Silently updated security data files in Ventura

Each of the main security services in macOS, like XProtect, relies on data commonly stored in separate files on the Data volume so that they can be updated easily outside of full macOS system updates. Most of these updates are pushed silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.

Currently, that most frequently updated is XProtect Remediator, which is normally pushed on a 2 week cycle, on alternate Thursdays at around 1800 GMT.

This article details each of the main security data files found in macOS 13 Ventura, together with others involved in related system functions. Several other bundles which formerly had roles in security have now been emptied, or left frozen in time. Those are listed below for the sake of completeness. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.

Main Security Data

XProtectPayloads, alias XProtect.app and XProtect Remediator
Latest version: 99, 8 June 2023.
This contains a suite of specialised malware detection and remediation tools, in the app bundle XProtect.app on the Data volume at /Library/Apple/System/Library/CoreServices. This was first installed with macOS 12.3, then version 62 was pushed to Catalina, Big Sur, Monterey and Ventura on 17 June 2022. Executables include a replacement for MRT, and a dozen specialised scanners for specific malware types. Initially these ran alongside MRT, but have now replaced it. Further details are here.

XProtectPlistConfigData
Latest version: 1.0 2167, 30 March 2023.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle on the Data volume at /Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/XProtect.meta.plist, Contents/Resources/XProtect.plist and Contents/Resources/XProtect.yara. New with Catalina was the SQLite database file named gk.db in its resources, whose purpose is unknown, and a large list of cdhashes in LegacyEntitlementAllowList.plist, which presumably allows code with those cdhashes to use legacy entitlements. This is updated when required, now relatively infrequently.

AppleKextExcludeList
Latest version: 18.0.0, 18 October 2022 (13.0 release).
This is a huge list of kernel extensions which are to be treated as exceptions to Ventura’s security rules, and is stored on the Data volume in /Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist.

Others

Core Services Application Configuration Data
Latest version: 130.75, 18 October 2022 (13.0 release).
This is a bundle on the System volume at /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle, and contains a list of app exceptions in /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist. This used to be firmlinked to /Library/Apple/System/Library/CoreServices/CoreTypes.bundle, but oddly that now links to XProtect data files, which appears to be a bug.

EFI Allow List
Latest version: no number.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Intel Macs without T2 chips. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here. Although this is still included in macOS when installed on Intel Macs with T2 chips, and on Apple Silicon Macs, as eficheck can’t be used on them, it is functionless on those models.

IncompatibleAppsList
Latest version: 130.188 (13.0 release).
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing many known incompatible versions of third-party products.

Vestigial Data

MRTConfigData
Latest version: 1.93, 29 April 2022.
This was Apple’s Malware Removal Tool stored on the Data volume at Library/Apple/System/Library/CoreServices/MRT.app, so that it could remove any malware which macOS detected. This has now been replaced by the XProtectRemediatorMRTv3 executable module in XProtect Remediator, and may disappear in future versions of Ventura.

TCC_Compatibility Bundle
Latest version: 150.19.
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains AllowApplicationsList.plist, which is normally empty.

Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, but can instead be 94.
This is an SQLite database on the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db may have been used to provide whitelists for Gatekeeper’s security system, which checks the code signatures of apps. Macs which have never had Catalina or earlier installed normally have the very old version 94, indicating this database is no longer used in macOS 10.15 and later.

Gatekeeper E Configuration Data (GKE)
Latest version: 8.0.
This is an SQLite database on the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which may have provided whitelists for Gatekeeper’s security system. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db was new in Catalina and hasn’t changed since then.

CompatibilityNotificationData
Latest version: 1.0.8.
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/CompatibilityNotificationData.bundle which contains CompatibilityNotificationData.plist, listing version ranges of third-party products which will be notified as being (in)compatible. This appears to have fallen into disuse and hasn’t been changed since macOS 10.15.

SafariSupport
Latest version: no number (empty).
This is an empty bundle on the Data volume at /Library/Apple/System/Library/CoreServices/SafariSupport.bundle which used to contain executables and property lists to support Safari and the Passwords preference pane.

Last updated: 8 June 2023.

2Comments

Add yours

1

Colstan on October 30, 2022 at 6:22 am

Thanks for this detailed article, Howard. I’ve learned far more about macOS security from you over the years than I have from Apple itself. Two things.

1. Why do you think Apple keeps these old databases around if they are no longer being used? Is it for compatibility, the possibility for use in the future, not worth putting engineering resources into, or another reason entirely? I realize that you can only speculate, but I am curious about your thoughts.

2. A small, unimportant typo in “XProtectPayloads”. You have this sentence, “Initially these ran alonside MRT, but have now replaced it.” I believe there’s a missing “g” in what should be “alongside”.

As always, thank you for the time and effort you put into informing Mac users, as well as your excellent software utilities. SilentKnight is particularly indispensable.

LikeLiked by 1 person
- 2
  
  hoakley on October 30, 2022 at 8:15 am
  
  Thank you – and for drawing attention to my typo, which I have now fixed.
  I think the reasons vary. Apple might want to keep MRT around as it’s the only malware removal tool for macOS prior to Catalina, and if it did want to fix a universal problem like the old Zoom web server vulnerability, it’s still the only way to do it. Others might be retained because some old software might still rely on them. But there are some that would appear to be suitable for removal. Maybe they’re deprecated, but as Apple can’t declare their deprecation, they’re just left?
  Howard.
  
  LikeLike

Main Security Data

Others

Vestigial Data

Share this:

Like this:

Related