What to Do When You Get Mac EFI Security Check Warning?
Download and try Outbyte MacAries right now to see what it can do for your Mac.
Developed for macOS
Apple regularly rolls out security updates to make sure your devices are properly protected against online attacks and hardware tampering. With the release of High Sierra in 2017, Apple also launched a new security feature called the Mac EFI security check. This feature scans your Mac’s Extensible Firmware Interface, or EFI firmware, against Apple’s database of good firmware.
The EFIcheck utility usually resides in this directory:/usr/libexec/firmwarecheckers: eficheck. The tool runs once a week to check if your EFI firmware is included in the approved list and if it has been tampered with or corrupted. As long as there’s nothing wrong with your EFI firmware, you’ll probably never even notice that this tool is running in the background.
But if the scan encounters the incorrect firmware for that Mac’s model, then an EFI-check warning message will appear. The error message reads:
Your computer has detected a potential problem.
Click “Send to Apple” to submit a report to Apple.
Pro Tip: Scan your Mac for performance issues, junk files, harmful apps, and security threats
that can cause system issues or slow performance.
Another version of the warning says:
Firmware changes detected
Click Send to report to Apple.
Click Ignore to skip sending the information.
Click Reveal in Finder to see the information that will be sent.
You will be given three choices:
What is an eficheck.dump file? The eficheck.dump file is where all the results of the eficheck are listed for easy checking and sharing. This is useful for those who need help analyzing the results of the eficheck or want to send the results to Apple Support.
When you see this warning message, it means that there is something wrong with your Mac’s EFI firmware. Here are some of the scenarios that often result in an Eficheck error:
How to Fix a Mac EFI Security Check Error?
The EFI security check warning can be caused by something as minor as a glitch or by something as complicated as firmware inconsistencies. Here are the steps you can take when you encounter an error with the Mac EFI security check.
Step #1: Send the Report to Apple.
The first thing you need to do when you get the EFI warning message is to send the report to Apple. This will help Apple’s engineers to understand what is happening to your Mac and offer suggestions on what you need to do. It might take some time, though, before Apple gets back to you regarding your report. For the meantime, you can proceed with the steps below and see if this error goes away.
Step #2: Uninstall Recent Software Changes.
If the warning message popped up after you installed an update or a third-party program, it is possible that the new installation somehow affected your EFI firmware. Try uninstalling the app you just installed by dragging it to the Trash.
If you installed an update, though, you can only restore from a backup since Apple does not offer a way to uninstall system updates.
Step #3: Clean Up Your System.
EFI firmware problems can also arise due to a virus or malware infection. Some malicious software is designed to attack the firmware of the device they infected, causing multiple problems. Run your antivirus software to scan your device for any malicious software and follow the instructions to delete the infected files.
While you’re at it, delete all your junk files as well to give your system some breathing space. You can use an app such as Mac repair app to get rid of all trash files in a single click.
Step #4: Reset EFI Check Preferences.
Step #5: Install all EFI Updates.
If you have outdated EFI firmware, you’ll most probably encounter this warning message. You can update your firmware by clicking Software Update under the Apple menu. A progress bar will appear while your Mac checks for available software updates. Click on the Install button to install them on your Mac, then restart your computer for the changes to apply.
If your Mac failed to find new firmware updates, you can manually check Apple’s website for direct links to new updates. Download the updates available for your Mac model and install them manually on your computer. Reboot your computer for the update to be completed.
Step #6: Run an EFI Check Manually.
EFI checks are scheduled to run once every week. To check if the warning has disappeared, you need to run an EFI check manually using Terminal. To do this, launch Terminal under the Utilities folder and type in the EFI command you want to use.
Here are some of the commands you can choose from and what they mean:
Step #7: Visit an Apple Service Center.
If the warning message doesn’t disappear after following the steps above, you might need to visit the nearest Apple Service Center to have your Mac checked.
Summary
The EFI check utility is one of Apple’s security features designed to protect your Mac’s firmware from unauthorized tampering. The tool runs silently in the background every week, and you’ll only notice it when you get the warning message. When you do, just follow the steps above to get rid of it.
Qué hacer cuando recibe una advertencia de comprobación de seguridad EFI de Mac (12.06.21)
Apple lanza periódicamente actualizaciones de seguridad para asegurarse de que sus dispositivos estén debidamente protegidos contra ataques en línea y manipulación de hardware. Con el lanzamiento de High Sierra en 2017, Apple también lanzó una nueva función de seguridad llamada control de seguridad Mac EFI. Esta función escanea la Interfaz de firmware extensible de su Mac, o firmware EFI, contra la base de datos de Apple de buen firmware.
La utilidad EFIcheck generalmente reside en este directorio: / usr / libexec / firmwarecheckers: eficheck. La herramienta se ejecuta una vez a la semana para comprobar si su firmware EFI está incluido en la lista aprobada y si ha sido manipulado o dañado. Siempre que no haya ningún problema con su firmware EFI, probablemente nunca notará que esta herramienta se está ejecutando en segundo plano.
Pero si el escaneo encuentra el firmware incorrecto para ese modelo de Mac, entonces una advertencia de verificación EFI aparecerá el mensaje. El mensaje de error dice:
Su computadora ha detectado un problema potencial.
Haga clic en «Enviar a Apple» para enviar un informe a Apple.
Otra versión de la advertencia dice:
Se detectaron cambios de firmware
Haga clic en Enviar para informar a Apple.
Haga clic en Ignorar para omitir el envío de la información.
Haga clic en Revelar en Finder para ver la información que se enviará.
¿Qué es un archivo eficheck.dump? El archivo eficheck.dump es donde se enumeran todos los resultados del eficheck para facilitar la comprobación y el intercambio. Esto es útil para aquellos que necesitan ayuda para analizar los resultados del eficheck o quieren enviar los resultados al Soporte de Apple.
