Why macOS anti-malware scans can behave oddly

macOS Catalina and later include an anti-malware scanning service, XProtect Remediator (XPR), that periodically checks your Mac for known malware. If it detects anything untoward, it tries to remove it in a process Apple terms remediation. Because this is all performed as a background service, XPR doesn’t inform you when it scans, or when it detects and remediates malware. Instead it records those events in the log, and in Ventura and later makes them available to third-party software through Endpoint Security events.

To help you keep track of this, three of my utilities report on XPR: SilentKnight runs a quick check on the last 24 hours, as can Mints, and XProCheck provides detailed reports for periods of up to 30 days.

Every few weeks I get a flurry of comments here, and emails, when those using XProCheck, or browsing the log, notice warnings and strange behaviour by XPR. This article explains what’s happening, and why it’s perfectly healthy.

It seems absolutely bizarre to me that such malware scans just happen in the background without informing the user when it finds anything. That feels a lot like treating the symptoms while the patient’s sleeping, without informing them they’re sick.


  1. 2023-08-13 4:11 pm
    • 2023-08-13 5:48 pm
      • 2023-08-13 6:03 pm
    • 2023-08-14 9:49 am
      • 2023-08-14 11:51 am
  2. 2023-08-14 5:27 am
    • 2023-08-14 12:22 pm
  3. 2023-08-14 6:01 pm
    • 2023-08-14 9:09 pm