It seems only a week ago that I was assuring you that Apple’s Malware Removal Tool wasn’t going away. While I wasn’t entirely wrong, Apple had already changed this back in Monterey 12.3, released on 14 March. MRT’s successor is now installed on every Mac running macOS 12.3 or later: it’s XProtect, or to be more specific XProtect Remediator.
I happened to be looking for something in the CoreServices folder, which is firmlinked between System and Data volumes, and noticed an app there named XProtect.app which looked unfamiliar despite its name. After a quick look through my Time Machine backups, I discovered that it had been installed with the 12.3 update, so looked a bit deeper.
I’m not the first to notice something odd about this new app. The day after 12.3 was released, some of those using Webroot Business Endpoint security protection reported that one of its components was triggering a false positive report as malware. No one thought anything more about the sudden appearance of its executables, and the offending component was duly added to the Webroot exclusions definitions. If only they had realised.
This new XProtect.app is on the Data volume in the folder /Library/Apple/System/Library/CoreServices, which is firmlinked to merge with the matching folder on the System volume at /System/Library/CoreServices. When first installed in 12.3, it reported that it was version 1, and has already become version 2, upgraded as part of macOS rather than as a separate security data update.
What’s unusual about this app is that it contains eight executables, XProtect itself (which hadn’t previously existed as a discrete app or binary), and seven XProtect Remediator executables. According to their names, one is effectively MRT version 3, and the others tackle the following known malware:
- Adload, an endemic Trojan known for downloading unwanted adware and PUPs, summarised here;
- Eicar, a harmless standard test for anti-malware products;
- Genieo, a browser hijacker acting as adware, summarised here;
- Pirrit, malicious adware explained in detail here;
- SheepSwap, presumably a synonym for Mac malware;
- Trovi, a cross-platform browser hijacker.
Each of these executables appears to have been written using Swift.
A look through the strings in XProtectRemediatorMRTv3 suggests that it does indeed replicate much or all of the current functionality in the MRT executable, strongly suggesting that will be a replacement for MRT in due course.
At least in Monterey 12.4, these new XProtect Remediator executables don’t appear to have replaced MRT yet. The existing tool is still run shortly following user login, and its LaunchAgent and LaunchDaemon property lists are still installed. There’s no sign of any routine scan by any of these new XProtect Remediator executables after user login either. However, as MRT’s LaunchAgent and LaunchDaemon property lists are stored on the Data volume and firmlinked into the System, it wouldn’t be difficult for a security data update to disable MRT and substitute XProtect Remediator code, which is perhaps what Apple intends in the future.
Apart from its heavy hints in the latest revision of the Platform Security Guide, Apple hasn’t provided any information about this new expanded version of XProtect. Among the important questions I have are:
- Is XProtect Remediator being installed with current or future Big Sur security updates?
- As XProtect Remediator doesn’t appear to have been included in Catalina Security Updates, will it be included before support is discontinued shortly?
- Will Apple continue to maintain MRT in the future, for those still using versions of macOS which don’t feature XProtect Remediator?
Depending on the answers, those intending to continue using macOS Big Sur or earlier versions of macOS may wish to reconsider the security of their Macs. While this is excellent news for those running Monterey or intending to upgrade to Ventura, it could leave all older versions of macOS with ageing and increasingly ineffective protection against malware.