xprotect update
On my MacBook Air (2020, Intel) running MacOS 15.0, unable to update XProtect to 5275. In terminal, sudo XProtect update says MBA is up to date when running 5272.
MacBook Air 13″, macOS 15.0
Sequoia changed the way XProtect receives the updates.
For in-depth details, see The Eclectic Light Company blog
There is a new 'xprotect' command line tool.
sudo xprotect --help
OVERVIEW: A utility for working with XProtect.
USAGE: xprotect <subcommand>
OPTIONS:
-h, --help Show help information.
SUBCOMMANDS:
update perform an XProtect update
logs display XProtect logs
version print the XProtect update version
check print the currently available XProtect update
status print the status of the XProtect subsystem
See 'xprotect help <subcommand>' for detailed help.
sudo xprotect check
Current update: date: 2024-08-28 19:55:39 +0000 version: 5272
sudo xprotect update
Current update: date: 2024-08-28 19:55:39 +0000 version: 5272
Starting update.
Update succeeded: Activated update LocalUpdate[5275]
AlWeir wrote:
The app I use says that it is supposed to be 5275. Do a search for an app called SilentKnight.app
Again, was this Mac running the beta? If so, did you reload macOS 15? If not, reload macOS 15 without restore, and check again. (Betas are best not run in production, and with the full expectation an erase-and-install-without-restore can be needed. And this reeks of a beta-related issue.)
As for the add-on app, either remove that third-party app, or log a bug report with the third-party and allow the third-party provider to work out this data issue either within their tool, or within their instructions around what to do with the information reported by the tool, or the third-party can pursue this issue with Apple if that’s warranted.
James Brickley: the third-party app used to report this (internal, undocumented, subject to change) XProtect data is likely one provided by that same party. There is expertise certainly, but various of the tools provided are best run with consideration of what is being reported. Not all data is information.
AlWeir wrote:
No it wasn't running beta, since I don't beta test. I get Howard Oakley RSS feed and I just happened to see it earlier this week that XProtect had been updated so I ran SilentKnight.
Okay.
I would resolve the source of the noise here, and would remove the third-party tool.
As etresoft mentions above, none of this is documented. All of it is subject to change.
Some add-on security tools tend to be noisy, and this is certainly an example of that added noise.
Why noise? Apple will do with XProtect what Apple does. Whether that might involve another XProtect update, or may involve the arrival of macOS 15.1 in October, or something else? Or Apple might deign to allow this current case to persist indefinitely. Again, this whole area is undocumented.
Why removal? This tool and its documentation have seemingly provided you with information that is not actionable. You wouldn’t be here if it was. Beyond causing “mere” concern here, some of these add-on security apps go further and either get themselves or the OS or their users tangled, or allow their users to disrupt themselves.
Got questions about this tool? Ask the app vendor.
Was this Mac previously running the macOS 15 Sequoia beta? If it was, then either reinstall macOS and it should clear, or wait for Apple to sort it.
Ronald Gold wrote:
On my MacBook Air (2020, Intel) running MacOS 15.0, unable to update XProtect to 5275. In terminal, sudo XProtect update says MBA is up to date when running 5272.
All you need to do is make sure you have System Settings > Software Update set to "Install Security Responses and system files" > Enabled
Don't worry about version numbers for XProtect. That is internal Apple data. You don't need to monitor it manually or do any manual updates.
Certain social media influencers have made a name for themselves telling people the opposite. They say that Apple has poor security and that it is the end user's responsibility to constantly check these versions and manually update them. That is false.
The day Sequoia was released, said social media influencer even ran this scary-sounding headline from their blog, "Apple has stopped all XProtect updates for macOS Sonoma and earlier". Strangely enough, the very next post was titled, "XProtect updates are available again". I guess the embarrassment of the "correction" was less than the embarrassment of deleting the obviously incorrect post. Personally, I would have preferred a straight-up mea culpa, something like "I got it wrong" maybe. Even better, wait a couple of days after a big event before making such a statement. But, in their defence, that's still better than what most social media influencers would have done.
Ronald Gold wrote:
My use of XProtect commands was based on my reading of Howard Oakley. However, his comments on Sequoia and XProtect have yet to explain the confusion on updating created by Apple. Running xprotect update on my M1 MacMini after updating to Sequoia got me to XProtect 5275, but on my MacBook Air (2020), XProtect has stayed at 5272 in spite of XProtect update.
He does sometimes write on interesting topics. But if you want more definitive information, it's better to go to the source - Apple's documentation. In cases where something isn't documented, like XProtect version numbers, that's a good indicator to avoid that particular data, because the facts themselves probably aren't definitive. I learned that long ago.
Like others, I was also infatuated with tracking these version numbers at one time. But I ran into a problem. If my software was telling someone that their security was out of date, but Apple disagreed, what was I supposed to tell my customers? That Apple was wrong about its own software? File a bug report? Erase their hard drive and reinstall the operating system? In my case, I realized, on Feb. 18th, 2018, only a few days after releasing EtreCheck 4.0 with this feature, that those version numbers simply didn't mean what I thought they meant. I was able to reproduce a situation using a combo updater where my XProtect data was definitely up-to-date, but had an unexpected version number.
These social media influencers are far more "influential" than I am. They definitely have more users of their freebie apps than I have paying customers. So I'm surprised at these situations. Oakley isn't the only person I'm talking about and this isn't the only issue. That's the difference between a developer and a social media influencer. With enough followers singing your praises every day, it's easy to think you're infallible. But all I need is Xcode to remind me every day how fallible I am. And I really don't like it when I miss errors and customers find them for me, as happened with these version numbers years ago.
Disregard influencers, seek out real pros like Howard Oakley - The Eclectic Light Company. https://eclecticlight.co/ He's got a heck of a lot of highly detailed blog entries on XProtect. This one is highly relevant. https://eclecticlight.co/2024/09/25/how-xprotect-has-changed-in-macos-sequoia/
All I had to do was run sudo xprotect update and it fixed the issue with a stuck update that apparently needed to be activated but never was for some weird reason (bug).
True the average consumer may not care nor need to know about XProtect. But the reality is that I've found way too many Macs in a corporate managed fleet where they stopped receiving updates. Now it's trivial for me to fix them. Sure we use CrowdStrike but I would rather also make sure macOS is functioning the way it is supposed to.
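An added example, not part of any post in this thread: a shell function that classifies a captured `sudo xprotect update` transcript, which is the kind of check a fleet admin could script to spot a Mac whose update was never activated. It relies only on the two line formats quoted earlier in the thread; the names `classify_update`, `SAMPLE_ACTIVATED` and `SAMPLE_NO_ACTIVATION` are hypothetical, and because the tool's output is undocumented, anything else is reported as `unparsed`.

```shell
#!/bin/sh
# Added example: classify the text printed by `sudo xprotect update`.
# Only the line formats quoted in this thread are recognised; the output is
# undocumented and may change, so unknown text yields "unparsed".

# Constructed sample inputs, taken from the transcript shown in the thread.
SAMPLE_ACTIVATED='Current update: date: 2024-08-28 19:55:39 +0000 version: 5272
Starting update.
Update succeeded: Activated update LocalUpdate[5275]'

# Constructed: the same transcript with no activation line after it.
SAMPLE_NO_ACTIVATION='Current update: date: 2024-08-28 19:55:39 +0000 version: 5272'

# classify_update TEXT
# Prints one of:
#   activated OLD NEW   - an activation line was seen (OLD is "unknown" if absent)
#   no_activation OLD   - only the "Current update" line was seen
#   unparsed            - neither known line format was found
classify_update() {
    text=$1
    # Version reported on the "Current update:" line.
    old=$(printf '%s\n' "$text" |
        sed -n 's/^Current update:.* version: \([0-9][0-9]*\)[[:space:]]*$/\1/p' |
        head -n 1)
    # Version inside "LocalUpdate[...]" on the activation line.
    new=$(printf '%s\n' "$text" |
        sed -n 's/^Update succeeded: Activated update LocalUpdate\[\([0-9][0-9]*\)].*$/\1/p' |
        head -n 1)
    if [ -n "$new" ]; then
        echo "activated ${old:-unknown} $new"
    elif [ -n "$old" ]; then
        echo "no_activation $old"
    else
        echo "unparsed"
    fi
}

# On a Sequoia Mac (not run here):
#   classify_update "$(sudo xprotect update 2>&1)"
```

A `no_activation` result only says that no activation line was printed; as several posts in the thread point out, the version number alone is not a documented indicator of protection state.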
I couldn't agree more about Howard Oakley and his wonderful The Eclectic Light Company blog. His posts on the current XProtect shambles go deep and are very informed. Also, yes, as a general rule, *and this does by no means apply here in any way, just in general*, avoid influencers (2=1? helps with self-upvoting?) and pseudo-informed self-promotion.
Dr. Howard Oakley is currently a developer of Mac software and is the founder of The Eclectic Light Company. Howard started life keenly interested in medicine, attended Oxford, and spent most of his career with the British Royal Navy as a doctor, ascending to the rank of Surgeon Commander. Along the way, he became heavily involved with computers and programming. His first encounter with a Mac SE and MPW hooked him for life.
Podcast
https://www.macobserver.com/podcasts/background-mode-howard-oakley/
My use of XProtect commands was based on my reading of Howard Oakley. However, his comments on Sequoia and XProtect have yet to explain the confusion on updating created by Apple. Running xprotect update on my M1 MacMini after updating to Sequoia got me to XProtect 5275, but on my MacBook Air (2020), XProtect has stayed at 5272 in spite of XProtect update.
James Brickley wrote:
Dr. Howard Oakley is currently a developer of Mac software and is the founder of The Eclectic Light Company.
The Eclectic Light Company is a blog. He's a retired magazine writer.
I understand your perspective perfectly. Etrecheck should avoid even looking at XProtect precisely because Apple hasn't documented it effectively for you to know for sure if there is a problem or not. Nothing wrong with that take. Not one bit.
The app I use says that it is supposed to be 5275. Do a search for an app called SilentKnight.app
No it wasn't running beta, since I don't beta test. I get Howard Oakley RSS feed and I just happened to see it earlier this week that XProtect had been updated so I ran SilentKnight.