Apple has just pushed updates to XProtect and XProtect Remediator security software. While XProtect is generally supported by macOS at least as far back as El Capitan, Remediator is only available for Macs running Catalina or later. Following successful update, XProtect should be brought up to version 2162, and XProtect Remediator to version 71.

Apple doesn’t release information about what this update adds or changes, and obfuscates the identities of malware detected by both apps using internal code names.

XProtect Remediator doesn’t add any new executable code modules on this occasion, but most interestingly, XProtect adds a new detection signature for malware code-named snowdrift, which is already the name of one of the modules in XProtect Remediator. This implies that, whatever malware this represents, is now detected by all updated versions of macOS, and remediated on those running Catalina and later. Stuart Ashenbrenner @stuartjash at Jamf has identified this as CloudMensis, detailed here by Jamf and here by ESET. This spyware was first discovered by ESET back in April 2022, and at that time was considered to have undergone very limited distribution.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Ventura available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.