hoakley October 10, 2024 Macs, Technology

A simple guide to how XProtect installs and updates in Sequoia

Many of you still seem puzzled as to how XProtect installs and updates in macOS Sequoia. This article tries to make this clear, so you can keep XProtect up to date.

Sonoma and earlier

Until this changed in Sequoia, XProtect has been straightforward: its data is stored in a bundle named XProtect.bundle, in the path /Library/Apple/System/Library/CoreServices, which is on the Data volume so it can readily be updated. When you or macOS downloads an XProtect update, it simply replaces that bundle with the new one. This is shown in the diagram below.

Sequoia

XProtect in macOS 15 prefers not to use the XProtect.bundle in its old location of /Library/Apple/System/Library/CoreServices (although it can do if there’s no alternative). Instead, it looks for XProtect.bundle in its new location, /var/protected/xprotect.

However, when you or your Mac use the old update system, including Software Update, softwareupdate or SilentKnight, that still installs the update in the old location, where it won’t normally be used by XProtect when making its checks. What’s supposed to happen is that at least once a day, macOS checks whether there’s a newer update in the old location. If there is, then it should automatically prepare and move that to the new location in /var/protected/xprotect for XProtect to use.

If you want that to happen immediately, then you can run the following command in Terminal:
sudo xprotect update
then enter your admin user’s password. The xprotect command tool will then complete the installation of that update from its old location in /Library/Apple/System/Library/CoreServices into its new location in /var/protected/xprotect.

There’s also a second way that XProtect in Sequoia can be updated, and that’s over a connection to iCloud. If that’s used, then the update is installed straight into its new location, and doesn’t change the XProtect bundle in the old location at all. Although Apple has used that earlier, all XProtect updates since the release of Sequoia have come using the old Software Update system, so have needed to be completed using the xprotect command in Terminal.

This is shown in the diagram below. The blue boxes show the old Software Update system, and the pink boxes are the new parts that ensure the update is installed in the new location.

SilentKnight

SilentKnight still works using softwareupdate, and can’t use the new xprotect command for updates yet, because that requires structural changes in the app that will be available in version 3. However, in Sequoia it reports the version of XProtect installed in the new location, as that’s the one that XProtect now uses.

When SilentKnight discovers a new version of XProtect via softwareupdate, it therefore installs that in the old location, in the path /Library/Apple/System/Library/CoreServices. It has no choice but to do that. Once that’s been installed to the old location, the version shown for XProtect won’t change, as that requires macOS to complete the second stage of the installation. You can then either:

leave macOS to complete the installation itself, which should happen over the next day or so, or
run sudo xprotect update in Terminal, which will complete that update immediately. SilentKnight will then show the updated version number correctly.

Key points

In Sequoia, when XProtect is updated by Software Update, softwareupdate or SilentKnight, you should either leave macOS to complete that installation, or run sudo xprotect update in Terminal if you want it to be updated immediately.

This only applies to macOS Sequoia: Sonoma and earlier still work as they always have done.

8Comments

Add yours

1

John Gilbert on October 11, 2024 at 2:58 am

Thanks, I learned a lot from that, but then started digging on my Intel 2019 iMac. Two things:

Firstly, from your description, I assumed that the “xprotect update” process copied the bundle from CoreServices to /private/var/protected/xprotect. But I began to have doubts when I noticed that the create, modified and added dates for /private/var/protected/xprotect/XProtect.bundle were all 19-Sept.

What is going on? Has the xprotect bundle not been copied from CoreServices?

I then looked inside both bundles and it seems that the xprotect update process copies files (info.plist and resources) from inside the CoreServices bundle into destination bundle. And, without changing the modified date of /private/var/protected/xprotect/XProtect.bundle though the folders inside (Contents and Resources) do have updated modified and added(!) dates, but the created dates remain 19-Sept.

OK, so that is the way it works. As you will have gathered that confused the naive expert.

Secondly, the xprotect update process does not seem to be reliable if left alone. It is now over 2 days since the CoreServices bundle was updated automatically (5277) and, so far, no changes to /private/var/protected/xprotect/XProtect.bundle (5276). I will leave it another day before doing a manual update.

I do hope we don’t have any zero-day exploits and need updates to be applied urgently.

LikeLiked by 1 person
- 2
  
  hoakley on October 11, 2024 at 11:13 am
  
  Thank you, John. Yes, when macOS installs the XProtect bundle in its new location, it isn’t simply copied, but undergoes a more complex process. We also don’t know what it might change that isn’t reflected in the new bundle.
  Thank you also for leaving yours to run – I’m not surprised that it doesn’t update itself promptly. Until Apple starts releasing these updates via iCloud, I think completing them manually is going to remain a wise choice.
  Howard.
  
  LikeLike
  - 3
    
    John Gilbert on October 14, 2024 at 1:22 am
    
    Status of waiting for macOS to update from CoreServices bundle to the active bundle:
    
    macOS has failed to do the update, even after a reboot. This is about 5 days since the CoreServices bundle was updated. So I have done it manually with sudo xprotect update.
    
    I will wait for macOS 15.1 before taking further action.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on October 14, 2024 at 6:46 am
      
      Thank you – that’s quite a shock. Given that almost all Mac users know nothing about this, and don’t check, that suggests there are a lot of Macs with outdated XProtect.
      Howard.
      
      LikeLike
5

Marc on October 11, 2024 at 5:06 pm

Thank you very much for all your articles on XProtect and updates. They have been very informative. (I am running Sequoia 15.01 on a Mac Studio.)

Most recently, I tried waiting out the XProtect updates but after several days of version 5276 not updating, I finally updated manually in terminal and everything seems fine. (It is nice to use Skint and SilentKight to monitor this.)

I also keep getting the notice in Skint that there have been no XPR scans in the last 36 hours. Every few days, a scan occurs but not most of the time. Does this just reflect limitations with the unified log? Skint says no XPR scans in last 36 hours but also says that the oldest log entry is less that 36 hours ago. (e.g. “Oldest log entry 17.15 hours ago.”)

LikeLiked by 1 person
- 6
  
  hoakley on October 11, 2024 at 5:21 pm
  
  Thank you. All this should get easier, although not necessarily simpler, when iCloud updates start rolling out.
  XPR scans can be hard to catch with short log lifetimes. What I’ve done in the past is used XProCheck to tell me when they’re likely to occur in a typical day’s use, then I open Skint a couple of hours later. That way, when it runs its next checks in 24 hours, it’s more likely that the next batch of log entries will remain in the log. Unfortunately there’s no way to get the log to retain its XPR entries any longer.
  Howard.
  
  LikeLike
7

LPBagley on November 13, 2024 at 3:47 pm

Just another data point here… In beta testing Sequoia (Developer Beta channel) I’ve had the slow and no update problem that others have experienced… UNTIL the 12 November update to Version 15.2 Beta (24C5079e)

It MAY be that Apple is addressing this problem.

LikeLiked by 1 person
- 8
  
  hoakley on November 13, 2024 at 3:50 pm
  
  Thank you. I must admit that I don’t hang around waiting for an update to occur, and run SilentKnight.
  Howard
  
  LikeLike

·Comments are closed.

Sonoma and earlier

Sequoia

SilentKnight

Key points

Share this:

Related