Preliminary notes on Apple malware protection in an enterprise context

(As a lot of the search traffic coming here seems to be trying to find out what XProtectUpdater is, let me answer that: it is the agent installed by Apple as part of the 2011-003 security update. It handles downloading new “signatures” for apps which should be regarded as malware)

For the first time ever, we have an official Apple malware protection mechanism (and also some actual malware, although it is totally human engineering and requires gullible admin users and it only tries to get their credit card number, so the actual infrastructure damage is nil).

But the threat’s there, and so is the fix, and a responsible admin user should look at deploying it. See: (which links to several more pages which contain actual info)

In short, we now have a new mode for the “you’ve never run this file before” warning (aka File Quarantine) where known malware elicits a “don’t run this, trash it!” warning.

Malware dialog (deep-linked from

To go with that we have a malware definitions file and a means of updating them (at some unspecified interval).

But of course, as-is it’s all single-usery and it runs an auto update which may not be appropriate in, e.g., some critical on-air or video editing contexts. And it talks to the outside world via some protocol. So, wanting to deploy it in a managed way, I dug around and found out the following:

Auto updates do not work via a preference plist, the security update installs a launchd item and enables/disables this (via the overrides db à la launchctl unload -w) as you toggle the preference.

The launchd job is called and itself calls /usr/libexec/XProtectUpdater . The interval is every 24 hours (every 24 hours after it’s run, not at any particular time).

XProtectUpdater appears to talk on port 80 and know about system proxy settings (including .pac files). It talks to the proxy and returns 0 if run when I’m on the corporate LAN and 255 (with an error message) if I have the ethernet unplugged. At the Apple end, the definitions file lives here:

There are defs for quite a few nasties already!

Looks like the defs are locally stored in /private/var/root/Library/Caches/XProtectUpdater/Cache.db, an sqlite3 database. So you could simply push that file out, though that seems more likely to break in the future – but it may be your only choice.

So, it appears in an enterprise situation you can:

  • install the pkg in the background via ARD (or shell)
  • enable or disable the auto update by calling sudo launchctl unload -w /System/Library/LaunchDaemons/ (or launchctl load etc. to enable)
  • Manually trigger an update of definitions by calling /usr/libexec/XProtectUpdater (probably with sudo).
  • You could also manually update by enabling the launchd job (it runs immediately) and then switching it off a few minutes later. This might be less likely to break in the future
  • Presume if you have ports open to (or * already, this will just work.
  • Or, you could manually push out a new Cache.db file (permissioned correctly) as and when you saw fit.

I’ve yet to do any of this and you should, of course, only try it yourself if you understand what it means and are ready for anything unexpected.


After getting the more-than-unusually cryptic error: “An operation failed in launchdadd for reasons that you probably can’t do anything about. Maybe you should reboot.” I’ve found that: if you try to change the “auto-update” setting more than 30 seconds after you open the prefpane, it will fail to actually take effect .

Hope that helps someone!

    • Emery
    • June 21st, 2011

    Thanks. I didn’t know what it was but it showed for the first time a few weeks ago. I let Little Snitch block it even though it looked legit. I know there is some malware out there and I wasn’t sure what it was. I guess Apple is being low key because they want for commercial reasons to maintain the myth that OS X is not vulnerable.

  1. Although blogging for fun can be relatively easy, blogging for profit is not. Consider these advantages and disadvantages before you decide to start your business blog:.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: