Last Week on My Mac: Is XProtect dead, or about to be replaced?

It has been a great comfort to know that each time you open a document in macOS, the system checks that it doesn’t bear the signature of malware. XProtect’s built-in malware scan was introduced almost nine years ago, in Snow Leopard, and while it does occasionally get bamboozled by new nasties, it must have saved a lot of Mac users from disaster.

Over the last few months, though, Apple has shown signs that it may be abandoning XProtect as we know it.

The original concept of file quarantine is even older, but in August 2009, Apple introduced XProtect, the system tool which scans all files flagged as being downloaded from the internet, looking for tell-tale signs that they might contain known malware. At first it could only detect two Trojans, and seems to have scanned only those files marked with a ‘quarantine’ flag.

But by this year, XProtect could identify at least 50 different species of malware, many in several different variants, and is currently run whenever certain types of file are opened, even if they don’t carry a quarantine flag.

Signature-based malware scanning relies entirely on keeping its detection list up to date. Every month or two, sometimes even more often, Apple has pushed out updates to the ‘Yara’ definitions on which XProtect depends. Although Apple maintains strict secrecy about these updates, they’re easy to detect, and being text files, straightforward to analyse.

On 13 March 2018, Apple silently updated our XProtect definitions to version 2099. Although since then it has pushed 8 updates to Gatekeeper’s lists of revoked signatures, and 3 updates to the Malware Removal Tool (MRT) which tries to strip out Trojans and other nasties, there hasn’t been another XProtect update for more than four months.

Four months is an unconscionable long time in computer security. Any commercial anti-malware product which didn’t update its definitions several times over that period would surely be considered dead in the water, and a waste of time. It’s not completely impossible that there really have been no new or changed definitions to incorporate into XProtect over that time, but it looks exceedingly unlikely.

Since the start of December 2015, Apple has pushed a total of 33 updates to XProtect data, on average one every 26 days. Previously, the longest our Macs have gone without an update was the 70 day period between 9 July 2016 and 17 September 2016, traditionally a quiet period over Northern Hemisphere seasonal vacations. As the chart below shows, updates have come irregularly but seldom longer than two months apart. As of today, the last XProtect data update was 130 days ago.


X axis: day number since 18 December 2015. Y axis: number of days since last XProtect data update in days. Data collected by SystHist.

What has happened on the Mac over that period which might have determined this long absence of updates is the beta-release of macOS 10.14 Mojave. Apple didn’t, as far as I can tell, announce or even hint at WWDC that XProtect might be changing in Mojave, but then as it doesn’t talk about such security features, it wouldn’t have even if they were changing. I have seen some speculation that Mojave beta-releases use a continuously-updated scanning system, but for the moment that all seems very vague.

Even assuming that Mojave is going to replace XProtect completely, this begs more questions than it answers. Will Apple retro-fit its successor to XProtect into older versions of macOS, or will it silently cast them adrift without an up-to-date malware scanner? Whatever might be coming in Mojave, signs are that XProtect has suddenly become unsupported, and of residual value only against historic malware. For the many whose Macs can’t be upgraded to Mojave, that would abandon them in a very vulnerable situation.

Apple can no longer hide behind its claim that discussing security matters in public only compromises that security. XProtect is one of the few security features which Apple has described explicitly in its support notes, even though it couldn’t quite bring itself to name it there.

If XProtect is changing, or has been abandoned, at the very least Apple needs to tell us what is going on. For system administrators, in particular, this is essential to planning. When reports are coming in of increasing risk of targeted attacks, as the US starts the campaign for its mid-term elections, this appears particularly ill-timed.

What is going on with XProtect, or should we already be referring to it as ExProtect?