Just before many of Apple’s engineers would have broken up for Christmas, XProtect version 5325 was released. Although most Macs should now have been updated to that new version, a few haven’t. As far as I’m aware, those are running macOS 15 Sequoia, although some might be on Tahoe. The reason for this disparity is that this update has only been released via Apple’s software update servers, and still isn’t available from iCloud, two weeks later.
Two XProtects?
There are in fact no less than four XProtects now:
- regular XProtect installed in /Library/Apple/System/Library/CoreServices on all Macs since before El Capitan. Up to Sonoma, this is used to scan new apps for known malware during their Gatekeeper first-run checks.
- new XProtect installed in /var/protected/xprotect on Macs running Sequoia or Tahoe, now used in place of regular XProtect by Gatekeeper in those more recent versions. Although it hasn’t always been identical to regular XProtect, it has been for over a year now, but it’s updated differently.
- XProtect ‘Remediator’ on Macs running Catalina and later, a separate system that runs routine scans for the presence of malware, roughly every 24 hours.
- XProtect ‘Behavioural’ on Macs running Ventura and later, another separate system that watches for specific behaviours such as accessing browser data files. This is part of Apple’s security intelligence, and reports back to Apple when it detects anything suspicious. It relies on Bastion rules that are contained in updates for XProtect Remediator, but is separate from that.
Two updates
Macs running Sequoia and Tahoe thus have two XProtect bundles to update, and Apple has changed the way that it updates the active copy of XProtect. At first, the user was able to force an update using the sudo xprotect update command in Terminal, which downloaded the update from iCloud to its new location. If it wasn’t available there, then an update would be performed using a copy already installed from Software Update, without requiring any further download.
Most recently, in Sequoia and Tahoe, this has changed yet again. The user can no longer update the new copy of XProtect from a copy already installed in the regular location; only a background service that runs once a day can do that. This leaves Sequoia and Tahoe only able to update their new copy of XProtect by two alternative methods:
- Apple releases the update through iCloud, allowing you to download and install it manually using the command sudo xprotect update, or by waiting for a background process to do that.
- If the ‘regular’ XProtect location has already been updated from Apple’s software update servers, as would happen if you use SilentKnight, then the background XProtectUpdateService can install that to the new location. However, the user can’t invoke that service manually, but must wait for it to be scheduled, as it should be every 24 hours or so.
Those are diagrammed below.
The wrong update
What has happened with XProtect 5325 is that the iCloud update hasn’t been made available. Therefore, Macs running Sequoia or later are expected to download the regular update from the software update service, and XProtectUpdateService recognises that and is able to use that update to bring the copy in the new location up to date. It turns out that not all Macs running Sequoia or even Tahoe can do that. If XProtectUpdateService doesn’t run, or fails to update the new copy of XProtect data when it does run, then XProtect in the new location continues to use 5324 even though 5325 has already been installed in the old location.
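To see whether a Sequoia or Tahoe Mac is in this state, the two installed versions can be compared directly. The script below is an added example, not code from the article or from Apple; it assumes that each location holds XProtect.bundle and that CFBundleShortVersionString in its Info.plist carries the XProtect version number. Reading /var/protected/xprotect may require sudo.

```shell
#!/bin/sh
# Compare the XProtect version in the regular location with the one in the
# new location, and report when the new copy lags behind.
# Assumed paths: both locations hold XProtect.bundle with a standard Info.plist.
REGULAR_PLIST=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist
NEW_PLIST=/var/protected/xprotect/XProtect.bundle/Contents/Info.plist

# Offline parser for an XML Info.plist: prints CFBundleShortVersionString.
# Accepts the key and its <string> on the same line or on the following line.
xml_plist_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
            if ($0 !~ /<string>/) getline
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1" 2>/dev/null
}

# On macOS, defaults(1) reads both XML and binary plists; elsewhere fall back
# to the awk parser so the logic can be exercised on a constructed file.
plist_version() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$1" CFBundleShortVersionString 2>/dev/null
    else
        xml_plist_version "$1"
    fi
}

# Classify regular ($1) against new ($2): prints current, lagging, ahead or
# unknown (a version was empty or not numeric). Exit status 1 means lagging.
xprotect_status() {
    reg=$1; new=$2
    case "$reg" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    case "$new" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    if [ "$new" -lt "$reg" ]; then echo lagging; return 1
    elif [ "$new" -gt "$reg" ]; then echo ahead; return 0
    else echo current; return 0
    fi
}

main() {
    reg=$(plist_version "$REGULAR_PLIST") || true
    new=$(plist_version "$NEW_PLIST") || true
    printf 'regular XProtect (CoreServices): %s\n' "${reg:-unreadable}"
    printf 'new XProtect (/var/protected):   %s\n' "${new:-unreadable, try sudo}"
    status=$(xprotect_status "$reg" "$new") || true
    printf 'status: %s\n' "$status"
    # Only XProtectUpdateService can now copy the regular update across, so a
    # lagging new copy means waiting for its next scheduled run.
    [ "$status" = lagging ] && echo 'new location lags; wait for XProtectUpdateService'
    return 0
}
main
```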
Vulnerability
Those Macs running Sequoia or Tahoe that haven’t yet been updated to the ‘new’ XProtect version 5325 are demonstrations of the vulnerability that now affects XProtect in macOS 15.0 to 26.2. When Apple fails to release an XProtect update via iCloud, any failure in XProtectUpdateService to step in and install that in the new location prevents that Mac from using the latest detection rules in Gatekeeper checks.
That contrasts with ‘regular’ XProtect, which can always be updated manually using softwareupdate or SilentKnight, once it has been made available for download from Apple’s software update servers.
I suppose that’s progress.
Conclusion
If your Mac is running macOS Sequoia or Tahoe, and still has XProtect 5324 installed in its new location, then there isn’t much you can do about it but wait. You can try restarting your Mac, or even restarting it in Safe mode, but provided that it has updated its old location to 5325, only XProtectUpdateService can update the real XProtect now.

