Last Week on My Mac: Is your Mac still secure from malware?

Recent versions of macOS have come with two tools designed to detect malware and deal with it, by ‘remediation’: XProtect and MRT. This year they have been joined by a third, or XProtect Remediator, and Apple has dropped all references to MRT in its Platform Security Guide. Although Apple has made no announcement of any change in anti-malware tools in macOS, they’re clearly on the change. This article tries to explain where your Mac now stands.


Although one of XProtect’s original purposes was to block the use of old and vulnerable versions of third-party software such as Java and Adobe’s Flash, more recently it has mainly scanned executable code to detect known malware. This is based on signature recognition, using data updated once or twice each month to keep pace with changing malware threats. Apple last updated those detection signatures in version 2161 on 30 June 2022.

Apple continues to describe XProtect as a key component in two of the three layers of defences against malware, and has augmented its use in macOS.


Prior to May this year, Apple listed its Malware Removal Tool, MRT, as another of the key components in the defence against malware. Unlike XProtect, which relies on signatures for detection and can only alert the user when it detects known malware, MRT consists of executable code capable of automatically removing malware and performing other forms of remediation. The extensive capability of MRT was demonstrated by Apple in July 2019, when it was used in a security crisis to remove a vulnerable web server left behind by the Zoom client.

In May 2022, Apple removed all mention of MRT from its Platform Security Guide, and the last update, to version 1.93, was pushed on 29 April 2022, over three months ago. Previously, like XProtect, it had received updates every 2-4 weeks, and currently consists of 3.5 MB of executable code. Release versions of macOS continue to run MRT’s two processes shortly after starting up.

XProtect Remediator

This was introduced in macOS 12.3 on 14 March 2022, and has since been updated, expanded and added to Catalina and Big Sur in their security updates. It poses as an app named, and isn’t an app at all but a collection of executable code modules stored in that bundle. While XProtect has been updated slightly less often than previously and MRT not at all, XProtect Remediator has undergone rapid if not explosive change. This is best illustrated by increasing number and total size of its executable code modules since version 2.


In the last 2.5 months, XProtect Remediator has grown from 8 to 14 executable code modules, and from a total executable size of 15 MB to 26 MB.

Indications are that XProtect Remediator includes the functionality of MRT, together with rapidly improving and extending support for the detection and remediation of other malware. As with XProtect and MRT, Apple conceals the identity of the malware handled by XProtect Remediator using code names, including GreenAcre, SheepSwap, SnowBeagle, SnowDrift, ToyDrop and WaterNet, although its initial executables remain named after known malware families such as Adload and Geneio. These are now being observed running following startup, confirming that they are part of macOS active defences against malware.

macOS Mojave and earlier

This leaves these older versions of macOS with the following bundled protection against malware:

  • XProtect, with its signature-based detection, updated when appropriate, and
  • MRT, left in abeyance from April 2022.

Apple only seems likely to update MRT in response to a security crisis similar to that in July 2019, leaving Mojave and earlier unable to detect and remove malware detected or changed since April 2022. Although XProtect’s detection signatures will be updated periodically, Apple’s efforts are currently being devoted primarily to further improvement of XProtect Remediator.

macOS Catalina and later

Although Catalina is expected to cease receiving security updates with the release of Ventura, probably in October, it just made the cut for XProtect Remediator, and should continue to benefit from its updates. This leaves Catalina, Big Sur and Monterey with the following bundled protection against malware:

  • XProtect Remediator, featuring Apple’s latest detection and remediation methods,
  • XProtect, with its signature-based detection, updated when appropriate, and
  • MRT, left in abeyance from April 2022.

Although the effectiveness of XProtect Remediator has yet to be tested outside Apple, its capabilities should far exceed those of XProtect’s signature recognition and MRT.

The future of malware protection on macOS

The introduction of XProtect Remediator and apparent cessation of development of MRT open a gulf in malware protection bundled in macOS. Although Mojave and older versions aren’t unsupported, new and changed malware which isn’t reliably detected by XProtect’s updated signatures is likely to pass unnoticed on those older macOS, putting those Macs at increasing risk.

Those still using Mojave and earlier are also unable to assess that developing gap because of Apple’s insistence to obfuscate the identities of malware detected and remediated by MRT and by XProtect Remediator. For example, Apple doesn’t disclose what family of malware is addressed by the SnowDrift executable code in XProtect Remediator, so users can’t know whether Mojave systems might be susceptible to it, nor whether XProtect or MRT can detect it.

This is likely to become even more difficult when Apple completes the transition to Apple silicon and discontinues support for Intel Macs. As all Apple silicon Macs will have switched to relying on XProtect Remediator, it appears unlikely that Apple will provide any further support for MRT, leaving older systems with XProtect alone.

If you still run a Mac with Mojave or earlier, now is the time to reassess its risk from malware, and either upgrade it to Catalina or later, or provide additional protection to compensate for the loss of MRT. If the Mac itself is capable of running more recent macOS, it may be wiser to upgrade it, and retain the older macOS in a virtual machine, which can be isolated from risk and from the rest of that system.


  • Protection from changed and new malware provided by MRT ceased in April 2022.
  • Macs still running Mojave and earlier have been at increasing risk from malware attack since then.
  • Macs capable of running Catalina or later should be upgraded so they benefit from XProtect Remediator.
  • If access to Mojave or earlier is still required, that is best provided in a virtual machine.
  • Macs that can’t be upgraded beyond Mojave (for whatever reason) are likely to benefit from third-party protection.
  • Several tools from Objective-See are suitable, particularly KnockKnock, which supports older macOS.
  • Vendors of anti-malware products should provide information specifically targeted at Mac users still using Mojave and earlier, to help them address this increasing risk. That should include coverage of changed and new threats since April 2022, and support for those older versions of macOS.
  • Apple should fully inform Mac users of its current and future anti-malware support policies. Current information in the macOS User Guide is so vague as to be almost useless.