How long has it been since the last security data update to macOS, for XProtect or XProtect Remediator (XPR)?
As of yesterday, 9 July, the last version of XProtect released was 5347 on 2 June, 37 days ago, and for XPR it was version 157 on 17 February 2026, 142 days ago. Given that recent updates to XProtect had been released every week, and those for XPR have been at intervals of 30-126 days, those are long indeed, and make you wonder.
Apple introduced XProtect and its Malware Removal Tool, MRT, precursor to XPR, around Mac OS X 10.6 Snow Leopard in 2009. They were part of the protection package to accompany the introduction of its modern security systems including SIP, code signing, and Gatekeeper, that started two years earlier in 10.5 Leopard.
In those early years, XProtect was more concerned with blocking old exploited versions of Adobe Flash, and Java, and had a short and succinct set of static malware checks as well. Until 2018-19, macOS was believed to store information about certificate revocations locally, in its Gatekeeper database, which Apple updated every couple of weeks. Those ceased after August 2019, when Apple changed to a new system.
MRT was last updated on 14 March 2022, and was replaced by XPR on 17 June 2022, although that final version 1.93 is still routinely installed on new Macs. There followed a period of rapid development of this new malware scanner, with new versions adding scanning modules in updates every fortnight.
At the same time, XProtect also saw frequent updates, as it added more Yara detection rules. macOS Sequoia changed XProtect by adding a second and now preferred location for its bundle containing those rules, and a new command tool to manage it. macOS 15 and 26 have therefore updated two separate bundles from different sources, the old location being maintained via softwareupdate, and the new one using the xprotect tool and its helper downloading the update from iCloud.
In itself, this change in XProtect has appeared mystifying, and only complicated matters with no clear gain in sight. Could this be the first step in delivering something new once macOS can take full advantage of the Apple silicon architecture in Golden Gate?
Although XPR has recently been updated irregularly, it has never gone as long as 142 days, nearly five months, between updates.
For much of the last 18 months, XProtect has been updated every week, although that has been disrupted over holiday periods, most notably Christmas, and the tail end of the last Christmas period brought the longest interval for many months. That has now been equalled in the gap that has grown since just before WWDC.
This year there has been a sea-change in threat with the rise in ClickFix attacks, which exploit user behaviour to bypass protections such as XProtect. Among the latest of their seemingly endless variations, users are coached to use Command-R to run an AppleScript that fetches the malicious payload to surrender your Mac to its attacker.
Apple and third-party security protection have adapted to try to detect user actions that could indicate a ClickFix attack in progress, and stop the user in their tracks. But there are so many tricks that can used to coach the unsuspecting into a trap that this is turning into another cat-and-mouse chase, with the cat always behind the mouse.
Perhaps Apple’s security engineers are going to unveil a better solution and pounce on the mouse at last?


