hoakley November 10, 2022 Macs, Technology, Updates

Apple has pushed updates to XProtect and XProtect Remediator

Apple has just pushed its regular fortnightly update to XProtect Remediator security software for Macs running Catalina or later, bringing it to version 84. Accompanying it is an update to XProtect’s data, bringing them to version 2165 (Apple doesn’t appear to have released 2164).

Apple doesn’t release information about what security issues these updates might add or change, and this update doesn’t add any further scanning modules to XProtect Remediator. In XProtect’s Yara definitions, it adds a new detection for MACOS.da36796, whose true identity may be discovered shortly.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Ventura available from their product page. If your Mac hasn’t yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

Although my Content Caching server itself had no problems installing these updates, it has persistently refused to serve them to local clients, so I have once again had to disable the Content Caching server to perform the updates. Sigh.

If you want to install these as named updates in SilentKnight, their labels are
XProtectPlistConfigData_10_15-2165 XProtectPayloads_10_15-84

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

26Comments

Add yours

1

Bernd on November 10, 2022 at 9:40 pm

If you want to install these as named updates via command line (eg. ARD) use:
/usr/sbin/softwareupdate -i –include-config-data ‘XProtectPlistConfigData_10_15-2165’ ‘XProtectPayloads_10_15-84’

Do not use /usr/sbin/softwareupdate -ia –include-config-data if you not want to upgrade to Ventura.

LikeLiked by 1 person
- 2
  
  hoakley on November 11, 2022 at 9:02 am
  
  Thank you.
  Actually, the first step if you’re going to do this in Terminal is to list available updates, before trying to download or install anything.
  This is all far simpler in my free SilentKnight, which doesn’t require the use of Terminal at all.
  Howard.
  
  LikeLike
3

EcleX on November 11, 2022 at 8:07 am

Wow, both SilentKnight and LockRattler featured with screen captures in such web site I rather not include here. You are becoming really famous!

LikeLiked by 1 person
- 4
  
  hoakley on November 11, 2022 at 9:10 am
  
  Thank you. That’s very enigmatic.
  Howard.
  
  LikeLike
- 5
  
  EcleX on November 11, 2022 at 11:35 am
  
  The title of such blog article is (please edit or delete if needed — just for your eyes only):
  
  macOS Monterey Update 12.6.1 Tends to Kernel Panic Machines Using SoftRAID — Apple XProtect Bug?
  
  LikeLiked by 1 person
  - 6
    
    hoakley on November 11, 2022 at 3:42 pm
    
    You’re such a tease! Do I get another clue?
    Howard.
    
    LikeLike
  - 7
    
    EcleX on November 11, 2022 at 4:42 pm
    
    Well, not really, searching for it in Google shows 10 hits, being the penultimate. Searching between quotation marks finds just three hits and is the last one.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on November 11, 2022 at 6:02 pm
      
      Are, you are just being a tease, then.
      Howard.
      
      LikeLike
9

Bill Smith on November 11, 2022 at 12:41 pm

Interestingly my 2018 Mac mini running 13.0.1 would not acknowledge either of these two updates existed, verified missing in both About this Mac/ Installed Software list and Silentknight. SilentKnight then allowed me to use install update by name successfully to update both.

My 2012 Mac mini running 13.0.1 via open core did install both updates normally via software update, also confirmed by SilentKnight.

Without SilentKnight, my 2018 would have fallen behind. Thanks Howard.

LikeLiked by 1 person
- 10
  
  hoakley on November 11, 2022 at 3:59 pm
  
  Thank you.
  Howard.
  
  LikeLike
11

dafoxe1 on November 11, 2022 at 5:45 pm

Interestingly, my main MacPro6,1 with Content Caching turned on updated manually after booting using Intall All Updates in SilentKnight 2.3. My Macmini7,1 updated automatically when booted and checked with SilentKnight 2.1 and my second 2nd MacPro6,1 had to be updated manually with Install All Updates in SilentKnight 2.1 after booting. I’m happy that all 3 Macs updated w/o disabling Content Caching this time. The two different outcomes is not explanable by me but both worked so I’m definitely not complaining. We’ll see what happens in 2 weeks….

LikeLiked by 1 person
- 12
  
  hoakley on November 11, 2022 at 6:04 pm
  
  Thank you. This is really weird now.
  Howard.
  
  LikeLike
13

Matt on November 13, 2022 at 5:08 pm

Thanks for the updates, Howard.

Just wondering, as SilentKnight and LockRattler seem to do a lot of the same things, is there a reason to use one rather than the other?

