XProtect is a malware scanning tool for macOS.
XProtect is Apple's Mac virus detection system that keeps your Mac safe. Here's how macOS's security feature works.
Viruses and other malware are a constant threat to computers that web surfers must deal with every time they go online.
A computer virus is a small piece of code that installs itself silently on your computer. It runs or injects itself into other software and causes havoc.
Malware is written by malicious people who intend to damage computers, systems, or other electronic devices. Once a virus is released into the wild, it can quickly spread to millions of computers – often undetected until it is too late.
In response to viruses and other malware, many software and operating system vendors have developed antivirus or antimalware software. These can scan and “clean” your computer of malicious code.
One way antivirus software does this is by scanning for known application signatures, sizes, and code. These are then compared to downloaded databases of known malware.
If a match is found, the malware can be removed from the computer.
Two early antivirus software packages that appeared on the Mac decades ago were Norton Anti-virus and Virex. McAfee is another antivirus application that has been on the Mac for many years and is still available today.
XProtect
Starting with Mac OS X 10.6 Snow Leopard in 2009, Apple added its own antivirus protection called XProtect.
XProtect runs in the background, analyzing each time an application is first launched, when an application changes in the file system, or when a new XProtect signature database is available to download.
These are the security responses you'll often see in the System Settings->General->Software Update list.
Some users have reported high CPU usage by XProtect’s background service (XProtectService), as seen in Activity Monitor, but we haven’t personally seen this yet.
Because XProtect runs in the background, it monitors your file system and applications as they launch, checking your Mac for malware listed in XProtect’s signature database. If a match is found, XProtect prompts you to remove the malware from your computer.
By silently monitoring for malware in the background, XProtect protects your Mac and keeps it free of potentially dangerous applications.
Because XProtect is part of macOS and its signature files are hosted and installed by Apple, you don’t have to worry about a thing — your Mac will take care of everything for you.
The X(Protect) Files
You can view which XProtect signature files have been downloaded to your Mac by holding down the Option key and selecting System Information from the Apple menu in the menu bar.
This will launch the System Information application in /Utilities. Scroll to Software->Installations on the left to see XProtectPayloads and XProtectPlistConfigData, which show the version and date/time each XProtect signature database was downloaded from Apple.
Launch System Information to see the latest XProtect downloads.
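The same Software->Installations history can be read from a script, which is handy when you want to check the XProtect versions on many Macs rather than opening System Information on each one. This is an added example, not code from the article or from Apple; it assumes the JSON key names (_name, install_version, install_date) that `system_profiler SPInstallHistoryDataType -json` is observed to print, which Apple does not document as a schema.

```python
"""Report the most recently installed XProtect signature packages.

Reads the Software > Installations history that System Information shows
(collection via `system_profiler SPInstallHistoryDataType -json`, macOS
only). Key names are an assumption from observed output. Parsing is kept
separate from collection so the logic runs on the constructed sample below.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# The two XProtect package names that appear in the installation history.
XPROTECT_PACKAGES = ("XProtectPayloads", "XProtectPlistConfigData")


def _parse_ts(iso: str) -> datetime:
    """Timestamps look like 2024-01-12T10:15:00Z; return a tz-aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def latest_xprotect_installs(entries: List[dict]) -> Dict[str, dict]:
    """Pick the newest install record for each XProtect package."""
    latest: Dict[str, dict] = {}
    for entry in entries:
        name = entry.get("_name", "")
        if name not in XPROTECT_PACKAGES:
            continue  # macOS point updates, Xcode, third-party .pkg files, etc.
        when = _parse_ts(entry["install_date"])
        if name not in latest or when > latest[name]["installed_at"]:
            latest[name] = {"version": entry.get("install_version"), "installed_at": when}
    return latest


def stale_packages(latest: Dict[str, dict], now_iso: str, max_age_days: int = 14) -> List[str]:
    """Names of XProtect packages that are missing or older than max_age_days."""
    cutoff = _parse_ts(now_iso) - timedelta(days=max_age_days)
    return [p for p in XPROTECT_PACKAGES if p not in latest or latest[p]["installed_at"] < cutoff]


def collect_from_system_profiler() -> Dict[str, dict]:
    """macOS only: run system_profiler and summarise its JSON output."""
    raw = subprocess.run(["system_profiler", "SPInstallHistoryDataType", "-json"],
                         capture_output=True, text=True, check=True).stdout
    return latest_xprotect_installs(json.loads(raw)["SPInstallHistoryDataType"])


# Constructed sample in the shape system_profiler prints (not real install data).
SAMPLE_HISTORY = [
    {"_name": "XProtectPlistConfigData", "install_version": "2170", "install_date": "2024-01-02T09:00:00Z"},
    {"_name": "macOS 14.2.1", "install_version": "14.2.1", "install_date": "2024-01-05T12:00:00Z"},
    {"_name": "XProtectPlistConfigData", "install_version": "2173", "install_date": "2024-01-12T10:15:00Z"},
    {"_name": "XProtectPayloads", "install_version": "129", "install_date": "2024-01-10T08:30:00Z"},
]

if __name__ == "__main__":
    summary = latest_xprotect_installs(SAMPLE_HISTORY)
    for pkg, rec in summary.items():
        print(f"{pkg}: version {rec['version']} installed {rec['installed_at']:%Y-%m-%d}")
    print("stale:", stale_packages(summary, datetime.now(timezone.utc).isoformat()))
```

Replace `SAMPLE_HISTORY` with `collect_from_system_profiler()` on a Mac to check the real history.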
Notarization and Gatekeeper
When third-party developers create a Mac app, they can submit it to Apple for notarization. Apps submitted to Apple in this way are scanned for malware, and Apple creates a signature of known versions of the app for inclusion in the XProtect signature file.
Apple provides two command-line tools for notarization for developers: altool (deprecated) and the newer notarytool, which was released after Xcode 13. altool no longer ships with macOS 15 Sequoia, and Apple has a tech note (TN3147) about migrating from the old tool to the new one.
You can get help using notarytool in the Terminal app on macOS by typing:
man notarytool and pressing Return.
Press Control-Z on your keyboard to exit the man page.
Apple also has a page about setting up a notarization workflow in its developer documentation.
Notarization works in conjunction with Gatekeeper and Apple's Developer ID to ensure that Mac apps distributed outside the Mac App Store are genuine and free of malware, including viruses.
Once Apple has notarized a third-party app, developers can release it outside the Mac App Store.
Notarization and Gatekeeper, as well as XProtect, are the reason why the “Verifying…” dialog appears in Finder the first time you launch an app that is not released through the Mac App Store.
The application scanning process scans the application package (folder) for malicious components and prevents it from running if any are found. It also compares the application's contents to known malware signatures contained in XProtect's signature database.
This is one of the reasons why the “Verifying” process can take so long for large apps the first time they are launched.
When you double-click a notarized Mac app in macOS Finder, you will see the “This app was downloaded from the Internet. Are you sure you want to open it?” dialog. This gives you the option to decline to run the app if you want to.
If you click OK, Finder will launch the app, and if it has been notarized, XProtect will begin scanning it for malicious components.
Image source: avagustafson
It used to be possible to disable Gatekeeper entirely, but Apple removed that option in 2016. Third-party Mac software that hasn't been notarized or built using a Developer ID won't run on current versions of macOS without a prior warning.
If you see “Move to Trash” or “Not Verified” warnings when you launch a Mac app in Finder, you'll need to go to System Preferences->Privacy & Security. Click Open Anyway and enter the administrator password for your Mac.
Apple also now requires third-party developers to add the LSQuarantine (com.apple.quarantine) extended file system attribute to their app downloads before distributing them online. This attribute forces Gatekeeper to scan the app before it runs.
However, developers can still release Mac software online without adding this attribute.
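To see what the com.apple.quarantine attribute actually carries, the following added example (not code from the article or from Apple) decodes the value that `xattr -p com.apple.quarantine <path>` prints on macOS. It assumes the commonly observed field layout (hex flags; hex download time in seconds since the Unix epoch; downloading agent; optional event UUID), which Apple does not publish as a specification.

```python
"""Decode a com.apple.quarantine extended-attribute value.

Field layout (assumption from commonly observed values, not an Apple
specification): flags in hex; download time as hex seconds since the Unix
epoch; the agent that wrote the attribute; and usually a UUID keying the
LaunchServices quarantine event database. The parser is pure, so it runs
anywhere; on macOS feed it the output of `xattr -p com.apple.quarantine`.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class QuarantineRecord:
    flags: int
    downloaded_at: datetime
    agent: str
    event_uuid: Optional[str]

    def summary(self) -> str:
        return (f"flags=0x{self.flags:04x} agent={self.agent} "
                f"downloaded={self.downloaded_at:%Y-%m-%d %H:%MZ} "
                f"event={self.event_uuid or '-'}")


def parse_quarantine(value: str) -> QuarantineRecord:
    """Split the attribute into its fields; raise ValueError on anything malformed."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    try:
        flags = int(parts[0], 16)
        epoch = int(parts[1], 16)
    except ValueError as exc:
        raise ValueError(f"non-hex field in quarantine attribute: {value!r}") from exc
    downloaded = datetime.fromtimestamp(epoch, tz=timezone.utc)
    # The UUID is frequently present but not guaranteed; treat it as optional.
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineRecord(flags, downloaded, parts[2], uuid)


# Constructed sample values in the shape `xattr -p` prints (not real downloads).
SAFARI_DOWNLOAD = "0083;65a1b2c3;Safari;E1D2C3B4-A5F6-4789-ABCD-0123456789AB"
OTHER_DOWNLOAD = "0002;5f8e2c1a;ExampleDownloader"  # hypothetical agent, no UUID

if __name__ == "__main__":
    for raw in (SAFARI_DOWNLOAD, OTHER_DOWNLOAD):
        print(parse_quarantine(raw).summary())
```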
Taken together, these security features mean it is much more difficult for attackers to infect your Mac with malware.
According to Apple, XProtect runs at least once a day and when there is little user activity on the Mac.
YARA Rules
XProtect uses a set of rules from Yara International ASA to compare its database with the applications on your Mac. YARA uses signature-based detection to detect malware embedded in code.
When XProtect scans apps on your Mac for malware, it uses YARA rules to check each app against a set of comparisons. This can provide clues that point to malicious code embedded in apps or app bundles.
CISA has a slightly outdated document on using YARA to detect malware. You don't really need to know the internal details for YARA to be useful, as Apple governs its use in macOS.
XProtect downloads and updates its own signature files.
XProtect Malware Alerts
If you try to launch an app that contains known malware, XProtect will launch XProtect Remediator and alert you in Finder that it thinks the app may contain malware. Finder will ask you if you want to move it to the Trash.
If you click Move to Trash, Finder will move the app to the macOS Trash but won't delete it. You need to use the Finder->Empty Trash menu item to actually remove the app from your Mac.
XProtect Remediator will tell you in Finder what malware XProtect has detected in a particular application when you try to launch it. You can then decide whether to move it to the Trash or not.
Howard Oakley of Eclectic Light Company has a good page about what happens when you launch XProtect Remediator.
Oakley also has a post from 2022 about the changes Apple has made to XProtect and what malware it scans for, though the list is by no means exhaustive.
For a summary of how XProtect and other macOS security software works, see Apple's Platform Security Guide and Gatekeeper and Runtime Protection on macOS.
xprotect command line tool
macOS also includes a command-line interface (CLI) for XProtect called xprotect. You can run this tool in Terminal with the xprotect command to get information about XProtect running on your Mac.
To get a list of xprotect commands in Terminal, type:
man xprotect and press Return on your keyboard.
In brief, the commands are:
- update – force download of new XProtect files
- check – print current online update version
- version – print currently installed version of XProtect files
- logs – display XProtect logs
- status – print current XProtect status
- help – print help for a subcommand
Please note that all xprotect commands must be run using sudo and the administrator password in Terminal for them to work.
For example, running sudo xprotect update outputs:
Starting update.
No updates applied, already updated
when there are no new parts of XProtect to download.
How Apple Reacts
As Apple notes, when XProtect detects malware, Apple can respond in several ways, including but not limited to:
- All associated Developer ID certificates are revoked
- Notarization revocation tickets are issued for all files
- XProtect signatures are developed and released
spctl Command Line Tool
In general, you can also check your Mac's system security policies in Terminal using the spctl command line tool:
spctl --status (manage system policy).
If security scanning is enabled, you will see the following response:
assessments enabled
spctl has a huge range of options and tools, so you will need to check the man page in Terminal for more information.
Is it possible to disable XProtect?
Answer: Mostly. But don’t.
Unless your Mac is always offline, you rarely install software, or you’re seeing specific performance issues, there’s no real reason to disable XProtect. Doing so opens your Mac up to a flood of known and unknown malware on the Internet, and you’re asking for trouble.
That being said, if you absolutely must disable XProtect, you can do so in Terminal with the following command:
sudo spctl --master-disable
To re-enable XProtect, use:
sudo spctl --master-enable
and press Return.
If you do disable XProtect, do so for as short a period as possible, and re-enable it as soon as you’ve finished the task that required it to be disabled.
Third-Party Scanners
While XProtect is operated by Apple and is part of macOS, there may still be times when you want to run a third-party malware scanner on your Mac.
Trusted scanners like Norton and McAfee have been around for decades, so they are always a solid choice. There are also smaller third-party scanners that are good, like PrivacyScan ($15) from SecureMac.com.
If you use a third-party scanner, try to use one sold in the Mac App Store, as Apple reviews all App Store apps to make sure they are free of malware.
Apple has done a good job with XProtect, and for the most part, it is quiet and reliable. You may want to turn on automatic security updates in System Preferences to ensure your Mac receives all new vulnerability files and updates as soon as they are released by Apple.