macOS’s New XProtect Now Regularly Scans for Malware

Originally published at: macOS’s New XProtect Now Regularly Scans for Malware - TidBITS

A few months ago, Apple quietly updated Monterey, Big Sur, and Catalina with XProtect Remediator, a new malware scanner built into XProtect, so your Mac is now regularly checking for malware in the background. Howard Oakley uncovered it and offers some technical details.

1 Like

Does this mean that MalWare Bytes isn’t needed?

Perhaps, but way too soon to know and since I don’t know your safe-computing habits, I wouldn’t be so bold as to tell you that.

Apple’s past history with keeping up with malware is relatively bad. They have been slow to push out updates and for years did not consider adware to be an issue. Since the introduction of XProtect Remediator, updates appear to be occurring faster, but we will need to hear from some Malwarebytes users as to how effective this Apple solution is.

If Malwarebytes continues to find infections for macOS Catalina+ users, then it’s probably worth keeping it.


I can’t speak for Malwarebytes but I have never used a third-party malware scanner on a Mac and it’s never been an issue.


I would say that it means a scanner running in the background all the time isn’t necessary. But I don’t think it’s ever been necessary on the Mac platform.

Having Malwarebytes or some other similar scanner installed so you can perform manual scans on from time to time might give you some added peace of mind, but even that shouldn’t matter as long as you take reasonable precautions. For example:

  • Only download software directly from the publisher (e.g. Microsoft, FileMaker, Bombich Software, etc.) or from a trusted third-party app store (e.g. Apple’s app store). Don’t download/purchase from third-party app stores that don’t have a solid good reputation, including random “marketplace” sellers on sites like eBay and Amazon.

  • Only download via a secure connection (e.g. HTTPS) and check the security credentials to make sure the content is really coming from where you think it is coming from.

  • Don’t accept documents from untrusted sources if possible. If not possible, configure your apps (e.g. your office suite) to be as secure as possible (e.g. don’t run any macros/scripts, don’t use untrusted plugins, etc.)

1 Like

Thanks for the responses. I’ll continue with good practices


This! I run a few different types of malware-detection tools on demand. None run continuously in the background.

In all the years of using a Mac (1989-present) the only malware I have ever received was the WDEF virus back in the days of System 7 (or was it 6?). Ironically, WDEF had already infected the floppy disk that was used to install anti-virus software on all the office Macs.

Looks like my Malwarebytes subscription is not going to be renewed in 4 weeks time.

Howard Oakley now has a new tool for indicating whether XProtect “found” something. You can read about it here: XProCheck: a new utility to inspect anti-malware scans – The Eclectic Light Company

1 Like

Followup on this: usually when Mac and Linux users run virus scanners, it’s less to protect their machines and more to prevent passing viruses to Windows users.

1 Like

Exactly the same for me.

1 Like

I would keep the app on my computer if I were you (actually, I’ve done just that) since you will still be able to run manual scans for free either periodically or to rule out malware when your Mac is acting strangely. That way you can help judge how well Apple is doing with it’s new effort.

10 posts were split to a new topic: Using a non-admin account for security purposes

I wonder if the recent (Sep 7) update to XProtect referenced at Eclectic Light’s website is the reason for my MacBook 2015’s hesitation (for what feels like at least 45 seconds) at the 50% mark on boot? Maybe it’s doing a full scan of my computer? And I already know that the poor laptop has a terribly underpowered CPU.

It was listed as a patch of Safari, but ever since, I’ve had really slow restarts and reboots.

The XProtect Remediator was introduced way before the Safari security patch, so I doubt that a simple update to it would be the cause. In fact it fixes a bug that was responsible for several error messages being written to the System log, so it should have slightly improved boot time, though I doubt it would even be perceptible.

Howard gave us a new XProCheck app last week that makes it easy to see what XProtect Remediator is doing, so you can see for yourself how much time is being consumed by it during boot up.