Over the last year macOS defences against malware have been changing, with the introduction of a new background scanning service, and the retirement of Apple’s old Malware Removal Tool, MRT. To celebrate the first year of the new service, this article summarises what has happened, and where it leaves those defences.
History
Before March 2022, macOS had two tools to perform malware detection and removal, XProtect and MRT.
XProtect performs on-demand checks as part of Gatekeeper’s checks, which at that time were performed only on the first run of executable code with a quarantine flag set. These include checking for the characteristics of known malicious code using definitions in a Yara file, one of a set of components in XProtect.bundle that Apple updates periodically. This original form of XProtect can’t attempt to remove any malware it detects, but Gatekeeper instructs the user to do so through an alert.
MRT performed periodic background scans to detect and remove known malware, most obviously performed shortly after login. This was accomplished by an executable binary posing as the MRT app, updated periodically by Apple to address changes in threat. MRT was last updated on 29 April 2022 to version 1.93, and isn’t installed on newer systems.
With the release of macOS Monterey 12.3 on 14 March 2022, a new XProtect.app bundle was added to /Library/Apple/System/Library/CoreServices, initially given as version 1. This passed almost unnoticed until it was updated to version 2 with macOS 12.4 on 16 May 2022. At that stage, the bundle contained eight executables, XProtect itself (which hadn’t previously existed as a discrete app or binary), and seven XProtect Remediator binaries. According to their names, one was effectively MRT version 3, and the others tackle the following known malware:
- Adload, an endemic Trojan known for downloading unwanted adware and PUPs;
- Eicar, a harmless standard test for anti-malware products;
- Genieo, a browser hijacker acting as adware;
- Pirrit, malicious adware;
- SheepSwap, presumably a synonym for Mac malware;
- Trovi, a cross-platform browser hijacker.
On 17 June 2022, Apple released the first standalone update to XProtect.app, now known from its scanning modules as XProtect Remediator (XPR), and delivered as an XProtectPayloads update. Version numbering jumped from 2 to 62, and this added two new scanning modules, named XProtectRemediatorDubRobber and XProtectRemediatorGreenAcre. DubRobber, more widely known as XCSSET, is a particularly versatile and troubling Trojan dropper that has proved tough to detect and remove because it changes so frequently to evade protection.
Updates to XProtect Remediator then followed every fortnight until version 84 on 10 November 2022, since when they have been released at least once a month, reaching version 99 on 8 June 2023.
Following updates in 2022, XPR now runs and is supported on all versions of macOS from 10.15 Catalina onwards.
Scans
XPR runs periodic scans in the background, currently once a day, but it can run individual scanner modules more or less frequently, according to threat. For instance, during the summer of 2022, Apple considered there to be an increased threat from XCSSET, and XPR’s DubRobber binary ran several scans daily.
These scans are scheduled by the system Duet Activity Scheduler (DAS) and Centralized Task Scheduling (CTS) via the XPC service XProtectPluginService, as set up by launchd property lists contained in the bundle’s Resources folder, symlinked from LaunchAgents and LaunchDaemons folders. They’re most likely to occur when the Mac is awake but relatively lightly loaded, and cannot occur during sleep.
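To check that this scheduling is intact on a particular Mac, here is an added shell example (it is not Apple’s code and not from this article) that verifies the launchd property lists are symlinks resolving inside the XProtect.app bundle named above. It assumes the symlinks live in /Library/Apple/System/Library/LaunchAgents and LaunchDaemons and carry XProtect in their names; confirm both on your own system before relying on its output.

```shell
#!/bin/sh
# Added example, not Apple's code: check that the launchd property lists which
# schedule XProtect Remediator are symlinks resolving inside the XProtect.app
# bundle's Resources folder. The bundle path is the one given in the article;
# the LaunchAgents/LaunchDaemons locations and the "*XProtect*.plist" naming
# are assumptions to verify locally.

XPR_RESOURCES="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Resources"
XPR_AGENTS="/Library/Apple/System/Library/LaunchAgents"     # assumed location
XPR_DAEMONS="/Library/Apple/System/Library/LaunchDaemons"   # assumed location

# canon_target LINK: print the canonical target of LINK. Prefers readlink -f
# (GNU, and recent macOS); falls back to the raw link text on older systems.
canon_target() {
    readlink -f "$1" 2>/dev/null || readlink "$1"
}

# check_xpr_jobs LAUNCHDIR RESOURCES: for each *XProtect*.plist in LAUNCHDIR,
# print OK when it is a symlink resolving inside RESOURCES, WARN otherwise.
# The return value is the number of WARN lines (0 means everything looked right).
check_xpr_jobs() {
    dir=$1
    res=$(cd "$2" && pwd -P) || return 1
    bad=0
    for p in "$dir"/*XProtect*.plist; do
        # an unmatched glob leaves the pattern itself; skip it
        [ -e "$p" ] || [ -L "$p" ] || continue
        if [ -L "$p" ]; then
            target=$(canon_target "$p")
            case "$target" in
                "$res"/*) echo "OK   $p -> $target" ;;
                *)        echo "WARN $p -> $target (outside $res)"; bad=$((bad + 1)) ;;
            esac
        else
            echo "WARN $p is a regular file, not a symlink into the bundle"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# With --check, run against the real folders on a Mac.
if [ "${1:-}" = "--check" ]; then
    check_xpr_jobs "$XPR_AGENTS" "$XPR_RESOURCES"
    check_xpr_jobs "$XPR_DAEMONS" "$XPR_RESOURCES"
fi
```

Run it as `sh xprjobs.sh --check`; a WARN line means a plist that should belong to XPR either isn’t a symlink or points somewhere other than the bundle, which is worth investigating before assuming scans are being scheduled as described.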
Each set of scans consists of two runs, one as root and the other as the current user, to ensure as full coverage as possible. As of XPR version 99, the following scanner modules are run:
- Adload
- BadGacha
- ColdSnap
- DubRobber (XCSSET)
- Eicar (test)
- FloppyFlipper
- Genieo
- GreenAcre
- KeySteal
- MRTv3 (older malware inherited from MRT)
- Pirrit
- RankStank
- RoachFlight
- SheepSwap
- SnowBeagle
- SnowDrift (CloudMensis)
- ToyDrop
- Trovi
- WaterNet.
Many of these cryptic names assigned by Apple haven’t yet been identified by their more usual names. If you’re a malware researcher who is good with crossword clues, your assistance in identification is welcome.
As they’re written in Swift, scanner modules can employ a wide range of techniques to detect malware, including:
- standard signature matching within suspect files, and other features available in Yara definitions,
- discovery of system files in unexpected locations, such as stray WindowServer files,
- mismatches between files found in storage and running processes.
Detection and remediation
Any anomalies found in a scan are normally reported to the Unified log. When sufficient anomalies are found to satisfy a scanning module’s detection rules, it reports a successful detection and automatically attempts to remove the malware by a process termed remediation, which is explicitly reported. In macOS Ventura and later, detections and remediations are also reported as events in Endpoint Security. Otherwise, they aren’t notified to the user in any way.

In this excerpt from XProCheck, XPR reports that it has detected and successfully removed DubRobber/XCSSET.
Anomalies
When XPR runs next after it has been updated, the first scans performed as root and as user return signature errors because of their updated components. These can be safely ignored.
XPR version 96 was only released briefly, and was apparently removed from Apple’s update servers. Several of those who updated to that version discovered that it tended to report anomalies in perfectly innocent systems. Version 97 continued to do so, but so far its successor 99 appears less sensitive.
Monitoring
Because it’s a faceless background service, XPR has no means of alerting or warning the user if it does detect or remediate malware. Monitoring its reports therefore requires examining its log entries (Catalina and later), or the appropriate Endpoint Security events (Ventura and later). Some third-party security products that use Endpoint Security may also be able to report those events.
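As an added example of the log-based monitoring described here (not part of this article, nor of XProCheck or SilentKnight), the shell script below summarises XPR log entries per scanner module, counting scans, detections and remediations. It takes module names from the XProtectRemediator<Name> binary names used throughout this article; the wording it looks for in messages (“scan started”, “detection”, “remediation”) and the `log show` predicate in the comment are assumptions, so compare them with real entries on your own Mac and adjust the patterns if Apple’s wording differs.

```shell
#!/bin/sh
# Added example, not part of the article or of XProCheck/SilentKnight: summarise
# XProtect Remediator log entries per scanner module. Module names are taken from
# the XProtectRemediator<Name> binary names; the log wording ("scan started",
# "detection", "remediation") is ASSUMED here and should be checked against real
# entries on your Mac, adjusting the patterns below if Apple's wording differs.

# Constructed sample entries in a generic "date time process: message" form.
# The paths and timestamps are made up.
SAMPLE_LOG='2023-06-08 03:12:44 XProtectRemediatorDubRobber: scan started
2023-06-08 03:12:47 XProtectRemediatorDubRobber: detection: /Users/example/Library/LaunchAgents/example.plist
2023-06-08 03:12:48 XProtectRemediatorDubRobber: remediation: removed /Users/example/Library/LaunchAgents/example.plist
2023-06-08 03:12:49 XProtectRemediatorAdload: scan started
2023-06-08 03:12:50 XProtectRemediatorAdload: scan finished, nothing found
2023-06-08 03:12:51 XProtectRemediatorEicar: scan started
2023-06-08 03:12:51 XProtectRemediatorEicar: scan finished, nothing found'

# summarise_xpr_log: read log lines on stdin, print one sorted line per module:
#   <Module> scans=N detections=N remediations=N
summarise_xpr_log() {
    awk '
    {
        # the module name follows the XProtectRemediator prefix (18 characters)
        if (match($0, /XProtectRemediator[A-Za-z0-9]+/)) {
            mod = substr($0, RSTART + 18, RLENGTH - 18)
            msg = tolower(substr($0, RSTART + RLENGTH))
            seen[mod] = 1
            # classify by assumed keywords; test remediation first because a
            # remediation line may also mention the detection it resolved
            if (msg ~ /remediat/)        rem[mod]++
            else if (msg ~ /detect/)     det[mod]++
            else if (msg ~ /scan start/) scans[mod]++
        }
    }
    END {
        for (m in seen)
            printf "%-12s scans=%d detections=%d remediations=%d\n",
                   m, scans[m], det[m], rem[m]
    }' | sort
}

# xpr_detection_count: read log lines on stdin, print the total number of
# detection entries across all modules (non-zero is what deserves attention).
xpr_detection_count() {
    summarise_xpr_log | awk '{ split($3, kv, "="); n += kv[2] } END { print n + 0 }'
}

# Demonstration on the constructed sample; on a Mac, replace the sample with
# real entries, e.g. (assumption: the scanners log under their binary names):
#   log show --last 1d --predicate 'process BEGINSWITH "XProtectRemediator"' | summarise_xpr_log
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarise_xpr_log
    echo "detections: $(printf '%s\n' "$SAMPLE_LOG" | xpr_detection_count)"
fi
```

Run `sh xprlog.sh --demo` to see the summary for the constructed sample; a module line showing scans=0 over a day or more is as informative as one showing detections, since it suggests that module isn’t being run at all.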
My free SilentKnight checks whether scans have been taking place, and whether any have resulted in detection or remediation. Fuller information, for Catalina and later, is available in my free XProCheck.
If you know of any other software that monitors XPR reports, please let me know.
More XProtects
As of Ventura, there are now three quite different XProtects: the original on-demand scanner for Gatekeeper checks, XProtect Remediator as described here, and XProtect BehaviorService, part of the new Bastion behavioural-based malware detection system. If you’re writing about any of these, please take care to distinguish which you’re referring to.
Summary
- As of June 2022, Apple retired its old MRT and replaced it with its new XProtect Remediator.
- XProtect Remediator only runs on Catalina and later. Older versions of macOS effectively no longer have built-in protection from malware.
- XProtect Remediator performs periodic background scans for specific malware.
- XProtect Remediator reports to the log, and in Ventura and later in Endpoint Security events.
- You can monitor its reports in products supporting Endpoint Security (Ventura and later), and in SilentKnight and XProCheck (Catalina and later).
- XProtect Remediator is a great improvement in protection from malware.
