Apple quietly updates malware scanning capabilities in more recent versions of macOS

Macs do not include prominent anti-malware software like Windows’ Defender. However, starting with 2009’s Snow Leopard, Apple began including basic anti-malware safeguards into macOS releases. Between major macOS security updates, a service called XProtect would automatically download and install updated malware definitions, primarily to prevent the installation of known, in-the-wild malware.

Apple has since introduced a number of what may be considered anti-malware tools to macOS, but they aren’t necessarily labelled as such. Access restrictions for hardware and software, as well as features like Gatekeeper and app notarization, System Integrity Protection and the Signed System Volume, are all designed to prevent unauthorised changes to critical system files and verify that installed applications perform as advertised. The Malware Removal Tool (MRT) is another hidden utility that works like a standard anti-malware scanner by checking for and eliminating any malware existing on your system. It receives regular definitions updates from Apple.

Eclectic Light Company’s Howard Oakley keeps tabs on when XProtect and the MRT are updated and maintains many utilities to verify the definitions you’re using (as well as your installed firmware and other Mac esoterica that Apple regularly updates but rarely mentions). And he claims that over the past few months, Apple’s anti-malware technologies have undergone a significant but mostly unnoticed shift.

Since the 12.3 update for macOS Monterey, he has been keeping tabs on a new “XProtect.app” functionality that has been rolled out to Monterey, Big Sur (11), and Catalina (10.15). This is the new programme that has replaced the MRT, and it appears under that familiar name in the latest version of Apple’s Platform Security documentation. XProtect.app appears to perform a more thorough search for known malware than the MRT did.
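To see which of these components a Mac actually has, and how current their definitions are, a defender can read the version string out of each bundle’s Info.plist. The script below is an added example for this article, not code from Apple or from Howard Oakley’s utilities. The three bundle paths are the standard locations under /Library/Apple/System/Library/CoreServices on Catalina and later (an assumption that the layout is unchanged on the reader’s machine); the sample plist and the version numbers used in the comparison are constructed for the example so that it also runs off a Mac.

```python
"""Report the installed versions of Apple's built-in malware-scanning components.

Added example (not from the article or from Howard Oakley's tools). Reads
CFBundleShortVersionString from each component's Info.plist so the installed
definitions can be compared against a baseline the reader supplies.
"""
import plistlib
from pathlib import Path
from typing import Dict, Optional, Tuple
from xml.parsers.expat import ExpatError

# Assumption: standard bundle locations on macOS 10.15 (Catalina) and later.
COMPONENTS: Dict[str, str] = {
    "XProtect definitions (XProtect.bundle)":
        "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist",
    "XProtect scanner (XProtect.app)":
        "/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist",
    "Malware Removal Tool (MRT.app)":
        "/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist",
}

# Constructed sample Info.plist; the version number is made up for this example.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.constructed.XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2166</string>
</dict>
</plist>
"""


def read_bundle_version(plist_bytes: bytes) -> Optional[str]:
    """Return CFBundleShortVersionString from Info.plist data (XML or binary),
    or None if the data is not a plist or carries no version string."""
    try:
        info = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return None
    if not isinstance(info, dict):
        return None
    version = info.get("CFBundleShortVersionString")
    return version if isinstance(version, str) else None


def versions_from_plists(plists: Dict[str, Optional[bytes]]) -> Dict[str, Optional[str]]:
    """Map component name -> version string; None where the bundle is absent."""
    return {name: (read_bundle_version(data) if data is not None else None)
            for name, data in plists.items()}


def installed_versions(components: Dict[str, str] = COMPONENTS) -> Dict[str, Optional[str]]:
    """Read the real Info.plist files from disk (only meaningful on macOS)."""
    plists = {}
    for name, path in components.items():
        p = Path(path)
        plists[name] = p.read_bytes() if p.is_file() else None
    return versions_from_plists(plists)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.93' or '2166' into a comparable tuple.
    Non-numeric segments are treated as 0 so comparison never raises."""
    parts = []
    for seg in version.split("."):
        parts.append(int(seg) if seg.isdigit() else 0)
    return tuple(parts)


def is_at_least(installed: str, baseline: str) -> bool:
    """True when the installed version is the baseline or newer."""
    return parse_version(installed) >= parse_version(baseline)


if __name__ == "__main__":
    for name, version in installed_versions().items():
        print(f"{name}: {version if version else 'not installed'}")
```

Run it on the Mac in question and compare each line against the versions Apple last shipped (Oakley’s site tracks those); a component reported as “not installed” on Catalina or later is itself worth investigating, and an MRT that stops moving while XProtect keeps updating is exactly the situation the article describes for older releases.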

“In the last six months macOS malware protection has changed more than it did over the previous seven years,” Oakley writes. “It has now gone fully preemptive, as active as many commercial anti-malware products, provided that your Mac is running Catalina or later.”

Based on research Oakley conducted using a Mac with sleep disabled, the XProtect programme performs malware scans at least once daily “during periods of minimal user activity,” meaning when the computer is idle. The scanning frequency appears to be chosen on a case-by-case basis, and it may scan considerably more often than that: according to what Oakley has seen, XProtect scans for DubRobber malware “every hour or two.” By contrast, the MRT was only activated “rarely,” and “most obviously” just after the computer booted up.

It’s important to note that Apple occasionally continues to release updates for these auxiliary tools long after it has stopped releasing security-related fixes, even for users of earlier macOS versions. Oakley claims that updates were made to XProtect and the MRT on macOS versions as far back as El Capitan (10.11), which was launched in 2015.

This implies that the new XProtect utility will continue to be useful for users of macOS Catalina even after security updates expire, but it appears that the older MRT programme is no longer receiving updates for Mojave (14.1) and previous macOS versions. By Oakley’s estimation, those MRT updates stopped shortly after the introduction of macOS 12.3 and the new XProtect software in April 2022. Since those older releases are already less secure than up-to-date macOS, users who wish to keep their machines safe should consider updating before the old MRT utility is abandoned.