Last Week on My Mac: What happened with XProtect?

For many who prefer to wait a little, the x.3 update is a popular time to upgrade to the next major version of macOS. By then, most of the major bugs should have been fixed, and some fine tuning performed on new features. So if you’ve just joined Sequoia from something older, you might now be wondering what on earth is going on with XProtect, which still baffles those of us who have been here since 15.0.

Which XProtect?

First allow me to dispel a common confusion: this article is about the XProtect we know of old, run on demand during Gatekeeper checks before macOS launches code. This isn’t the same as XProtect Remediator (XPR), a suite of scanning modules that periodically searches your Mac to detect and remove known malware. Unlike XPR, XProtect leaves little trace in the logs, merely that it has checked code for malware and didn’t find any.

XProtect relies on a handful of configuration files in a bundle that doesn’t itself contain any code. Most important among them is a file containing a large and growing set of rules used to detect malicious code, the Yara rules. Every two weeks, Apple’s security engineers assemble the latest set of Yara rules into the bundle named XProtect.bundle and it’s distributed as an update from Apple’s servers.

Whichever earlier version of macOS your Mac has been running, it has downloaded those updates using Software Update, SilentKnight or a similar mechanism, installed that bundle into /Library/Apple/System/Library/CoreServices, and the next time that XProtect is run on demand it uses those updated rules to improve your Mac’s protection against malware.

Changes in Sequoia

In the past, XProtect has been something of a quiet backwater, and its Yara rules changed little and infrequently. That has changed dramatically over the last couple of years, and the rules have grown in number, size and sophistication. They have also become more responsive, to ensure XProtect’s checks keep up with the latest malware and its changes.

For Sequoia, Apple has changed the way that XProtect is updated, and where its Yara rules and other files are kept, to /var/protected/xprotect/XProtect.bundle, although previous versions of macOS continue to receive their updates as before. Updates for Sequoia can be delivered either via a connection to iCloud, or the established method to Apple’s Software Update servers.

Last week’s updates

Last week, the regular fortnightly update to XProtect 5286 was ready for release on 27 January, but macOS Sequoia 15.3, security updates, and updates to all the other OSes were released instead. They put a heavy load on the Software Update servers, so it appears the update to XProtect 5286 was delayed. That was a wise decision: Apple has previously tried releasing security data updates at the same time as OS updates, and it doesn’t work out well for anyone.

In the early hours (GMT) of 29 January, XProtect 5286 was released for download to macOS Sequoia via its iCloud connection. As this doesn’t use the servers responsible for macOS and other OS updates, that release took advantage of this new feature in Sequoia. Most of the Macs running 15.0 or later were most probably updated to 5286 by the end of that day.

Twenty-four hours later, in the early hours (GMT) of 30 January, the same updated version of XProtect was released for download from Apple’s Software Update servers, enabling those still running older versions of macOS to install the update, as the load must have been reducing on those servers.

Although that seems clear and straightforward, what users saw often appeared puzzling if not incorrect. If you were running Sequoia, your XProtect data bundle with its Yara rules was probably updated silently during 29 January, but the following day (when your Mac was already enjoying the protection of the update) you were offered the 5286 update by Software Update, softwareupdate or SilentKnight, as if your Mac still hadn’t been updated. Some of you thought that was the real update, but it wasn’t, as that only updated the bundle stored at the old location, which isn’t used by XProtect in Sequoia.

How it worked

For the great majority of folk who don’t even know what XProtect is or does, this is all irrelevant, as their Macs continue to work as before, just improving their malware detection silently. For those of us who take an interest, or want to know what’s going on, it can appear profoundly confusing. To help clarify, here are two different ways that a Mac running Sequoia could successfully install XProtect 5286.

The preferred way is using the new iCloud connection, which doesn’t require that you have connected to iCloud, as it’s made outside your Apple Account or iCloud Drive. To start with, both copies of the XProtect bundle are version 5285. Then, probably on 29 January, that Mac connects to iCloud and downloads the update direct to its new location (red). Although the copy in the old location remains at version 5285, the copy used by XProtect is now using the updated rules in 5286.

Then, when the Software Update copy is installed the following day, both copies are brought up to 5286.

But Sequoia can still make use of the general release of the new version, as shown in this second diagram. Suppose that a Mac running Sequoia didn’t have access to iCloud on 29 January, and still can’t update to 5286 via iCloud the following day. However, that update is still delivered from the Software Update servers. Over the next minutes or hours, macOS can then use that copy of the XProtect bundle to update the bundle now used by XProtect in Sequoia, as shown on the bottom line. If that doesn’t work, the user can run
sudo xprotect update
in Terminal, and that will force the local update.
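If you want to see for yourself which of the two copies your Mac is actually using, here is a small check script I’ve added to this article (it isn’t Apple’s code, nor part of any tool the article mentions). It assumes that each copy of XProtect.bundle records its version in CFBundleShortVersionString in Contents/Info.plist, and uses plutil only where it exists so the version-parsing also runs on other systems.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the XProtect data
# bundle at the legacy location with the copy that XProtect in Sequoia uses.
# Assumptions: each bundle's Contents/Info.plist holds the version in
# CFBundleShortVersionString, and plutil (macOS) is used only if present.

OLD_BUNDLE="${OLD_BUNDLE:-/Library/Apple/System/Library/CoreServices/XProtect.bundle}"
NEW_BUNDLE="${NEW_BUNDLE:-/var/protected/xprotect/XProtect.bundle}"

# Print the version stored in a bundle, "missing" if there is no readable
# Info.plist, or "unknown" if the key cannot be found in it.
xprotect_version() {
    plist="$1/Contents/Info.plist"
    [ -r "$plist" ] || { echo "missing"; return 0; }
    # Apple plists may be binary: normalise to XML with plutil where available.
    v=$({ if command -v plutil >/dev/null 2>&1; then plutil -convert xml1 -o - "$plist"; else cat "$plist"; fi; } |
        sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}')
    [ -n "$v" ] && echo "$v" || echo "unknown"
}

# Classify the pair of copies:
#   same       both copies carry the same version
#   new-ahead  only the Sequoia copy has the newer rules (iCloud delivery came first)
#   old-ahead  only the legacy copy updated; Sequoia is still running older rules
#   missing    a copy is absent or unreadable (pre-Sequoia macOS, or not macOS)
xprotect_state() {
    old=$(xprotect_version "$1"); new=$(xprotect_version "$2")
    case "$old:$new" in
        *missing*|*unknown*) echo "missing"; return 0 ;;
    esac
    if [ "$old" = "$new" ]; then echo "same"
    elif [ "$old" -lt "$new" ] 2>/dev/null; then echo "new-ahead"
    else echo "old-ahead"
    fi
}

# Report, and say when the article's "sudo xprotect update" is the next step.
state=$(xprotect_state "$OLD_BUNDLE" "$NEW_BUNDLE")
echo "legacy copy: $(xprotect_version "$OLD_BUNDLE")  Sequoia copy: $(xprotect_version "$NEW_BUNDLE")  state: $state"
if [ "$state" = "old-ahead" ]; then
    echo "Sequoia is still using older rules; run: sudo xprotect update"
fi
```

On a Mac that updated via iCloud on 29 January and then installed the Software Update copy on 30 January, the state moves from new-ahead to same, which is exactly the sequence the article describes.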

Improvements

The benefits of this new system to the Sequoia user are therefore:

  • updating 24 hours earlier, when Software Update servers were still heavily loaded;
  • fall back to the traditional method if an iCloud update doesn’t occur, followed by local installation to the new location.

Now we can all return to trying out Genmoji. While they may be trivial by comparison, they bring a lot of fun to Messages, and we could all do with plenty of fun as well as better security.