Inside the OS X blacklist: XProtect

XProtect is part of OS X’s file quarantine system, which aims to prevent you from opening or running malware which might have found its way onto your Mac.

All files which are downloaded from the Internet, received in email messages, etc., using ‘standard’ applications are marked by OS X as being in quarantine. When you first try to open them, OS X alerts you to their origin, and checks that you want to open the file. As part of that process, XProtect checks whether they might contain known malware from its current blacklist. If it finds such malware, it tells you what it is, and advises you to trash it immediately; it also gives you the option of reporting it to Apple. It prevents you from opening or running the file.

XProtect will also block listed vulnerable versions of web and similar plugins, such as older versions of Adobe Flash, Java, and Microsoft Silverlight, from running. If you discover that one of those plugins has become disabled, chances are that you had an old and vulnerable version installed, and XProtect is now blocking it. The only way to unblock a plugin is to update to the latest version, which should normally be acceptable to XProtect. You cannot turn XProtect off now, to let you work around an old and vulnerable plugin.

For applications, the quarantine system additionally engages Gatekeeper, which checks its code signature before allowing you to run an app for the first time after download.


XProtect currently only has one option: whether its updates are installed automatically or not. Oddly this is controlled by the App Store pane: by default that should be set to Install system data files and security updates, in which case when Apple pushes out an update to XProtect’s blacklist, it will be automatically installed and come into force. If you turn that off (which is not recommended), you will have to check for such updates and install them manually.

You cannot tamper with the XProtect part of the quarantine system, as it is stored in folders which are protected by El Capitan’s SIP. However its blacklists are available for you to inspect, and located in /System/Library/CoreServices/XProtect.bundle. Select that file, and use the Finder’s contextual menu to Show Package Contents.

Within the path Contents/Resources, you will see two files, XProtect.meta.plist, and XProtect.plist, containing the blacklists. The current versions, as of 16 January 2016, include:

  • JavaWebComponent minimum 1.6.0_45-b06-451
  • Microsoft Silverlight minimum 5.1.41212.0
  • Adobe Flash Player minimum
  • Oracle Java Applet minimum
  • Apple Java Applet minimum 14.8.0
  • a long list of blacklisted extensions, including some adware, Flash, and search
  • known malware such as InstallImitator, XcodeGhost, Genieo, Vindinstaller, OpinionSpy, VSearch, Machook, iWorm, NetWeird, MacDefender, FlashBack, SMSSend, AdPlugin, and more.

Note that XProtect operates using blacklists – items which are deemed dangerous – rather than whitelists – items which are deemed safe.

The end result is not as effective as a better third-party anti-virus product, but it is free, and built into OS X.

Some methods of getting files onto your Mac can bypass the whole quarantine system, and as a result their downloads will not be checked by XProtect: the most common means of such bypass is using the command shell tool curl (cURL). Be very careful when handling files downloaded using that.