Apple has updated XProtect, the anti-virus tool that is part of macOS, with a new barrier against EvilQuest (also known as ThiefQuest).
We discuss the ThiefQuest/EvilQuest ransomware/malware in more detail here. It is malicious code that is spreading in pirated Mac software, most notably in an infected copy of Little Snitch. The malware seems to be able to copy files to a central server before encrypting the Mac and demanding a ransom to return it to normal - although actually paying the bitcoin requested would not mean that the files were decrypted.
XProtect and MRT (Malware Removal Tool) are two security features built into macOS that work in the background to keep your Mac secure and virus free.
On 13 July Apple shipped a new version of XProtect, now version 2126. This version came just a week after version 2125, which is unusual for XProtect. Normally updates are released every other week, or at least that has been the case through the past six months.
Apple doesn’t make it easy to see what has changed, but Eclectic Light notes a new entry named MACOS.2070d41 among XProtect’s YARA definitions, as well as some modifications to MACOS.6cb9746, which apparently detects ThiefQuest/EvilQuest and prevents installation.
XProtect and MRT will be automatically downloaded if you have the "Install system data files and security updates" option activated in the system settings on your Mac. If that is the case, your Mac will periodically check the Apple server for new versions and install them in the background.
How to check if XProtect is up to date
You can check whether the security updates have already been installed by following these steps:
- Click on the Apple logo in the top left.
- Click on About This Mac.
- Click on System Report.
- Find Software in the column on the left.
- Click on Installations in that list.
- Sort by Install Date.
You should see XProtectPlistConfigData version 2126.
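The same check can be scripted from Terminal. The following is an added example, not Apple's or the original article's code: it reads the install history that `system_profiler SPInstallHistoryDataType` prints (the data behind the Installations list) and reports whether XProtectPlistConfigData has reached version 2126. The function names and the sample history, including the MRTConfigData version, are constructed for illustration, and the output layout is assumed to be an item name ending in a colon followed by an indented "Version:" line.

```shell
#!/bin/sh
# Added example: command-line form of the System Report check above.

# Print the highest XProtectPlistConfigData version found on stdin
# (prints nothing if the item is not listed).
latest_xprotect_version() {
    awk '
        # A line ending in ":" starts a new item; track whether it is XProtect.
        /:[ \t]*$/ { in_xp = ($1 == "XProtectPlistConfigData:"); next }
        # Several installs of the same item can be listed; keep the newest.
        in_xp && $1 == "Version:" && $2 ~ /^[0-9]+$/ {
            if ($2 + 0 > max) max = $2 + 0
            in_xp = 0
        }
        END { if (max > 0) print max }
    '
}

# Succeed if the version read from stdin is at least $1 (default 2126,
# the version the article names).
xprotect_at_least() {
    want=${1:-2126}
    have=$(latest_xprotect_version)
    [ -n "$have" ] && [ "$have" -ge "$want" ]
}

# Constructed sample data, used when not running on a Mac.
sample_history() {
    cat <<'EOF'
Installations:

    XProtectPlistConfigData:

      Version: 2125
      Source: Apple

    MRTConfigData:

      Version: 1.63
      Source: Apple

    XProtectPlistConfigData:

      Version: 2126
      Source: Apple
EOF
}

if command -v system_profiler >/dev/null 2>&1; then
    src() { system_profiler SPInstallHistoryDataType; }
else
    src() { sample_history; }
fi
if src | xprotect_at_least 2126; then echo "XProtect is 2126 or newer"
else echo "XProtect is older than 2126 or not listed"; fi
```
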
Part of this article appeared on Macwelt.