hoakley April 15, 2022 Macs, Technology

How should security data updates work?

Thank you to all who have responded to my first article concerning MRT updates being installed repeatedly. It’s clear from your responses that many of you are seeing this, but in almost every case this is normal. Let me explain.

MRT and XProtect, the main updatable security tools in recent macOS, are pushed independently of macOS updates and Security Updates. In the normal run of events, you’d expect to see an update sequence such as:
2021-10-26 macOS 12.0.1 2021-11-09 MRT 1.85 2021-12-13 macOS 12.1 2021-12-16 XProtect 2153 2022-01-20 MRT 1.86 2022-01-26 macOS 12.2 2022-01-26 XProtect 2154 2022-02-03 MRT 1.88 2022-02-03 XProtect 2155 2022-02-10 macOS 12.2.1
and so on.

Sometimes, macOS updates and Security Updates install versions of MRT or XProtect which are already out of date. This had been quite common in the past, but Apple has improved considerably in Monterey. However, it’s still not uncommon with Security Updates. In that case, once the Security Update has been installed, the current version of MRT or XProtect has to be reinstalled. You might then see (a hypothetical example):
2022-02-03 MRT 1.88 2022-02-03 XProtect 2155 2022-02-10 macOS 12.2.1 2022-02-10 MRT 1.88 2022-02-10 XProtect 2155
where each version of MRT and XProtect get installed twice.

The next complication occurs when you have automatic security data updates enabled and use SilentKnight or LockRattler too. If you run those straight after one of those Security Updates, you might choose to manually install the updates offered, unaware that softwareupdate is about to do the same. If that happens, you could see (hypothetically):
2022-02-03 21:16:27 MRT 1.88 2022-02-10 18:49:55 macOS 12.2.1 2022-02-10 19:34:02 MRT 1.88 2022-02-10 19:34:23 MRT 1.88
Note how close together those two re-installs of MRT 1.88 are.

When this system is malfunctioning, what you’ll see is very different, and more like
2022-02-03 21:16:27 MRT 1.88 2022-02-10 18:49:55 macOS 12.2.1 2022-02-10 19:34:02 MRT 1.88 2022-02-11 10:52:23 MRT 1.88 2022-02-14 08:11:05 MRT 1.88 2022-02-18 17:41:33 MRT 1.88
and so on.

In that case, MRT was updated again to 1.88 following the macOS update, but for an unknown reason, it keeps on being updated repeatedly. Explaining why that’s happening is important, as one cause could be that something is damaging or removing MRT, in which case it may not be available to do its job by detecting and removing malware. That would be serious.

There are two other phenomena that you’re seeing when studying the results from SystHist: missing updates from the right panel, and additional updates possibly for other systems, notably in the left panel.

Unlike the left and centre panels, the list in the right is built from installer receipts created when an installer has finished. Prior to Catalina, those were stored as a ‘Bill of Materials’ (BoM) in the folder /System/Library/Receipts, but with the use of the System Volume Group in Catalina and later, that location became read-only. Eventually, BoM files were written to /Library/Apple/System/Library/Receipts, but for most systems there are large gaps during 2020-21, and this list has only become reliable again in Monterey.

The left and centre panels take their data from a different source, the Property List file at /Library/Receipts/InstallHistory.plist, which should contain entries for all installations performed by Installer and its equivalents when that system was running. Some users report that it may also contain entries for other updates, which appear confusing. For example, it might mix Security Updates for an older macOS with updates for Monterey. That shouldn’t happen, as those two sets of updates should occur when booted into different systems, and be recorded in their own local InstallHistory.plist files. I’m not sure why this is happening on some Macs.

I hope this has made clear the different patterns seen in software update histories, and how some apparently strange patterns can occur. Most of all, I hope this has shown the pattern of repeated updates which is pathological, and could indicate that macOS security isn’t working properly.

12Comments

Add yours

1

EcleX on April 15, 2022 at 7:14 am

Thanks. When “Apple – About – This Mac – Software Update – Automatically keep my Mac up to date” and “- Advanced – Automatically” are NOT checked (selected), macOS updates and upgrades may not install security updates, firmware, etc. Even re-installing macOS through recovery mode may install older versions of security updates, etc than the ones previously installed. I wonder why Apple does it. Yet, then SilentKnight finds and installs them.

I do not have such macOS updates automatic, because sometimes they may cause trouble (I remember now a MRT one that drove CPU to the roof, as shown by MenuMeters), and updating manually makes it easier to identify culprits.

LikeLiked by 1 person
- 2
  
  hoakley on April 15, 2022 at 5:33 pm
  
  Thank you. I use the same settings too.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on April 16, 2022 at 6:25 am
    
    Thanks. And why SilentKnight is needed to install such updates? Why Apple – About – This Mac – Software Update” or macOS updates and upgrades do not install them?
    
