How to Check XProtect Version in Mac OS

May 1, 2017 - 16 Comments

Check XProtect Version on Mac

Need to know what version of Gatekeeper and XProtect are installed on a Mac? You can find this information through the command line of Mac OS. Gatekeeper, MRT (Malware Removal Tool), and XProtect are all built-in features of Mac OS designed to prevent malware and other nefarious software from being installed or run on a Mac. These security features work in the background and are updated with regular system software updates to Mac OS, but Apple also pushes quiet updates to XProtect and MRT to add new definitions and block newly found threats.

Advanced users may wish to know what version of XProtect definitions is installed on a Mac. We’ll show you how to check which XProtect version is on a Mac via the command line; this is particularly useful for remote administration tasks over ssh, but it is just as helpful for checking XProtect versions on a local machine.

How to Check the XProtect Version on a Mac

The commands differ slightly depending on the version of macOS in use; use whichever is appropriate for your system software release.

  1. Open the Terminal application (found in /Applications/Utilities/) and enter the command for your macOS release on a single line to read the XProtect version:

    Check XProtect Version on MacOS Catalina (10.15.x) & MacOS Mojave (10.14.x) and later:

    system_profiler SPInstallHistoryDataType | grep -A 5 "XProtectPlistConfigData"

    Check XProtect for MacOS High Sierra (10.13.x) and Sierra (10.12.x):

    defaults read /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist Version

  2. Hit the Return key and you will see something like the following, which shows the version number of XProtect as well as the source and the install date of that XProtect version:

    XProtectPlistConfigData:

      Version: 2113
      Source: Apple
      Install Date: 2/11/20, 6:34 PM

    system_profiler lists every recorded install, so if the Mac has received several XProtect updates grep prints one block like this per update; the highest Version (with the latest Install Date) is the one currently installed. The defaults command for Sierra and High Sierra prints just the version number.

  3. Optionally, you can trigger a manual run of the XProtect and Gatekeeper software update mechanism in Mac OS.

As mentioned, the method for macOS Catalina and Mojave will also show you the Xprotect update install date and time as well as the Xprotect version, which can be valuable information for sysadmins, IT workers, infosec, and general administrators.

These approaches have been tested on modern versions of Mac OS, though they may not work in earlier versions. Let us know in the comments below what you find with other releases of system software.

You can also use cat to dump the raw plist contents and grep for “Version” to find the same data. The /System path below is where the bundle lives on Sierra through Mojave; on Catalina and later, XProtect.bundle moved to /Library/Apple/System/Library/CoreServices/, so adjust the path accordingly:

cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist |grep -A1 "Version"

The version number is going to be meaningless to most Mac users; it is mostly helpful to systems administrators, IT professionals, and those who work in security who want to check the exact version of XProtect definitions installed on a Mac, usually to make sure a computer or a fleet of computers has received an important security update.

Checking When XProtect was Last Updated

Another useful trick is to check when the XProtect malware definition plist file was last modified, with either stat or ls:

stat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist

Or you can check with ls -l:

ls -l /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist

Either will show the last modification date of XProtect.plist, which tells you when the definitions were last written to disk. On Catalina and later, look under /Library/Apple/System/Library/CoreServices/XProtect.bundle instead of the /System path above.
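Putting the version check from the steps above and the modification-time check together, the following shell script is an added example, not code from the article or from Apple. Its two parsers read system_profiler output and an XML XProtect.meta.plist from stdin, so they can be tried offline on the constructed samples embedded at the bottom; on a Mac it runs the real tools. The bundle paths it probes (the /System location for Sierra through Mojave, /Library/Apple/System/Library/CoreServices for Catalina and later), the use of plutil to normalise a binary plist to XML, and the sample contents are its assumptions.

```shell
#!/bin/sh
# Added example, not from the article: report the installed XProtect
# definition version and when it was last written, from the sources described
# above. The two parsers read text on stdin so they can be exercised offline on
# the constructed samples at the bottom; xprotect_report_live runs the real
# macOS tools and is only invoked on Darwin.

# Highest XProtectPlistConfigData Version in `system_profiler
# SPInstallHistoryDataType` text. The listing holds every recorded install,
# so a plain `grep -A 5` prints one block per update; XProtect config versions
# are increasing integers, so the largest is the set currently installed.
xprotect_version_from_history() {
    awk '
        /^ *XProtectPlistConfigData: *$/ { in_entry = 1; next }
        /^ *[^ ].*: *$/                   { in_entry = 0 }   # any other entry header
        in_entry && /^ *Version:/         { v = $2 + 0; if (v > best) best = v }
        END { if (best > 0) print best }
    '
}

# Version value of an XML XProtect.meta.plist, i.e. what `defaults read
# .../XProtect.meta.plist Version` prints. Handles the value on the same line
# as the key or on the following line.
xprotect_version_from_meta_plist() {
    awk '
        $0 ~ "<key>Version</key>" { want = 1; sub("^.*<key>Version</key>", "") }
        want && /<(integer|string)>/ {
            sub("^.*<(integer|string)>", ""); sub("</(integer|string)>.*$", "")
            print; exit
        }
    '
}

# XProtect.bundle location (assumption): Sierra through Mojave keep it under
# /System, Catalina and later under /Library/Apple.
xprotect_bundle_path() {
    for b in /Library/Apple/System/Library/CoreServices/XProtect.bundle \
             /System/Library/CoreServices/XProtect.bundle; do
        if [ -d "$b" ]; then printf '%s\n' "$b"; return 0; fi
    done
    return 1
}

xprotect_report_live() {
    bundle=$(xprotect_bundle_path) || { echo "XProtect.bundle not found" >&2; return 1; }
    res="$bundle/Contents/Resources"
    # plutil emits XML whether the plist on disk is stored as XML or binary
    printf 'meta.plist Version  : %s\n' "$(plutil -convert xml1 -o - "$res/XProtect.meta.plist" | xprotect_version_from_meta_plist)"
    printf 'XProtect.plist mtime: %s\n' "$(stat -f '%Sm' "$res/XProtect.plist")"
    printf 'install history     : %s\n' "$(system_profiler SPInstallHistoryDataType | xprotect_version_from_history)"
}

# Constructed sample inputs (not captured from a real Mac) for offline runs.
SAMPLE_HISTORY='Install History:

    XProtectPlistConfigData:

      Version: 2108
      Source: Apple
      Install Date: 1/20/20, 9:02 AM

    Safari:

      Version: 13.0.5
      Source: Apple
      Install Date: 1/28/20, 11:10 AM

    XProtectPlistConfigData:

      Version: 2113
      Source: Apple
      Install Date: 2/11/20, 6:34 PM
'

SAMPLE_META='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Version</key>
    <integer>2113</integer>
</dict>
</plist>'

if [ "$(uname)" = Darwin ]; then
    xprotect_report_live
else
    printf '%s\n' "$SAMPLE_HISTORY" | xprotect_version_from_history
    printf '%s\n' "$SAMPLE_META" | xprotect_version_from_meta_plist
fi
```

The history parser deliberately ignores Version lines that belong to other install-history entries (Safari in the sample) and keeps the largest XProtect version rather than the last block, so it gives the same answer regardless of the order system_profiler lists entries in.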

How to Check XProtect for Specific Threat Coverage

If the version is less relevant to you, perhaps you’d rather see if a specific threat or malware is included in the XProtect block list. This can be easily done by dumping the contents of the Xprotect plist file and scanning through the list manually, or again by using grep to look for a specific match.

cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist

For example, if you want to see if “OSX.Dok.B” is covered, you can grep the XProtect plist specifically for that match:

cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist |grep -A1 "OSX.Dok.B"

If you see a match to what you searched for, it is included in the protection list. Keep in mind that the dots in a name like OSX.Dok.B are wildcards to grep, so pass -F for a literal match, and that XProtect.plist is only one signature source: on Catalina and later the same bundle also ships YARA rules in XProtect.yara, and MRT carries its own detections, so a miss here does not prove a threat is unhandled.
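A more careful version of the coverage check above, as an added example that is not from the article or from Apple: it pulls every Description entry out of an XML XProtect.plist and then asks for an exact, whole-name match instead of an unanchored grep. The parser reads from stdin so it can run offline on the constructed sample plist below; OSX.Dok.B is the name from the article, OSX.Sample.A is a placeholder, and the plist layout (an array of dicts keyed by Description) and the plutil usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: test whether a named threat is in the
# XProtect.plist signature list by exact match on its Description entry, rather
# than by unanchored grep. The parser reads an XML plist on stdin, so it can
# run offline on the constructed sample below; on a Mac, pipe the real file
# through plutil as in the usage comment at the bottom.

# One signature name per line: the <string> following each <key>Description</key>.
# Nested strings under other keys (LaunchServices, Matches) are not emitted.
xprotect_signature_names() {
    awk '
        $0 ~ "<key>Description</key>" { want = 1; sub("^.*<key>Description</key>", "") }
        want && /<string>/ {
            sub("^.*<string>", ""); sub("</string>.*$", ""); print; want = 0
        }
    '
}

# Exit 0 when $1 is exactly one of the names on stdin. -F makes grep treat the
# dots in "OSX.Dok.B" literally instead of as wildcards, and -x demands a
# whole-line match, so the prefix "OSX.Dok" is not reported as covered.
xprotect_covers() {
    xprotect_signature_names | grep -Fxq -- "$1"
}

# Constructed sample in the shape of XProtect.plist; OSX.Dok.B is the name
# used in the article, OSX.Sample.A is a placeholder (assumption).
SAMPLE_XPROTECT_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.Dok.B</string>
    <key>LaunchServices</key>
    <dict>
      <key>LSItemContentType</key>
      <string>com.apple.application-bundle</string>
    </dict>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.Sample.A</string>
  </dict>
</array>
</plist>'

# Usage on a Mac (bundle under /Library/Apple/System/Library/CoreServices on
# Catalina and later, /System/Library/CoreServices before that):
#   plutil -convert xml1 -o - /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist | xprotect_covers OSX.Dok.B
for name in OSX.Dok.B OSX.Dok; do
    if printf '%s\n' "$SAMPLE_XPROTECT_PLIST" | xprotect_covers "$name"; then
        echo "$name: covered"
    else
        echo "$name: not in XProtect.plist"
    fi
done
```

Running the block reports OSX.Dok.B as covered and the bare prefix OSX.Dok as not covered; a plain `grep "OSX.Dok"` on the same file would have matched and given a false sense of coverage.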

This is Way Over My Head, How Can I Protect My Mac and Update Xprotect?

The average Mac user can make sure their system software and associated security updates are installed and up to date.

To make sure that XProtect, MRT, and Gatekeeper are updated by Apple, you can set your Mac OS software update settings, found in the Apple menu > System Preferences > “App Store”, like so:

Make sure important security updates install on a Mac

Setting both “Automatically check for updates” and “Install system data files and security updates”, and having stable internet access, should be sufficient to install the critical background updates to Gatekeeper, MRT and XProtect as is, but updating system software to the latest available version of Mac OS and installing any available security updates is generally considered good security practice. You can also check all of the auto-update options, or have Mac OS install updates automatically, but however you adjust the settings be sure the “security updates” setting is enabled.

Do you have any other tips, tricks, or thoughts about Xprotect, MRT, and Gatekeeper security features, updating, versioning, or general status? Let us know in the comments!

Posted by: Paul Horowitz in Command Line, Mac OS, Security, Tips & Tricks

16 Comments

  1. Luis says:

    Hi all.
    Is there a way to enable/disable/check status for XProtect via command line?

    I know we can achieve this for Gatekeeper by using sudo spctl --master-disable/enable and spctl --status?

    Is there a way to achieve this for XProtect?
    Thanks!

  2. Malcolm MacINTYRE-READ says:

    Hi Frank,

    I was just going to ask the exact same question, as I have used, and relied on Intego apps for many years and, as a non-Techie, have been very happy with the security they provide as far as I have, and do see.
    I look forward to the thoughts of they-who-know!

  3. Frank says:

    How do these Apple security apps integrate with Intego apps?

    • Omega says:

      The Apple security updates will update automatically if the Mac is allowed to and online, and any additional app or service is a secondary software layer atop the underlying OS-level security layers built into Mac OS. I have no experience with Intego and not sure what they claim to offer or provide so I can not give an opinion of them. I will say this though, the Mac is pretty secure if you treat it well.

      Personally I have found no need for third party cleaner or security software on a Mac, but this is because I do the following:

      – always install software updates and security updates

      – only download and install trusted software from trusted sources (major companies and the App Store, or open source if you are savvy enough to verify it yourself)

      – I do not use browser plug-ins

      – do not ever install or download sketchy content apps websites files or anything else.

      A little common sense goes a long way.

  4. Pete492 says:

    WallsOfTroy, a 99¢ download from the App Store, will display the contents of XProtect.

  5. AndyE says:

    I am still running 10.10.5. These commands yield “file not found”, although I do have the option to update security and system files automatically set.

    • SimpleSimon says:

      For 10.10.5 use: defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist Version

  6. MikeB says:

    ….or you can use a neat little app called “Critical Updates”

    https://sqwarq.com/critical-updates/

    • Omega says:

      That is an interesting app, how can you trigger the updates process through the Critical Updates tool? I wish it were open source so one could verify what it is doing, I do not like apps which hide their code in this era of nefarious software… thankfully it does not ask for any admin login or try to install any daemons, just a simple reader of security update versions.

      One thing’s for sure, I would never give admin authentication to apps like that without knowing exactly what they are doing and why… in the app and software world of today the mantra is don’t trust and verify!

  7. David says:

    Hi,

    Thank you for the article.

    Well, I have a question about enabling the System Pref’ / App Store setting “Install system data files and security updates”.

    In my case I am again on El Capitan 10.11.6 and don’t want to install that “security update” = https://osxdaily.com/2016/09/01/security-update-2016-001-for-os-x-el-capitan-and-yosemite-available/

    I checked the XProtect file and for sure it is outdated (because the auto update is not switched on).

    If I switch it on, will I receive all the “security updates” like the one in the link I pasted above? Or only Gatekeeper, MRT, and XProtect?

    Thank you in advance,

  8. Gio says:

    The commands suggested here work at least as far back as my OS X 10.11.6 (El Capitan).

  9. Dick says:

    Where can I download the CU’s that are not being auto installed?

    • lktn says:

      Unfortunately you can’t get them on their own standalone, you can trigger the update mechanism and that is it. Unlike Combo Updates etc you can’t get these separately but presumably they are bundled in major releases (10.12.5 etc) of Mac software, so they’d be in those combo updates like any other security update patch would.

  10. Hot Palms says:

    For checking versions and last updated, I believe this is the complete list of the Mac security suite bundles:

    XProtect:

    /System/Library/CoreServices/XProtect.bundle

    /System/Library/CoreServices/XProtect.plist

    GateKeeper:

    /private/var/db/gkopaque.bundle

    /private/var/db/gke.bundle

    MRT:

    /System/Library/CoreServices/MRT.app

    KEXT exclusion:

    /System/Library/Extensions/AppleKextExcludeList.kext

  11. Kellen says:

    You can use this command to force check the critical updates:

    sudo softwareupdate --background-critical

    Now what I find interesting with macOS is that when you run that command string while using tail on the install log

    tail -f /var/log/install.log

    You will sometimes see it time out and it does not always actually update.

    I have found that leaving a Mac turned on, connected to the internet, will receive a critical update from Apple within about 48 hours. So perhaps they push the updates and you can not directly retrieve them at will. Anyone have their own experience?

  12. Todd McDaniel says:

    Here’s a script that reports the dates and versions of a number of critical updates.

    https://gist.github.com/lazymutt/5a3e7b3631b073db5529722f857f54aa
