hoakley April 27, 2023 Macs, Technology, Updates

Apple has just released an update to XProtect Remediator

Apple has just released an update to XProtect Remediator security software for Macs running Catalina or later, bringing it to version 96.

Apple doesn’t release information about what security issues this update might add or change. However, it adds two new scanning modules, for malware identified as RankStank and RoachFlight.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Ventura available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

Those using Content Caching servers should find that this update installs correctly and without tears.

If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-96.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Postscript

It appears that Apple may have pulled this update, as of 28 April. Several of us who have installed it have seen what may be spurious reports of anomalies, although I’ve not seen any that are proper reports of detections or remediations. If you have installed it already, then check carefully using XProCheck whether a warning message is followed by NoThreatDetected or Success: if it is, then you can safely ignore reports of an anomalies. Only if XPR reports that it has detected and/or remediated malware should you suspect that it might have.

I suspect version 97 may be released later today to address these issues.

28Comments

Add yours

1

Brian on April 27, 2023 at 7:17 pm

Just updated XProtect and ran XProtect Check and this popped up:

2023-04-27 14:58:52.252 KeySteal ⚠️{“caused_by”:[],”status_message”:”BadPluginServiceSignature”,”status_code”:31,”execution_duration”:9.0003013610839844e-05}

Is this a cause for concern or just a bug? I checked LaunchItems for ~/Library/LaunchAgents/com.apple.googleserver.plist and /Library/LaunchDaemons/com.apple.googlechrome.plist and didn’t find either.

LikeLiked by 1 person
- 2
  
  hoakley on April 27, 2023 at 7:23 pm
  
  If you’re running XProCheck version 1.4, those should no longer be flagged with the warning triangle.
  No, those are simply because XProtect Remediator has been updated – they will occur twice after each update, as the components switch over to the new version. This results in a clash of signatures between parts of the service, once for the service running as root, and once for the user.
  Howard.
  
  LikeLike
3

Brianb on April 27, 2023 at 7:38 pm

Thank you! Installing 1.4 fixed the issue.

LikeLiked by 1 person
4

Old Coot on April 27, 2023 at 10:57 pm

Mine flagged these two for BadGacha
{“process”: {“pid”:1873, “name”: “MessengerHelper”}, “status”: null, “action”: “report”}
{“process”: {“pid”: 1869, “name”: “1Password Extension Helper”}, “status”:null, “action” :”report”}

LikeLiked by 1 person
- 5
  
  hoakley on April 28, 2023 at 7:06 am
  
  Following those lines, XPR should also give a status message and code for BadGacha, as its overall report. If that reads NoThreatDetected, then these are reports not detections, and may be entirely innocent. If the report tells you that it’s a detection or remediation, then it means those were likely to have been malware, but have now been removed.
  I too have a report for WaterNet since this update, but the overall report for that check concludes NoThreatDetected.
  Howard.
  
  LikeLike
  - 6
    
    Yuriy Varbanets on May 24, 2023 at 12:51 pm
    
    Such warnings are shown for processes whose program files have been removed after they were started. Programs should now terminate if their executable is deleted.
    
    LikeLiked by 1 person
    - 7
      
      hoakley on May 24, 2023 at 3:43 pm
      
      Thank you – that’s much appreciated.
      Howard.
      
      LikeLike
8

Old Coot on April 28, 2023 at 5:07 am

I should add that after looking through your help file I found that it was a code 23. “if the report contains a status_code of 23, a status of null, or an action “report”, it’s an ⛔️ alert to a detection of remediation. So I have blocked both the helper and app, though it might be to late from accessing the net.

LikeLiked by 1 person
- 9
  
  hoakley on April 28, 2023 at 7:18 am
  
  If the report states that BadGacha was detected and/or remediated, then I recommend that you contact Apple Support.
  We still don’t know what BadGacha is known as outside Apple, I’m afraid.
  Howard.
  
