
Understand how XProtect works
macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. Its signatures are written in YARA, a pattern-matching language used for signature-based malware detection, and Apple updates them regularly.
Apple monitors for new malware infections and strains and updates signatures automatically—independent from system updates—to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. XProtect checks for known malicious content whenever the following happens:
An app is first launched
An app is changed in the file system
XProtect signatures are updated
When XProtect detects known malware, it blocks it and moves it to the Trash. Then it alerts the user in the Finder. Users might be asked to share malware samples with Apple to improve macOS security. If they agree, XProtect uploads only the malware executable or, if it’s in an app bundle, the entire bundle. Nothing else is shared.
Note: Notarization is effective against known files (or file hashes) and can be used on previously launched apps. The signature-based rules of XProtect are more generic than a specific file hash, so it can find variants that Apple hasn’t seen. XProtect scans only apps that have been changed or apps at first launch.
Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). This system removes malware upon receiving updated information, and it continues to periodically check for infections; however, XProtect doesn’t automatically restart the Mac. In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.
Apple issues the updates for XProtect automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily. Notarization updates, which are distributed using CloudKit sync, are much more frequent.
Check for installed versions of XProtect content
Press and hold the Option key while choosing Apple menu > System Information.
From the Software section of the sidebar, select Installations.
Scroll towards the bottom of the list to see install dates for the following:
XProtectCloudKitUpdate (only if the user is signed in with their Apple Account)
XProtectPayloads
XProtectPlistConfigData
Force an update of XProtect content
You can update XProtect if it appears out of date. Because this task involves the sudo command, the user must be an administrator on their Mac.
In the Finder, choose Go > Utilities, then open the Terminal app.
Enter the following, followed by the user’s password:
sudo xprotect update
Press Return, then wait for any updates to occur.
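The two procedures above (checking the install dates of the XProtect content packages, then forcing an update if they look stale) can be scripted from Terminal. The script below is an added example, not Apple's code: it reads the text that `system_profiler SPInstallHistoryDataType` prints (the command-line form of System Information > Installations), picks the newest entry for each of the three XProtect packages, and reports its age. The sample history embedded in the script is constructed, with made-up version numbers and dates, and the assumed layout of the `system_profiler` output (a package name line followed by indented `Version:`, `Source:` and `Install Date:` lines) is an assumption of this example; if your Mac prints a different layout, adjust the `awk` patterns in `latest_install`.

```shell
#!/bin/sh
# Added example (not Apple's code): report the newest install of each XProtect
# content package from `system_profiler SPInstallHistoryDataType` text.

# Constructed sample of the install history output. Versions and dates are
# made up; the layout is an assumption about what system_profiler prints.
SAMPLE_HISTORY='Installations:

    XProtectPlistConfigData:

      Version: 2170
      Source: Apple
      Install Date: 2024-05-20, 09:12:33

    XProtectPayloads:

      Version: 137
      Source: Apple
      Install Date: 2024-05-21, 11:02:10

    XProtectPlistConfigData:

      Version: 2171
      Source: Apple
      Install Date: 2024-06-03, 10:21:00

    XProtectCloudKitUpdate:

      Version: 6
      Source: Apple
      Install Date: 2024-06-04, 08:45:51
'

# latest_install NAME: read install-history text on stdin and print
# "VERSION DATE, TIME" for the most recent entry of package NAME.
latest_install() {
    awk -v want="$1:" '
        $1 == want                 { inblock = 1; next }
        inblock && /Version:/      { ver = $2 }
        inblock && /Install Date:/ {
            date = $3 " " $4            # "YYYY-MM-DD, HH:MM:SS" sorts as text
            if (date > best) { best = date; bestver = ver }
            inblock = 0
        }
        END { if (best != "") print bestver, best }
    '
}

# days_between FROM TO: whole days between two YYYY-MM-DD dates. Uses the
# integer day-count formula; exact for dates within the same century.
days_between() {
    awk -v a="$1" -v b="$2" '
        function days(s,   p, y, m, d) {
            split(s, p, "-"); y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
            if (m <= 2) { y--; m += 12 }
            return int(365.25 * y) + int(30.6001 * (m + 1)) + d
        }
        BEGIN { print days(b) - days(a) }
    '
}

# xprotect_report TODAY: read install-history text on stdin and print one
# line per XProtect package with its version, install date and age in days.
xprotect_report() {
    today=$1
    hist=$(cat)
    for name in XProtectCloudKitUpdate XProtectPayloads XProtectPlistConfigData; do
        set -- $(printf '%s\n' "$hist" | latest_install "$name")
        if [ -z "$1" ]; then
            printf '%-24s not found in install history\n' "$name"
            continue
        fi
        ver=$1
        day=${2%,}                       # drop the trailing comma after the date
        age=$(days_between "$day" "$today")
        printf '%-24s version %-5s installed %s (%s days ago)\n' "$name" "$ver" "$day" "$age"
    done
}

# Stand-alone run against the constructed sample.
# On a real Mac, feed the live data instead:
#   system_profiler SPInstallHistoryDataType | xprotect_report "$(date +%F)"
printf '%s\n' "$SAMPLE_HISTORY" | xprotect_report 2024-06-05
```

Since macOS checks for XProtect updates daily by default, an age of more than a few days for XProtectPlistConfigData or XProtectPayloads is worth a second look; that is the point at which an administrator would run `sudo xprotect update` as described above. XProtectCloudKitUpdate is absent from the history on a Mac that is not signed in with an Apple Account, which the report shows as "not found" rather than as an error.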