macOS 15.2 Changes XProtect Update Mechanism
In the latest release of Sequoia, the traditional method of updating XProtect is no longer used. If softwareupdate were to download and install an update, then it will only end up in the traditional location, and xprotect update can’t use that to update the new location.
In normal use, this means that the user can’t update XProtect until that new version is made available from iCloud. This ensures that the only versions provided to Macs running 15.2 and later are those intended to be used in Sequoia, but it also means that any delay in providing those via iCloud will leave Macs without the latest update.
Apple has modified the xprotect command to provide one let-out, though: use sudo xprotect update --prerelease and it “will attempt to use a prerelease update, if available.”
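As an added example (not code from the post, from Howard Oakley, or from Apple), a POSIX shell check that compares the XProtect bundle version at the legacy location, which is what Software Update and SilentKnight report on, with the version at the new Sequoia location that xprotect update maintains, so an administrator can tell a stale legacy copy from a Mac that is genuinely behind. The two bundle paths are assumptions and not stated on this page (override them with the environment variables), and XProtect data versions are assumed to be plain integers such as 5286.

```shell
#!/bin/sh
# Added example (not Apple's or the post's code): compare the XProtect bundle
# Software Update reports against the one Sequoia 15.2+ actually uses.
# Both paths are assumptions, not taken from this page; override via env.
LEGACY_BUNDLE="${LEGACY_BUNDLE:-/Library/Apple/System/Library/CoreServices/XProtect.bundle}"
ACTIVE_BUNDLE="${ACTIVE_BUNDLE:-/var/protected/xprotect/XProtect.bundle}"

# Print CFBundleShortVersionString from a bundle's Info.plist, "missing" if
# the file is absent, "unknown" if the key is not found. Always returns 0 so
# callers can use command substitution under set -e.
plist_version() {
    f="$1"
    [ -r "$f" ] || { echo "missing"; return 0; }
    prog='/<key>CFBundleShortVersionString<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }'
    if command -v plutil >/dev/null 2>&1; then
        # macOS: normalise a possibly binary plist to XML before parsing
        v=$(plutil -convert xml1 -o - "$f" | awk "$prog")
    else
        v=$(awk "$prog" "$f")
    fi
    echo "${v:-unknown}"
}

# Compare legacy ($1) and active ($2) bundles. Exit status: 0 = active bundle
# is at least as new as the legacy copy, so an "update available" from
# Software Update changes nothing XProtect uses; 1 = active bundle is behind
# the legacy copy, so run xprotect update; 2 = no active bundle at all.
# Assumes XProtect data versions are plain integers such as 5286.
xprotect_status() {
    legacy=$(plist_version "$1/Contents/Info.plist")
    active=$(plist_version "$2/Contents/Info.plist")
    if [ "$active" = "missing" ]; then
        echo "no XProtect bundle at $2 (pre-15.2 macOS, or xprotect update never ran)"
        return 2
    fi
    if [ "$legacy" = "missing" ] || [ "$legacy" -le "$active" ] 2>/dev/null; then
        echo "active XProtect $active (legacy copy: $legacy): nothing to do"
        return 0
    fi
    echo "active XProtect $active is behind legacy copy $legacy: run sudo xprotect update (or --prerelease)"
    return 1
}

# Report on the real bundles only when run on macOS; the functions above are
# portable so they can be exercised elsewhere with sample plists.
if [ "$(uname)" = "Darwin" ]; then
    xprotect_status "$LEGACY_BUNDLE" "$ACTIVE_BUNDLE"
fi
```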
Also confusing is that Apple never shows these updates in System Preferences > Software Update nor on the Apple Security Releases webpage (although they should be listed after installation in System Report > Software > Installations if you can locate that report on your Mac).
Apple provides so many services for different parts of macOS that it’s hard to keep track of them. If you want to see a short summary, this article lists all service connections for enterprise network administrators, although it doesn’t detail which services use which servers, for example referring to “macOS updates” in many entries.
Many of you seem surprised to learn that Sequoia’s new XProtect updates come from iCloud, although Apple has been using iCloud for similar purposes for at least the last five years.
Previously:
- macOS 15.2
- Mac App Impersonation
- How Ventura Checks the Security of Apps and Tools
- Secret Mac Security
- Active Mac Malware Scans
- XProtect Remediator
Update (2025-02-07): Howard Oakley:
In the early hours (GMT) of 29 January, XProtect 5286 was released for download to macOS Sequoia via its iCloud connection. As this doesn’t use the servers responsible for macOS and other OS updates, that took advantage of this new feature in Sequoia. Most of the Macs running 15.0 or later were most probably updated to 5286 by the end of that day.
Twenty-four hours later, in the early hours (GMT) of 30 January, the same updated version of XProtect was released for download from Apple’s Software Update servers, enabling those still running older versions of macOS to install the update, as the load must have been reducing on those servers.
Although that seems clear and straightforward, what users saw often appeared puzzling if not incorrect. If you were running Sequoia, your XProtect data bundle with its Yara rules was probably updated silently during 29 January, but the following day (when your Mac was already enjoying the protection of the update) you were offered the 5286 update by Software Update, softwareupdate or SilentKnight, as if your Mac still hadn’t been updated. Some of you thought that was the real update, but it wasn’t, as that only updated the bundle stored at the old location, which isn’t used by XProtect in Sequoia.
What does “comes from icloud” mean? If I don’t enable iCloud I don’t get XProtect updates??
I wonder *why*.
Is it that too many admins block SU, and Apple wants to aggressively ensure people still get malware definitions?
@bob My understanding is that it works even if you haven’t enabled iCloud services for any apps, so long as you aren’t blocking the network connections.
@Sören My guess would be that they just want to consolidate their internal services on the CloudKit API, but perhaps you’re right.