Forcing XProtect blacklist updates on Mavericks and Yosemite

One of the changes Apple made between Mountain Lion and Mavericks was how XProtect was updated. On 10.6.x – 10.8.x, Apple used /usr/libexec/XProtectUpdater to update XProtect’s blacklist. If you needed to force XProtect to update, you could run the following command with root privileges:

/usr/libexec/XProtectUpdater

Running that command with root privileges would force a check-in with Apple’s XProtect feed. If XProtect needed an update, running this command would check the current XProtect blacklist, detect that the online version was newer and pull down the new version. Once the new version had downloaded, XProtectUpdater would then exit.

If XProtect was up to date, running this command would check the current XProtect blacklist and detect that the online version was the same as what was currently loaded on the system. XProtect would then produce a notification that it was ignoring the update because the online version was not newer than the one already on the system. XProtectUpdater would then exit.

In 10.9.x and continuing on in 10.10.x, Apple moved the XProtect updates into Apple’s software update feed. As part of this change, the previous way of forcing XProtect by running /usr/libexec/XProtectUpdater no longer worked because /usr/libexec/XProtectUpdater did not exist on 10.9.x and higher.

Instead, you now need to use the softwareupdate command to force the update process.

If you need to force XProtect to update on Mavericks or Yosemite, run the following command with root privileges:

softwareupdate --background-critical

The --background-critical option is an undocumented softwareupdate option, so it is not listed either when you run softwareupdate --help or in the softwareupdate man page. In the case of XProtect, softwareupdate --background-critical performs the same function that /usr/libexec/XProtectUpdater did for Macs running 10.6.x – 10.8.x:

  1. Checking to see if the Mac has the current XProtect blacklist
  2. Updating the system’s XProtect blacklist if needed

One important thing to know about forcing XProtect updates on Mavericks and Yosemite is that the Software Update function on the system in question must be set to automatically check for updates. Based on my testing, if the automatic check for updates is disabled, XProtect will no longer receive updates. This applies even if you run the softwareupdate --background-critical command to force an update to XProtect’s blacklist.

To control the automatic update check from the command line, run the following commands with root privileges:

To enable the automatic update check:

softwareupdate --schedule on

To disable the automatic update check:

softwareupdate --schedule off

You can also manage this on Mavericks and Yosemite from System Preferences using the following procedure:

1. Open System Preferences

2. Select the App Store preferences

3. Check or uncheck Automatically check for updates (should be checked by default.)
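
A preflight wrapper for the procedure above, as an added example that is not part of the original post: it refuses to trigger the update when the automatic check is off, because XProtect receives nothing in that state. The XProtect.meta.plist path, the exact text printed by softwareupdate --schedule, and the function names are assumptions not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. On OS X 10.9.x/10.10.x, as root:
#   sh xprotect_force.sh run

# Assumption: location of the XProtect metadata plist (not given in the post).
XPROTECT_META="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# Map the output of `softwareupdate --schedule` to on / off / unknown.
# Assumption: it prints "Automatic check is on" or "Automatic check is off".
parse_schedule() {
    case "$1" in
        *"Automatic check is on"*)  echo on ;;
        *"Automatic check is off"*) echo off ;;
        *)                          echo unknown ;;
    esac
}

# Decide what to do from the schedule state ($1) and the caller's uid ($2).
plan_action() {
    if [ "$2" -ne 0 ]; then echo need-root; return 0; fi
    case "$1" in
        on)  echo update ;;
        off) echo schedule-off ;;
        *)   echo unknown-state ;;
    esac
}

# Version number of the installed XProtect data, or "unknown" if unreadable.
xprotect_version() {
    defaults read "$XPROTECT_META" Version 2>/dev/null || echo unknown
}

main() {
    state=$(parse_schedule "$(softwareupdate --schedule 2>&1)")
    case "$(plan_action "$state" "$(id -u)")" in
        update)
            echo "XProtect version before check: $(xprotect_version)"
            softwareupdate --background-critical ;;
        schedule-off)
            echo "Automatic check is off; enable it with: softwareupdate --schedule on" >&2
            return 2 ;;
        need-root)
            echo "Run with root privileges." >&2; return 1 ;;
        *)
            echo "Could not determine the automatic check state." >&2; return 3 ;;
    esac
}

# Only act when asked to, so the functions can be sourced and tested elsewhere.
if [ "${1:-}" = "run" ]; then main; exit $?; fi
```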

Update 12-18-2014: For more information on this issue, please see Tim Sutton’s complementary post: http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/


  1. Jorge
    December 17, 2014 at 6:24 pm

    In my experience “Install system data files and security updates” also must be checked in System Preferences -> App Store to get “softwareupdate --background-critical” to work.

  2. December 18, 2014 at 10:22 am

    This is indeed an irritating thing, especially if you don’t want the users to get the reminders that there’s a newer OS available and such. Our users are not admins, and even if they were, we’d prefer they not update to Yosemite.
    The only method I found is to download XProtect from the sus (kinda cumbersome) and push the updates through Casper.

  3. December 23, 2014 at 6:12 pm

    This worked very nicely for the NTP patch. I ran softwareupdate --background-critical in a policy and it only installed the NTP patch ignoring other updates.
