Silently updated security data files in Sonoma

Each of the main security services in macOS, like XProtect, relies on data commonly stored in separate files on the Data volume so that they can be updated easily outside of full macOS system updates. Most of these updates are released silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.

Currently, the most frequently updated of these is XProtect Remediator, which is normally pushed on a monthly cycle, on Thursdays.

This article details each of the main security data files found in macOS 14 Sonoma, together with others involved in related system functions. Several other bundles which formerly had roles in security have now been emptied, or left frozen in time. Those are listed below for the sake of completeness. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.

Main Security Data

XProtectPayloads, alias XProtect.app and XProtect Remediator
Latest version: 112, 29 September 2023.
This contains a suite of specialised malware detection and remediation tools, in the app bundle XProtect.app on the Data volume at /Library/Apple/System/Library/CoreServices. This was first installed with macOS 12.3, then version 62 was pushed to Catalina, Big Sur, Monterey and Ventura on 17 June 2022. Executables include a replacement for MRT, and 19 specialised scanners for specific malware types. Initially these ran alongside MRT, but have now replaced it. My free XProCheck lets you inspect its reports for malware detection and remediation.

XProtectPlistConfigData
Latest version: 1.0 2172, 29 September 2023.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle on the Data volume at /Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/XProtect.meta.plist, Contents/Resources/XProtect.plist and Contents/Resources/XProtect.yara. New with Catalina was the SQLite database file named gk.db in its resources, whose purpose is unknown, and a large list of cdhashes in LegacyEntitlementAllowList.plist, which presumably allows code with those cdhashes to use legacy entitlements. This is updated when required, every month or two.

Bastion
Latest version: not given, but bundled in XProtectPayloads 112, 29 September 2023.
These provide rules and exceptions for XProtect Behaviour Service (XBS). First introduced in Ventura, this service monitors for and logs processes that access sensitive locations such as folders containing browser data. As of XProtectPayloads 112 it has seven Bastion rules, but doesn’t block behaviours, only records them in its database at /var/protected/xprotect/XPdb. Bastion rules are defined in bastion.sb and BastionMeta.plist inside /Library/Apple/System/Library/CoreServices/XProtect.app. Those are updated infrequently at present, but it’s expected this service may become more active in Sonoma.

AppleKextExcludeList
Latest version: 19.0.0, 26 September 2023 (14.0 release).
This is a huge list of kernel extensions which are to be treated as exceptions to Sonoma’s security rules, and is stored on the Data volume in /Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist.
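As none of these silent updates produce a notification, the practical check is to read the version recorded in each bundle and compare it with the latest known release. The script below is an added example, not code from the article or from Apple, covering the XProtectPayloads, XProtectPlistConfigData and AppleKextExcludeList bundles listed above. It assumes that each bundle carries its version in the CFBundleShortVersionString key of Contents/Info.plist (for XProtect.bundle the expected value uses the 2172 figure from the article; which key carries that number is an assumption), and the embedded sample Info.plist is constructed so the parsing and comparison logic can be exercised off a Mac.

```python
import plistlib
from pathlib import Path
from typing import Dict, Optional, Tuple

# Bundles named in the article, with the latest version the article lists for each.
# Assumption: the version is carried in CFBundleShortVersionString of Contents/Info.plist.
EXPECTED: Dict[str, Tuple[str, str]] = {
    "XProtectPayloads": ("/Library/Apple/System/Library/CoreServices/XProtect.app", "112"),
    "XProtectPlistConfigData": ("/Library/Apple/System/Library/CoreServices/XProtect.bundle", "2172"),
    "AppleKextExcludeList": ("/Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext", "19.0.0"),
}


def bundle_version(info_plist: bytes) -> Optional[str]:
    """Parse Info.plist bytes (XML or binary) and return the short version string, if present."""
    info = plistlib.loads(info_plist)
    value = info.get("CFBundleShortVersionString")
    return str(value) if value is not None else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '19.0.0' or '1.0 2172' into a tuple of ints so comparison is numeric, not lexical."""
    parts = []
    for piece in version.replace(" ", ".").split("."):
        parts.append(int(piece) if piece.isdigit() else 0)
    return tuple(parts)


def classify(installed: Optional[str], expected: str) -> str:
    """Report whether the installed version is missing, current, older or newer than expected."""
    if installed is None:
        return "missing"
    have, want = version_key(installed), version_key(expected)
    if have == want:
        return "current"
    return "older" if have < want else "newer"


def audit(root: Path = Path("/")) -> Dict[str, Tuple[Optional[str], str]]:
    """Read each bundle's Info.plist under `root` and classify it against EXPECTED.

    `root` exists so the same function can be pointed at a mounted volume or a test tree.
    """
    results: Dict[str, Tuple[Optional[str], str]] = {}
    for name, (bundle_path, expected) in EXPECTED.items():
        plist = root / bundle_path.lstrip("/") / "Contents" / "Info.plist"
        installed = bundle_version(plist.read_bytes()) if plist.is_file() else None
        results[name] = (installed, classify(installed, expected))
    return results


# Constructed sample Info.plist, one release behind the article's XProtectPayloads 112.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>111</string>
    <key>CFBundleVersion</key>
    <string>111</string>
</dict>
</plist>
"""


if __name__ == "__main__":
    # On a Mac this reads the live bundles; elsewhere every entry reports "missing".
    for name, (installed, status) in audit().items():
        print(f"{name}: installed={installed} status={status}")
```

Running it as a script on a Mac prints one line per bundle; an "older" status is the cue to check whether the silent update has actually landed, and "missing" for XProtectPayloads on a Sonoma system is worth investigating rather than ignoring.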

Others

Core Services Application Configuration Data
Latest version: 140.78, 26 September 2023 (14.0 release).
This is a bundle on the System volume at /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle, and contains a list of app exceptions in /System/Library/CoreServices/CoreTypes.bundle/Contents/Library/AppExceptions.bundle/Exceptions.plist. This used to be firmlinked to /Library/Apple/System/Library/CoreServices/CoreTypes.bundle, but oddly that now links to XProtect data files.

IncompatibleAppsList
Latest version: 140.190 (14.0 release).
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing many known incompatible versions of third-party products.

Vestigial Data

MRTConfigData
Latest version: 1.93, 29 April 2022.
This was Apple’s Malware Removal Tool stored on the Data volume at /Library/Apple/System/Library/CoreServices/MRT.app, so that it could remove any malware which macOS detected. This has now been replaced by the XProtectRemediatorMRTv3 executable module in XProtect Remediator, and may disappear in future versions of macOS. It now often isn’t installed as part of macOS, but may be later as a security data update.

TCC_Compatibility Bundle
Latest version: 150.19.
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains AllowApplicationsList.plist, which is normally empty.

Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, but can instead be 94.
This is an SQLite database on the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db, which may have been used to provide whitelists for Gatekeeper’s security system, which checks the code signatures of apps. Macs which have never had Catalina or earlier installed normally have the very old version 94, indicating this database is no longer used in macOS 10.15 and later.

Gatekeeper E Configuration Data (GKE)
Latest version: 8.0.
This is an SQLite database on the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which may have provided whitelists for Gatekeeper’s security system. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db was new in Catalina and hasn’t changed since then.

CompatibilityNotificationData
Latest version: 1.0.8.
This is a bundle on the Data volume at /Library/Apple/Library/Bundles/CompatibilityNotificationData.bundle which contains CompatibilityNotificationData.plist, listing version ranges of third-party products which will be notified as being (in)compatible. This appears to have fallen into disuse and hasn’t been changed since macOS 10.15.

Last updated: 2 October 2023.