Apple silently updates malware scanning features in new versions of macOS

Macs have no visible built-in anti-malware software, at least not in the way that Windows has Microsoft’s highly visible Windows Defender. But Apple began including rudimentary anti-malware protection in macOS with Snow Leopard in 2009. This system service, called “XProtect,” downloaded and installed new malware definitions in the background between major macOS security updates, mainly to protect against the installation of known malware.

Since then, Apple has added several anti-malware features to macOS, although they are not always labeled as such. Gatekeeper, application notarization, System Integrity Protection, the Signed System Volume, and hardware and software access controls are all about proactively protecting system files from unauthorized access and ensuring that installed applications do what they say they do. Another hidden tool, the Malware Removal Tool (MRT), acts more like a traditional malware scanner, receiving periodic definition updates from Apple so that it can scan for and remove malware already present on your system.

Howard Oakley of the Eclectic Light Company has a habit of keeping track of XProtect and MRT updates, and he maintains several utilities that check your definition versions (as well as installed firmware and other esoteric Mac information that Apple updates regularly but rarely mentions). And he says that Apple’s anti-malware tools have undergone significant but mostly silent changes over the past few months.

Since the release of the 12.3 update for macOS Monterey, he has tracked the new “XProtect.app” feature that was added to Monterey, Big Sur (11) and Catalina (10.15). As mentioned in the most recent Apple Platform Security documentation, this is a familiar name for a brand new application that replaces the old MRT. XProtect.app scans for known malware much more aggressively than MRT.

“Malware protection on macOS has changed more in the last six months than in the previous seven years,” Oakley writes. “Now it’s fully proactive, as proactive as many commercial anti-malware products, as long as your Mac is running Catalina or later.”

After studying XProtect activity on a sleep-disabled Mac, Oakley determined that it scans for most known Mac malware at least once a day “during periods of low user activity.” But it can scan much more frequently, and the scan rate seems to be determined on a case-by-case basis. Oakley watched XProtect scan for malware called DubRobber “every hour or two.” In contrast, MRT ran “infrequently” and “most notably shortly after launch.”

For users of older versions of macOS in particular, Apple sometimes continues to provide updates to these behind-the-scenes tools even after it has stopped releasing security-related fixes. Oakley says old versions of XProtect and MRT have been updated in older versions of macOS like El Capitan (10.11), originally released in 2015.

While this means macOS Catalina users should still be able to use the new XProtect tool even after security updates for that release end, it unfortunately appears that the old MRT tool is no longer updated in Mojave (10.14) and older versions of macOS. Oakley dates the latest MRT update to April 2022, shortly after the release of macOS 12.3 and the new XProtect app. These versions of macOS were already more vulnerable than the newer, fully patched versions, but ditching the old MRT tool will make updating even more important for people who want to keep their Macs safe.
