macOS includes XProtect (a YARA-based signature scanner) and Malware Removal Tool (MRT) that silently detect and remove known malware. Notarization ensures apps are scanned by Apple before distribution. Together they form a layered defense against commodity malware. This lesson explains how they work, their limitations, and how to verify they're active and updated—because Apple's silent security shouldn't be your only line of defense.
XProtect checks files upon first execution against a set of YARA rules (stored in /System/Library/CoreServices/XProtect.bundle). When a match is found, the file is blocked and the user is notified. XProtect signatures are updated daily via Apple's software update mechanism. You can check the version with 'xprotect version'. It's not a full AV; it focuses on known macOS malware families and some adware.
The version number increments with each update. If your version is far behind, your Mac may not be receiving updates—check softwareupdate.
MRT is a tool that Apple pushes to remove specific malware infections. It runs periodically and on boot, checking for known malicious files and processes. Unlike XProtect, MRT actively removes threats, not just blocks them. It's less configurable—you can't add custom rules—but it's a helpful layer. You can trigger it manually with 'sudo /System/Library/CoreServices/MRT.app/Contents/MacOS/MRT'.
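The two manual checks above (XProtect version and MRT) can be turned into one repeatable inventory step. The following script is an added example written for this lesson, not Apple's tooling: it reads `CFBundleShortVersionString` from each bundle's `Info.plist` with the standard-library `plistlib` and flags definitions whose plist has not changed in a while. It looks in both the `/System/Library/CoreServices` path named above and `/Library/Apple/System/Library/CoreServices`, where current macOS releases keep these bundles. The 30-day staleness threshold is an assumption chosen for illustration, and `make_fake_bundle` only exists so the logic can be exercised off a Mac.

```python
"""Report XProtect and MRT versions and flag definitions that look stale (added example)."""
import os
import plistlib
import tempfile
import time
from pathlib import Path
from typing import Optional

# Candidate locations: the lesson's /System path plus the /Library/Apple path used by
# current macOS releases. The first one with an Info.plist wins.
XPROTECT_CANDIDATES = [
    "/Library/Apple/System/Library/CoreServices/XProtect.bundle",
    "/System/Library/CoreServices/XProtect.bundle",
]
MRT_CANDIDATES = [
    "/Library/Apple/System/Library/CoreServices/MRT.app",
    "/System/Library/CoreServices/MRT.app",
]


def info_plist(bundle) -> Path:
    return Path(bundle) / "Contents" / "Info.plist"


def find_bundle(candidates) -> Optional[Path]:
    """Return the first candidate that actually contains an Info.plist."""
    for cand in candidates:
        if info_plist(cand).is_file():
            return Path(cand)
    return None


def bundle_version(bundle) -> Optional[str]:
    """CFBundleShortVersionString from the bundle's Info.plist, or None if unreadable."""
    plist = info_plist(bundle)
    if not plist.is_file():
        return None
    with plist.open("rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


def is_stale(bundle, max_age_days: int = 30, now: Optional[float] = None) -> bool:
    """True when Info.plist was last modified more than max_age_days ago (assumed threshold)."""
    mtime = info_plist(bundle).stat().st_mtime
    now = time.time() if now is None else now
    return (now - mtime) > max_age_days * 86400


def report(candidates, label: str, max_age_days: int = 30) -> dict:
    """One dict per component: found/path/version/stale, ready for logging or an MDM check."""
    bundle = find_bundle(candidates)
    if bundle is None:
        return {"component": label, "found": False}
    return {
        "component": label,
        "found": True,
        "path": str(bundle),
        "version": bundle_version(bundle),
        "stale": is_stale(bundle, max_age_days),
    }


def make_fake_bundle(version: str, age_days: int) -> Path:
    """Constructed test fixture: a throwaway bundle with a back-dated Info.plist."""
    root = Path(tempfile.mkdtemp()) / "Fake.bundle"
    plist = info_plist(root)
    plist.parent.mkdir(parents=True)
    with plist.open("wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    old = time.time() - age_days * 86400
    os.utime(plist, (old, old))
    return root


if __name__ == "__main__":
    for entry in (report(XPROTECT_CANDIDATES, "XProtect"), report(MRT_CANDIDATES, "MRT")):
        print(entry)
```

A "stale" result is a prompt to check `softwareupdate`, not proof of a problem: Apple only ships a new bundle when the rules change, so compare the version against the value shown by 'xprotect version' on a known-good Mac before escalating.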
```bash
# Force a check for software update, which includes XProtect/MRT updates
sudo softwareupdate --background-critical
# Read XProtect's blocklist metadata plist
plutil -p /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist | head -20
```
💡 XProtect and MRT are good for baseline protection but are not enterprise EDR. They don't provide detailed threat telemetry or behavioral analysis. For high-value systems, supplement with a third-party EDR.
| Security Feature | Function | Management |
|---|---|---|
| XProtect | File signature check at first launch | Automatic, updates via softwareupdate |
| MRT | Periodic malware scan & removal | Automatic, runs at boot and periodically |
| Notarization | Apple scans app for malware before allowing Gatekeeper pass | Developer submits app to Apple |
Notarization requires developers to submit their apps to Apple for automated malware scanning. A successful notarization staples a ticket to the app. Gatekeeper checks this ticket. It's not a perfect solution but raises the bar for malware distribution. Enterprise-signed apps can be distributed without notarization if using a Developer ID with the 'Disable Library Validation' entitlement. Restrict this via MDM.
⚠️ XProtect can be bypassed by malware that doesn't match known YARA rules. It also does not inspect files that are already on the system unless re-downloaded with quarantine.
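Because XProtect and Gatekeeper only run their first-launch checks on files carrying the `com.apple.quarantine` extended attribute, a useful defender's check is whether a downloaded file actually has that flag and where it came from. The script below is an added example, not part of the lesson: it parses the attribute's `flags;hex-timestamp;agent;identifier` text and, on a Mac, reads it through the system `xattr -p` command. The sample value is constructed; flag bits are returned as an integer without interpretation, since their meaning is not documented by Apple.

```python
"""Inspect the com.apple.quarantine attribute that gates XProtect/Gatekeeper checks (added example)."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Quarantine:
    flags: int             # raw flag bits, left uninterpreted
    timestamp: datetime    # when the downloading app set the attribute (UTC)
    agent: str             # application that wrote it, e.g. "Safari"
    identifier: str        # UUID keyed to the LaunchServices quarantine database


def parse_quarantine(raw: str) -> Quarantine:
    """Parse 'flags;hex-time;agent;uuid'. Agent and UUID are optional in practice."""
    parts = raw.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    flags = int(parts[0], 16)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    ident = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, when, agent, ident)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Return the parsed attribute, or None when the file carries no quarantine flag.

    None means XProtect and Gatekeeper will not inspect the file at launch, which is
    exactly the gap the warning above describes.
    """
    result = subprocess.run(
        ["xattr", "-p", "com.apple.quarantine", path],
        capture_output=True, text=True,
    )
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return parse_quarantine(result.stdout)


# Constructed sample value in the format the attribute uses on disk.
SAMPLE_VALUE = "0083;5f3c2a1b;Safari;1A2B3C4D-0000-0000-0000-000000000000"

if __name__ == "__main__":
    print(parse_quarantine(SAMPLE_VALUE))
```

Files copied in by other means (a USB stick, `curl`, a package installed from the terminal) typically have no such attribute, so an inventory that lists unflagged executables in user-writable locations is a quick way to see what your Mac's built-in checks never looked at.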