In the early morning (GMT), Apple pushed the first update to its new XProtect Remediator security software delivered outside a macOS update. This is now available for all Macs running Catalina, Big Sur, Monterey and Ventura. I don’t know whether this is also available for Mojave or earlier.
This update is listed as XProtectPayloads, with the label
XProtectPayloads_10_15-62, and is 10.497 MB in size. It brings XProtect.app in /Library/Apple/System/Library/CoreServices from version 2 to 62, a leap which might indicate that XProtect Remediator is now fully activated on supported Macs.
You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
Although current versions of my apps don’t list this new component in macOS, you can force an update using SilentKnight or LockRattler, or at the command line. SystHist does show the installation, though. I will be building new versions of SilentKnight, LockRattler and SystHist in the next couple of days to track these updates. I will also be updating my pages of information about security data for supported versions of macOS.
This update replaces XProtect.app adding two new tools, named XProtectRemediatorDubRobber and XProtectRemediatorGreenAcre. DubRobber, also known as XCSSET, is a particularly versatile and troubling Trojan dropper which has been tough to detect and eliminate because it changes so frequently to evade protection. It will be a good test of this new approach to malware detection and remediation in XProtect Remediator. As yet I’ve been unable to associate the other new component with any known malware.
This update also replaces property lists in /Library/Apple/System/Library for LaunchAgents/com.apple.XProtect.agent.scan.plist, LaunchAgents/com.apple.XprotectFramework.PluginService.plist, LaunchDaemons/com.apple.XProtect.daemon.scan.plist and LaunchDaemons/com.apple.XprotectFramework.PluginService.plist. Those control XProtect Remediator launching and scanning.
In case you missed it, earlier this week I explained in detail how XProtect Remediator is set to take over from Apple’s existing MRT for the remediation of known malware in recent versions of macOS. We are currently in the period of transition, during which both MRT and XProtect Remediator cover this task. I expect that, once Apple is content that this replacement does its job reliably, supported versions of macOS will rely on the protection provided by XProtect Remediator rather than MRT. We don’t yet know where that will leave older versions of macOS which remain supported only by MRT.
Updated 1240 17 June 2022, to add Catalina and Big Sur to the list of supported versions of macOS. Mojave and earlier remain unknown. Thanks to those who have provided this information