    LikeLiked by 1 person
    - 4
      
      hoakley on April 16, 2022 at 6:48 am
      
      That’s the way that these security data updates work – you either have them on automatic, or not at all. Unlike more substantial macOS updates, they don’t get queued in Software Update, so the only alternative to auto updates is to detect and install them manually. That’s our choice.
      Howard.
      
      LikeLike
    - 5
      
      EcleX on April 16, 2022 at 10:45 am
      
      Thanks. All understood now. But that is a bad implementation by Apple. It is fine that macOS does not install such security updates automatically, since automatic updates are turned off. But when you manually check for updates, they show show. And then allow to install them. And when manually updating or upgrading macOS, all available security updates should also install (now they do not even show). And when re-installing macOS using Recovery Mode, they should also install. And in such later scenario, they should also install previously manually installed security updates (now they are downgraded).
      
      It is shocking that Apple says that the Mac security is unacceptable and below iOS one, yet does not fix the above serious flaws in macOS.
      
      Fortunately, the great SilentKnight fixes all those issues, but many Mac users may not know about it, being unprotected.
      
      LikeLiked by 2 people
    - 6
      
      hoakley on April 16, 2022 at 7:23 pm
      
      I don’t agree. Apple recommends that all users allow automatic updates, which will correctly install the updates that are necessary. If you choose not to, then the onus is on you to provide your own means to support that. Some users combine both, and have auto updates enabled as well as using SilentKnight, and there’s nothing wrong with that approach either. SilentKnight doesn’t do anything magic – you could do exactly the same yourself using command tools if you prefer. Where SilentKnight is unique is in checking installed versions and firmware to see whether they are current, which macOS can’t do, and Apple doesn’t even publish lists to help users do this manually. But, as it advises users to update automatically, that’s fine with me.
      Howard.
      
      LikeLiked by 1 person
    - 7
      
      EcleX on April 17, 2022 at 6:37 am
      
      Thanks. Automatic update installations are not an option for me (not only with macOS, but also with any application), because sometimes they generate serious problems. They might be not common, but may happen and actually do happen. And when they hit, they may break your productivity workflow. So, automatic updates may be an option for other Macs, but not for production ones.
      
      I have learned that the hard way. For instance, when the iTunes update prevented booting (and if then the user tried to repair, all disk content was lost) to the recent MRT one that sent CPU to the roof. When the updates are manual, you know what you did and troubleshooting is much, much, much easier. That is what I meant.
      
      So, Apple should allow to perform full and complete macOS updates, including security ones, whenever the user checks for updates, independently from the automatic or manual setting of macOS updates. It is shocking that Apple does not allow that.
      
      Finally, we are in Mac, and most users do not know about these things or command-line interface (which, on the other hand, could be dangerous if you do not know what you are doing, trust any command published on Internet, or make mistakes when typing commands). That is the main reason people use Macs: the Graphical User Interface (GUI); otherwise many would be using Windows or Linux.
      
      LikeLiked by 2 people
    - 8
      
      hoakley on April 17, 2022 at 7:17 pm
      
      Thank you.
      Apple provides support for the things it recommends. It recommends allowing automatic updates. Apple is not obliged to provide support for alternatives which users may choose instead of its recommendations. In this case, you and I choose not to follow Apple’s recommendations. That’s our choice, not Apple’s. Therefore the responsibility is on us to make suitable alternative arrangements. In this case, you have SilentKnight or silnite to help. I don’t see what your issue is – we make many similar choices about which backup software we use, and much else.
      Howard.
      
      LikeLiked by 1 person
9

Maurizio on April 16, 2022 at 6:57 am

Sorry for the question , but , wich updatates are not included in with the option softwareupdate -l –include-config-data ?

it show me MRT and Xprotect as elegible updates , is there something missing ?

LikeLiked by 1 person
- 10
  
  hoakley on April 16, 2022 at 8:35 am
  
  All pending updates are listed by that command. Those include all classed as ‘config data’, which extends beyond MRT and XProtect to include all security data updates, miscellaneous other updates, and macOS updates. It doesn’t, of course, include App Store app updates with the exception of Safari Technology Preview, which is included.
  Howard.
  
  LikeLike
  - 11
    
    Maurizio on April 16, 2022 at 8:59 am
    
    Thank you so much , I really appreciate your effort to disclose all those little details. Most of them are not well documented ,a lot of inference is needed to understand the real behavior
    
    LikeLiked by 1 person
    - 12
      
      hoakley on April 16, 2022 at 7:18 pm
      
      Thank you.
      Howard.
      
      LikeLiked by 1 person

·Comments are closed.

Share this:

Related