How Your Mac’s Built-in Anti-malware Software Works

Your Mac has built-in anti-malware (or antivirus) functionality. It works an awful lot like antivirus software on Windows, examining applications you run and ensuring they don’t match a list of known-bad applications.

Unlike Windows Defender, which is included in Windows 8 and Windows 10 and has a visible interface, a Mac’s built-in antivirus functionality is much more hidden.

How XProtect Works

The built-in anti-malware protection on Mac OS X is known as “XProtect,” which is technically a feature built into “File Quarantine.” This feature was added  back in 2009 with Mac OS X 10.6 Snow Leopard.

When you open an application downloaded from the Internet using a “File Quarantine-aware” application like Safari, Chrome, Mail, or iChat, you’ll see a warning message informing you the application was downloaded from the web along with the specific website it was downloaded from and when.

It’s a bit like the “This application was downloaded from the Internet!” warning dialogs you’ll see after downloading and trying to run an application on Windows.

Back in 2009, Apple made File Quarantine also check downloaded application files against a list stored in the System/Library/Core Services/CoreTypes.bundle/Contents/Resources/XProtect.plist file on your Mac. You can even open this file and see the list of malicious applications Mac OS X is checking for when you open downloaded application files.

When you open a downloaded application, File Quarantine checks if it matches any of the malware definitions in the XProtect file. If it does, you’ll see a nastier warning message that says running the file will damage your computer and informing you which malware definition it matches.

Getting Definition Updates

Malware definition updates arrive through Apple’s normal software update process. Like other software updates on Mac OS X, these are enabled by default, but can be disabled.

To view this setting, click the Apple menu, select System Preferences, and click the App Store icon. Ensure the “Install system data files and security updates” option is enabled. If you disable it, your Mac won’t update its XProtect file with the latest definitions from Apple.

So, How Useful Is It?

XProtect is useful, but not perfect. It’s a fairly rudimentary antivirus. It only checks downloaded files run through File Quarantine, which makes it similar to the SmartScreen feature on Windows. It’s designed to sit between your Mac and the web, preventing you from running a few known-malicious applications. That’s it.

Unlike other antivirus applications, XProtect doesn’t use any sort of advanced heuristics. It’s just looking for a handful of bad files Apple has specifically listed. This allows Apple to put the brakes on any bit of Mac malware before it gets too out of control and ensures your Mac is protected from downloading any old pieces of malware out there.

XProtect is just a convenient way for Apple to blacklist individual pieces of malware. But it doesn’t take care of cleaning up any existing infections and doesn’t check to make sure your Mac is clean in the background. The list of malware is also very limited, with the XProtect file containing 49 definitions at the moment. Apple has added some adware to the XProtect list, but adware is mostly not blocked. Unfortunately, bundled adware is becoming as bad on Mac OS X as it is on Windows.

Other technologies do help keep your Mac safe. In particular, Gatekeeper’s default setting prevents applications from running on your Mac unless they’re from the Mac App Store or signed by approved developers.

The real question is whether you need a third-party antivirus on your Mac. That’s a tough one. In the past, we (and others) have recommended against antivirus programs for Mac OS X.

But crapware on Mac OS X is becoming worse and worse. On the other hand, most antimalware programs don’t block this horrific adware anyway. We still don’t recommend antivirus software for Macs, and we’re not sure which application we’d recommend if we needed to pick one. Still, anti-malware software for Mac OS X is looking more and more useful with each passing day.