Security & Privacy

XProtect

Overview

XProtect is macOS's built-in malware detection system. It uses YARA-based signature rules to scan files when they are first opened (if they have a quarantine flag) and a background remediator (XProtect Remediator, formerly MRT) that periodically scans for known malware. XProtect signatures are updated automatically by Apple, independent of macOS system updates.

For forensic investigators, XProtect's configuration reveals the current detection capability of the endpoint and can indicate whether known malware families were potentially detected or missed.

Forensic Significance

Evidence Type                      | Forensic Value
---------------------------------- | -------------------------------------------------------------------------------------
YARA signature version             | Whether the endpoint had up-to-date malware signatures
Signature definitions              | Which malware families the system can detect
Blocklist entries                  | Specific app versions blocked from execution
Remediator scan results            | Evidence of malware detection and removal
XProtect version vs. known threats | Gap analysis: was the endpoint protected against a specific threat at the time of compromise?

File Locations

Component              | Path                                                                            | Format
---------------------- | ------------------------------------------------------------------------------- | ----------
XProtect bundle        | /Library/Apple/System/Library/CoreServices/XProtect.bundle/                     | Bundle
YARA signatures        | .../XProtect.bundle/Contents/Resources/XProtect.yara                            | YARA rules
Signature plist        | .../XProtect.bundle/Contents/Resources/XProtect.meta.plist                      | Plist
Blocklist database     | .../XProtect.bundle/Contents/Resources/gk.db                                    | SQLite
XProtect Remediator    | /Library/Apple/System/Library/CoreServices/XProtect.app/                        | App bundle
MRT Agent (legacy)     | /Library/Apple/System/Library/CoreServices/MRTAgent.app/                        | App bundle
XProtect version plist | /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist  | Plist

Key Data

YARA Signatures

The XProtect.yara file contains YARA rules for detecting known macOS malware families. Each rule targets a specific threat:

rule XProtect_MACOS_2fc5997
{
    meta:
        description = "OSX.Bundlore"
    strings:
        $s1 = { 48 89 ... }
    condition:
        Macho and filesize < 500000 and $s1
}
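To turn the rule file into an inventory of detectable families, the script below parses rule names and their meta `description` values. It is an added example, not Apple's code and not part of any tool the page lists; it assumes the layout shown above (each rule opens with `rule <name>` and closes with a `}` at the start of a line). The embedded sample is constructed in that layout; the second rule name, its family name and the hex bytes are made up.

```python
"""List the malware families an XProtect.yara signature set names.

Added example (not Apple's code or the page's tooling). It assumes the file
layout shown above: each rule opens with 'rule <name>' and closes with a '}' at
the start of a line, and carries a meta 'description' naming the family.
"""
import os
import re

XPROTECT_YARA = ("/Library/Apple/System/Library/CoreServices/XProtect.bundle/"
                 "Contents/Resources/XProtect.yara")

# Constructed sample in the same layout as XProtect.yara. The third rule, its
# family name and all hex bytes are made up for this example.
SAMPLE_YARA = r'''
private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf or uint32(0) == 0xcafebabe
}

rule XProtect_MACOS_2fc5997
{
    meta:
        description = "OSX.Bundlore"
    strings:
        $s1 = { 48 89 e5 41 57 }
    condition:
        Macho and filesize < 500000 and $s1
}

rule XProtect_MACOS_example01
{
    meta:
        description = "OSX.ExampleFamily.A"
    strings:
        $a = "example-marker"
    condition:
        Macho and $a
}
'''

# One rule: optional 'private', the name, anything up to '{', then the body up
# to a '}' that starts a line (XProtect.yara closes every rule that way).
RULE_RE = re.compile(
    r'^(?P<private>private\s+)?rule\s+(?P<name>\w+)[^{]*\{(?P<body>.*?)^\}',
    re.MULTILINE | re.DOTALL,
)
DESC_RE = re.compile(r'description\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_rules(text):
    """Return [(rule_name, description, is_private), ...] in file order."""
    rules = []
    for m in RULE_RE.finditer(text):
        d = DESC_RE.search(m.group("body"))
        rules.append((m.group("name"),
                      d.group(1) if d else "",
                      m.group("private") is not None))
    return rules


def detectable_families(text):
    """Sorted, de-duplicated family names from the public (non-private) rules."""
    return sorted({desc for _, desc, private in parse_rules(text)
                   if not private and desc})


def rules_for_family(text, family):
    """Rule names whose description mentions a family, e.g. 'Bundlore'."""
    needle = family.lower()
    return [name for name, desc, _ in parse_rules(text) if needle in desc.lower()]


def load_yara(path=XPROTECT_YARA):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()


if __name__ == "__main__":
    # Use the real signature file when present (or a copy from an image),
    # otherwise fall back to the constructed sample.
    text = load_yara() if os.path.exists(XPROTECT_YARA) else SAMPLE_YARA
    for family in detectable_families(text):
        print(family)
```

Point `load_yara()` at a copy exported from an image to compare two signature sets: the difference between `detectable_families()` outputs is the list of families one endpoint could name and the other could not.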

Blocklist Database (gk.db)

The gk.db SQLite database contains records of specific application bundle IDs and versions that are blocked from execution.

SELECT * FROM conditions;
SELECT * FROM authorities;
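Because the page does not document the column layout of gk.db, a safe way to inspect a copy is to discover its tables from `sqlite_master` and open it read-only so the evidence cannot be altered. The script below is an added example, not code from the page or any tool; the sample database it builds uses constructed table and column names only so that it runs offline.

```python
"""Dump every table of a gk.db copy without risking changes to the evidence.

Added example, not code from the page or any tool. gk.db's schema is not
documented on the page, so tables are discovered via sqlite_master rather than
assumed; the sample database built below uses constructed table and column
names purely so the code can run offline.
"""
import os
import sqlite3
import tempfile
from pathlib import Path

GK_DB = ("/Library/Apple/System/Library/CoreServices/XProtect.bundle/"
         "Contents/Resources/gk.db")


def open_readonly(path):
    """Open with mode=ro: writes are refused, and a wrong path is an error
    rather than a silently created empty database."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def list_tables(conn):
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def dump_table(conn, table):
    """Return (column_names, rows). The identifier is quoted because table
    names come from the database itself, not from a fixed schema."""
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(f"SELECT * FROM {quoted}")
    return [d[0] for d in cur.description], cur.fetchall()


def dump_all(path):
    conn = open_readonly(path)
    try:
        return {t: dump_table(conn, t) for t in list_tables(conn)}
    finally:
        conn.close()


def write_is_refused(path):
    """True when the read-only handle rejects a schema change."""
    conn = open_readonly(path)
    try:
        conn.execute("CREATE TABLE __probe (x)")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def make_sample_db(path):
    """Constructed stand-in for gk.db; this schema is invented for the example."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE conditions (id INTEGER PRIMARY KEY, bundle_id TEXT, version TEXT);
        CREATE TABLE authorities (id INTEGER PRIMARY KEY, label TEXT);
        INSERT INTO conditions VALUES (1, 'com.example.blocked-app', '1.2.3');
        INSERT INTO conditions VALUES (2, 'com.example.blocked-app', '1.2.4');
        INSERT INTO authorities VALUES (1, 'constructed-authority');
    """)
    conn.commit()
    conn.close()


def demo():
    """Build the sample, confirm it is opened read-only, and return the dump."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gk.db")
        make_sample_db(path)
        if not write_is_refused(path):
            raise RuntimeError("read-only open did not refuse writes")
        return dump_all(path)


if __name__ == "__main__":
    dump = dump_all(GK_DB) if os.path.exists(GK_DB) else demo()
    for table, (cols, rows) in dump.items():
        print(f"== {table} ({len(rows)} rows): {', '.join(cols)}")
        for row in rows:
            print("  ", row)
```

Work from a copy of gk.db taken off the image rather than the live file, and keep the `mode=ro` open even then; the same dump routine then works unchanged for the `SystemPolicy` database or any other SQLite artifact whose schema you have not yet confirmed.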

Version Information

# Check XProtect version
defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString

# Check Remediator version
defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString
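The signature-currency comparison described in the Analysis Notes can be scripted against the same Info.plist files. The following is an added example, not the page's or Apple's code: it reads `CFBundleShortVersionString` with `plistlib`, takes the plist's modification time as a proxy for install time, and reports whether the signatures on disk were in place before a suspected compromise. The `root` prefix for a mounted image, the version "2186" and the dates in the demo are all constructed.

```python
"""Signature-currency check: read the XProtect and Remediator versions and
compare the signature bundle's modification time with a suspected compromise
time.

Added example, not the page's or Apple's code. It assumes the Info.plist paths
in the file-location table and that a 'root' prefix (the mount point of an
image) can be prepended to them. The modification time is only a proxy for
install time: a copied file carries whatever mtime the copy gave it, so
confirm with install logs where possible.
"""
import os
import plistlib
import tempfile
from datetime import datetime, timezone

XPROTECT_INFO = ("/Library/Apple/System/Library/CoreServices/XProtect.bundle/"
                 "Contents/Info.plist")
REMEDIATOR_INFO = ("/Library/Apple/System/Library/CoreServices/XProtect.app/"
                   "Contents/Info.plist")


def on_root(path, root="/"):
    """Map an absolute macOS path onto an image mounted at `root`."""
    return os.path.join(root, path.lstrip("/"))


def read_version(plist_path):
    """CFBundleShortVersionString, the value `defaults read` above prints."""
    with open(plist_path, "rb") as f:
        info = plistlib.load(f)
    return info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")


def modified_at(path):
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def signature_currency(plist_path, compromise_at):
    """Was this signature set already on disk before the compromise? A
    negative age means the signatures were installed afterwards, so the
    version present at the time of compromise is unknown from this file."""
    installed = modified_at(plist_path)
    return {
        "version": read_version(plist_path),
        "installed": installed,
        "installed_before_compromise": installed <= compromise_at,
        "age_at_compromise_days": (compromise_at - installed).days,
    }


def make_sample_plist(path, version, mtime):
    """Constructed Info.plist carrying only the key this check needs."""
    with open(path, "wb") as f:
        plistlib.dump({"CFBundleShortVersionString": version}, f)
    os.utime(path, (mtime.timestamp(), mtime.timestamp()))


def demo():
    """Constructed scenario: signatures dated 2024-03-01, compromise 2024-03-15."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "Info.plist")
        make_sample_plist(p, "2186", datetime(2024, 3, 1, tzinfo=timezone.utc))
        return signature_currency(p, datetime(2024, 3, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    root = os.environ.get("IMAGE_ROOT", "/")   # hypothetical mount-point variable
    for label, rel in (("XProtect", XPROTECT_INFO), ("Remediator", REMEDIATOR_INFO)):
        p = on_root(rel, root)
        if os.path.exists(p):
            print(label, read_version(p), modified_at(p).isoformat())
    print(demo())
```

On a live system the mtime of `Info.plist` tracks the last XProtect update delivered by Software Update, which is the figure to set beside the compromise date; on an image, check that the acquisition preserved timestamps before relying on it.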

Analysis Notes

  • Signature currency: Compare the XProtect version timestamp against the date of a suspected compromise. If XProtect was outdated, it may not have detected the specific malware involved.
  • YARA rule analysis: Review the YARA rules to determine which malware families are detectable. This helps scope what the endpoint was and was not protected against.
  • Blocklist gaps: The blocklist (gk.db) only covers known-bad bundle IDs and versions. Novel or repackaged malware will not appear.
  • Remediator logs: XProtect Remediator runs periodic scans. Check Unified Logs with subsystem:com.apple.XProtect for scan results and detections.
  • Automatic updates: XProtect updates are delivered via Software Update independently of macOS updates. A system with disabled automatic updates may have stale signatures.
  • SIP protection: XProtect bundles are protected by SIP. Modifications to these files on a SIP-enabled system indicate sophisticated compromise.
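For the Remediator-log note above, the entries of interest can be pulled out of an exported Unified Log and ordered into a timeline. The script below is an added example, not code from the page; it assumes the export came from `log show --style json` (a JSON array) or `--style ndjson` (one record per line), live or from a `.logarchive` via `--archive`, and that records carry the `timestamp`, `subsystem`, `category`, `eventMessage` and `processImagePath` keys. Matching on the `com.apple.XProtect` prefix rather than the exact subsystem is an assumption made so that related XProtect subsystems are also caught. The sample records are constructed and their message text does not reproduce real XProtect wording.

```python
"""Pull XProtect entries out of exported Unified Log JSON and build a timeline.

Added example, not code from the page. Assumes `log show --style json` (array)
or `--style ndjson` (one record per line) output with the keys 'timestamp',
'subsystem', 'category', 'eventMessage' and 'processImagePath'. Prefix matching
on the subsystem is an assumption; the sample records are constructed.
"""
import json
import os
from datetime import datetime

SUBSYSTEM_PREFIX = "com.apple.XProtect"   # from the Analysis Notes above

# Constructed sample: three records, deliberately out of time order, with one
# unrelated subsystem mixed in. Process path and messages are made up.
_REMEDIATOR = ("/Library/Apple/System/Library/CoreServices/XProtect.app/"
               "Contents/MacOS/constructed-remediator")
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-03-15 02:12:40.000000+0000",
     "subsystem": "com.apple.XProtect", "category": "constructed-detection",
     "processImagePath": _REMEDIATOR,
     "eventMessage": "constructed: match reported for sample item"},
    {"timestamp": "2024-03-15 02:11:05.000000+0000",
     "subsystem": "com.apple.securityd", "category": "constructed",
     "processImagePath": "/usr/libexec/securityd",
     "eventMessage": "constructed: unrelated entry"},
    {"timestamp": "2024-03-15 02:10:11.000000+0000",
     "subsystem": "com.apple.XProtect", "category": "constructed-scan",
     "processImagePath": _REMEDIATOR,
     "eventMessage": "constructed: scan started"},
])
# The same records in ndjson form, to exercise the second input shape.
SAMPLE_LOG_NDJSON = "\n".join(json.dumps(r) for r in json.loads(SAMPLE_LOG_JSON))


def parse_log_export(text):
    """Accept either a JSON array (--style json) or ndjson lines."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_timestamp(value):
    # `log show` prints timestamps like '2024-03-15 02:10:11.123456-0700'.
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z")


def xprotect_timeline(records, prefix=SUBSYSTEM_PREFIX):
    """Records whose subsystem starts with the prefix, oldest first."""
    events = []
    for r in records:
        if not str(r.get("subsystem", "")).startswith(prefix):
            continue
        events.append({
            "time": parse_timestamp(r["timestamp"]),
            "subsystem": r["subsystem"],
            "category": r.get("category", ""),
            "process": os.path.basename(r.get("processImagePath", "")),
            "message": r.get("eventMessage", ""),
        })
    events.sort(key=lambda e: e["time"])
    return events


def events_between(events, start, end):
    """Narrow a timeline to the window around a suspected compromise."""
    return [e for e in events if start <= e["time"] <= end]


def count_by_category(events):
    """Quick tally to see which kinds of entries the window contains."""
    counts = {}
    for e in events:
        counts[e["category"]] = counts.get(e["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in xprotect_timeline(parse_log_export(SAMPLE_LOG_JSON)):
        print(e["time"].isoformat(), e["process"], e["category"], e["message"])
```

Feed it the output of `log show --predicate 'subsystem BEGINSWITH "com.apple.XProtect"' --style json` (with `--archive <path>` for a collected logarchive) and use `events_between()` with the compromise window from the signature-currency check to see whether any scan or detection activity fell inside it.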

Version Differences

macOS Version        | Changes
-------------------- | --------------------------------------------------------
10.6 (Snow Leopard)  | XProtect introduced (basic signature scanning)
10.15 (Catalina)     | Enhanced scanning, YARA-based rules
12 (Monterey)        | XProtect Remediator replaces MRT; background scanning
13 (Ventura)         | Remediator runs more frequently; expanded detections
14 (Sonoma)          | Improved real-time response capabilities

Tool Support

Tool                     | Support
------------------------ | --------------------------------------
macfor                   | Not yet implemented (planned)
defaults (macOS built-in) | Read XProtect version info
yara                     | Parse and test YARA signature rules
sqlite3                  | Inspect blocklist database
log (macOS built-in)     | Review XProtect Unified Log entries

References
