
This article details each of the main security data files found in macOS 11 Big Sur, together with others involved in related system functions.

Each of the main security services in macOS, like XProtect and MRT, relies on data which is commonly stored in separate files on the Data volume so that it can be updated easily outside of full macOS system updates. Most of these updates are pushed silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated. macOS Big Sur brings only small changes from those in Catalina, which saw a major reorganisation to cater for the new Volume Group. Currently, those most frequently updated are XProtect data files and MRT, which are generally pushed out on a 2-week cycle, although MRT isn’t always updated alongside XProtect.

These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle on the Data volume at Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/, Contents/Resources/ist and Contents/Resources/XProtect.yara. New with Catalina was the SQLite database file named gk.db in its resources, whose purpose is unknown, and a large list of cdhashes in ist, which presumably allows code with those cdhashes to use legacy entitlements.

This is Apple’s Malware Removal Tool stored on the Data volume at Library/Apple/System/Library/CoreServices/MRT.app, so that it can remove any malware which macOS detects. It doesn’t use a separate data file, instead embedding its details with the executable code. This is normally updated every 2-6 weeks.

This contains a suite of specialised malware detection and remediation tools, in the app XProtect.app on the Data volume at /Library/Apple/System/Library/CoreServices. This is linked to from the System volume via a symbolic link at /System/Library/CoreServices, and normally updated every 2 weeks. Executables include an eventual replacement for MRT, and several specialised tools for specific malware types. This was first installed with macOS 12.3, then version 62 was pushed to Catalina, Big Sur, Monterey and Ventura on 17 June 2022.

This is a bundle on the Data volume at Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains ist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up.

This is a very long list of kernel extensions which are to be treated as exceptions to Big Sur’s security rules, and is stored on the Data volume in Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ist.

As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.
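Because these updates arrive silently, the first check a defender wants is simply which version of each of these bundles is currently installed, and whether the System-volume link still resolves to the Data-volume copy. The following shell script is an added example, not code from the article or from Apple: it reads CFBundleShortVersionString from each bundle's Contents/Info.plist at the Data-volume paths the article lists, and verifies a symbolic link's target. It assumes each bundle carries an Info.plist with that key; on macOS it uses `defaults read`, and on a host without `defaults` it falls back to a plain-text parse that assumes the plist is XML rather than binary.

```shell
#!/bin/sh
# Added example (not from the article): inventory the macOS security data
# bundles described above so that silent updates can be confirmed.
# DATA_ROOT can be pointed at another mounted Data volume for inspection.
DATA_ROOT="${DATA_ROOT:-/Library/Apple}"

# bundle_version <Info.plist>: print the bundle's CFBundleShortVersionString.
# Prints "missing" and returns 1 when the plist cannot be read.
# Assumption: the key exists; the awk fallback only handles XML plists.
bundle_version() {
    plist="$1"
    [ -r "$plist" ] || { echo "missing"; return 1; }
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$plist" CFBundleShortVersionString 2>/dev/null && return 0
    fi
    # Fallback: take the <string> element that follows the key.
    awk '/<key>CFBundleShortVersionString<\/key>/ {
             getline
             gsub("(.*<string>)|(</string>.*)", "")
             print
             exit
         }' "$plist"
}

# symlink_points_to <link> <expected_target>: succeed only when <link> is a
# symbolic link whose literal target is <expected_target>, as the article
# describes for /System/Library/CoreServices/XProtect.app.
symlink_points_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# report: one line per bundle, using the Data-volume paths from the article.
report() {
    for b in \
        "System/Library/CoreServices/XProtect.bundle" \
        "System/Library/CoreServices/MRT.app" \
        "System/Library/CoreServices/XProtect.app" \
        "System/Library/Extensions/AppleKextExcludeList.kext" \
        "Library/Bundles/TCC_Compatibility.bundle"; do
        printf '%-55s %s\n' "$b" "$(bundle_version "$DATA_ROOT/$b/Contents/Info.plist")"
    done
    if symlink_points_to /System/Library/CoreServices/XProtect.app \
                         /Library/Apple/System/Library/CoreServices/XProtect.app; then
        echo "XProtect.app symlink: OK (resolves to Data volume)"
    else
        echo "XProtect.app symlink: not as expected (absent, not a link, or other target)"
    fi
}

report
```

Run it as `sh check_security_data.sh` on the Mac being checked; the version strings it prints are the ones to compare against a known-good baseline when deciding whether the latest silent push has actually landed.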
