How often has your Mac downloaded each update to Apple’s Malware Removal Tool, MRT? That may seem an odd question, but I’ve just come across some who report that their Macs download and install multiple copies of each version. So far the record is a total of 15 downloads of the current version, MRT 1.91. That seems a little extreme by any standards.

One problem is that this isn’t easy to discover using regular features. macOS only lists those updates in the Installations section of System Information, where it’s not readily noticed. My apps SilentKnight and LockRattler can arouse suspicion, but to see the full picture you’ll need to run my free utility SystHist.

SystHist details all system software updates, including those of MRT, in three panels.

–1

On the left, the panel concentrates on macOS updates, but you can open each of its disclose marks to reveal intermediate updates. In the screenshot above I’ve highlighted those, which in this case trace MRT from version 1.84 up to 1.91, with each version being installed just once.

In the middle panel is a simple list of updates in chronological order. Again, I’ve highlighted those for MRT, which start with 1.79 towards the bottom and ascend to 1.91 at the top.

The third panel, at the right, is based on a different list of updates, for which your Mac still has a ‘bill of materials’. or BOM file, detailing everything that was installed in each update. The filenames given are those of the BOM files, which usually don’t reveal their true version number, just the filename on Apple’s software update server. Again, the highlighted entries for MRT are for single updates which tally with the other two panels.

To my great surprise, users are now reporting that they get multiple entries for each version of MRT installed. One who’s still running macOS Sierra has sent me a screenshot showing 15 downloads of MRT 1.91, seven of 1.90, and at least ten of 1.88 (1.89 was never released). I’ve never seen anything like this before on a Mac.

There are three possible explanations for these multiple downloads and installs:

• These MRT updates are failing to install successfully. Thus, each time that softwareupdate sees the latest version, it downloads and installs it, but that doesn’t perform the expected update.
• The installed copy of MRT is being deleted or damaged, so the next time that softwareupdate checks the version installed, it can’t find the current one.
• softwareupdate (or softwareupdated) is broken, and is failing to recognise the installation of the new version of MRT.

It’s also significant that this only affects MRT, and not XProtect or other software.

In theory, it should be possible to distinguish these using SilentKnight or LockRattler: if they demonstrate that MRT is being correctly updated, then only the last of those could be the cause. If that’s true, then this appears to be a serious bug for Apple to deal with, in a version of macOS which is no longer supported, even for security updates.

The final check in that case is to reinstall macOS. If that doesn’t fix it, we need to draw Apple’s attention to what is most likely a bug.

I’d be very grateful if you could let me know, by commenting here, if you’re seeing multiple installs of MRT, XProtect, or any other macOS software, with the version of macOS affected, please. If this problem does appear to be more general, we need to let Apple know soonest. MRT is an important security tool in macOS, and it must function properly, however old that version of macOS is.

I am very grateful to Rick, who brought me this strange problem.