApplicationsList.plist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up. In Monterey, this is normally empty.

Last updated: 9 November 2021.