What is XProtect on Mac and How Does It Work?

Updated on Tuesday, December 3, 2024

Written by

Jenny Zeng

Approved by

Jessica Shee

Summary: This post explains everything you need to know about Apple's built-in anti-virus feature - XProtect. It details what XProtect is, steps to enable/disable it, and how to check XProtect versions on Mac.

Viruses and malware bring all sorts of problems to your Mac, including performance slowdowns, external hard drive not showing up, inability to visit websites, etc. If you are careful with what you install, you won't need third-party anti-malware software to protect your Mac. 

Your Mac has all the malware defenses you need running in the background of macOS. Besides Gatekeeper, Apple has also integrated XProtect to prevent malware from infecting your Mac. Even if malware sneaks onto your Mac, it will be wiped out by the Malware Removal Tool (MRT).

Now, let's take a closer look at XProtect and learn how it blocks malware from running on your Mac.

What is XProtect on Mac?

XProtect, known as part of File Quarantine, is a built-in anti-malware technology on macOS that uses YARA signatures to detect malware. It was released in 2009 along with Mac OS X 10.6 Snow Leopard. Unlike other anti-malware programs that are constantly checking for threats, XProtect only executes when:

  • A downloaded app is launched for the first time
  • An app has been changed in the file system
  • Its signatures are updated

When you open a file downloaded by a File Quarantine-aware app (one that can download files, such as Safari or Mail), XProtect is automatically activated to check whether the file's contents match any known virus definition it holds. (XprotectService is the background process that does this work.)

If it recognizes anything suspicious, it will block the file and suggest you move it to the Trash. If it detects no malware, it will still pop up a message informing you where and when the application was downloaded.

 

How to enable XProtect on Mac?

XProtect is enabled on Mac by default to detect and block the execution of known malware. Like most antivirus software, XProtect needs its definitions to be updated regularly to recognize new malware on Mac. Your Mac will automatically update XProtect in the background without the need for human interaction.

To ensure that your Mac is XProtect-enabled and gets the background updates properly, go to the Apple logo > System Preferences > Software Update > Advanced, and ensure that the box next to "Install system data files and security updates" is checked.

 

How to check the XProtect version on your Mac?

If you are interested in what XProtect version your Mac has and when it was last updated, follow these steps:

  1. Click the Apple menu > About This Mac.
  2. Tap on System Report > Software > Installation.
  3. Click the Software Name to sort it by name.
  4. Look for XProtectPlistConfigData.

The latest version of XProtect on my Mac is currently 2158, updated on March 22, 2022.

 

How to access XProtect on Mac?

If you want to view the list of malicious applications macOS checks when opening a downloaded file, you can access it by following these steps on OS X El Capitan or later:

  1. Navigate to Macintosh HD/Library/Apple/System/Library/CoreServices/XProtect.bundle.
  2. Control-click on XProtect.bundle and select Show Package Contents.
  3. Click Contents/Resources, then press the Space bar to open the XProtect.plist file.
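
The two procedures above (checking the version and opening XProtect.plist) can also be scripted. The following is an added example, not code from Apple or from this post: it assumes the bundle's Info.plist stores the version under CFBundleShortVersionString and that XProtect.plist is an array of entries with "Description" and "Matches" keys. The sample data is constructed so the script also runs on a machine without the bundle.

```python
import plistlib
from pathlib import Path

# Bundle location from the steps above, relative to the boot volume.
BUNDLE = Path("/Library/Apple/System/Library/CoreServices/XProtect.bundle")

def bundle_version(info_bytes):
    """Return the definitions version from the bundle's Info.plist bytes.
    Assumption: the version is stored under CFBundleShortVersionString."""
    return plistlib.loads(info_bytes).get("CFBundleShortVersionString")

def summarize(xprotect_bytes):
    """Return sorted (description, rule_count) pairs from XProtect.plist bytes.
    Assumption: the file is an array of dicts with 'Description' and 'Matches'."""
    counts = {}
    for entry in plistlib.loads(xprotect_bytes):
        if not isinstance(entry, dict):
            continue  # tolerate layout changes between definition versions
        name = entry.get("Description", "<unnamed>")
        counts[name] = counts.get(name, 0) + len(entry.get("Matches", []))
    return sorted(counts.items())

# Constructed sample data (not real Apple definitions), so this runs anywhere.
SAMPLE_INFO = plistlib.dumps({"CFBundleShortVersionString": "2158"})
SAMPLE_DEFS = plistlib.dumps([
    {"Description": "OSX.Example.A", "Matches": [{"MatchType": "Match"}]},
    {"Description": "OSX.Example.B",
     "Matches": [{"MatchType": "Match"}, {"MatchType": "Match"}]},
    {"Description": "OSX.Example.A", "Matches": [{"MatchType": "Match"}]},
])

def report(bundle=BUNDLE):
    """Use the real bundle when present (a Mac), else the constructed sample."""
    info = bundle / "Contents/Info.plist"
    defs = bundle / "Contents/Resources/XProtect.plist"
    if info.is_file() and defs.is_file():
        return bundle_version(info.read_bytes()), summarize(defs.read_bytes())
    return bundle_version(SAMPLE_INFO), summarize(SAMPLE_DEFS)

if __name__ == "__main__":
    version, families = report()
    print(f"XProtect definitions version: {version}")
    for name, rules in families:
        print(f"  {name}: {rules} rule(s)")
```

Comparing the reported version across a fleet of Macs is a quick way to spot machines that have stopped receiving background definition updates.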

How to disable XProtect on Mac?

We don't recommend disabling XProtect on Mac, as you may install malware if XProtect isn't there to block threats. However, if XProtect keeps an app you want to use from running on Mac, you can temporarily turn it off. To do so, uncheck the "Install system data files and security updates" option in System Preferences > Software Update > Advanced.

It's advisable to avoid downloading and opening executable files on Mac when XProtect is disabled. Don't forget to turn XProtect back on once you have finished the task it was blocking.

 

XprotectService high CPU usage on Mac Monterey

Sometimes, you may notice a process called XprotectService using an extremely high amount of CPU in Activity Monitor, especially after a recent macOS update. Attempts to kill the process will fail because it keeps reappearing when you re-open Activity Monitor. In that case, try to restart your Mac or reboot in Mac Safe Mode to clear caches.