Security & Privacy
XProtect
Overview
XProtect is macOS's built-in malware detection system. It uses YARA-based signature rules to scan files when they are first opened (if they have a quarantine flag) and a background remediator (XProtect Remediator, formerly MRT) that periodically scans for known malware. XProtect signatures are updated automatically by Apple, independent of macOS system updates.
For forensic investigators, XProtect's configuration reveals the current detection capability of the endpoint and can indicate whether known malware families were potentially detected or missed.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| YARA signature version | Whether the endpoint had up-to-date malware signatures |
| Signature definitions | Which malware families the system can detect |
| Blocklist entries | Specific app versions blocked from execution |
| Remediator scan results | Evidence of malware detection and removal |
| XProtect version vs. known threats | Gap analysis — was the endpoint protected against a specific threat at time of compromise? |
File Locations
| Component | Path | Format |
|---|---|---|
| XProtect bundle | /Library/Apple/System/Library/CoreServices/XProtect.bundle/ | Bundle |
| YARA signatures | .../XProtect.bundle/Contents/Resources/XProtect.yara | YARA rules |
| Signature plist | .../XProtect.bundle/Contents/Resources/XProtect.meta.plist | Plist |
| Blocklist database | .../XProtect.bundle/Contents/Resources/gk.db | SQLite |
| XProtect Remediator | /Library/Apple/System/Library/CoreServices/XProtect.app/ | App bundle |
| MRT Agent (legacy) | /Library/Apple/System/Library/CoreServices/MRTAgent.app/ | App bundle |
| XProtect version plist | /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist | Plist |
Key Data
YARA Signatures
The XProtect.yara file contains YARA rules for detecting known macOS malware families. Each rule targets a specific threat:
```yara
rule XProtect_MACOS_2fc5997
{
    meta:
        description = "OSX.Bundlore"
    strings:
        $s1 = { 48 89 ... }
    condition:
        Macho and filesize < 500000 and $s1
}
```
Blocklist Database (gk.db)
The gk.db SQLite database contains records of specific application bundle IDs and versions that are blocked from execution.
```sql
SELECT * FROM conditions;
SELECT * FROM authorities;
```
Version Information
```shell
# Check XProtect version
defaults read /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist CFBundleShortVersionString
# Check Remediator version
defaults read /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist CFBundleShortVersionString
```
Analysis Notes
- Signature currency: Compare the XProtect version timestamp against the date of a suspected compromise. If XProtect was outdated, it may not have detected the specific malware involved.
- YARA rule analysis: Review the YARA rules to determine which malware families are detectable. This helps scope what the endpoint was and was not protected against.
- Blocklist gaps: The blocklist (gk.db) only covers known-bad bundle IDs and versions. Novel or repackaged malware will not appear.
- Remediator logs: XProtect Remediator runs periodic scans. Check Unified Logs with subsystem:com.apple.XProtect for scan results and detections.
- Automatic updates: XProtect updates are delivered via Software Update independently of macOS updates. A system with disabled automatic updates may have stale signatures.
- SIP protection: XProtect bundles are protected by SIP. Modifications to these files on a SIP-enabled system indicate sophisticated compromise.
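The signature-currency and YARA-rule-analysis steps above can be scripted against a copy of the XProtect bundle pulled from an image. The following is an added example, not part of the macfor project or Apple's code; the YARA text and Info.plist it parses are constructed samples in the same layout as the real files, and the "last update" date is assumed to be taken from the bundle's modification time.

```python
import plistlib
import re
from datetime import date

# Constructed sample in the layout of XProtect.yara (not real Apple signatures).
SAMPLE_YARA = """
private rule Macho
{
    meta:
        description = "private helper: match Mach-O headers"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf
}

rule XProtect_MACOS_example_a
{
    meta:
        description = "OSX.Bundlore"
    strings:
        $s1 = { 48 89 e5 }
    condition:
        Macho and filesize < 500000 and $s1
}

rule XProtect_MACOS_example_b
{
    meta:
        description = "OSX.Adload.A"
    strings:
        $s1 = "constructed-marker"
    condition:
        Macho and $s1
}
"""

# Constructed minimal Info.plist carrying only the key the page's defaults command reads.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleShortVersionString</key><string>2170</string>
</dict></plist>"""

# A rule starts at column 0 ("rule NAME" or "private rule NAME") and ends at a "}" at column 0.
RULE_RE = re.compile(r"^(private\s+)?rule\s+(\w+)[^{]*\{(.*?)^\}", re.S | re.M)
DESC_RE = re.compile(r'description\s*=\s*"([^"]*)"')


def parse_rules(yara_text):
    """Map each public rule name to its meta description (the malware family label).
    Private helper rules such as Macho are skipped: they name no family."""
    rules = {}
    for m in RULE_RE.finditer(yara_text):
        if m.group(1):
            continue
        desc = DESC_RE.search(m.group(3))
        rules[m.group(2)] = desc.group(1) if desc else ""
    return rules


def covered_families(rules, family):
    """Rule names whose description mentions the family name (case-insensitive)."""
    return sorted(n for n, d in rules.items() if family.lower() in d.lower())


def xprotect_version(info_plist_bytes):
    """Same value the page's `defaults read ... CFBundleShortVersionString` prints."""
    return plistlib.loads(info_plist_bytes)["CFBundleShortVersionString"]


def signatures_stale(last_update, compromise):
    """Gap analysis: the bundle on the endpoint predates the suspected compromise."""
    return last_update < compromise
```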
Version Differences
| macOS Version | Changes |
|---|---|
| 10.6 (Snow Leopard) | XProtect introduced (basic signature scanning) |
| 10.15 (Catalina) | Enhanced scanning, YARA-based rules |
| 12 (Monterey) | XProtect Remediator replaces MRT; background scanning |
| 13 (Ventura) | Remediator runs more frequently; expanded detections |
| 14 (Sonoma) | Improved real-time response capabilities |
Tool Support
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| defaults (macOS built-in) | Read XProtect version info |
| yara | Parse and test YARA signature rules |
| sqlite3 | Inspect blocklist database |
| log (macOS built-in) | Review XProtect Unified Log entries |