Last Week on My Mac: Time for a fresh SilentKnight

A great deal has happened in macOS over the last six years, since I first hacked a little app to check whether System Integrity Protection (SIP) was enabled. The reason was that Apple had delivered a batch of MacBook Pros with SIP disabled, and there was no easy way for a user to tell whether theirs might be affected. From that grew LockRattler, extending that check to cover XProtect, MRT, Gatekeeper and FileVault.

A couple of years later, with Mojave, Apple changed the way it numbered firmware versions, and LockRattler started taking a more serious look at Mac firmware. This proved a user-facing companion to Apple’s own eficheck.

Recognising the difficulty of manually checking whether your Mac’s firmware was up to date, my next idea was EFIcienC, whose first beta appeared in early July 2019.

Later that month it changed into the intended successor to LockRattler, SilentKnight.

To the best of my knowledge, this was the first time that a Mac app could check so many facets of security, from firmware to SIP status and MRT version.

Of the security data items covered by SilentKnight’s checks, two have now fallen by the wayside. While Gatekeeper checks are more important than ever, the Gatekeeper databases fell into disuse some years ago, and in modern Macs are set to an ancient version, leading to much confusion.

Then, in April this year, Apple abandoned its malware removal tool MRT, in preference for its new ‘XProtect.app’ which has come to be known as XProtect Remediator, from the names of its scanning modules. Unlike MRT, when XProtect Remediator runs detection scans it writes its reports into the unified log, allowing apps like my own XProCheck to report whether it has detected malware or tried to remediate it.

Other additions for SilentKnight have come with Apple silicon Macs, and the firmware for the Apple Studio Display. What SilentKnight needs to do now for macOS Catalina and later is very different to what it has done so successfully for older versions of macOS, over the past three years.

Over the last couple of weeks, I have been working on a new version of SilentKnight to cater for all Macs running Catalina and later. Among its goals are:

  • to make better use of XProtect Remediator, without duplicating the fuller features of XProCheck;
  • to rebalance coverage of other security data for recent versions of macOS;
  • to implement a proper Preferences/Settings dialog.

The aim is thus to freshen up SilentKnight so that it is fit for our needs over the next couple of years.

I’ve completed the coding and local testing now, and am busy providing updated documentation. I intend making the new version available tonight, with its formal release on Monday morning.

For those still needing support for Mojave and earlier, SilentKnight 1.21 will remain available from its product page. I’ve put version 2 on a separate update stream, so if you do want to stay with 1.21 you won’t be nagged to update.

silnite, the command tool companion to SilentKnight, is also due an update soon. I don’t intend changing the older LockRattler for the time being. If you have any preferences (or settings, perhaps?) please let me know.

SilentKnight version 2.0 will be compatible with macOS Catalina and later, including macOS 13 Ventura. To get most benefit from it, I recommend that it’s run from an admin user account, which allows it to check XProtect Remediator scans in the log, but it should also run fine from a normal user account. I hope you find it as useful in the future as it has been in the past.