XProtect and MRT Updates for macOS.

Discussion in 'all things Mac' started by 1PW, Feb 4, 2022.

  1. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    2,028
    Location:
    .
    Apple has released an update to XProtect Remediator (21-February-2024)
    1. XProtect (XProtectPlistConfigData) remains at version 2186 as of 19-February-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 126 as of 21-February-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
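The version check and update command above can be turned into a small script that reports whether each of the three components is at or behind an expected version, and only then suggests running the thread's `softwareupdate` command. This is an added example, not code from the thread or from Apple. The function names (`plist_short_version`, `read_version`, `version_ge`, `check_component`, `make_sample_plist`, `run_check`) are my own; the Info.plist paths and the expected versions (2186, 126, 1.93) are the ones in this post; the sample plist files are constructed so the script runs on any POSIX sh, using a sed fallback where the macOS `defaults` tool is absent.

```shell
#!/bin/sh
# Added example (not from the thread): compare installed XProtect, XProtect
# Remediator and MRT versions with expected values and flag stale components.

# Info.plist paths exactly as used in the thread's "Versions Check" command.
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
XPR_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist"
MRT_PLIST="/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# Print CFBundleShortVersionString from an XML plist (portable fallback).
# Shipped Info.plists may be binary; on macOS `defaults read` handles both,
# and `plutil -convert xml1 -o - FILE` turns a binary plist into XML first.
plist_short_version() {
    [ -r "$1" ] || return 1
    tr -d '\n\r' < "$1" \
    | sed -n 's/.*<key>CFBundleShortVersionString<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Use `defaults read` where it exists (macOS), otherwise the sed parser.
read_version() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$1" CFBundleShortVersionString 2>/dev/null
    else
        plist_short_version "$1"
    fi
}

# version_ge A B: exit 0 when dotted-numeric version A >= B (1.93 >= 1.9, 2186 < 2187).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 1
            if (xi > yi) exit 0
        }
        exit 0
    }'
}

# check_component NAME PLIST EXPECTED: prints one status line and returns 0 when
# the installed version is at least EXPECTED, 1 when it is behind or unreadable.
check_component() {
    installed=$(read_version "$2")
    if [ -z "$installed" ]; then
        printf '%s: unreadable (%s)\n' "$1" "$2"
        return 1
    fi
    if version_ge "$installed" "$3"; then
        printf '%s: %s (current, expected %s)\n' "$1" "$installed" "$3"
        return 0
    fi
    printf '%s: %s (STALE, expected %s)\n' "$1" "$installed" "$3"
    return 1
}

# Constructed sample data: write a minimal XML Info.plist carrying VERSION.
make_sample_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.example.constructed-sample</string>
	<key>CFBundleShortVersionString</key>
	<string>$2</string>
</dict>
</plist>
EOF
}

# run_check DIR: check the three sample plists in DIR against this post's
# expected versions; on a real Mac substitute the *_PLIST paths above.
run_check() {
    stale=0
    check_component "XProtect"            "$1/xprotect.plist" "2186" || stale=1
    check_component "XProtect Remediator" "$1/xpr.plist"      "126"  || stale=1
    check_component "MRT"                 "$1/mrt.plist"      "1.93" || stale=1
    if [ "$stale" -eq 1 ]; then
        echo "A component is behind; the thread's command is: softwareupdate -ia --include-config-data"
    fi
    return "$stale"
}

# Stand-alone run on constructed data with XProtect one version behind.
demo_dir=$(mktemp -d)
make_sample_plist "$demo_dir/xprotect.plist" "2185"
make_sample_plist "$demo_dir/xpr.plist"      "126"
make_sample_plist "$demo_dir/mrt.plist"      "1.93"
run_check "$demo_dir" || true
rm -rf "$demo_dir"
```

Replace the sample paths in `run_check` with `$XPROTECT_PLIST`, `$XPR_PLIST` and `$MRT_PLIST` to check a live system; the expected values are just the ones current at the time of each post, so update them as newer posts in this thread report new versions.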
  2. 1PW

    1PW Registered Member

    Apple has released an update to XProtect and Yara definitions (27-February-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to 2187 as of 27-February-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) remains at version 126 since 21-February-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  3. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, XProtect Remediator and Yara definitions (05-March-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2188 as of 05-March-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 128 as of 05-March-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  4. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect and Yara definitions (12-March-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2189 as of 12-March-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) remains at version 128 as of 05-March-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  5. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect and XProtect Remediator, and YARA rulesets have been amended (19-March-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2190 as of 19-March-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 129 as of 19-March-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
    Last edited: Mar 19, 2024
  6. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, and YARA rulesets have been amended (26-March-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2191 as of 26-March-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) remains at version 129 as of 19-March-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  7. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect Remediator, and a Bastion rule has been added. (02-April-2024)
    1. XProtect (XProtectPlistConfigData) remains at version 2191 as of 26-March-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 130 as of 02-April-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  8. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, XProtect Remediator, YARA definitions, and Bastion rules. (23-April-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2192 as of 23-April-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 131 as of 23-April-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  9. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, XProtect Remediator, and YARA definitions. (30-April-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2193 as of 30-April-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 132 as of 30-April-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  10. 1PW

    1PW Registered Member

    Apple has just released an update to XProtect Remediator. (02-May-2024)
    1. XProtect (XProtectPlistConfigData) remains at version 2193 as of 30-April-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 133 as of 02-May-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    NOTE: Incorporates changes in the detection of Pirrit malware that often give false positives with components in Xcode, and with some third-party security software.

    Additional Reference: macOS Adload | Prolific Adware Pivots Just Days After Apple’s XProtect Clampdown

    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
    Last edited: May 5, 2024
  11. 1PW

    1PW Registered Member

    Apple has just released an update to XProtect and YARA definitions. (07-May-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2194 as of 07-May-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) remains at version 133 as of 02-May-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  12. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, XProtect Remediator, and Yara definitions. (28-May-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 2195 as of 28-May-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 135 as of 28-May-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  13. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, XProtect Remediator, and Bastion rules. (18-June-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 5268 as of 18-June-2024. Yes, a change to the numbering.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 137 as of 18-June-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
  14. 1PW

    1PW Registered Member

    What do XProtect BehaviourService and Bastion rules do?

    Not content with two different XProtects, Apple added a third to macOS Ventura, XProtect BehaviorService (XBS), part of the new Bastion behavioural-based malware detection system. Rather than performing on-demand or periodic scans of static code, this watches for potentially malicious behaviours, such as attempts to access folders used by browsers such as Safari and Google Chrome. This article summarises what XBS is doing as we prepare to upgrade from Sonoma to Sequoia.

    What they do
    Apple tells us precious little about XBS and Bastion, mentioning them in its Platform Security Guide: “In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.”

    At present, XBS and Bastion only record suspicious events in the XBS database at /var/protected/xprotect/XPdb, report them to Apple, but don’t attempt to intervene in any way. They determine what to report according to a set of rules applied by syspolicyd that are compiled from source files updated inside XProtect Remediator update bundles. Changes in those, in XPR’s scanning modules, and in XProtect’s detection signatures, are reported on this blog for each update released by Apple.

    Development
    Over the period since its introduction, Bastion rules have grown steadily, from four to 12:

    • In macOS 13.5 (24 July 2023) there were 4 rules, increasing to 5 in September 2023.
    • XProtect Remediator (XPR) 108 (8 August 2023) brought the first separate Bastion rule update.
    • XPR 112 added rules 6 and 7.
    • XPR 123 added rules 8 and 9, and adjusted rule 7.
    • XPR 130 added rule 10.
    • XPR 131 added rule 11.
    • XPR 137 added rule 12, and amended rules 6 and 7.
    Updates provided in XProtect Remediator contain two files for XBS and Bastion:

    • bastion.sb, a text file containing the latest Bastion SystemPolicyConfiguration, its rules;
    • BastionMeta.plist, a property list defining behaviour dictionaries for XBS and Bastion.
    Bastion rules
    The Bastion SystemPolicyConfiguration file bastion.sb is prefaced with the line (version 3), which hasn’t changed since the first update.

    This first defines four groups of processes: usual-offenders, common exceptions to several rules, and separate groups of exceptions to each of Bastion rules 1, 2, 3 and 12. For example, com.apple.mds and other Spotlight indexing processes are usual-offenders, while com.apple.Finder is only a rule-one-offender. Interestingly, three of the XProtect Remediator scanning modules (MRTv3, Pirrit and WaterNet) are included in the list of usual-offenders.

    Using those lists of exceptions, Bastion rules are then built as filters:

    1. excludes other processes from accessing private data for Google Chrome, Firefox and Safari;
    2. excludes other processes from accessing private data for Messages, Microsoft Teams, Slack and WhatsApp;
    3. excludes other processes from accessing the QuarantineEvents database;
    4. controls access to two socket ioctl commands SIOCIFCREATE and SIOCGIFDESC;
    5. controls access to writing files with a period/stop at the start of their name within Library/PrivilegedHelperTools/ directories.
    6. controls creating or writing to files with a name starting with com within /Library/Application Support/
    7. controls creating or writing to files with a name starting with com within /Library/Application Support/ and user /Library/Application Support/ directories
    8. controls creating or writing to files with a name starting with a period/stop, other than .DS_Store, in user /Library/Application Support/ directories
    9. excludes other processes from creating or writing to files in user /Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/ directories
    10. controls creating or writing to files with a name starting with a period/stop, other than .DS_Store, .betamigrated and .localized, in the /Users/Shared/ directory
    11. controls execution of processes from files with a name starting with a period/stop in the /Users/Shared/ directory
    12. excludes other processes from accessing private data for Notes, Safari Cookies, Chrome, Brave, Microsoft Edge, Opera, Vivaldi, Firefox, Arc, other cookies, Electrum and Coinomi wallets, Exodus, atomic, Binance, Filezilla, Steam and Discord.
    The updated bastion.sb file supplied in XPR updates is explicitly referenced by syspolicyd to replace the version embedded in its own code.

    BastionMeta.plist
    This property list contains a metadata dictionary of 12 behaviours, each correlating with a Bastion rule. Each has a Signature Name, such as macOS.NetworkSniffer.Generic, a Boolean value indicating the need for immediate reporting, and a binary flag ranging from 1 to 2048. The behaviours are named:

    1. Browser
    2. Messages
    3. QntDb
    4. NetworkSniffer
    5. HiddenPrivilegedHelpers
    6. ADLOAD NumericPath
    7. ADLOAD PersistenceSearch
    8. Persistence HiddenAppSupport
    9. Safari ExtensionModification
    10. Persistence HiddenShared Generic
    11. Persistence HiddenShared Exec
    12. InfoStealers.
    Behaviours detected
    Individual rules currently detect:

    1. attempts to access private browser data
    2. attempts to access private messaging data
    3. attempts to access quarantine records
    4. attempts to perform network packet sniffing
    5. attempts to write to hidden privileged helper apps
    6. Adload behaviours
    7. Adload persistence behaviours
    8. persistence behaviour using hidden files in user /Library/Application Support/ directories
    9. attempts to create and use Safari extensions
    10. persistence behaviour using hidden files in /Users/Shared/
    11. persistence behaviour running hidden files in /Users/Shared/
    12. attempts by an InfoStealer to access a wide range of private data.
    Summary
    • In macOS Ventura and later, XProtect BehaviorService (XBS) and its Bastion rules detect suspicious behaviours that might reflect malicious activity.
    • Bastion rules are updated within XProtect Remediator updates, using two files bastion.sb and BastionMeta.plist.
    • There are currently 12 Bastion rules, covering generic behaviours such as accessing private data, to those indicative of Adload and InfoStealer malware.
    • Suspicious behaviour is recorded locally to the XBS database and reported to Apple, but isn’t notified to the user.
    • Currently, the primary purpose of XBS and Bastion is to provide Apple’s security team with intelligence to improve protection provided by XProtect and XProtect Remediator.
     
  15. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, XProtect Remediator and Yara definitions. (09-July-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 5269 as of 09-July-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 139 as of 09-July-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     
    Last edited: Jul 11, 2024
  16. 1PW

    1PW Registered Member

    Apple has just released updates to XProtect, XProtect Remediator and Yara definitions. (23-July-2024)
    1. XProtect (XProtectPlistConfigData) has been updated to version 5270 as of 23-July-2024.
    2. XProtect Remediator (XPR) (XProtectPayloads) has been updated to version 140 as of 23-July-2024.
    3. The Malware Removal Tool (MRT) (MRTConfigData) remains at version 1.93 since 26-September-2023.
    Although periodically checked by macOS, manually running the following undocumented macOS Software Update Tool command could hasten any of the above applicable pending software update(s):

    % softwareupdate -ia --include-config-data

    Versions Check:

    % defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString; defaults read /Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist CFBundleShortVersionString
     