A week ago I lamented how the word extension had come to cover several very different things. Today I look at how recent versions of macOS have got two different XProtects, and what each does.
My starting point is the part of the CoreServices folder located on the Data volume, in the path /Library/Apple/System/Library/CoreServices, containing five items in Ventura, the last two being XProtect.app and XProtect.bundle. They look as if they’re part of the same subsystem named XProtect, but in fact XProtect.app is what calls itself XProtect Remediator, and XProtect.bundle contains data files used in Gatekeeper checks, not by XProtect.app at all. What’s more, if you’re still running Mojave or earlier, your Mac won’t have XProtect.app at all in /System/Library/CoreServices as it’s only installed in Catalina and later, although all versions of macOS going back to around Yosemite should have the XProtect.bundle.
XProtect in Gatekeeper
The original XProtect is a part of Gatekeeper’s services, and isn’t really a discrete app at all. Look inside XProtect.bundle, and in its /Contents/Resources you’ll see a database file, three Property Lists, and a .yara file. These provide security data that allows Gatekeeper to block some software from running, including what it suspects is known malware.
Originally, one of XProtect’s main functions was to check the versions of Java, Flash Player, and other third-party services installed, and determine whether they were safe to use. In those days, Java and Flash Player were known for their serious security vulnerabilities, and XProtect used to protect your Mac from running older versions that were already being exploited by malicious software.
Since then, Adobe finally killed Flash and the threat landscape has changed greatly, so the other main function of XProtect has come to the fore. This provides a set of signatures of known malware; when Gatekeeper checks are run on apps and executable code, a compiled version of those signatures is used to detect known malware. Older macOS only ran those checks when an app with a Quarantine flag set was being run for the first time, but that has been steadily extended so that Ventura runs them every time an app is opened or executable code is run, regardless of Quarantine.
If Gatekeeper, using XProtect’s signatures as a reference, detects malware when checking an app or executable code, you’re informed immediately by an alert, and macOS refuses to run that code.
Neither Gatekeeper nor any XProtect service run background scans to check your Mac for malware: they only do that for apps and code your Mac is about to run. In previous versions of macOS, a different and discrete scanning service, Malware Removal Tool or MRT, was run in the background to look for signs of malware. When it detects any that it recognises, it should attempt to remove it. If your Mac still runs Mojave or earlier, MRT still does this, normally shortly after your Mac starts up, but Apple has now replaced MRT and hasn’t updated it since April last year.
XProtect Remediator scans
The new replacement for MRT was first introduced in Monterey 12.3 last year, but since June has been installed in all versions of Catalina and later. Initially it ran alongside MRT, but by the time that Ventura was released it had replaced it.
Although not normally run as an app, you can run XProtect Remediator yourself, simply by double-clicking XProtect.app in /Library/Apple/System/Library/CoreServices. Look inside that app and you’ll see a folder at /Contents/MacOS containing 14 executables, including XProtect and a series of executables whose names start with XProtectRemediator, its scanning modules. One, named XProtectRemediatorMRTv3, provides checks for legacy malware previously covered by MRT, while the others are specific to more recent malware, such as DubRobber, more widely known as XCSSET, and SnowDrift, known as CloudMensis.
XProtect Remediator runs its scans in the background, according to its internal schedule. At the moment, that’s normally once a day, preferably when your Mac is awake but not otherwise active, perhaps late at night or during lunchtime. When the threat is higher, Apple sets it to run specific scanners more frequently, as it did last summer for XCSSET. It isn’t used to scan on demand in the way that regular XProtect does in Gatekeeper.
XProtect Remediator doesn’t use XProtect’s malware signatures to detect malware, but employs more sophisticated techniques. Neither does it try to scan every file on your Mac, which would be most inefficient. Instead it looks at locations where it might expect to find traces of malware, and that reduces the rate of false positives and false negatives. Should it find a match, then it will attempt to remove that malware.
Because it’s a faceless background service, it has no means of alerting or warning the user if it does detect or remediate malware. Instead, it writes a report in the log and, in Ventura, sends an event in Endpoint Security. Some third-party security products not only use Endpoint Security, but may be able to report those events. Otherwise they’re likely to remain silent. My free SilentKnight checks whether scans have been taking place, and whether any have resulted in detection or remediation. Fuller information, for Catalina and later, is available in my free XProCheck.
This is an excerpt from XProCheck revealing that XProtect Remediator has detected and removed DubRobber/XCSSET.
Indications are that XProtect Remediator is much more than a replacement for MRT, and provides highly effective protection from malicious software, at least when used in combination with XProtect.
- XProtect is an on-demand feature in Gatekeeper that checks apps and executable code for malware just before they’re run. It relies on data and definitions in XProtect.bundle, and works on all versions of macOS going back to El Capitan and earlier.
- XProtect Remediator is a set of scanning modules that periodically run in the background to check for the presence of known malware. It tries to remove, or remediate, any that it detects, but only works on Catalina and later.
- Although XProtect and XProtect Remediator might sound as if they’re part of the same subsystem, they’re quite separate and do different things at different times in different ways.