Three and a half years ago, when Apple’s new XProtect Remediator (XPR) started scanning our Macs for malware, I was amazed to discover it made no attempt to inform us of its results. Shortly after that I added a feature to Mints to read those scan reports in the log, and in September 2022 released the first version of XProCheck, a simple little utility dedicated to the task. Since then, XProCheck has become one of my most popular free apps, even outselling SilentKnight. Last week I came to realise why: because it’s all too easy for laptop Macs to skip their daily scans for many days or even weeks.
I have two Apple silicon Macs running Tahoe 26.2. My Mac mini M4 Pro is my main development system, where I do much of my research and testing, so it’s normally started up daily by lunchtime, and shut down late in the evening. My MacBook Pro M3 Pro sees only intermittent use, except during the annual beta-testing season from early June to September, when it’s dedicated to testing of and development for that year’s new version of macOS.
As I take a keen interest in the processes that run during startup, I often watch their succession in Activity Monitor’s CPU History window. I know from observation that 5-10 minutes after startup, at about the same time that Time Machine makes its initial backup of my Mac mini, XPR will cycle through its scanning modules for a period of about 15 minutes, every day. But that doesn’t happen on my MacBook Pro.
XProtect Remediator scans are scheduled on three timetables:
- a fast scan takes place every 21,600 seconds, or 6 hours
- a regular scan is run every 86,400 seconds, or 24 hours
- a slow scan is scheduled every 604,800 seconds, or 7 days.
Those are set in com.apple.XProtect.agent.scan.plist and com.apple.XProtect.daemon.scan.plist, and have remained the same since the first active version of XProtect Remediator on 17 June 2022.
From long-term observation, the fast scan seldom runs any of the scanning modules. It was used by Apple for a period back in August 2022, when XCSSET (DubRobber in XPR) was on the rampage, and that scanning module was run every few hours when possible. Since that threat has subsided, the fast scan doesn’t appear to have included any other scanning modules.
The slow scan has only become significant over the last year, as a result of the increasing size of Yara rules in the traditional XProtect. Although those Yara rules are primarily used to check apps being launched for the first time, in the original form of XProtect run during Gatekeeper checks, they’re also used by XPR. Over the last couple of years, XProtect’s rules have grown greatly in number and size, and have extended the time required for XPR to complete some of its scans that use those rules.
During regular scans, at least since version 151, XPR sets itself a timer for a period of about 15 minutes. When that expires, usually when it’s running the longest of its scans, for Adload, it cancels that and further scans. I believe the slow scan is run either with a longer timer setting, or without a time limit being imposed, to allow the whole set of scans to be completed. However, as that’s only once a week it’s not easy to capture confirming information.
As those property lists state, XPR scans are CPU-intensive and involve heavy disk use as well. They’re normally dispatched when a Mac is lightly loaded and awake, and neither regular nor slow scans are run on a laptop Mac that’s running on battery power. So my MacBook Pro will only consider dispatching a set of XPR scans when it’s:
- awake, and
- lightly loaded, and
- running on mains, not battery, power.
But even when all those conditions are satisfied, the scans still have to be dispatched by the DAS-CTS system, over which the user has no control.
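To make the timetables and dispatch conditions above concrete, here is an added example (my illustration here, not code from XProCheck or from Apple) that reads a scan property list and reports each scan's interval and whether it may run on battery. The embedded plist is constructed: its activity names, its nesting and the fast scan's battery setting are assumptions, and the key names follow XPC activity criteria, so compare them against the real files before relying on them.

```python
import plistlib

# Constructed sample, NOT Apple's file: names, nesting and flags are assumptions.
# The three Interval values are the ones given in the text.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>LaunchEvents</key><dict>
<key>com.apple.xpc.activity</key><dict>
 <key>example.fast.scan</key><dict>
  <key>Interval</key><integer>21600</integer><key>AllowBattery</key><true/>
  <key>CPUIntensive</key><true/><key>DiskIntensive</key><true/></dict>
 <key>example.regular.scan</key><dict>
  <key>Interval</key><integer>86400</integer><key>AllowBattery</key><false/>
  <key>CPUIntensive</key><true/><key>DiskIntensive</key><true/></dict>
 <key>example.slow.scan</key><dict>
  <key>Interval</key><integer>604800</integer><key>AllowBattery</key><false/>
  <key>CPUIntensive</key><true/><key>DiskIntensive</key><true/></dict>
</dict></dict></dict></plist>"""

def find_activities(node):
    """Yield (name, criteria) for every nested dict that carries an Interval."""
    if isinstance(node, dict):
        for name, value in node.items():
            if isinstance(value, dict) and "Interval" in value:
                yield name, value
            else:
                yield from find_activities(value)

def summarise(plist_bytes):
    """Map each scheduled activity to its interval and dispatch constraints."""
    out = {}
    for name, crit in find_activities(plistlib.loads(plist_bytes)):
        out[name] = {
            "hours": crit["Interval"] / 3600,
            # A missing key is treated as "not on battery" (assumption).
            "battery_ok": bool(crit.get("AllowBattery", False)),
            "heavy": bool(crit.get("CPUIntensive") or crit.get("DiskIntensive")),
        }
    return out

def eligible(summary, on_battery):
    """Scans whose power criterion is met; DAS-CTS still decides when they run."""
    return sorted(n for n, s in summary.items() if s["battery_ok"] or not on_battery)

if __name__ == "__main__":
    info = summarise(SAMPLE)
    for name, s in info.items():
        print(f"{name}: every {s['hours']:g} h, battery_ok={s['battery_ok']}")
    print("eligible on battery:", eligible(info, on_battery=True))
```

Passing power criteria only makes a scan a candidate: it says nothing about whether the Mac was awake and lightly loaded, or whether the scan was actually dispatched.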
Of course, XProCheck does provide the user with a button to Run XProtect, but that only runs the set of scans in user mode, not as root.
Running XPR is more pernickety than updating macOS, a task that can be performed when a laptop is running on its battery alone. The difference here is that I can choose when to install that update, but I’m not supposed to know anything about XPR. The main obstacle to getting XPR to scan your laptop for malware is this false secrecy, the pretence that XPR isn’t really there, and the user shouldn’t have any knowledge of it, what it has found, or even whether it has run in the last month.
That must be as frustrating to the engineers who develop and maintain XPR as it is to those of us who want to benefit from its protection. I still dream that one day the features in XProCheck will be built into Privacy & Security settings where they belong.

