Sometimes articles here get a stern ignoring, no matter how important they might seem to me. Then all of a sudden another catches the Internet afire. Last week, this happened with a topic I’ve been writing about here for nearly three months now, since I first reported on the arrival of XProtect Remediator. Now the flames are dying down, it’s time to consider some of the more important questions all that clamour and discussion has raised.
First is the problem of how all this scanning for malware is going to steal CPU cycles and detract from what we do on our Macs. Until we were able to observe these scans, that has been impossible to determine.
I’ve just looked at the continuous period of at least 44 hours covered by records in the Unified log of my production iMac Pro, during typical use. In that time, a total of 73 scans by XProtect Remediator modules completed and reported into the log. The total time taken by them was no more than 1125.9 seconds, that’s less than 19 minutes, or 0.7% of the time that Mac was running.
I also checked the times that those scans were performed: none completed when I was actively using that Mac, and the great majority took place when I was either upstairs in bed, or out of the house altogether. I’ve also looked less formally at log reports on my two M1 Macs, which see more intermittent use and aren’t left on all the time. Scans are dispatched when they are otherwise inactive, and have no impact at all on my use of those Macs.
Those who seem to think that XProtect Remediator scans are responsible for sluggish performance or beachballing can now test that hypothesis using Mints, and I think I may already know the answer, if my results are anything to go by.
What is considerably more concerning, though, is how the user gets to know of what XProtect Remediator is up to. Let’s say one of its scans did detect malware such as XCSSET (DubRobber), and try to remediate it. How would you know?
Here, this new security protection falls foul of Apple’s unwritten update policy. Although now installed and active on Macs running Catalina, Big Sur and Monterey, the only version of macOS that currently receives full maintenance is the one that hasn’t been released yet, Ventura.
XProtect Remediator is designed as a background service without any human interface. Unlike traditional detections by XProtect, using its Yara signatures, or failed Gatekeeper checks on signatures and integrity, there’s no mechanism for detection or remediation activity to be communicated to the ordinary user. Nor will there ever be in Catalina, Big Sur or Monterey now that they’re in security-only maintenance, or, in the case of Catalina, no longer maintained at all.
Ventura is more promising, though: XProtect Remediator detection and remediation events are available in its improved Endpoint Security support.
Endpoint Security was introduced in Catalina, and enables approved third-party developers to create system extensions which tap into macOS monitoring of system events for evidence of potentially malicious activity. Some of the best third-party tools, such as Objective-See’s BlockBlock, already use Endpoint Security to detect potentially malicious activity, and I’m sure are already adding support for XProtect Remediator in Ventura. It’s worth noting that before developers can access Endpoint Security, Apple has to grant them the entitlement of com.apple.developer.endpoint-security.client, which can take time. Any app without that entitlement can’t install or use the required system extension. Beware of any making false claims, too.
That leaves the three most recent versions of macOS, which for many Macs are the last they can run, without any visible means of access to the results of these scans. I’ve already added this feature to my free utility Mints, and tomorrow (Monday) will be releasing the first version of a more convenient tool to help you keep an eye on this. I’m sure there will also be others along shortly.