
Apple overhauls built-in Mac anti-malware you probably don’t know about


    Macs don’t have visible anti-malware software built in, at least not in the way Windows does with Microsoft’s highly visible Defender. But Apple has shipped rudimentary anti-malware protection in macOS since Snow Leopard in 2009. That system service, called “XProtect”, downloads and installs new malware definitions in the background between major macOS security updates, mainly to block the installation of known, in-the-wild malware.

    Since then, Apple has added multiple anti-malware features to macOS, although they aren’t always branded that way. Gatekeeper, app notarization, System Integrity Protection, the signed system volume, and access controls for hardware and software all relate, in one way or another, to proactively protecting system files from tampering and making sure installed apps do what they claim to do. Another under-the-hood tool, the Malware Removal Tool (MRT), works more like a traditional anti-malware scanner: it receives periodic definition updates from Apple so it can scan for and remove malware that is already on your system.

    Howard Oakley of the Eclectic Light Company makes a habit of tracking updates to XProtect and the MRT, and he maintains several utilities that check the versions of your definitions (as well as your installed firmware and other Mac esoterica that Apple updates regularly but rarely mentions). And he says Apple’s anti-malware tools have undergone a dramatic but largely silent change in recent months.

    The change follows the release of the 12.3 update for macOS Monterey, which added a new “XProtect.app” to Monterey, Big Sur (11) and Catalina (10.15). As noted in Apple’s most recent Platform Security documentation, this is a familiar name for a brand-new app that replaces the old MRT. XProtect.app appears to scan for known malware much more aggressively than the MRT did.

    “In the past six months, macOS’s protection against malware has changed more than it has in the past seven years,” Oakley writes. “It’s now fully preventative, as active as many commercial anti-malware products, provided you’re running Mac Catalina or higher.”

    When examining the XProtect app’s activity on a sleep-enabled Mac, Oakley found that it scans for most known Mac malware at least once a day “during periods of low user activity.” But it can scan much more often than that, and the scan frequency seems to be determined on a case-by-case basis. Oakley saw XProtect scan for malware called DubRobber “every hour or two”. In contrast, MRT was run “rarely” and “most noticeably shortly after boot.”

    Particularly for users of older macOS versions, Apple sometimes continues to provide behind-the-scenes updates to these tools long after it has stopped providing security patches for macOS itself. Oakley says old versions of XProtect and the MRT were updated in macOS versions as old as El Capitan (10.11), originally released in 2015.

    While this means that macOS Catalina users will continue to benefit from the new XProtect tool even after security updates for Catalina end, it unfortunately appears that the older MRT tool is no longer being updated on Mojave (10.14) and earlier macOS versions. Oakley dates MRT’s last update to April 2022, shortly after macOS 12.3 and the new XProtect app were released. Those versions of macOS were already more exposed than newer, fully patched releases, but as Apple moves away from the old MRT tool, upgrading becomes even more important for anyone who wants to keep their Mac safe.
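Because Apple publishes no changelog for these background updates, the practical check is to read the version string out of each component’s Info.plist and compare it across your fleet (or against the version Oakley reports). The script below is an added example, not code from the article or from Oakley’s utilities; the three bundle paths under /Library/Apple/System/Library/CoreServices are my assumption of where macOS 10.15 and later keep XProtect’s definitions, the new XProtect.app, and the legacy MRT.app, and the embedded Info.plist is a constructed sample so the parser can be exercised on any machine.

```python
"""Report installed versions of Apple's background anti-malware components.

Added example; not code from the Ars article or from Howard Oakley's tools.
The bundle locations are assumptions (macOS 10.15+); on other systems or
older releases the paths simply will not exist and are reported as such.
"""
import plistlib
from pathlib import Path

# Assumed bundle locations: all three live in the same CoreServices folder.
CORESERVICES = Path("/Library/Apple/System/Library/CoreServices")
COMPONENTS = {
    "XProtect definitions": CORESERVICES / "XProtect.bundle/Contents/Info.plist",
    "XProtect.app (replaces MRT)": CORESERVICES / "XProtect.app/Contents/Info.plist",
    "MRT (legacy)": CORESERVICES / "MRT.app/Contents/Info.plist",
}


def bundle_version(info_plist_bytes: bytes) -> str:
    """Extract the version string from the raw bytes of a bundle's Info.plist.

    Prefers CFBundleShortVersionString (the number Oakley's posts quote) and
    falls back to CFBundleVersion; 'unknown' if neither key is present.
    """
    info = plistlib.loads(info_plist_bytes)
    value = info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")
    return str(value) if value else "unknown"


def read_versions(components=COMPONENTS) -> dict:
    """Map component name -> installed version, or 'not installed' if absent.

    An absent MRT.app on a machine that should have it, or an XProtect.app
    missing on Catalina or later, is the condition worth alerting on.
    """
    result = {}
    for name, location in components.items():
        path = Path(location)
        if path.is_file():
            result[name] = bundle_version(path.read_bytes())
        else:
            result[name] = "not installed"
    return result


# Constructed sample Info.plist (not a real Apple file) for offline testing.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2000</string>
</dict>
</plist>
"""


if __name__ == "__main__":
    for component, version in read_versions().items():
        print(f"{component}: {version}")
```

Run it with the same Python on each Mac and diff the output; a host whose "XProtect definitions" number lags the others has not received the background update, and a Mojave host that reports an MRT version unchanged since spring 2022 is exactly the case the article describes.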