Apple has released an update to XProtect

Apple has just pushed a surprise update to its XProtect security software (not XProtect Remediator), bringing it to version 2166.

Apple doesn’t release information about what this update might add or change. In XProtect’s Yara definitions, it adds four new detections covering MACOS.KEYSTEAL.A and HONKBOX_A, B and C. For the first time in several years, Apple is again using recognised malware names, rather than obfuscating identities as it has in the past.

As this is an XProtect update, it should be available for and install on all versions of macOS from El Capitan if not earlier.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

SilentKnight, LockRattler and SystHist, which cover El Capitan to Ventura and are available from their product page, give a full listing of security data file versions. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

Those using Content Caching servers shouldn’t need to disable their server before downloading this update, which worked perfectly here.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-2166.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.