XProtect: Missing, presumed dead?

If you use LockRattler or a similar tool, you’ll be very familiar with the joined-up systems which macOS uses to combat malware. There’s the Gatekeeper mechanism, central to security services, which tries to ensure that any code loaded is ‘safe’. Code signatures are only part of this, as XProtect checks the security and integrity of files in broader ways too. Vulnerable document types, such as JPEG images, are also screened to ensure that they’re not malicious.

Then there is Apple’s Malware Removal Tool (MRT), an app which often complements XProtect’s signature-based screening, and can automatically remove all traces of many different species of malware. Behind these is System Integrity Protection (SIP), which ensures that nothing can tamper with key system files, or even Apple’s bundled apps.

XProtect is at the front end of this protection. Every time that you open an app or a document, the security system considers whether to pass it to XProtect for checking. Although the range of malware which it detects is significantly smaller than most third-party products, it has been well-maintained and is well-integrated with the rest of macOS and its security system.

Each of these components on which the security of our Macs rests relies on data files, which are updated silently when Apple pushes new data for them. At present, Apple is pushing an update to Gatekeeper data pretty well every week, with MRT updates occurring rather less often.

For the first time since its introduction, Apple has left XProtect without any updates for over five months; that’s more than 150 days. The last XProtect update was version 2099 pushed on 13 March 2018, when many of us were struggling through snow and ice instead of the current heat and drought.
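The data-file versions the post refers to can be read directly from each bundle's Info.plist. The script below is an added example, not code from the original post or from Apple; it assumes the High Sierra bundle paths shown and checks the installed XProtect version against 2099, the last push the post describes, falling back to a constructed sample plist where no XProtect bundle exists.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apple: read the version
# recorded in the XProtect and MRT data bundles and flag XProtect as stale when it
# is still at 2099, the last version the post mentions.
# The bundle paths are assumed from the High Sierra layout, not taken from the post.
XPROTECT_PLIST="/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
MRT_PLIST="/System/Library/CoreServices/MRT.app/Contents/Info.plist"
LAST_KNOWN_XPROTECT=2099   # pushed 13 March 2018, per the post

# Pull CFBundleShortVersionString out of an XML Info.plist with sed alone, so the
# same function also runs on a constructed sample on a system without plutil.
plist_version() {
    sed -n '/<key>CFBundleShortVersionString<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# Exit 0 if the XProtect data is newer than 2099, 1 if it is 2099 or older,
# 2 if no numeric version could be read.
xprotect_is_newer() {
    v=$(plist_version "$1")
    case "$v" in
        ''|*[!0-9]*) echo "no numeric XProtect version in $1" >&2; return 2 ;;
    esac
    echo "XProtect data version: $v (last known push: $LAST_KNOWN_XPROTECT)"
    [ "$v" -gt "$LAST_KNOWN_XPROTECT" ]
}

# Constructed sample plist (not a real Apple file) standing in for a Mac still on
# XProtect 2099, so the script can be exercised where no XProtect bundle exists.
SAMPLE_PLIST=$(mktemp)
trap 'rm -f "$SAMPLE_PLIST"' EXIT
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>2099</string>
</dict>
</plist>
EOF

# Check the real bundle when present, otherwise fall back to the sample.
if [ -f "$XPROTECT_PLIST" ]; then TARGET="$XPROTECT_PLIST"; else TARGET="$SAMPLE_PLIST"; fi
if xprotect_is_newer "$TARGET"; then
    echo "XProtect data has been updated since March 2018."
elif [ $? -eq 1 ]; then
    echo "XProtect data is still at $LAST_KNOWN_XPROTECT or older: treat it as stale."
fi
if [ -f "$MRT_PLIST" ]; then echo "MRT version: $(plist_version "$MRT_PLIST")"; fi
```

On a real Mac the MRT line reports a dotted version such as 1.35, which is why only the integer XProtect version is compared numerically.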

Apple, true to form, barely even mentions these crucial systems in its documentation, and has never acknowledged pushing any updates, let alone told us what any of them do. So we are left to speculate as to the meaning of this unprecedented lack of updates to XProtect.

Although these systems seem to integrate well, XProtect and MRT appear to come from separate engineering teams. The terminology which the two apps use for malware is different, and they differ in the species of malware which they can detect. While XProtect has remained without updates, MRT has advanced from version 1.30 to 1.35.

As far as I know, there is no third-party substitute for XProtect, none which can latch into the macOS security system at the same low level. There are some excellent third parties who understand XProtect and its Yara files, like Digita Security, who I’m sure could continue their maintenance. But Apple controls the silent push update mechanism, so for the moment there’s no possibility of anyone else stepping in to fill the gap that Apple has left, even if they found funds to do so.

Maybe Mojave is going to surprise us with a replacement for XProtect, perhaps for MRT too, despite the fact that neither has been mentioned by its current beta-testers nor at WWDC. That would still leave those using macOS up to and including High Sierra needing updates to XProtect’s data files – something which Apple already seems to have stopped.

Isn’t it time that we are told what is going on with XProtect, so that we can plan what to do if it is presumed dead?