macOS Catalina and later include an anti-malware scanning service, XProtect Remediator (XPR), that periodically checks your Mac for known malware. If it detects anything untoward, it tries to remove it in a process Apple terms remediation. Because this is all performed as a background service, XPR doesn’t inform you when it scans, or when it detects and remediates malware. Instead it records those events in the log, and in Ventura and later makes them available to third-party software through Endpoint Security events.
To help you keep track of this, three of my utilities report on XPR: SilentKnight runs a quick check on the last 24 hours, as can Mints, and XProCheck provides detailed reports for periods of up to 30 days.
Every few weeks I get a flurry of comments here, and emails, when those using XProCheck, or browsing the log, notice warnings and strange behaviour by XPR. This article explains what’s happening, and why it’s perfectly healthy.
It seems absolutely bizarre to me that such malware scans just happen in the background without informing the user when it finds anything. That feels a lot like treating the symptoms while the patient’s sleeping, without informing them they’re sick.
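As an added example (not part of the original post, of Apple's documentation, or of Howard Oakley's SilentKnight/XProCheck code), the script below shows how to pull XPR's scan results out of the unified log yourself, since that log is the only place the system records them. It assumes that XPR logs under the subsystem com.apple.XProtectFramework.PluginAPI with category XPEvent.structured and that each event carries a JSON body with a "status_message" field reading "Scan for <family> detected no infections" when nothing was found; those names are my assumptions, and the sample log lines are constructed to look like `log show` output rather than captured from a real Mac.

```shell
#!/bin/sh
# Added example: summarise XProtect Remediator (XPR) activity from the unified log.
# Not from the original page, Apple, or Howard Oakley's tools.
#
# Assumptions (mine, not stated on the page):
#   - XPR events are selectable with subsystem com.apple.XProtectFramework.PluginAPI
#     and category XPEvent.structured.
#   - Each event's JSON body has a "status_message" that reads
#     "Scan for <family> detected no infections" for a clean scan.
# XPR_SAMPLE is constructed to resemble `log show` output; it is not real data.

XPR_PREDICATE='subsystem == "com.apple.XProtectFramework.PluginAPI" AND category == "XPEvent.structured"'

XPR_SAMPLE='2024-03-10 02:11:04.120345+0000 0x1a2b Default 0x0 512 0 XProtectRemediatorAdload: [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"caller":"XProtect","execution_duration":0.84,"status_code":0,"status_message":"Scan for Adload detected no infections"}
2024-03-10 02:11:06.301122+0000 0x1a2c Default 0x0 513 0 XProtectRemediatorDubRobber: [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"caller":"XProtect","execution_duration":1.37,"status_code":0,"status_message":"Scan for DubRobber detected 1 infection, remediation performed"}
2024-03-10 02:11:07.018800+0000 0x1a2d Default 0x0 514 0 XProtectRemediatorPirrit: [com.apple.XProtectFramework.PluginAPI:XPEvent.structured] {"caller":"XProtect","execution_duration":0.41,"status_code":0,"status_message":"Scan for Pirrit detected no infections"}'

# Print one status_message per XPR event read from stdin.
xpr_messages() {
    sed -n 's/.*"status_message":"\([^"]*\)".*/\1/p'
}

# Number of XPR scan events on stdin.
xpr_count_scans() {
    xpr_messages | awk 'END { print NR }'
}

# Only the scans that did not come back clean: the events a user would
# otherwise never hear about, because XPR shows no UI for them.
xpr_flagged() {
    xpr_messages | awk '!/detected no infections/'
}

# Number of non-clean scan events on stdin.
xpr_count_flagged() {
    xpr_flagged | awk 'END { print NR }'
}

# Read the last N hours (default 24) from the live log and print flagged scans.
# Returns 1 when log(1) is unavailable, i.e. when not running on macOS.
xpr_report_last() {
    hours="${1:-24}"
    if ! command -v log >/dev/null 2>&1; then
        echo "log(1) not found; the live query only works on macOS" >&2
        return 1
    fi
    log show --predicate "$XPR_PREDICATE" --last "${hours}h" | xpr_flagged
}

# Run against the constructed sample unless invoked with --live on a Mac.
if [ "${1:-}" = "--live" ]; then
    xpr_report_last 24
else
    printf '%s\n' "$XPR_SAMPLE" | xpr_flagged
fi
```

Run it with `--live` on a Mac to query the real log for the last 24 hours; without arguments it filters the constructed sample and prints only the DubRobber line, which is the kind of event a user is never told about.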
Thom Holwerda,
I’m not familiar with macOS internals and this is all news to me, but the tin-foil-hat explanation is that if owners don’t know they were infected, then this will let them continue to believe they weren’t infected and keep defending the false narrative that macOS cannot be infected.
Alfman,
This is just another macOS internal thing I had no idea existed in the background. But my understanding so far is that very few things become high-level user interfaces.
Because Apple does not want to introduce an app (or an API) just to deprecate it in the next version.
If I were to guess, the OS team needed this feature to keep the system secure. But there was not enough traction to surface this as a long term UI to the users.
(If I were to personally put companies on a scale, IBM would be the one that almost never deprecates anything, Apple does, but rarely and slowly, Microsoft is in the middle, and some things like Windows 1.0 back compat on Windows 10 30+ years later is impressive, last but not least Google would be the most trigger happy among these big ones).
sukru,
I don’t find it plausible. Apple are a trillion dollar company and the dev resources would have been modest, literally an intern could have done it. If an interface isn’t there, it’s because apple didn’t want there to be an interface.
If it’s an internal interface, apple can change it as needed with no long term requirement.
Exactly, Justin Long told macOS users that macOS doesn’t get viruses (not directly but clearly implied), so Apple has to maintain the illusion this is true. “It’s not an antivirus, it’s a remediator. Also, it’s not a malware quarantine, it’s remediation”.
Thing is, malware quarantine warnings serve as an indication you are doing risky things with your computer, and Mac users won’t get any of that feedback.
kurkosdr,
Some of apple’s ads implied it as well.
“I run macos 10 so I don’t have to worry about your spyware and viruses”
I find the use of “your” to be very coy because it gives customers the impression that macos has no spyware or viruses while plausibly letting apple’s legal department semantically argue that they never claimed that there are no macos viruses.
https://www.youtube.com/watch?v=qfv6Ah_MVJU
Indeed, informing users is objectively the responsible thing to do, but user education conflicts with Apple PR, and Apple chose PR over education. Still, the truth is that macOS binaries can contain malware just like Windows (or Linux) ones, and users who are careless are taking risks regardless of platform.
https://www.macworld.com/article/672879/list-of-mac-viruses-malware-and-security-flaws.html
“It seems absolutely bizarre to me that such malware scans just happen in the background without informing the user when it finds anything”
Microsoft does the same thing with its MRT.exe malware removal tool that runs during Windows Update. It automatically removes the malware and simply logs it to a file (and possibly informs Microsoft).
sloth,
Are you absolutely positive there is no feedback? I cannot test it now, but this is what the Microsoft docs say about it running in quiet mode…
https://support.microsoft.com/en-gb/topic/remove-specific-prevalent-malware-with-windows-malicious-software-removal-tool-kb890830-ba51b71f-39cd-cdec-73eb-61979b0661e0
https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web#:~:text=When%20XProtect%20detects%20known%20malware,the%20software%20to%20the%20Trash.
XProtect
macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly. Apple monitors for new malware infections and strains, and updates signatures automatically—independent from system updates—to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:
An app is first launched
An app has been changed (in the file system)
XProtect signatures are updated
When XProtect detects known malware, the software is blocked and the user is notified and given the option to move the software to the Trash.
Same as what Microsoft does.
Windows Sucks,
One difference is that Windows notifies the users of malware, whereas this article claims that XProtect does its job without notifying the owner that the system was compromised. Your link doesn’t contradict this claim. Do you think the article is wrong? Do you agree that the owner should be kept in the loop when XProtect detects the system was breached?