Forcing XProtect blacklist updates on Mavericks and Yosemite
One of the changes Apple made between Mountain Lion and Mavericks was how XProtect was updated. On 10.6.x – 10.8.x, Apple used /usr/libexec/XProtectUpdater to update XProtect’s blacklist. If you needed to force XProtect to update, you could run the following command with root privileges:
Running that command with root privileges would force a check-in with Apple’s XProtect feed. If XProtect needed an update, running this command would check the current XProtect blacklist, detect that the online version was newer and pull down the new version. Once the new version had downloaded, XProtectUpdater would then exit.
If XProtect was up to date, running this command would check the current XProtect blacklist and detect that the online version was the same as what was currently loaded on the system. XProtect would then produce a notification that it was ignoring the update because the online version was not newer than the one already on the system. XProtectUpdater would then exit.
In 10.9.x and continuing on in 10.10.x, Apple moved the XProtect updates into Apple’s software update feed. As part of this change, the previous way of forcing XProtect by running /usr/libexec/XProtectUpdater no longer worked because /usr/libexec/XProtectUpdater did not exist on 10.9.x and higher.
Instead, you now need to use the softwareupdate command to force the update process. For more details, see below the jump.
If you need to force XProtect to update on Mavericks or Yosemite, run the following command with root privileges:
The –background-critical function is actually an undocumented softwareupdate function, so it’s not listed when you run either softwareupdate –help or when you check the softwareupdate man page. In the case of XProtect, softwareupdate –background-critical performs the same function that /usr/libexec/XProtectUpdater did for Macs running 10.6.x – 10.8.x:
- Checking to see if the Mac has the current XProtect blacklist
- Updating the system’s XProtect blacklist if needed
One important thing to know about forcing XProtect updates on Mavericks and Yosemite is that the Software Update function on the system in question must be set to automatically check for updates. Based on my testing, if the automatic check for updates is disabled, XProtect will no longer receive updates. This applies even if you run the softwareupdate –background-critical command to force an update to XProtect’s blacklist.
To control the automatic update check from the command line, run the following commands with root privileges:
To enable the automatic update check:
softwareupdate --schedule on
To disable the automatic update check:
softwareupdate --schedule off
You can also manage this on Mavericks and Yosemite from System Preferences using the following procedure:
1. Open System Preferences
2. Select the App Store preferences
3. Check or uncheck Automatically check for updates (should be checked by default.)
Update 12-18-2014: For more information on this issue, please see Tim Sutton‘s complementary post: http://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/