SecureMac, Inc.


Is XProtect enough to keep you safe?

Posted on May 18, 2020

Mac malware threats are now increasing more rapidly than their Windows counterparts. With threats to macOS growing more prevalent and sophisticated, many users are starting to wonder if Apple’s native security features are enough to keep them safe.

In this article, we’ll examine one of these built-in Mac protections: XProtect. We’ll take a look at what XProtect is, how it works, and how it stacks up against third-party anti-malware solutions.

What is XProtect?

XProtect is Apple’s basic malware detection service for macOS, part of the Gatekeeper security feature. XProtect scans downloaded files for signs of malware. If it discovers anything suspicious, it will alert the user so that they don’t accidentally launch a malicious program.

How does XProtect work?

XProtect works by comparing the downloaded file to its database of malware definitions. XProtect attempts to match the contents of the file to the “signatures” of known malware. Malware signatures are algorithmically generated strings created from samples of malicious code; they serve as a kind of “digital fingerprint” that can be used to identify malware. XProtect also makes use of YARA rules, which describe malware families according to shared code or text patterns.

Older versions of XProtect only checked files downloaded by specific applications frequently used for this purpose (Mail, Safari, etc.), but would ignore files downloaded by other means. However, as of macOS 10.15 (Catalina), all executable files are scanned by default.

Is XProtect good enough?

Apple has made significant improvements to the security and privacy features in macOS, most recently with a series of enhancements that were rolled out in Catalina. But while some people will tell you Apple’s tools are enough to keep you safe, things aren’t quite that simple.

It’s pretty clear that XProtect is only intended for basic protection against well-known threats. In the past, XProtect was notorious for going long stretches without any significant updates to its malware definitions — and even now, it still isn’t updated with the regularity of third-party malware detection tools. On the one hand, that makes perfect sense, especially when you consider that these third-party tools are backed by dedicated malware research teams whose job is to study the state of Mac malware in real time. But it also means that XProtect may fail to detect new malware families, or variants of older malware that have been altered just enough to fool its detection rules.
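To make concrete the two detection styles described under “How does XProtect work?” and the update-lag problem above, here is an added Python example (not code from SecureMac, and not XProtect’s real definitions or engine). It pairs a whole-file SHA-256 signature with a cut-down YARA-style pattern rule and runs both over three constructed byte strings: a “known” sample, a variant of it with one filler string changed, and a harmless script. The rule syntax it parses is a small subset of YARA chosen for the example; the sample contents, rule names and the `.invalid` hostname are invented.

```python
"""Toy signature scanner: a whole-file hash signature beside a YARA-style
pattern rule, run over constructed byte strings (not real malware)."""
import hashlib
import re
from dataclasses import dataclass

# ---- Constructed samples (stand-ins for downloaded files) ----------------
KNOWN_SAMPLE = (b"#!/bin/sh\n# EXAMPLE-ADWARE-BEACON build 1\n"
                b"echo 'report to adware-config.invalid'\n")
# Same content with one filler string changed: a "variant" of the sample above.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"build 1", b"build 2")
BENIGN_SAMPLE = b"#!/bin/sh\necho 'hello from a harmless script'\n"


# ---- Signature types ------------------------------------------------------
@dataclass
class HashSignature:
    """Whole-file fingerprint: matches only byte-identical copies."""
    name: str
    sha256: str

    def matches(self, data: bytes) -> bool:
        return hashlib.sha256(data).hexdigest() == self.sha256


@dataclass
class PatternRule:
    """Cut-down YARA-style rule: named byte patterns plus an any/all condition."""
    name: str
    strings: dict
    condition: str  # "any" or "all"

    def matches(self, data: bytes) -> bool:
        hits = [pattern in data for pattern in self.strings.values()]
        return all(hits) if self.condition == "all" else any(hits)


# Invented rule text in a YARA-like syntax (text strings, any/all of them).
RULE_TEXT = '''
rule Example_Adware_Family
{
    strings:
        $beacon = "EXAMPLE-ADWARE-BEACON"
        $config = "adware-config.invalid"
    condition:
        all of them
}
'''


def parse_rule(text: str) -> PatternRule:
    """Parse the tiny YARA subset used in RULE_TEXT. Not a full YARA parser."""
    name = re.search(r"rule\s+(\w+)", text).group(1)
    strings = {m.group(1): m.group(2).encode()
               for m in re.finditer(r'\$(\w+)\s*=\s*"([^"]*)"', text)}
    cond = re.search(r"condition:\s*(any|all)\s+of\s+them", text).group(1)
    return PatternRule(name, strings, cond)


def build_signatures() -> list:
    """One exact-hash signature for the known sample plus the pattern rule."""
    hash_sig = HashSignature("Example_Adware_sha256",
                             hashlib.sha256(KNOWN_SAMPLE).hexdigest())
    return [hash_sig, parse_rule(RULE_TEXT)]


def scan(data: bytes, signatures=None) -> list:
    """Return the names of every signature or rule that matches `data`."""
    sigs = signatures if signatures is not None else build_signatures()
    return [s.name for s in sigs if s.matches(data)]


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE),
                          ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(f"{label:8s} -> {scan(sample)}")
```

Running it shows the trade-off the article is describing: the hash signature fires only on the byte-identical known sample, while the pattern rule also catches the lightly altered variant, and neither flags the benign script. A definition set that consists mostly of exact fingerprints therefore needs frequent updates to keep pace with new variants, which is why update cadence matters as much as the rules themselves.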

In addition, many Mac threats inhabit something of a “gray area”: it isn’t always clear whether Apple actually considers them malicious, or how seriously they’re taken as threats. This can include things like Potentially Unwanted Programs (PUPs), adware, and cryptocurrency mining software. While these may not be considered “top priority” threats for the Apple security teams that update XProtect, they’re definitely not anything you want running on your system. They can be annoying and resource-intensive, for one thing. But beyond that, there is evidence that they can also lead to more serious issues that impact user privacy and security.

Lastly, XProtect is designed to be a fairly simple, single-purpose tool. Third-party malware detection apps, on the other hand, provide additional functionality and features that many users find helpful. Some examples include full-scale malware removal (not offered by XProtect, although macOS does come with a basic malware removal tool called MRT); the ability to schedule and conduct regular system scans (as opposed to only scanning files at download time); and privacy and performance features like tracking cookie blacklists and cache cleanup.

What about third-party tools?

There are several robust anti-malware apps built specifically for macOS. Using our own MacScan 3 as an example, it’s clear that while XProtect provides some basic protection, it doesn’t have quite as much to offer as a full-featured malware detection and removal tool:

Feature comparison, XProtect versus MacScan 3:

- Malware detection
- Fast and lightweight
- Definition updates (less frequent for XProtect)
- Definition database
- Adware detection
- Cryptominer detection
- Malware removal
- Tracking cookie blacklist
- Internet clutter cleanup
- Online support

Of course, we’re not exactly objective observers here, and we’re not pretending to be — nor do we want to imply that our malware removal tool is the only option available (there are several other excellent anti-malware tools for Mac).

However, it’s worth noting that many of the malware detection and removal apps for macOS (ours included) were developed in response to the demands of Mac users themselves. These were Apple “fans” through and through — but they still found the Mac’s default security features lacking. And if anything, there’s arguably more of a need for dedicated third-party tools today than ever before, considering the dramatic rise in threats targeting Apple platforms. 

Does your Mac need antivirus protection?

XProtect is definitely better than nothing at all, and it has received some improvements and updates over the past year. But most people should still be using full-featured malware detection tools on their Macs.

This is true even if you’re a relatively “low-risk” user. If you don’t get online much, and then only to visit a handful of safe, well-known websites; if you never download apps from outside of the Mac App Store; if you have complete confidence in your ability to spot every single malicious link, phishing scam, or social engineering tactic … things can still slip through the cracks. The most secure of websites can be compromised and used to attack visitors. Bad things have made it into the App Store before, and malicious actors sometimes use stolen or fraudulent Apple Developer credentials, meaning that even the “walled garden” isn’t guaranteed to be safe. Plus, new malware variants crop up all the time, often before XProtect has time to update its malware definitions. 

And when we’re talking about users who are just a little bit higher risk, all bets are off. This includes people who frequent the kinds of forums, cryptocurrency exchanges, and torrent sites that often harbor malware; folks who may not be technically savvy enough to spot all of the different tricks and scams that hackers use; people who enjoy trying out third-party Mac apps which can only be downloaded from indie developers; or those who simply spend lots of time online, increasing the likelihood that they’ll eventually bump into something nasty.

In all of these cases, a reputable, regularly-updated malware detection and removal tool will provide much better protection than XProtect alone.

Of course, there are no “magic bullets” in cybersecurity. The best antivirus product in the world won’t keep you safe if you give someone your online banking password over the phone; or if you take random commands you found on the Internet and type them into Terminal without knowing what they do. But when used in combination with other fundamental best practices — strong passwords, cautious web browsing, two-factor authentication, regular updates, and so on — a robust malware detection tool can greatly improve a Mac user’s personal security posture.  
