How does XProtect?

As I mentioned yesterday, Apple has released a long-awaited revision to its Platform Security Guide. If you’re having difficulty accessing this latest version, you should be able to access it here, or read it in PDF format. Among its many important topics are malware protection and the multiple variants of XProtect, the subject of this article.

XProtect 2022

Before this revision, the official account of XProtect had been dated 13 May 2022, when, as far as anyone outside Apple knew, there was only one XProtect: the on-demand malware scanning service based on Yara rules, updated periodically in downloads labelled XProtectPlistConfigData. Its description in the guide remains unchanged: “When XProtect detects known malware, the software is blocked and the user is notified and given the option to move the software to the Trash.”

Although none of us realised it at the time, that version also explained a little of the new form of XProtect, XProtect Remediator, as “technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). It also removes malware upon receiving updated information, and it continues to periodically check for infections. XProtect doesnʼt automatically reboot the Mac.”

XProtects 2024

Over the summer of that year, XProtect Remediator matured rapidly and both detected and remediated malicious software. Then macOS Ventura brought provenance tracking and a third incarnation of XProtect, this time XProtectBehaviourService with its Bastion rules. As Apple’s account in this Guide wasn’t updated last year, this revision now contains their brief description: “In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.”

What are we to make of these three XProtects?

Even from Apple’s brief descriptions, these are three different services under one branding. Elsewhere, Apple establishes that XProtectRemediator is updated separately using XProtectPayloadsConfigData files rather than the XProtectPlistConfigData containing classic XProtect’s Yara rules. The latter are used in Gatekeeper checks made on code before it’s loaded and run, as I explained yesterday, and when that detects malware in code, the user is notified in an alert and invited to move the software to the Trash.

Remediator

On the other hand, XProtectRemediator “continues to periodically check for infections” in background scans run every 24 hours or so. When it detects what it considers to be malicious software, it automatically tries to remove or ‘remediate’ it without informing the user, and “doesnʼt automatically reboot the Mac.”

This was made clearer with the recent release of XProtect Remediator version 132, which took a dislike to some of the optional components in Xcode. A recent amendment to Apple’s release notes for Xcode 15.3 makes it clear that XProtect Remediator’s false positive did change Xcode without informing the user in any way. The only indication that a remediation was taking place was an authentication dialog for the change to be made to the Xcode app, and there was no indication given to the user that this was part of any malware remediation.
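Because Remediator works silently, the only way to see what it has been doing is to look for yourself. The following script is an added example, not code from the article or from Apple: it reports the installed versions of the classic XProtect bundle and the XProtect Remediator app, then lists Remediator scan events from the unified log. The bundle paths and the log subsystem and category names are assumptions about current macOS, so verify them on your own system.

```shell
#!/bin/sh
# Added example: report which XProtects are installed and list recent
# XProtect Remediator scan events. Paths below are assumed locations.
XPROTECT_BUNDLE="/Library/Apple/System/Library/CoreServices/XProtect.bundle"
XPROTECT_APP="/Library/Apple/System/Library/CoreServices/XProtect.app"

# plist_version FILE: extract CFBundleShortVersionString from an XML
# Info.plist with POSIX tools only, so it works without plutil.
plist_version() {
    awk '/<key>CFBundleShortVersionString<\/key>/ { getline
          sub(/^[[:space:]]*<string>/, ""); sub(/<\/string>.*$/, "")
          print; exit }' "$1"
}

# report_bundle NAME DIR: print "NAME version N" or "NAME not installed".
report_bundle() {
    plist="$2/Contents/Info.plist"
    if [ -f "$plist" ]; then
        printf '%s version %s\n' "$1" "$(plist_version "$plist")"
    else
        printf '%s not installed at %s\n' "$1" "$2"
    fi
}

# last_remediator_scans HOURS: show Remediator scan events from the unified
# log. The subsystem and category names are an assumption; adjust if your
# macOS version logs them differently. Returns 0 if the log tool is absent.
last_remediator_scans() {
    if ! command -v log >/dev/null 2>&1; then
        echo "unified log tool not available on this system"
        return 0
    fi
    log show --last "${1:-24}h" --info \
        --predicate 'subsystem == "com.apple.XProtectFramework.PluginAPI" AND category == "XPEvent.structured"'
}

main() {
    report_bundle "XProtect (Yara rules, XProtectPlistConfigData)" "$XPROTECT_BUNDLE"
    # Remediator carries the Bastion rules for XProtectBehaviourService as
    # well, so one version covers both of the newer XProtects.
    report_bundle "XProtect Remediator (XProtectPayloadsConfigData)" "$XPROTECT_APP"
    last_remediator_scans 24
}

main
```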

Behaviour

With no previous information provided by Apple, the newest of the XProtects, XProtectBehaviourService, has remained the most mysterious. Since it appeared just over a year ago, its Bastion rules have steadily grown, as they’ve been updated within XProtectPayloadsConfigData updates to XProtect Remediator, but all researchers have been able to discover is that breaches of those rules are recorded in its database, with no sign of any local action in response, and no alerts to the user.

Although Apple’s language is perhaps intentionally obtuse, it has admitted that it gathers that data and uses it “to improve XProtect signatures and macOS security.” For the moment at least, software that breaks any of the Bastion rules is part of Apple’s intelligence gathering rather than being a part of your Mac’s defences. Maybe in the future our Macs will be able to use Machine Learning for their direct benefit.

The next time that some AI or other tries to tell you otherwise, you can point them at this revised Platform Security Guide and the insights it provides into the protection afforded by each of the three XProtects.