Silently updated security data files in Ventura

Each of the main security services in macOS, like XProtect, relies on data commonly stored in separate files on the Data volume so that they can be updated easily outside of full macOS system updates. Most of these updates are pushed silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.

Currently the most frequently updated is XProtect Remediator, which is normally pushed on a two-week cycle, on alternate Thursdays at around 1800 GMT.

This article details each of the main security data files found in macOS 13 Ventura, together with others involved in related system functions. Several other bundles which formerly had roles in security have now been emptied, or left frozen in time. Those are listed below for the sake of completeness. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.

Main Security Data

XProtectPayloads, alias XProtect Remediator
Latest version: 99, 8 June 2023.
This contains a suite of specialised malware detection and remediation tools, in the app bundle on the Data volume at /Library/Apple/System/Library/CoreServices. This was first installed with macOS 12.3, then version 62 was pushed to Catalina, Big Sur, Monterey and Ventura on 17 June 2022. Executables include a replacement for MRT, and a dozen specialised scanners for specific malware types. Initially these ran alongside MRT, but have now replaced it. Further details are here.

XProtect
Latest version: 1.0 2167, 30 March 2023.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle on the Data volume at /Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/XProtect.meta.plist, Contents/Resources/XProtect.plist and Contents/Resources/XProtect.yara. New with Catalina was the SQLite database file named gk.db in its resources, whose purpose is unknown, and a large list of cdhashes in LegacyEntitlementAllowList.plist, which presumably allows code with those cdhashes to use legacy entitlements. This is updated when required, now relatively infrequently.

AppleKextExcludeList
Latest version: 18.0.0, 18 October 2022 (13.0 release).
This is a huge list of kernel extensions which are to be treated as exceptions to Ventura’s security rules, and is stored on the Data volume in /Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist.


Core Services Application Configuration Data
Latest version: 130.75, 18 October 2022 (13.0 release).
This is a bundle on the System volume at /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle, and contains a list of app exceptions in /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist. This used to be firmlinked to /Library/Apple/System/Library/CoreServices/CoreTypes.bundle, but oddly that now links to XProtect data files, which appears to be a bug.

EFI Allow List
Latest version: no number.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Intel Macs without T2 chips. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here. Although this is still included in macOS installed on Intel Macs with T2 chips and on Apple silicon Macs, it is functionless on those models, as eficheck can’t be used on them.

IncompatibleAppsList
Latest version: 130.188 (13.0 release).
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing many known incompatible versions of third-party products.
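A quick way to audit whether a Mac has the versions listed above is to read each bundle’s Contents/Info.plist and compare it with the latest version quoted here. The script below is an added example, not part of this article or of any Apple tool; it assumes the version is held in CFBundleShortVersionString (adjust the key if your bundles use CFBundleVersion), that XProtect Remediator’s app bundle is named XProtect.app, and that the XProtect version of interest is the build number 2167.

```python
import plistlib
import tempfile
from pathlib import Path

# Latest versions quoted in the article (8 June 2023). Paths are those the article
# lists; the name XProtect.app is an assumption, as only its directory is given.
EXPECTED = {
    "XProtect Remediator": ("/Library/Apple/System/Library/CoreServices/XProtect.app", "99"),
    "XProtect": ("/Library/Apple/System/Library/CoreServices/XProtect.bundle", "2167"),
    "AppleKextExcludeList": ("/Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext", "18.0.0"),
    "AppExceptions": ("/System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle", "130.75"),
    "IncompatibleAppsList": ("/Library/Apple/Library/Bundles/IncompatibleAppsList.bundle", "130.188"),
}

def bundle_version(bundle):
    """Return the bundle's CFBundleShortVersionString, or None if absent or unreadable.
    Assumption: that Info.plist key carries the version the article quotes."""
    info = Path(bundle) / "Contents" / "Info.plist"
    try:
        with info.open("rb") as f:  # plistlib reads both XML and binary plists
            value = plistlib.load(f).get("CFBundleShortVersionString")
    except (OSError, plistlib.InvalidFileException):
        return None
    return None if value is None else str(value)

def version_tuple(v):
    """Split '130.188' into (130, 188) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def audit(expected=EXPECTED, root=""):
    """Compare installed versions with the article's; root lets a test point at a fake tree."""
    report = {}
    for name, (path, latest) in expected.items():
        found = bundle_version(root + path)
        if found is None:
            report[name] = "missing"
        elif version_tuple(found) >= version_tuple(latest):
            report[name] = "current"
        else:
            report[name] = f"outdated ({found} < {latest})"
    return report

def demo():
    """Constructed sample: a fake XProtect.bundle one build behind, in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp + EXPECTED["XProtect"][0]) / "Contents"
        fake.mkdir(parents=True)
        with (fake / "Info.plist").open("wb") as f:
            plistlib.dump({"CFBundleShortVersionString": "2166"}, f)
        subset = {k: EXPECTED[k] for k in ("XProtect", "XProtect Remediator")}
        return audit(subset, root=tmp)

if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name}: {status}")
```

Run it on a Mac to see the live report; demo() exercises the same logic against a constructed bundle so it can be checked anywhere.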

Vestigial Data

MRT
Latest version: 1.93, 29 April 2022.
This was Apple’s Malware Removal Tool stored on the Data volume at /Library/Apple/System/Library/CoreServices/, so that it could remove any malware which macOS detected. This has now been replaced by the XProtectRemediatorMRTv3 executable module in XProtect Remediator, and may disappear in future versions of Ventura.

TCC_Compatibility Bundle
Latest version: 150.19.
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains AllowApplicationsList.plist, which is normally empty.

Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, but can instead be 94.
This is an SQLite database on the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db, which may have been used to provide whitelists for Gatekeeper’s security system, which checks the code signatures of apps. Macs which have never had Catalina or earlier installed normally have the very old version 94, indicating this database is no longer used in macOS 10.15 and later.

Gatekeeper E Configuration Data (GKE)
Latest version: 8.0.
This is an SQLite database on the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which may have provided whitelists for Gatekeeper’s security system. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db was new in Catalina and hasn’t changed since then.

CompatibilityNotificationData
Latest version: 1.0.8.
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/CompatibilityNotificationData.bundle which contains CompatibilityNotificationData.plist, listing version ranges of third-party products which will be notified as being (in)compatible. This appears to have fallen into disuse and hasn’t been changed since macOS 10.15.

SafariSupport
Latest version: no number (empty).
This is an empty bundle on the Data volume at /Library/Apple/System/Library/CoreServices/SafariSupport.bundle which used to contain executables and property lists to support Safari and the Passwords preference pane.

Last updated: 8 June 2023.