  LikeLike
10

FreeDom on April 28, 2023 at 6:38 am

It’s strange, I’m not able to update XPR to 96 with SilentKnight (nor with LockRattler ) : no updates available. I have 2 different Intel computers, and one M1. Same result. I’m using the latest Ventura beta 13.4. Is it an other way to force the update?

LikeLiked by 1 person
- 11
  
  hoakley on April 28, 2023 at 6:54 am
  
  Have you tried restarting the Mac and trying again? If that doesn’t work, then start it up in Safe mode and try there.
  As you’re running a beta, if that still fails to find the update I think you need to report it using Feedback. Such are the joys of betas.
  Howard.
  
  LikeLike
  - 12
    
    FreeDom on April 28, 2023 at 7:08 am
    
    Thank you for your help. I restarted in Safe mode, without success… so yes, it must be the beta, indeed. Thanks again for your good work!
    
    LikeLiked by 1 person
    - 13
      
      hoakley on April 28, 2023 at 7:33 am
      
      I’m sorry about that.
      Howard.
      
      LikeLike
- 14
  
  kapitainsky on April 28, 2023 at 12:19 pm
  
  The same here. First time for me:
  
  SilentKnight says XPR should be 96 but then is not finding any available update…
  
  ✅ XProtect 2167 should be 2167
  ❌ XPR 95 should be 96
  ✅ MRT 1.93 should be 1.93
  ✅ TCC 150.19 should be 150.19
  ✅ KEXT 18.0.0 should be 18.0.0
  ✅ SIP & SSV enabled.
  ✅ XProtect assessments enabled
  ✅ FileVault is On.
  XProtect Remediator scans not checked.
  macOS Version 13.3.1 (Build 22E261)
  Latest updates installed:
  XProtectPlistConfigData 2023-03-31 6:22:32 am +0000 : 2167
  XProtectPayloads 2023-03-31 6:22:32 am +0000 : 95
  MRTConfigData 2022-10-24 7:28:42 pm +0000 : 1.93
  Mac model MacBookPro16,1
  EFI version found 1968.100.17.0.0 (iBridge: 20.16.4252.0.0,0); expected 1968.100.17.0.0 (iBridge 20.16.4252.0.0,0)
  ✅ EFI firmware appears up to date.
  ✅ Software Update Tool
  
  Finding available software
  No new software available.
  
  LikeLiked by 1 person
  - 15
    
    Panda Mery on April 28, 2023 at 2:48 pm
    
    Same problem here on an M2 Macbook Pro.
    
    I also tried to install the named update as per the blog post and got this result:
    
    Finding available software
    XProtectPayloads_10_15-96: No such update
    No updates are available.
    
    LikeLiked by 1 person
- 16
  
  Javier Gallardo on April 28, 2023 at 3:46 pm
  
  It’s happening exactly the same for me, and I’m not in a beta, just 13.3.1 on a M1 MacBook Pro. SilentKnight points XPR 95 as “old” (red cross), but finds “no new software”. Asking directly through the menu didn’t find “new software” either…
  Tried also after restart… and now calibrating restarting in safe mode. (Perhaps it’s easier to give up and let MacOS do its things alone…)
  SilentKnight has worked wonderfully always… but I feel, in small details, that this System doesn’t like to be tuned or corrected… .:-(
  
  LikeLiked by 1 person
  - 17
    
    hoakley on April 28, 2023 at 4:13 pm
    
    Please: I’ve added a postscript above.
    I suspect that Apple has pulled the update because of some problems that we’ve been noticing with what appear to be spurious warnings. However, I can’t see any info from Apple saying that, so I can’t announce that the update has been pulled.
    I suspect we’ll see version 97 fairly soon.
    In the meantime, if I leave the latest version for SilentKnight set at 96, then all those who can’t update yet will complain; if I set it back to 95, then all those who have updated will complain. So I can’t win! If only it wasn’t an integer, I could try version 95.5 as a compromise?
    Howard.
    
