Everything you need to know about XProtect’s malware protection

macOS has extensive security protection built into it. This article describes how it protects against malware using two related tools known together as XProtect, and how they differ in macOS Catalina and later.

Older versions of macOS have two separate defences against malware: XProtect and Apple’s Malware Removal Tool, MRT. When you open apps or run other executable code subject to Gatekeeper’s checks, it’s checked for matches against the signatures of known malware contained in XProtect’s data file. MRT scans storage looking for the tell-tale signs of the malware it knows; should it find any, it attempts to remove or ‘remediate’ it. Periodically, Apple distributes updates to XProtect’s data bundle, and the MRT app.

This year, that has changed for Macs running macOS Catalina and later. For those, Apple has replaced MRT with a completely different form of XProtect, commonly known as XProtect Remediator. MRT hasn’t been updated since April 2022, while XProtect Remediator is currently updated every two weeks. MRT still works on older Macs, but as time passes its protection will wane, and older versions of macOS may benefit from additional protection to compensate.

XProtect

Although in the past XProtect has had other functions, such as blocking the use of vulnerable versions of Java and Flash Player, its main purpose now is to provide the macOS security system with a dictionary of signatures for known malware. This is delivered in a ‘Yara’ file within XProtect.bundle in the CoreServices folder, and stored on the Data volume for ease of updating. Updates are titled XProtectPlistConfigData, and are pushed at irregular intervals, every few weeks, when Apple’s security team needs to update them for changing malware threats. It’s essential for all Macs to keep this data up to date, to ensure that malware can be detected effectively.

This form of XProtect runs on demand: when the macOS security system’s rules call for an app or other code to be checked, current signatures are used in a scan of that app or code. If malware is detected, you’re informed, and the app or code is blocked from being run, so you can remove it before it does any damage.

XProtect Remediator

This was introduced in Monterey 12.3, and has progressively taken over from MRT in scanning for signs of known malware, and removing it. It can only run on macOS Catalina and later, and isn’t available for earlier versions of macOS. Although called XProtect, it’s separate from the regular XProtect system and operates quite differently. When your Mac is awake (not asleep), but you’re not using it actively, XProtect Remediator (XPR) runs its scanning modules to look for signs of known malware. If it finds any, it then attempts to remove or ‘remediate’ it. This is similar to the way that some of the better third-party anti-malware products work, only this is integrated into macOS and designed to be completely unobtrusive to the user.

XPR is found alongside the XProtect.bundle in the CoreServices folder on the Data volume, where it’s named XProtect.app. It’s currently updated every two weeks on a regular cycle, those updates being titled XProtectPayloads, so they can be easily distinguished from updates to regular XProtect detection signatures.

Regular updates let Apple’s security engineers tune XPR’s settings, change the frequency of its scans, as well as update individual scanning modules. If you’ve been watching XPR’s scans over the last few months, you’ll have noticed that those for DubRobber are less frequent now than they were in the summer, because Apple’s assessment of its threat has changed over that period.

Normally, at present, XPR scans run roughly every 24 hours, each consisting of two separate series, one run as the current user, and the other as root. Both are important because of their differing privileges, which allow XPR to examine different files and folders.

XPR writes the results of its scans to the Unified log, where most users won’t find them. In Ventura, though, they are part of the package of data made available through Endpoint Security. If you have third-party software using that in Ventura, then it will now be able to report the results of XPR scans. The current snag with this is that there are bugs affecting Endpoint Security software, which may make it unusable for the moment. Apple is working on an early fix for those.

Are they up to date?

To get maximum benefit from XProtect and XPR, your Mac needs to have the current version installed. You can check the version of XProtect.bundle and XProtect.app in the Finder, but Apple doesn’t publish their current versions. You’ll find them listed on this page for Ventura, and explained in full detail here. It’s simpler still to check using SilentKnight or LockRattler, either of which can also find and install pending updates. SilentKnight checks the current version automatically, offers more, and is my first choice.


You can’t rely on just having installed a macOS update to ensure these are up to date: Apple frequently delivers much older versions, and expects your Mac to catch up later. For example, the Ventura upgrade brought version 62 of XPR, which dates from June, and it’s essential that the current version is installed immediately after upgrading.

SilentKnight also goes a bit further and tells you whether XPR has been scanning in the last 24 hours, and whether it reported anything out of the ordinary in that time. This is just a quick check: there are lots of innocent reasons why there may be no scans in that period, and this lets you follow them up when you want to.

Checking XPR reports

If your Mac is running Ventura and you have security software using Endpoint Security, that’s the best way to check the results of scans made by XPR.

For Catalina to Monterey, and those not using suitable third-party security software, XProCheck provides a basic set of tools you can use to check the results of XPR scans, and any issues with XPR itself.


XProCheck provides two main features: it checks your Mac’s logs for reports entered there by XPR’s scanning modules, and it lets you run a set of checks manually. Set the time period to a few days and click on the Check XProtect button. After a pause of a few seconds, all scans completed and reported into the log over that period will be listed in that window.

Normally, when running recent versions of XPR and in the absence of any malware, you should just see a list of each of the scans completed and reported. Those that don’t return a ‘normal’ result are marked with a yellow triangle ⚠️ so you can inspect them more carefully. This doesn’t mean that something is wrong, just that the entry needs inspection.

If your Mac is running an old version of XPR, such as 62 distributed with Ventura, expect to see many of those warning triangles, as XPR didn’t write ‘normal’ log entries in that version. If it’s running a more recent version and there are any warning triangles, then you’ll need to read them carefully, as they could report the presence and remediation of malware.

If there are no scan reports found, that doesn’t necessarily mean there’s a problem. Try increasing the period to a few days, and check again. If your Mac has spent those days working hard or shut down (or asleep), then it’s possible that XPR hasn’t run any checks in that time. Try leaving your Mac idling awake for an hour or so to give XPR a chance to run automatically, then check again.

Running a manual XPR scan in XProCheck is most useful as a test of its reporting. Once it has completed, if you click on the Check XProtect button, you should see its reports from the log. If no reports appear, it suggests that your Mac may have problems with its log, which are examined here. Because those checks are run only in user mode, they are no substitute for its automatic scans, but are better than nothing, and helpful in diagnosing problems.
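The two checks described above, SilentKnight’s “has XPR scanned in the last 24 hours?” and XProCheck’s list of scan reports with non-‘normal’ results flagged, can be reproduced with a short script. This is an added example, not code from SilentKnight, XProCheck or Apple: the `log show` flags are real, but the subsystem predicate and the module/result fields inside each log message are assumptions, and the sample records are constructed so the summary can run on any machine.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

# Assumed predicate for XPR's log reports; confirm it against your own Mac's log.
XPR_PREDICATE = 'subsystem == "com.apple.XProtectFramework.PluginAPI"'
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"  # timestamp format used by `log show --style json`
SAMPLE_NOW = datetime(2022, 11, 20, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed sample records: the outer shape follows `log show --style json`, but the
# module/user/result fields inside eventMessage are an assumption, not Apple's format.
SAMPLE_RECORDS = [
    {"timestamp": "2022-11-20 02:10:00.000000+0000",
     "eventMessage": json.dumps({"module": "DubRobber", "user": "root", "result": "normal"})},
    {"timestamp": "2022-11-20 02:10:03.000000+0000",
     "eventMessage": json.dumps({"module": "Adload", "user": "root", "result": "normal"})},
    {"timestamp": "2022-11-20 02:11:00.000000+0000",
     "eventMessage": json.dumps({"module": "Adload", "user": "alice", "result": "remediated"})},
    {"timestamp": "2022-11-17 01:00:00.000000+0000",
     "eventMessage": json.dumps({"module": "SnowDrift", "user": "root", "result": "normal"})},
    {"timestamp": "2022-11-20 02:12:00.000000+0000", "eventMessage": "not a structured report"},
]

def fetch_records(hours=72):
    """Read XPR reports from the Unified log (macOS only; uses the real `log show` flags)."""
    out = subprocess.run(["log", "show", "--last", f"{hours}h", "--predicate", XPR_PREDICATE,
                          "--style", "json"], capture_output=True, text=True, check=True).stdout
    return json.loads(out)

def summarise(records, now, window_hours=24):
    """Latest scan per module, entries needing inspection (the yellow-triangle case),
    and whether any scan ran inside the window (the 24-hour check)."""
    latest, flagged = {}, []
    cutoff = now - timedelta(hours=window_hours)
    for rec in records:
        try:
            body = json.loads(rec["eventMessage"])
        except (ValueError, KeyError):
            continue  # plain-text line, not a structured XPR report: skip it
        when = datetime.strptime(rec["timestamp"], TS_FORMAT)
        module = body.get("module", "unknown")
        latest[module] = max(when, latest.get(module, when))
        if body.get("result") != "normal":
            flagged.append((when, module, body.get("user"), body.get("result")))
    return {"latest": latest, "flagged": sorted(flagged),
            "scanned_in_window": any(t >= cutoff for t in latest.values())}

if __name__ == "__main__":
    try:
        records, now = fetch_records(), datetime.now(timezone.utc)
    except (OSError, subprocess.CalledProcessError):
        records, now = SAMPLE_RECORDS, SAMPLE_NOW  # not on macOS: use the constructed data
    report = summarise(records, now)
    for module, when in sorted(report["latest"].items()):
        print(f"{module:12} last scan {when:%Y-%m-%d %H:%M} UTC")
    for when, module, user, result in report["flagged"]:
        print(f"⚠️ {when:%Y-%m-%d %H:%M} {module} ({user}): {result}")
    print("scanned in last 24h:", report["scanned_in_window"])
```

As with XProCheck, an empty `latest` table or `scanned_in_window` being false only means no reports were found in the window, not that anything is wrong; widen `hours` before drawing conclusions.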

Recommendations

  • Ensure your Mac’s security systems are kept fully up to date.
  • If your Mac is running an older version of macOS before Catalina, consider using third-party security protection to make up for the effective loss of MRT.
  • Check XProtect and XPR regularly, perhaps using SilentKnight or an equivalent, to ensure they’re current.
  • If your Mac is running Ventura, consider running third-party software using Endpoint Security to keep an eye on XPR.
  • If your Mac is running Catalina, Big Sur or Monterey, or Ventura without an Endpoint Security product, use XProCheck regularly to keep an eye on XPR.
  • If your Mac has problems with XProtect or XPR, take them seriously and get them fixed. Your Mac’s security depends on them.

Further reading

SilentKnight’s Help Reference (via its Help menu) has extensive details.
XProCheck’s Help (via its Help menu) has additional information.

macOS now scans for malware whenever it gets a chance
SilentKnight 2.2 helps you avoid unintended updates, and copes with failed installs
What does SilentKnight check and why?
XProCheck 1.2 checks macOS malware scans better