Protecting against malware in macOS
Apple operates a threat intelligence process to quickly identify and block malware.
Three layers of defense
Malware defenses are structured in three layers:
1. Prevent launch or execution of malware: App Store, or Gatekeeper combined with Notarization
2. Block malware from running on customer systems: Gatekeeper, Notarization, and XProtect
3. Remediate malware that has executed: XProtect
The first layer of defense is designed to inhibit the distribution of malware, and prevent it from launching even once—this is the goal of the App Store, and Gatekeeper combined with Notarization.
The next layer of defense is to help ensure that if malware appears on any Mac, it’s quickly identified and blocked, both to halt spread and to remediate the Mac systems it’s already gained a foothold on. XProtect adds to this defense, along with Gatekeeper and Notarization.
Finally, XProtect acts to remediate malware that has managed to successfully execute.
These protections, further described below, combine to support best-practice protection from viruses and malware. There are additional protections, particularly on a Mac with Apple silicon, to limit the potential damage of malware that does manage to execute. See Protecting app access to user data for ways that macOS can help protect user data from malware, and Operating system integrity for ways macOS can limit the actions malware can take on the system.
Notarization
Notarization is a malware scanning service provided by Apple. Developers who want to distribute apps for macOS outside the App Store submit their apps for scanning as part of the distribution process. Apple scans this software for known malware and, if none is found, issues a Notarization ticket. Typically, developers staple this ticket to their app so Gatekeeper can verify and launch the app, even offline.
Apple can also issue a revocation ticket for apps known to be malicious—even if they’ve been previously notarized. macOS regularly checks for new revocation tickets so that Gatekeeper has the latest information and can block launch of such files. This process can very quickly block malicious apps because revocation updates happen in the background much more frequently than even the background updates that push new XProtect signatures. In addition, this protection applies both to apps that have been previously launched and to those that haven’t.
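The Gatekeeper verdict the text describes (notarized and accepted, or rejected) can be checked from the command line with the stock spctl and stapler tools. The following Python wrapper is an added example, not Apple's code: it runs those tools and parses their output into a small verdict record. The sample tool outputs embedded at the bottom are constructed to resemble real output so that the parsing runs offline; assess() queries the live tools on a Mac.

```python
"""Check whether an app bundle would pass Gatekeeper's notarization check.

Added example (not Apple's code): wraps the stock macOS `spctl` and
`xcrun stapler` tools and parses their output into a verdict record.
The sample outputs at the bottom are constructed, not captured from a Mac.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class GatekeeperVerdict:
    path: str
    accepted: bool           # spctl's accept/reject decision
    source: str              # the assessment rule that matched, e.g. "Notarized Developer ID"
    stapled: Optional[bool]  # True if a notarization ticket is stapled; None if not checked


def parse_spctl(output: str) -> Tuple[bool, str]:
    """Parse `spctl -a -vv -t execute <path>` output.

    The first line is "<path>: accepted" or "<path>: rejected"; with -vv a
    "source=<rule>" line follows, naming the rule that produced the verdict.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    accepted = bool(lines) and lines[0].rstrip().endswith(": accepted")
    m = re.search(r"^source=(.+)$", output, re.MULTILINE)
    source = m.group(1).strip() if m else "unknown"
    return accepted, source


def parse_stapler(output: str) -> bool:
    """`xcrun stapler validate <path>` prints "The validate action worked!" when a ticket is stapled."""
    return "The validate action worked" in output


def verdict_from_output(path: str, spctl_output: str,
                        stapler_output: Optional[str]) -> GatekeeperVerdict:
    """Pure function over captured tool output, so it can be exercised without macOS."""
    accepted, source = parse_spctl(spctl_output)
    stapled = parse_stapler(stapler_output) if stapler_output is not None else None
    return GatekeeperVerdict(path, accepted, source, stapled)


def assess(path: str) -> GatekeeperVerdict:
    """Query the live tools on a macOS host. spctl writes its report to stderr."""
    sp = subprocess.run(["spctl", "-a", "-vv", "-t", "execute", path],
                        capture_output=True, text=True)
    st = subprocess.run(["xcrun", "stapler", "validate", path],
                        capture_output=True, text=True)
    return verdict_from_output(path, sp.stderr + sp.stdout, st.stdout + st.stderr)


def explain(v: GatekeeperVerdict) -> str:
    """Turn the verdict into its operational meaning for an administrator."""
    if v.accepted and v.source.startswith("Notarized"):
        note = "notarized, ticket stapled (verifiable offline)" if v.stapled \
            else "notarized, no stapled ticket (Gatekeeper fetches the ticket online)"
        return f"ALLOW {v.path}: {note}"
    if v.accepted:
        return f"ALLOW {v.path}: accepted by rule '{v.source}'"
    return f"BLOCK {v.path}: Gatekeeper rejects it ({v.source}); review before any override"


# Constructed sample outputs (shaped like the real tools, not captured from a Mac)
SAMPLE_SPCTL_ACCEPTED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_SPCTL_REJECTED = (
    "/Users/me/Downloads/Tool.app: rejected\n"
    "source=Unnotarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_STAPLER_OK = "Processing: /Applications/Example.app\nThe validate action worked!\n"
SAMPLE_STAPLER_MISSING = (
    "Processing: /Users/me/Downloads/Tool.app\n"
    "/Users/me/Downloads/Tool.app does not have a ticket stapled to it.\n"
)

if __name__ == "__main__":
    for p, sp, st in [("/Applications/Example.app", SAMPLE_SPCTL_ACCEPTED, SAMPLE_STAPLER_OK),
                      ("/Users/me/Downloads/Tool.app", SAMPLE_SPCTL_REJECTED, SAMPLE_STAPLER_MISSING)]:
        print(explain(verdict_from_output(p, sp, st)))
```

Note that spctl's assessment reflects the revocation tickets the Mac has already fetched, so a freshly revoked app may still be reported as accepted until the next background check.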
XProtect
macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. XProtect uses YARA signatures (YARA is a pattern-matching tool for signature-based malware detection), which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically—independent from system updates—to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:
An app is first launched
An app has been changed (in the file system)
XProtect signatures are updated
When XProtect detects known malware, it blocks it and moves it to the Trash. Then it alerts the user in the Finder. Users might be asked to share malware samples with Apple to improve macOS security. If they agree, XProtect uploads only the malware executable or, if it’s in an app bundle, the entire bundle. Nothing else is shared.
Note: Notarization is effective against known files (or file hashes) and can be used on apps that have been previously launched. The signature-based rules of XProtect are more generic than a specific file hash, so it can find variants that Apple hasn’t seen. XProtect scans only apps that have been changed or apps at first launch.
Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). This system removes malware upon receiving updated information, and it continues to periodically check for infections; however, XProtect doesn’t automatically restart the Mac. In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.
Automatic XProtect security updates
Apple issues the updates for XProtect automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily. Notarization updates, which are distributed using CloudKit sync, are much more frequent.
How Apple responds when new malware is discovered
When new malware is discovered, a number of steps may be performed:
Any associated Developer ID certificates are revoked.
Notarization revocation tickets are issued for all files (apps and associated files).
XProtect signatures are developed and released.
These signatures are also applied retroactively to previously notarized software, and any new detections can result in one or more of the previous actions occurring.
Ultimately, a malware detection launches a series of steps over the next seconds, hours, and days that follow to propagate the best protections possible to Mac users.
Gatekeeper bypass and XProtect events
macOS offers a secure API—the Endpoint Security API—for developers to create security software. On a Mac with macOS 15 or later, third-party developers can now receive events when a user bypasses Gatekeeper to run a program. This helps developers log these events centrally. It’s especially useful for security software and administrators, because it signals when untrusted software is running on endpoints. Moreover, users can view this event in the eslogger utility, which is built into macOS.
The Endpoint Security API also provides insights into XProtect malware detections. Developers can see:
Specific files that XProtect detected
The XProtect signature associated with the detection event
This additional information can be collected by third-party developers and stored for later incident response and central logging.
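The central-logging step described above can be prototyped without writing an Endpoint Security client: eslogger already prints one JSON object per event, so a small filter can flatten the Gatekeeper-override and XProtect-detection events into records for a SIEM. The following script is an added example, not Apple's code. It assumes the macOS 15 eslogger event names gatekeeper_user_override, xp_malware_detected and xp_malware_remediated and the field names detected_path, remediated_path, malware_identifier, signature_version and incident_identifier from the EndpointSecurity headers; the exact JSON layout (how "process", "file" and the event body are nested) and every sample line below are constructed, not captured from a Mac, so verify the field paths against real output before relying on them.

```python
"""Flatten eslogger JSON events for Gatekeeper overrides and XProtect detections.

Added example, not Apple's code. Assumed usage on a macOS 15 host:
    sudo eslogger gatekeeper_user_override xp_malware_detected xp_malware_remediated \
        | python3 es_normalize.py
Event and field names follow the macOS 15 EndpointSecurity headers; the JSON
nesting and the sample lines are constructed assumptions, not captured output.
"""
import json
import sys
from typing import Dict, Iterable, List, Optional

# eslogger event name -> (record kind, severity). The severities are our own choice.
EVENT_KINDS = {
    "gatekeeper_user_override": ("gatekeeper_override", "medium"),
    "xp_malware_detected": ("xprotect_detected", "high"),
    "xp_malware_remediated": ("xprotect_remediated", "high"),
}


def _file_path(body: Dict) -> Optional[str]:
    """The override event carries either a bare path or a file object; accept both (assumed shapes)."""
    f = body.get("file")
    if isinstance(f, dict):
        return f.get("file_path") or (f.get("file") or {}).get("path") or f.get("path")
    return f if isinstance(f, str) else None


def normalize(line: str) -> Optional[Dict]:
    """Return a flat record for the events we care about, or None for anything else."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    event = rec.get("event") or {}
    name = next((n for n in EVENT_KINDS if n in event), None)
    if name is None:
        return None
    kind, severity = EVENT_KINDS[name]
    proc = rec.get("process") or {}
    out = {
        "kind": kind,
        "severity": severity,
        "time": rec.get("time"),
        "process": (proc.get("executable") or {}).get("path"),
        "pid": (proc.get("audit_token") or {}).get("pid"),
    }
    body = event[name]
    if name == "gatekeeper_user_override":
        out["path"] = _file_path(body)
        out["sha256"] = body.get("sha256")
    else:
        out["path"] = body.get("detected_path") or body.get("remediated_path")
        out["signature"] = body.get("malware_identifier")
        out["signature_version"] = body.get("signature_version")
        out["incident"] = body.get("incident_identifier")
    return out


def summarize(records: Iterable[Dict]) -> Dict[str, int]:
    """Count records per kind, e.g. to drive an alert threshold."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return counts


# Constructed sample lines (nesting assumed; values are placeholders, not real IoCs)
SAMPLE_LINES = [
    json.dumps({"time": "2024-10-01T12:00:00Z",
                "process": {"executable": {"path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"},
                            "audit_token": {"pid": 512}},
                "event": {"gatekeeper_user_override": {
                    "file": {"file_path": "/Users/me/Downloads/Tool.app"},
                    "sha256": "<constructed-sha256>"}}}),
    json.dumps({"time": "2024-10-01T12:05:00Z",
                "process": {"executable": {"path": "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect"},
                            "audit_token": {"pid": 901}},
                "event": {"xp_malware_detected": {
                    "signature_version": "<constructed-version>",
                    "malware_identifier": "MACOS.EXAMPLE_FAMILY",
                    "incident_identifier": "<constructed-uuid>",
                    "detected_path": "/Users/me/Downloads/Tool.app/Contents/MacOS/Tool"}}}),
    json.dumps({"time": "2024-10-01T12:06:00Z", "event": {"exec": {}}}),  # unrelated event, ignored
]


def main(lines: Iterable[str]) -> List[Dict]:
    records = [r for r in (normalize(ln) for ln in lines) if r]
    for r in records:
        print(json.dumps(r))
    return records


if __name__ == "__main__":
    main(sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES)
```

A Gatekeeper override followed within minutes by an XProtect detection on the same path is exactly the sequence the page describes (untrusted software run, then caught by signatures), so correlating the two record kinds on "path" is the first rule worth writing on top of this output.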