How does XProtect?
As I mentioned yesterday, Apple has released a long-awaited revision to its Platform Security Guide. If you’re having difficulty accessing this latest version, you should be able to access it here, or read it in PDF format. Among its many important topics are malware protection and the multiple variants of XProtect, the subject of this article.
Before this revision, the official account of XProtect had been dated 13 May 2022, when as far as everyone outside Apple knew of only one XProtect, the on-demand malware scanning service based on Yara rules updated periodically in downloads labelled XProtectPlistConfigData. Its description in the guide remains unchanged: “When XProtect detects known malware, the software is blocked and the user is notified and given the option to move the software to the Trash.”
Although none of us realised it at the time, that version also explained a little of the new form of XProtect, describing itself as XProtect Remediator, “technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). It also removes malware upon receiving updated information, and it continues to periodically check for infections. XProtect doesnʼt automatically reboot the Mac.”
