Protecting against malware in macOS
Apple operates a threat intelligence process to quickly identify and block malware.
Three layers of defence
Malware defences are structured in three layers:
1. Prevent launch or execution of malware: App Store, or Gatekeeper combined with Notarisation
2. Block malware from running on customer systems: Gatekeeper, Notarisation and XProtect
3. Remediate malware that has executed: XProtect
The first layer of defence is designed to inhibit the distribution of malware, and prevent it from launching even once — this is the goal of the App Store, and Gatekeeper combined with Notarisation.
The next layer of defence is to help ensure that if malware appears on any Mac, it’s quickly identified and blocked, both to halt spread and to remediate the Mac systems it’s already gained a foothold on. XProtect adds to this defence, along with Gatekeeper and Notarisation.
Finally, XProtect acts to remediate malware that has managed to successfully execute.
These protections, further described below, combine to support best-practice protection from viruses and malware. There are additional protections, particularly on a Mac with Apple silicon, to limit the potential damage of malware that does manage to execute. See Protecting app access to user data for ways that macOS can help protect user data from malware, and Operating system integrity for ways macOS can limit the actions malware can take on the system.
Notarisation is a malware scanning service provided by Apple. Developers who want to distribute apps for macOS outside the App Store submit their apps for scanning as part of the distribution process. Apple scans this software for known malware and, if none is found, issues a Notarisation ticket. Typically, developers staple this ticket to their app so Gatekeeper can verify and launch the app, even offline.
Apple can also issue a revocation ticket for apps known to be malicious — even if they’ve been previously notarised. macOS regularly checks for new revocation tickets so that Gatekeeper has the latest information and can block the launch of such files. This process can very quickly block malicious apps because updates happen in the background much more frequently than even the background updates that push new XProtect signatures. In addition, this protection can be applied to both apps that have been previously and those that haven’t.
macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically — independent from system updates — to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:
An app is first launched
An app has been changed (in the file system)
XProtect signatures are updated
When XProtect detects known malware, the software is blocked and the user is notified and given the option to move the software to the Bin.
Note: Notarisation is effective against known files (or file hashes) and can be used on apps that have been previously launched. The signature-based rules of XProtect are more generic than a specific file hash, so it can find variants that Apple has not seen. XProtect scans only apps that have been changed or apps at first launch.
Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). It also removes malware upon receiving updated information, and it continues to periodically check for infections. XProtect doesn’t automatically reboot the Mac.
Automatic XProtect security updates
Apple issues the updates for XProtect automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily. Notarisation updates, which are distributed using CloudKit sync, are much more frequent.
How Apple responds when new malware is discovered
When new malware is discovered, a number of steps may be performed:
Any associated Developer ID certificates are revoked.
Notarisation revocation tickets are issued for all files (apps and associated files).
XProtect signatures are developed and released.
These signatures are also applied retroactively to previously notarised software, and any new detections can result in one or more of the previous actions occurring.
Ultimately, a malware detection launches a series of steps over the next seconds, hours and days that follow to propagate the best protections possible to Mac users.