hoakley June 30, 2022 Macs, Technology, Updates

Apple has pushed updates to XProtect and XProtect Remediator

Apple has just pushed updates to XProtect and XProtect Remediator security software. While XProtect is generally supported by macOS at least as far back as El Capitan, Remediator is only thought to be available for Macs running Catalina or later. Following successful update, XProtect should be brought up to version 2161, and XProtect Remediator to version 64.

Apple doesn’t release information about what this update adds or changes, and obfuscates the identities of malware detected by both apps using internal code names.

Changes in the XProtect Yara detections add new detection signatures for MACOS.644e18d and MACOS.cbb1424, neither of which appears to have been identified previously. According to Stuart Ashenbrenner, the first of those is Proxit/TrojanProxy, and the other is a variant of WizardUpdate/AdAgent.

XProtect Remediator adds two more executable code modules apparently to address ‘ToyDrop’ and ‘WaterNet’, whatever they might be.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Ventura available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

I have yet again experienced problems with my Content Caching Server delivering updates which won’t install properly, even after turning caching off, flushing the cache, and turning it back on again. If you’re running your own local server, you may find you have to turn it off before you can get these updates to install successfully.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

8Comments

Add yours

1

Geroge on June 30, 2022 at 10:53 pm

Does SilentKnight automatically install XProtect updates after downloading, or do we have to manually install them from MacintoshHD>Library>Updates every time? The most resent XProtect updates downloaded fine, but I had to install them manually.

LikeLiked by 1 person
- 2
  
  hoakley on June 30, 2022 at 10:58 pm
  
  Thank you.
  That’s because you have changed the app’s settings so that it only downloads and doesn’t install them. This is explained in the Help reference, and this article makes it even clearer.
  I hope that fixes it for you.
  Howard.
  
  LikeLike
3

DaveG on July 1, 2022 at 2:48 am

Had the same problem as you with the caching server.

LikeLiked by 1 person
4

EcleX on July 1, 2022 at 7:15 am

Thanks. Curiously, right after updating macOS 12.4 (21F79) Monterey (model Identifier iMac18,3, mid 2017 Intel x86) with SilentKnight to the XProtect and XProtect Remediator indicated in the article above, I got the following warning when opening a web page with Safari 15.5 (17613.2.7.1.8) and clicking (that was required) its URL:

———————————
Compromised Password
The password for your “whatever.com” account has appeared in a data leak, putting your account at high risk of compromise. Safari can help you resecure your account.
———————————

But after a few minutes, such warning no longer shows. So, I understand that it was a bogus warning while XProtect/XProtect Remediator were doing something.

LikeLiked by 1 person
- 5
  
  hoakley on July 1, 2022 at 7:18 am
  
  I don’t think so. That’s a warning notification from the password manager, not a scan for malicious software.
  Try opening the Password pane and checking it there.
  Howard
  
  LikeLike
6

EcleX on July 1, 2022 at 8:52 am

Thanks. I forgot to say that it happened with any web page that I opened. As said, that no longer shows. You are right. It shows at “Apple – System Preferences – Passwords” as “Compromised, easily guessed password”.

But weird enough, it corresponds to an older URL that no longer works. The “Keychain Access – login – All Items” showed two entries for such site. One of them corresponds to a short older password (the one generating the warning), and the other newer one corresponds to a stronger larger password. I have deleted the older one, although, as said, such web site is no longer available.

LikeLiked by 1 person
7

Alberto.G on July 3, 2022 at 4:13 pm

Once again, the two updates XProtect version 2161 and XProtect Remediator version 64 are not automatically installed.
The previous time, following his advice, I managed to install versions 2160 and 62 by starting the Mac in safe or safe mode.
I repeated the same Mac functionality with the last two versions, but nothing to do! Updates not installed.
I ask if there is the possibility of forcing the installation of the two security software with a Terminal command.
Thanks Howard.

LikeLiked by 1 person
- 8
  
  hoakley on July 3, 2022 at 4:37 pm
  
  I’m sorry to hear that.
  Full details of your options are in this article. If the updates are downloading but failing to install, this article explains what to do.
  I wish you success.
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Related