LikeLiked by 1 person
- 14
  
  hoakley on November 13, 2022 at 9:57 pm
  
  Thank you.
  LockRattler was the original app, and does everything manually – it tells you what versions are installed, but not whether they’re up to date. You have to check those manually.
  SilentKnight does all its checking for you, whether your Mac’s firmware is up to date, and all the security data file versions too.
  I wanted to abandon LockRattler some time ago, but it’s still preferred by many users.
  Howard.
  
  LikeLike
15

Dakotamoons on November 23, 2022 at 3:32 pm

Recently I’ve been experiencing a big slow-down on my old iMac Pro running Cat 10.15.7. Checking Apple’s Activity Monitor is see that XProtectRemediator is coming in at a CPU usage figure of 174.4%. Obviously, I’ll reboot and see what happens next, but just reporting in for any feedback. Now that I think about it, this may have been going on for a few days. https://9581826.com/xprotect.JPG

LikeLiked by 1 person
- 16
  
  Dakotamoons on November 23, 2022 at 3:53 pm
  
  Upon rebooting, the XProtectRemediator is nowhere to be found.
  I’m left just curiously wondering what happened.
  Normal (fast) speed has returned to the iMac Pro.
  
  LikeLiked by 1 person
  - 17
    
    hoakley on November 23, 2022 at 9:18 pm
    
    Have you checked its reports using XProCheck?
    Howard.
    
    LikeLike
- 18
  
  hoakley on November 23, 2022 at 9:17 pm
  
  I’m sorry to hear that. Did you inspect its reports using XProCheck?
  Howard.
  
  LikeLiked by 1 person
  - 19
    
    Dakotamoons on November 23, 2022 at 9:59 pm
    
    No. Sorry. Getting ready to pack for a trip, so no time. But may be able to investigate later. Everything still good.
    
    LikeLiked by 1 person
20

Mike on December 7, 2022 at 1:13 pm

SilentKnight tells me that XProtect is disabled even though I have “Install Security Responses and system files” enabled. Have now spent hours on the internet trying to figure out how to enable XProtect without finding anything. Maybe someone here can help me out.

LikeLiked by 1 person
- 21
  
  hoakley on December 7, 2022 at 1:19 pm
  
  If only you had asked:
  XProtect isn’t enabled by any such setting in Software Update, which controls whether and when updates are downloaded and installed.
  You may be able to fix this using the command
  spctl –enable
  but chances are that you will instead need to invoke
  sudo spctl –global-enable
  which requires you to authenticate using your admin password. Be careful with those commands: the hyphens before enable and global-enable aren’t long dashes, but two separate hyphens.
  I wish you success.
  Howard.
  
  LikeLike
  - 22
    
    Mike on December 7, 2022 at 1:47 pm
    
    Thanks for your quick reply, Howard. The spctl –enable command did not solve the problem. The command sudo spctl –global-enable however did. Many thanks again!
    
    LikeLiked by 1 person
    - 23
      
      hoakley on December 7, 2022 at 1:52 pm
      
      Well done!
      Howard.
      
      LikeLike
24

thoolb on February 21, 2023 at 2:09 pm

I am not sure if I understand this article correctly (June 2022):
https://eclecticlight.co/2022/06/12/last-week-on-my-mac-introducing-xprotect-remediator-successor-to-mrt/
… respectively I wonder, if the current 3 months period of neither XProtect nor MRT updates in my Mojave indicates that they fully turned to ‘Remidiator’ on newer systems and fully quit for systems before Catalina.
– Can someone shed more light on this, possibly with a hint to an according Apple announcement? And, if Apple quit them for older systems, could a third party anti-malware tool (still) conflict with this security feature in older macOS, or be rather recommended because of getting updates? – Thank you!

LikeLiked by 1 person
- 25
  
  hoakley on February 21, 2023 at 3:34 pm
  
  Apple doesn’t announce or mention anything to do with security. We’re either not supposed to know, or just to guess what’s going on.
  The last update to XProtect was on 10 November 2022, and we’re probably due another in the next week or three. The last to MRT was in April last year, and as far as anyone knows it has now been discontinued. Latest Macs come without it.
  XProtect Remediator only comes with Catalina and later, and can’t run on any earlier macOS.
  Although I have expressed my concern for those still running older macOS, some third-party protection doesn’t cater well for older macOS either. You may decide that it’s now worthwhile, if you can find a suitable product.
  Howard.
  
  LikeLiked by 1 person
  - 26
    
    thoolb on February 24, 2023 at 9:57 am
    
    Thank you, Howard! … Ah, XProtext updates were not fully quit for Mojave: “XProtectPlistConfigData_10_14-2166” was provided these days.
    
    LikeLiked by 1 person