Behind the scenes: SilentKnight and updates

Not too long ago, macOS usually only checked for system software updates once a day. If your Mac’s routines didn’t coincide with Apple’s release of updates, they might arrive a day or two late, and sometimes they were left a lot longer. When I started writing this blog over 11 years ago, one of my goals was to spread information about those updates, so we could all have confidence that our Macs were as well protected as possible and got bugs fixed promptly. In those days, those mostly involved vulnerabilities in Java and Adobe Flash Player.

At first, this was all about what Apple has always been worst at, communicating. In spite of the unsung efforts of its engineers, Apple has chosen to remain as silent as possible about bugs and security. The only time I’m aware that its silence was broken was back in July 2019, when it released an update to its Malware Removal Tool MRT to remove a hidden web server installed by Zoom’s installer, and even then the information was passed on furtively.

Just before Christmas 2016, I released the first version of LockRattler to check and report on security systems, among them the installed version of XProtect. That was widened to include firmware version checks in EFIcientC in July 2019, which quickly turned into SilentKnight.

SilentKnight, and its more basic cousin Skint, compare versions of security data installed on your Mac with lists of those current, a simple task until you realise that Apple doesn’t provide any list of current versions of XProtect and others, nor of Mac firmware. Instead of being able to check with Apple, SilentKnight has to look these up in databases that I maintain on my Github.

For example, the most active of those is XProtect, currently updated most weeks. I keep a watch on the availability of its updates using the same tools that you have: SilentKnight, and the xprotect command in Terminal. Rather than running them once a day, I do this whenever I suspect an update is imminent. Some days I only check once, just to be sure a surprise update hasn’t appeared, but when I think we’re due for an update, I may run them every hour or more frequently.

When SilentKnight strikes gold, I first install the update here, and analyse what it changes. This is straightforward for XProtect, which holds its content in five files in the Resources folder inside its bundle. Using BBEdit, I compare the contents of the update with the previous version, and summarise those. This is a little more complex with XProtect Remediator, as that not only contains executable binary scanning modules, but a set of Bastion rules used by the Behavioural XProtect.

Since the release of macOS Tahoe, XProtect has been installed in two locations, the newer of which is updated separately over an iCloud connection, so I now have to check the version available from there.

Once I know that new version is available, I update the skint1 and sysupdates property lists on Github, so your SilentKnight and Skint will know about the update when they next check. I then put together an article announcing the update with the details of what has changed, post it here, and announce that on X (formerly Twitter).

The last step is to add that information to the list of updates on SilentKnight’s product page, and my main page listing all updates, and update version numbers in separate pages for those still using LockRattler, which can’t check my databases.

How quickly that all happens depends on how quickly I can identify the update, and when I can download and analyse it. If Apple releases the update after I have gone to bed, I’m afraid I won’t be able to do that until the following morning, as happened earlier this week. But if you thought my system was run automatically from some database maintained by Apple, I’m afraid that’s not the case, as it’s all down to SilentKnight and me.

If your Mac installs an update before I have updated my databases, SilentKnight will inevitably expect your Mac still to be using the older version, as that’s what’s listed in the database. When it discovers that it’s using a newer version, it will report that as an error. Please bear with it, as I shouldn’t take long to install and analyse the update, and correct the version number in the database.

Checking firmware versions and updates is more complicated again, as I have to maintain separate lists of the latest versions for each model. You can see those in my Github as well.

Is it worth all this effort? If you want to ensure that your Mac is running the current version of its security data such as XProtect, I don’t know of any alternative. If you know, then please tell me, as it could save me and SilentKnight a lot of effort.

Finally, my Github data is open to all. If you want to use it in your own tools, then feel free. However, if you intend using it commercially, thus to make money from my labour, please discuss it with me first.

9Comments

Add yours

1

Paul Cooper on March 6, 2026 at 8:52 am

Thank you for this detailed description. I am very grateful for all that you do and for the free stuff that you produce. I’m sure everyone else who follows this blog is too. Question: if SilentKnight detects that macOS is running a newer version than that listed in your database, is it truly an ‘error’?

LikeLiked by 1 person
- 2
  
  hoakley on March 6, 2026 at 11:49 am
  
  Unfortunately, this isn’t simple either.
  
  Currently, because so many testing betas with more recent firmware version numbers also use SilentKnight, when a firmware version number doesn’t match, SilentKnight checks whether it’s plausible that their firmware is more recent, and if it is, accepts it.
  
  Because all these version numbers are strings rather than numbers, comparing them in that way is elaborate, depends on the precise format of the string, and breaks easily. This has happened recently with iBoot firmware in 26.4 betas, and required a new version of SilentKnight to cope with that.
  
  So while I could work out, most of the time, whether a version is an update so probably not an error, as that is a transient situation for the hour or two it takes me (at most) to update the database, I’m reluctant to make changes that would also make SilentKnight more fragile.
  
  It should also be obvious to the user – if SK states that XProtect should be 5331 when it has just been updated to 5332, it’s surely not hard to guess that it’s the result of an early installation of that update? (That’s rather harder with firmware, though.)
  Howard.
  
  LikeLike
3

EcleX on March 6, 2026 at 12:40 pm

Thanks a million and more for your amazing work!

LikeLiked by 1 person
- 4
  
  hoakley on March 6, 2026 at 4:41 pm
  
  You’re most welcome.
  Howard.
  
  LikeLike
5

thymine02rising on March 6, 2026 at 2:02 pm

My world feels a little safer, saner and kinder with you in it – thereby making me a better person – grateful, supported, amazed
(Enriched also moments of art history)

LikeLiked by 1 person
- 6
  
  hoakley on March 6, 2026 at 4:43 pm
  
  Thank you.
  Howard.
  
  LikeLike
7

Duncan on March 6, 2026 at 3:46 pm

Since this past week seems to be primarily about getting system updates and the mechanisms so deployed, I wonder if you have any opinions on the opposite of that, namely preventing a system update/upgrade. Without turning this thread into a complaint-fest about MacOS 26, there is ample sentiment that many people don’t want it and don’t wish to be nagged incessantly about it:

https://mjtsai.com/blog/2026/03/05/avoiding-tahoe/

One possible solution for quieting the nags for 90-day periods (before they emerge again):

https://robservatory.com/block-the-upgrade-to-tahoe-alerts-and-system-settings-indicator/

If you care to weigh in on this topic, do you think this is a prudent way to go about this? Might there be a simply (hopefully GUI-based) way to accomplish the same results?

Thank you.

LikeLiked by 1 person
- 8
  
  hoakley on March 6, 2026 at 4:47 pm
  
  Thank you, Duncan. Yes, I did read that and decided I’d carry on doing what I’ve already described here.
  I only get a notification every few days, and they’re quick and easy to deal with. Other than that, there’s a red badge on System Settings in the Dock that I can happily ignore.
  So I really can’t be bothered with messing about like that.
  Howard.
  
  LikeLike
9

markbot2zero on March 6, 2026 at 8:05 pm

Thank you, Howard, for SilentKnight, and everything else.

If maintaining SilentKnight has become a Sisyphean task, which seems to be the case, there are perhaps thousands of grateful users who wish they could push the rock with you, and share your disappointment when it rolls back down the hill.

But we can only offer our gratitude and encouragement for your extraordinary efforts. They are certainly worth it for us — the question is are they worth it for you?

And not just SilentKnight but the entire corpus of your work here.

Best regards,

-Mark

LikeLiked by 1 person

Share this:

Related