    LikeLiked by 2 people
18

Rich I on April 28, 2023 at 1:55 pm

I’m also getting the “No new software available” reply from the server. Could Apple have “pulled back” the update?

🍏 Mac model Macmini9,1
Apple Silicon Security:
🍏 Secure Boot: Full Security
🍏 System Integrity Protection: Enabled
🍏 Signed System Volume: Enabled
🍏 Kernel CTRR: Enabled
🍏 Boot Arguments Filtering: Enabled
🍏 Allow All Kernel Extensions: No
User Approved Privileged MDM Operations: No
DEP Approved Privileged MDM Operations: No
✅ XProtect assessments enabled
⚠️ FileVault is Off.
macOS Version 13.3.1 (Build 22E261)
Latest updates installed:
XProtectPlistConfigData 2023-03-30 18:33:56 +0000 : 2167
XProtectPayloads 2023-03-30 18:33:59 +0000 : 95
MRTConfigData 2022-11-15 19:29:19 +0000 : 1.93
Mac model Macmini9,1
iBoot version found 8422.100.650; expected 8422.100.650
🍏 iBoot firmware appears up to date.
✅ XProtect 2167 should be 2167
❌ XPR 95 should be 96
✅ MRT 1.93 should be 1.93
✅ TCC 150.19 should be 150.19
✅ KEXT 18.0.0 should be 18.0.0
✅ XProtect Remediator 30 scans, 0 alerts, 0 warnings.
✅ Software Update Tool

Finding available software
No new software available.

LikeLiked by 1 person
19

Bill Smith on April 28, 2023 at 2:16 pm

Same result here, 2018 Mac mini intel on 13.3.1 , not running any beta. No update available, tried rebooting.

LikeLiked by 1 person
20

Old Coot on April 28, 2023 at 3:00 pm

Same on my M1. Not updating. Haven’t tried my old Mac running Big Sur but I suspect it will give me the same results. Just wondered if the update was specifically for M2’s.

LikeLiked by 1 person
- 21
  
  hoakley on April 28, 2023 at 3:03 pm
  
  No. XPR is for all Macs running Catalina and later. Last night it installed here on Intel T2 and M1 Max.
  As I’ve written above, it looks like Apple has pulled it.
  Howard
  
  LikeLike
22

Old Coot on April 28, 2023 at 3:19 pm

Going of subject for a moment. Why is it that none of your apps show up in Little Snitch after being installed?

LikeLiked by 1 person
- 23
  
  hoakley on April 28, 2023 at 3:27 pm
  
  I’m sorry, I have no idea. Should they? I haven’t used Little Snitch for at least a year.
  Howard
  
  LikeLike
24

Old Coot on April 28, 2023 at 4:03 pm

It would be nice if they did like most apps that are installed on my machines. I’ll kicked around LS and see if I can get them to show up.

LikeLiked by 1 person
- 25
  
  hoakley on April 28, 2023 at 4:15 pm
  
  Well, they’re straight AppKit, notarized apps, as we’re supposed to release. Maybe something is wrong with Little Snitch or its settings?
  Howard.
  
  LikeLike
  - 26
    
    Old Coot on April 28, 2023 at 5:03 pm
    
    I found that I have to individually add them to Little Snitch, first by opening the folder that they are in and then clicking on the icon and then clicking add.
    
    LikeLiked by 1 person
27

MrC on April 28, 2023 at 7:05 pm

I just performed a check and received the update on my Intel iMac (which is the content cache server). When that completed, I tried my M1 Max Macbook – it fails to update. Disabling the content cache doesn’t help, so perhaps the update is no longer available for Apple Silicon.

LikeLiked by 1 person
- 28
  
  hoakley on April 28, 2023 at 7:42 pm
  
  Thank you. Currently the update isn’t available for any Mac at all. Your CC server may have already cached it, I don’t know.
  Howard.
  
  LikeLike