Jamf Blog
August 18, 2022 by Stuart Ashenbrenner

Apple updates XProtect and MRT

Apple updates XProtect, bringing XProtect to version 2162.

August 18, 2022

Changes to this version of XProtect include the addition of a single new rule:

  • XProtect_snowdrift: Prevents samples of the CloudMensis backdoor, which Apple is calling “Snowdrift”.

June 30, 2022

Apple has pushed a new update to XProtect, bringing the version number to 2161. This update is dated June 30, 2022. The last update for XProtect was on June 9, 2022.

Changes to this version of XProtect include the addition of two new rules:

  • MACOS.644e18d: Prevents samples of Proxit/TrojanProxy.
  • MACOS.cbb1424: Prevents a variant of WizardUpdate/AdAgent.

June 9, 2022

Apple has pushed a new update to XProtect, bringing the version number to 2160. This update is dated June 9, 2022. The last update for XProtect was on May 12, 2022.

Changes to this version of XProtect include the addition of two new rules:

  • MACOS.6e6bed7: Prevents samples of WizardUpdate/UpdateAgent.
  • MACOS.1afcb8b: Not yet publicly identified.

May 12, 2022

Apple has pushed a new update to XProtect, bringing the version number to 2159. This update is dated May 12, 2022. The last update for XProtect was on March 17, 2022.

Changes to this version of XProtect include the addition of three new rules:

  • MACOS.e71e847: Prevents generic adware known by a few names - SearchProxy, Multiverze (Adload), Synataeb.
  • MACOS.1940318: Has not been publicly identified as of yet.
  • MACOS.275ff12: Prevents a variant of the adware dubbed Adload.

March 17, 2022

Apple has pushed new updates to both XProtect and the Malware Removal Tool, bringing the former to version number 2158 and the latter to version 1.91. Both updates are dated March 17, 2021.

Changes to this version of XProtect include the addition of two new rules:

  • MACOS.22f03bb: Detects a new variant of the Zuru malware.
  • MACOS.efb903b: Detects the Gimmick malware.

No additional data about the update to MRT is available at this time.

March 3, 2022

Today, Apple has pushed a new update to XProtect, bringing the version number to 2157. The update is dated March 3, 2022. Apple appears not to have released a version 2156, as the previous release was version 2155.

Apple introduced rule MACOS.e150543, which prevents variants of the adware FPlayer. The other updates to XProtect come to rules MACOS.1db9cfa and MACOS.6eaea4b. Both rules prevent the XCSSET malware and were introduced in versions 2142 and 2144 respectively. Both were last updated in version 2149 from June 28, 2021.

February 3, 2022

Apple updates both XProtect and MRT, bringing XProtect to version 2155 and MRT to version 1.88.

Apple has pushed new updates to both XProtect and the Malware Removal Tool, bringing the former to version number 2155 and the latter to version 1.88. Both updates are dated August 23, 2021. Apple appears to have skipped MRT version 1.87.

The only new change to this version of XProtect is an update to rule MACOS.8032420, which prevents Genieo/MaxOfferDeal. The last update made to this rule was in version 2151 from September.

No additional data about the update to MRT is available at this time.

January 26, 2022

Today, Apple has pushed a new update to XProtect, bringing the version number to 2153; the update is dated January 26, 2021.

Apple expanded rule MACOS.9a3e9ed, which was initially introduced in version 2153 on December 16, 2021, to look for variants of the MacUpdater adware, also referred to as FireSearch.

December 16, 2021

Today, Apple has pushed a new update to XProtect, bringing the version number to 2153; the update is dated December 16, 2021.

Apple expanded rule MACOS.1db9cfa, which was initially introduced in version 2144 on April 15, 2021, to look for variants of the Bundlore adware. The other change to XProtect is the addition of a new rule, MACOS_9a3e9ed. This new addition prevents a type of adware known as MacUpdater, or its other name, FireSearch. Both of these have been known to be associated with the Genieo malware.

This is the first update to XProtect since September 24, 2021, when Apple released version 2151. There was never a public release of version 2152, and no update was made to Apple’s Malware Removal Tool (MRT) at this time.

September 24, 2021

Apple has pushed a new update to XProtect, bringing the version number to 2151. This update is dated September 24, 2021.

Apple updated rule MACOS_8032420, which prevents variants of the adware dubbed Genieo (MaxOfferDeal). Apple improved coverage for this rule by adding a single line to the signature for MACOS_8032420. This rule was originally introduced in XProtect version 2123 and was last updated in version 2136.

These are the first updates made to XProtect since August 23, 2021.

August 23, 2021

Apple has pushed new updates to both XProtect and the Malware Removal Tool, bringing the former to version number 2150 and the latter to version 1.82. Both updates are dated August 23, 2021.

Apple introduced rule MACOS.7c241b4, which prevents variants of the common adware dubbed Climpli (Adload). A related rule, MACOS.2afe6bd (Climpli/Adload), which was added in v2141, was also updated. Other updates to XProtect come to rules MACOS.f5d33c9 and MACOS.8a20735 (both Bundlore), which were previously named MACOS.ef3df25 and MACOS.a9ea9b4, respectively.

These are the first updates made to either XProtect or MRT since June 28, 2021.

No additional data about the update to MRT is available at this time.

June 28, 2021

Apple has pushed new updates to both XProtect and the Malware Removal Tool, bringing the former to version number 2149 and the latter to version 1.81. Both updates are dated June 28, 2021.

Apple introduced rule MACOS.54d6414, which prevents a variant of the Shlayer malware that is a dropper for the Bundlore adware. The other updates to XProtect come to rule MACOS.11eaac1 (VindInstaller.B) and the expansion of two rules that target the XCSSET malware - MACOS.1db9cfa and MACOS.6eaea4b.

This is a continuation of Apple’s commitment to preventing XCSSET malware, which has continued to gain attention as it quickly adapts and changes.

Apple appeared to skip MRT 1.80, going straight to version 1.81. No additional data about the update to MRT is available at this time.
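The entries above are produced by comparing the rule set shipped in one XProtect release with the next: a rule name that is new was added, and a rule whose signature text changed (for example, gaining a line) was updated. The following Python is an added example of that comparison, not code from Jamf or Apple; the two rule sets are constructed placeholders using rule names mentioned in this post, not Apple's real signatures.

```python
import hashlib
import re

# Constructed stand-ins for two consecutive XProtect.yara releases. Rule
# names come from this post; the bodies are placeholders, not Apple's signatures.
OLD_RULES = """\
rule MACOS_644e18d { strings: $a = "proxit-placeholder" condition: $a }
rule MACOS_cbb1424 { strings: $a = "adagent-placeholder" condition: $a }
rule MACOS_8032420 { strings: $a = "genieo-placeholder" condition: $a }
"""

# Next release: one rule unchanged, one signature gains a line, one rule added.
NEW_RULES = """\
rule MACOS_644e18d { strings: $a = "proxit-placeholder" condition: $a }
rule MACOS_cbb1424 { strings: $a = "adagent-placeholder" condition: $a }
rule MACOS_8032420 {
    strings:
        $a = "genieo-placeholder"
        $b = "maxofferdeal-placeholder"
    condition: any of them
}
rule XProtect_snowdrift { strings: $a = "snowdrift-placeholder" condition: $a }
"""

# A YARA rule declaration starts a line with "rule <name>".
RULE_RE = re.compile(r"^rule\s+([\w.]+)", re.M)


def parse_rules(yara_text):
    """Return {rule name: sha256 of its whitespace-normalised body}."""
    starts = list(RULE_RE.finditer(yara_text))
    rules = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(yara_text)
        body = " ".join(yara_text[m.end():end].split())
        rules[m.group(1)] = hashlib.sha256(body.encode()).hexdigest()
    return rules


def diff_rules(old_text, new_text):
    """Classify rules as added, removed or updated between two releases."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "updated": sorted(n for n in old if n in new and old[n] != new[n]),
    }


if __name__ == "__main__":
    for kind, names in diff_rules(OLD_RULES, NEW_RULES).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On a Mac, the same functions can be fed the XProtect.yara file from XProtect.bundle in /Library/Apple/System/Library/CoreServices, saved before and after an update, to get the added and updated rule names for a release.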

Jamf Protect is purpose-built to work with Apple’s native security tools, while also adding the capability of detecting and mitigating a wider range of known malware. Additionally, it provides alerting and reporting capabilities, including the identification of potential new threats, before new updates to XProtect and/or MRT may be available.

