MRT and XProtect Remediator: an update

Three current release versions of macOS, Catalina, Big Sur and Monterey, have both Apple’s old Malware Removal Tool (MRT) and its new XProtect Remediator installed and active at present. Although MRT hasn’t been updated since 29 April 2022, it still appears to be active on Macs running those versions of macOS. This article looks a bit deeper at the state of play during this transition period prior to the release of Ventura.

To assess this, I used a Monterey 12.5 virtual machine, examining its Unified log for the first minute after the initial entry marking the start of kernel boot. Virtual machines are ideal for this, as their boot phases contain far fewer entries than real boots: there’s almost no hardware to initialise, and many verbose services like Wi-Fi aren’t supported, so they make almost no entries. Even so, to keep such long log extracts manageable, they were collected in 5 second chunks. That allowed the entire log to be searched for the terms MRT and XProtect, rather than risking missed entries through predicate filtering.
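A small script that applies the same method, added here as an example rather than the article’s own tooling: it builds the 5 second `log show` windows for the first minute, and over constructed sample lines in `log show`’s default text format reports how many seconds after the first kernel entry each MRT or XProtect entry appears. The process names and message text in the sample are constructed and not quoted from a real log.

```python
import re
from datetime import datetime, timedelta

# Default `log show` text line: timestamp (with +HHMM offset), thread, type,
# activity, PID, TTL, then "process: message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{4})\s+"
    r"\S+\s+\S+\s+\S+\s+\d+\s+\d+\s+(?P<proc>[^:]+):\s*(?P<msg>.*)$")

def parse_line(line):
    """(timestamp, process, message) for one log line, or None for headers."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f%z")
    return ts, m["proc"].strip(), m["msg"]

def offsets_from_boot(lines, terms=("MRT", "XProtect"), boot_proc="kernel"):
    """(seconds since the first entry from `boot_proc`, process, message) for
    every line whose process or message mentions one of `terms`."""
    boot, hits = None, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, proc, msg = parsed
        if boot is None and proc == boot_proc:
            boot = ts
        if boot is not None and any(t in proc or t in msg for t in terms):
            hits.append((round((ts - boot).total_seconds(), 1), proc, msg))
    return hits

def chunk_commands(start, seconds=60, step=5):
    """`log show` invocations covering [start, start+seconds) in `step`-second
    windows, so the whole extract can be grepped instead of predicate-filtered."""
    fmt = "%Y-%m-%d %H:%M:%S"
    cmds = []
    for off in range(0, seconds, step):
        a = start + timedelta(seconds=off)
        b = a + timedelta(seconds=step)
        cmds.append(f'log show --start "{a:{fmt}}" --end "{b:{fmt}}"')
    return cmds

# Constructed sample, shaped like `log show` output; timings mirror the article.
BOOT_TIME = datetime(2022, 8, 10, 9, 0, 0)
SAMPLE = """\
Timestamp                       Thread     Type        Activity             PID    TTL
2022-08-10 09:00:00.000000+0100 0x6a       Default     0x0                  0      0    kernel: (constructed) first kernel entry
2022-08-10 09:00:06.400000+0100 0x2c1      Default     0x0                  176    0    syspolicyd: (constructed) added XProtect yara rules
2022-08-10 09:00:10.200000+0100 0x3f0      Default     0x0                  412    0    MRTd: (constructed) scan started
2022-08-10 09:00:14.000000+0100 0x3f0      Default     0x0                  412    0    MRTd: (constructed) scan complete
""".splitlines()
```

Run the commands from `chunk_commands` on a Mac, concatenate their output, and feed the lines to `offsets_from_boot` to get the same kind of timings the article reports.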

MRT

MRT consists of two executable components, a daemon labelled as MRTd, and an agent MRTa. If you’ve watched Activity Monitor shortly after startup, you’ll surely have noticed sustained periods of activity from them both, and in many Intel Macs these are sufficient for the fans to run up.

The daemon was the first to start scanning, at 10.2 seconds after the first kernel entry in the log, and completed at 14.0 seconds, giving a run time of 3.8 seconds. At 19.4 seconds, the agent started its scan, completing at 26.4 seconds, for a run time of 7.0 seconds. Those timings are for a 50 GB disk image which is largely empty, although significantly slower to access than an SSD.

There’s no suggestion that either scan was abbreviated in any way, and both resulted in log entries confirming that scanning did take place.

XProtect

The first entry concerning XProtect in the log related to its more traditional functions, in scanning for malware signatures. Around 6.4 seconds after kernel boot, XProtect’s yara rules from XProtect.bundle were added to system security policy.

The next entries concerned XProtect Remediator’s PluginServices, contained in the XPCServices folder in the new XProtect app. Three separate XPC events were added in accordance with the LaunchAgents and LaunchDaemons property lists for com.apple.XprotectFramework.PluginServices. These events are set as repeating, both CPU and disk intensive, allowed on battery, and are run at the Utility Quality of Service level, which on Apple silicon normally allows the use of both P and E cores, although it’s the lowest level that isn’t constrained to E cores alone.

The three are:

  • ‘fast’ scan every 6 hours,
  • ‘slow’ scan every 7 days,
  • regular scan every 24 hours.

These XPC events were added at around 6.8 seconds after the start of kernel boot, and were later added to the DAS schedule for timed dispatch. Although each scan appears to consist of running a series of Remediator code modules from inside the XProtect app bundle, it isn’t clear which of those scanners is used for each of the three scan types, nor how extensive their coverage is.

Current status

At present, in the current fully patched versions of Catalina, Big Sur and Monterey, the following malware detection and remediation remains active:

  • XProtect signature-based detection (traditional) using version 2161 of the yara definitions from 30 June 2022;
  • MRT agent and daemon detection and removal scans shortly after startup, using MRT version 1.93 from 29 April 2022;
  • XProtect Remediator scans, fast every 6 hours, regular every 24 hours, and slow every 7 days, using the 13 scanners in XProtect.app, version 68 from 4 August 2022.

macOS Mojave and earlier only have the benefit of the first two of those, and don’t have XProtect Remediator installed.