Apple has just released an update to XProtect for all macOS


Apple has just released an update to XProtect for all supported versions of macOS, bringing it to version 5277. As usual, Apple doesn’t release information about what security issues this update might add or change.

Relative to the last version released for all supported versions of macOS (5276), this version contains extensive changes, largely of an editorial nature. It adds one new detection rule for MACOS.PIRRIT.CHU, and removes rules for OSX.Genieo.C, OSX.Genieo.B, OSX.Genieo.A and OSX.Leverage.a.

Many rules have changes to their detection hashes, where existing SHA-1 hashes are replaced with SHA-256. The rules changed in this way include the following 36:

OSX.Proton.B
OSX.Vindinstaller.A
OSX.OpinionSpy.B
OSX.InstallImitator.C
OSX.Eleanor.A
OSX.InstallImitator.A
OSX.VSearch.A
OSX.Machook.A
OSX.Machook.B
OSX.iWorm.A
OSX.iWorm.B/C
OSX.NetWeird.ii
OSX.NetWeird.i
OSX.GetShell.A
OSX.Abk.A
OSX.CoinThief.A
OSX.CoinThief.B
OSX.CoinThief.C
OSX.HellRTS.A
OSX.MacDefender.B
OSX.QHostWB.A
OSX.Revir.A
OSX.Revir.ii
OSX.Flashback.A
OSX.Flashback.B
OSX.Flashback.C
OSX.FileSteal.ii
OSX.MaControl.i
OSX.Revir.iii
OSX.Revir.iv
OSX.SMSSend.i
OSX.SMSSend.ii
OSX.eicar.com.i
OSX.AdPlugin.i
OSX.AdPlugin2.i
OSX.Prxl.2

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sequoia, all available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5277.

For Sequoia only: so far, I have seen no sign of this update in iCloud, which still returns an XProtect version of 5272. If you download and install it using Software Update, softwareupdate or SilentKnight, then once that is complete you need to update the primary XProtect bundle in Terminal using the command
sudo xprotect update
then entering your admin password.
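The following script is an added example and not part of the original post: it reads the version of the installed XProtect bundle from its Info.plist, compares it with the version announced above (5277), and, when the Mac is behind, prints the commands to force the update. The bundle path is the standard macOS location; the softwareupdate --background-critical flag and the xprotect version subcommand are my additions and not named in the post. A constructed sample Info.plist is embedded so the parser can be exercised on any POSIX system.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the installed XProtect
# version against the one announced (5277). The plist is parsed with awk
# rather than defaults(1) so the functions also run off-macOS for testing.

EXPECTED_VERSION=5277

# Standard location of the bundle delivered by XProtectPlistConfigData
# (assumed from the usual macOS layout).
XPROTECT_PLIST=/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist

# Print CFBundleShortVersionString from plist XML on stdin. Handles both the
# usual "<key>…</key>" newline "<string>…</string>" layout and a same-line one.
plist_short_version() {
    awk '
        function grab(line) {
            if (match(line, /<string>[^<]*<\/string>/)) {
                print substr(line, RSTART + 8, RLENGTH - 17)
                exit
            }
        }
        found { grab($0) }
        /<key>CFBundleShortVersionString<\/key>/ { found = 1; grab($0) }
    '
}

# Return 0 when the installed version is at least the expected one.
# An empty or non-numeric installed version counts as not current.
xprotect_is_current() {
    installed=$1
    expected=$2
    case $installed in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$installed" -ge "$expected" ]
}

# Report this Mac's XProtect version and how to force the update if it lags.
check_xprotect() {
    if [ ! -f "$XPROTECT_PLIST" ]; then
        echo "No XProtect bundle at $XPROTECT_PLIST (not macOS?)"
        return 0
    fi
    installed=$(plist_short_version < "$XPROTECT_PLIST")
    if xprotect_is_current "$installed" "$EXPECTED_VERSION"; then
        echo "XProtect $installed installed (current)"
    else
        echo "XProtect ${installed:-unknown} installed, expected $EXPECTED_VERSION"
        echo "Force the update with:   sudo softwareupdate --background-critical"
        echo "On Sequoia, then update the primary bundle:   sudo xprotect update"
        echo "and confirm it with:   xprotect version   (assumed subcommand)"
    fi
}

# Constructed sample Info.plist (not a real file) showing the lagging
# version the post reports from iCloud, so the parser can be run offline.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.apple.XProtect</string>
	<key>CFBundleShortVersionString</key>
	<string>5272</string>
</dict>
</plist>'

# Version parsed from the constructed sample; prints 5272.
sample_version() { printf '%s\n' "$SAMPLE_PLIST" | plist_short_version; }

check_xprotect
```

On a Mac the script reads the real bundle; elsewhere it reports that the bundle is absent and exits cleanly, and sample_version shows the parser at work on the embedded plist.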

I have updated the reference pages here, which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sequoia on this page, for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.
