Checking macOS malware scans: Endpoint Security or the log?

The biggest change in Mac security last year (2022) was the introduction of a new suite of malware detection and removal tools to replace MRT, in the XProtect app located in /Library/Apple/System/Library/CoreServices, which distinguishes itself as XProtect Remediator. Like most of Apple’s security tools, it works in silence, and doesn’t directly inform the user of its periodic scans or their outcome.

If you’re running Ventura, you have two ways to check on XProtect Remediator’s scans: its entries in the Unified log, also available in Catalina to Monterey, and using Endpoint Security, an API introduced in macOS 10.15 that lets apps monitor system events for potentially malicious activity. Previous versions of macOS have rich support for events that could be malicious, and several third-party security products already monitor these, including Objective-See’s BlockBlock and various commercial products.

Among the additions to Endpoint Security brought in Ventura are two structures, es_event_xp_malware_detected_t and es_event_xp_malware_remediated_t, containing information from XProtect Remediator about its detection and remediation of known malware. Although these don’t appear to be used by security products yet, Apple’s documentation implies they are generated only when a scan detects or remediates malware, unlike entries in the log.

While Apple doesn’t provide its own Endpoint Security utility for users, it does provide a command tool to log events to standard output or the Unified log in eslogger. Although this isn’t intended to be used by applications, nor does it provide the functionality of a proper Endpoint Security app, it does give the user access to events in the API.

eslogger currently supports 82 different events, listed using the command
eslogger --list-events
Among them are two, xp_malware_detected and xp_malware_remediated, corresponding to XProtect Remediator events in the API. These can be captured to a text file using a command such as
sudo eslogger xp_malware_detected xp_malware_remediated >>eslogout.txt
man eslogger helpfully points out that its parent process requires Full Disk Access to be granted in System Settings > Privacy & Security.

As a means of monitoring XProtect Remediator scans this has limited usefulness: scans tend to be run during periods of user inactivity, often in the middle of the night. Currently, daily scans here occur in the hour after midnight, a time when reports are more usefully saved to the log rather than anywhere else.

I therefore tried eslogger out with a manual XProtect Remediator scan, initiated using XProCheck. As expected, with no detections or remediations, eslogger recorded no events in its text output. The only way of fully checking these scans is thus by capturing entries in the Unified log, where the subsystem and category XPEvent.structured can be used in a filter predicate to identify scan reports.

I have three utilities to check XProtect Remediator activity, each accessing its reports in the Unified log:

  • SilentKnight routinely checks scan reports over the last 24 hours, showing how many scans were reported, and whether any are potentially suspicious (not negative);
  • Mints offers a one-button check to list scan reports from the last 24 hours;
  • XProCheck inspects log records up to 30 days ago (as and when available), and provides a full list of all reports found. It can also run a set of manual scans, as the user not as root.


For the moment at least, XProtect Remediator’s log entries are considerably more informative than its events reported through Endpoint Security. It will be interesting to see if that changes in the coming year.