Yesterday out of the blue I got a pop-up dialog: “System Extension Updated”, “An Apple system extension has been updated. To finish the update, you must approve it in the Security & Privacy System Preferences”. This is on Monterey 12.6.7, and I’m running Sophos Home anti-virus.
Sure enough, the Security preference pane says 'System software from developer “Apple Inc.” has been updated.", with the Allow button.
This is strange; I’ve never seen an Apple extension updated this way.
My question is, how can you find out exactly which extension is trying to load? There’s nothing in the interface to open its location, display details, or verify its signing certificate.
I hunted around and did see that three kexts in \Library\Staged Extensions\Library\Extensions had files with modification dates around the time of the message: HighPointOP.kext, HighPointRR.kext, SoftRAID.kext. System Information > Software > Extensions says all three are third-party. But, this may be a coincidence, because now I see that the same 3 kexts have files with mod dates of this morning.
I did some log searches. (I hate the “unified log”).
It kind of looks like something triggered an kext upgrade process, perhaps related to the Safari upgrade that was also pushed around that time. Note that I have Software Update set to download but not install updates except for “system data files and security updates”.
The kext it wanted to upgrade may have been com.apple.nke.rvi v2.1.0 in executable kext bundle com.apple.nke.rvi at /Library/Apple/System/Library/Extensions/RemoteVirtualInterface.kext.
It looks like when it is upgrading a kext, kernelmanagerd collects and analyzes the kexts from a long list of additional paths, one of which is the stagedextensions folder. And in that folder, the kext that it may be asking for approval is com.prolific.driver.PL2303G v2.0.1 in executable kext bundle com.prolific.driver.PL2303G at /Library/StagedExtensions/Library/Extensions/Plser.kext, which has a bad signature.
I don’t know if it makes any difference, but I had the Prolific USB PL2303HXD driver installed in 2020, but it became obsolete when macOS included the driver, I think in Catalina.