Meet Apple updates to XProtect and MRT

Apple just pushed updates to both XProtect and the Malware Removal Tool, MRT.

March 5 2021 by

Stuart Ashenbrenner

Bringing the XProtect version to 2141 and MRT to version 1.75, the new version of XProtect included the creation of new detections in rules MACOS_b5bd028, MACOS_2afe6bd, and MACOS_d98ded3, along with the removal of MACOS_7ef4bab and MACOS_44db411.

The two rules removed by Apple in this most recent update detected variants of Adload, one of which was only added in February during the last update of XProtect.

According to our research, with the new rules added in this update, Apple has expanded their detections of an adware called MaxOfferDeal. It also expanded detections for a variant of the adware Climpli, called Macnist and a shell script containing Bundlore, an installer which will bundle legitimate software with advertisements of third-party products that may be unwanted by the end-user. These detections are automatically pushed to the end-user.

No additional data about the update to MRT is available at this time.

Apple obfuscates the names of their rules, making them only readable internally, which can hinder analysis. However, Jamf Protect detects an even wider range of adware and malware and frequently alerts on them before a new update to XProtect or MRT is available.

Get endpoint protection for Apple.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.