La advertencia de verificación de seguridad EFI puede deberse a algo tan pequeño como un complicado como inconsistencias de firmware. Estos son los pasos que puede seguir cuando encuentre un error con la verificación de seguridad EFI de Mac.
Paso # 1: Envíe el informe a Apple.
Lo primero que debe hacer cuando recibe el mensaje de advertencia de EFI es enviar el informe a Apple. Esto ayudará a los ingenieros de Apple a comprender lo que le está sucediendo a tu Mac y ofrecerá sugerencias sobre lo que debes hacer. Sin embargo, puede pasar algún tiempo antes de que Apple se comunique con usted con respecto a su informe. Mientras tanto, puede continuar con los pasos a continuación y ver si este error desaparece.
Paso # 2: Desinstale los cambios de software recientes.
Si el mensaje de advertencia apareció después de instalar una actualización o una tercera- party, es posible que la nueva instalación haya afectado de alguna manera su firmware EFI. Intente desinstalar la aplicación que acaba de instalar arrastrándola al Trash
Video de Youtube: Qué hacer cuando recibe una advertencia de comprobación de seguridad EFI de Mac
Question: Q: What is an eficheck.dump file, and what «problem» is it describing?
Bought a used early 2011 MacBook Pro (17″) Model8,3 which seems to be running fine, but very recently, I’ve seen a few error dialogs stating that «Your computer has detected a problem.»
I’m offered 3 options: a) view the file (which is an eficheck.dump file and all indecipherable code), b) Don’t send to Apple, and c) Send the file to Apple.
Before I send it, I’d like to know what it signifies.
Anyone know what this is about?
MacBook Pro 17″, 10.13
Posted on Apr 16, 2019 1:03 PM
Helpful answers
Bought a used early 2011 MacBook Pro (17″) Model8,3 which seems to be running fine, but very recently, I’ve seen a few error dialogs stating that «Your computer has detected a problem.»
I’m offered 3 options: a) view the file (which is an eficheck.dump file and all indecipherable code), b) Don’t send to Apple, and c) Send the file to Apple.
Before I send it, I’d like to know what it signifies.
Anyone know what this is about?
Are you having other issues?
The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac’s firmware against Apple’s database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple.
Is your Software up to date?
Have you installed any third party software in the last week, esp. from a nefarious aggregator site?
Pike’s Universum
Great people share their wisdom without asking for anything in return…
Apple’s eficheck…
Ok. So you use Clover with an AMI or Phoenix BIOS. Well. In that case you may be interested in this: 
This is part of routines that wipe data in the generated dump, but why would Apple do this for AMI/Phoenix BIOS? That is PC only ROM.
Edit: Privacy matters, and that is why Apple clears certain sensible areas.
Oh yeah. I should add that this can be found in this binary: /usr/libexec/firmwarecheckers/eficheck
Data is downloaded from: https://validation.isu.apple.com and the initial package (EFIAllowListAll.pkg) can be downloaded here. Which was later replaced with a new update, available here. You can find the local allow list at:
There is also EFIAllowListInternal.pkg for Apple engineers, but that is not a public download.
_IsInternalOsBuild calls csr_check(CSR_ALLOW_APPLE_INTERNAL) to differentiate between public and internal OS builds.
It works with /System/Library/Extensions/eficheck.kext which matches via PCI device-id’s with one of the Intel LPC Controller/eSPI Controllers in this list:
So what is this? What does it mean?
Well. Apple is likely using eficheck as an extra layer of security. To verify your EFI ROM (checksum) against the original one in their EFI ROM database, with the checksum of files that were produced by Apple. Or that you are using some modified copy of their EFI ROM firmware. This may mean that your EFI ROM has been tampered with, or that it somehow got damaged. Which is when your broken EFI ROM is invalidated and then you will see this dialog:
Honestly. I personally had never seen it, but there you have it. Thanks to @stroughtonsmith. Anyway. Just don’t click “Send to Apple” on a hack. Or wait. Let’s just click that button and wait and see if the ROM’s checksum shows up in a next update – this may as well be a fully automated process, like Apple used to add unsigned kexts to OSKextExcludeList (think AppleKextExcludeList.kext).
There is one other thing that I’d like to figure out, and that is why Apple reads the PlatformUUID. That should not be required. Not ever.
Edit: I changed the title after I figured out what this binary does, and it is good, be it a start only.
The Eclectic Light Company
Upgrading to High Sierra brings a new and significant security feature: your Mac will automatically check its EFI firmware. In a series of tweets, Xeno Kovah, one of the three engineers responsible for the new tool, has outlined how this works.
If you are running a real Mac, rather than a ‘Hackintosh’, Kovah asks that you agree to send the report. This will allow eficheck to send the binary data from the EFI firmware, preserving your privacy by excluding data which is stored in NVRAM. Apple will then be able to analyse the data to determine whether it has been altered by malware or anything else.
The great majority of users should, of course, never see that dialog. If you do, your decision will be remembered; if you agreed to send the data to Apple, then in a week’s time when eficheck runs again, it will automatically adhere to your original choice.
eficheck depends on a small local library of ‘known good’ data, which will be automatically and silently updated if you have security updates turned on in the App Store pane.
This has been developed by Xeno Kovah, Nikolaj Schlej, and Corey Kallenberg, and is believed to be the first attempt at large-scale privacy-preserving checking of firmware integrity of this type. Hopefully, it will bring a significant improvement in security to all Macs which are upgraded to High Sierra.
(The screenshot above is taken from Xeno Kovah’s tweets, as is the information. Thanks, Xeno, for your work and this knowledge.)
