Apple has just released updates to XProtect and XProtect Remediator

Apple has just released updates to XProtect Remediator security software (Catalina or later), bringing it to version 131, and to XProtect (for all macOS from El Capitan or so) bringing it to version 2192.

Apple doesn’t release information about what security issues these updates might add or change.

Unusually, XProtect’s Yara definitions remove previous signatures for MACOS.d444820, MACOS.8a20735, common data for MACOS.ADLOAD, MACOS.ADLOAD.GEN, and MACOS.ADLOAD.SMC. They add a great many new signatures for different components and variants of Adload, including named items such as smolgolf, gardna, magicplant, python, biter, airplay, toy drop and others, as MACOS.ADLOAD. These are the greatest changes I have ever seen in XProtect’s Yara definitions, and appear to be a major restructuring of the detection of Adload.

No new scanning modules are added to XProtect Remediator. Bastion rules for the behavioural version of XProtect (Ventura and Sonoma only) add Rule 11, to detect execution of processes whose names are prefixed by a full stop/period (.) in /Users/Shared/, flagging them with a signature of macOS.Persistence.HiddenShared.Exec.

You can check whether these updates have been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist, for El Capitan to Sonoma, all available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.
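As an added example (not from the original post or from SilentKnight), the check above can also be scripted: the following shell script reads CFBundleShortVersionString from the XProtect and XProtect Remediator Info.plist files and compares them with the versions named here. It assumes the standard Catalina-and-later bundle paths under /Library/Apple/System/Library/CoreServices, and exercises the check on a constructed sample plist first so it runs on any host.

```shell
#!/bin/sh
# Added example, not part of the original post: compare the installed XProtect
# and XProtect Remediator versions with the ones named in the post (2192 and 131).
# Paths are the standard Catalina-and-later bundle locations (an assumption);
# each function takes a plist path, so it also runs against a sample file.

XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
REMEDIATOR_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist"

# Print CFBundleShortVersionString from an Info.plist with awk only, so this works
# in any POSIX shell (on macOS, `defaults read <plist> CFBundleShortVersionString` also works).
plist_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ {
            getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

# Return 0 when installed ($1) is numerically at or above expected ($2). XProtect and
# Remediator use plain integer versions, so anything else is rejected with status 2.
version_at_least() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$1" -ge "$2" ]
}

# Report one component as "<name> <installed> (expected <n>): current|OUTDATED";
# returns 0 only when current, 1 when outdated, 2 when the plist is unreadable.
check_component() {
    name=$1; plist=$2; expected=$3
    [ -r "$plist" ] || { echo "$name: $plist not found"; return 2; }
    installed=$(plist_version "$plist")
    if version_at_least "$installed" "$expected"; then
        echo "$name $installed (expected $expected): current"
    else
        echo "$name $installed (expected $expected): OUTDATED"; return 1
    fi
}

# Constructed sample plist (not a real Apple file) so the check can be exercised
# anywhere; on a Mac the two real bundles are checked afterwards. If either is
# outdated, the update can be forced with: sudo softwareupdate --background-critical
sampledir=$(mktemp -d)
printf '<plist version="1.0">\n<dict>\n\t<key>CFBundleShortVersionString</key>\n\t<string>2180</string>\n</dict>\n</plist>\n' > "$sampledir/Info.plist"
check_component "sample XProtect" "$sampledir/Info.plist" 2192 || true
rm -rf "$sampledir"
if [ -r "$XPROTECT_PLIST" ]; then
    check_component "XProtect" "$XPROTECT_PLIST" 2192
    check_component "XProtect Remediator" "$REMEDIATOR_PLIST" 131
fi
```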

If you want to install these as named updates in SilentKnight, their labels are XProtectPayloads_10_15-131 and XProtectPlistConfigData_10_15-2192.

I have updated the reference pages here, which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.