Tuesday, August 30, 2022

Active Mac Malware Scans

Howard Oakley:

In the last six months macOS malware protection has changed more than it did over the previous seven years. It has now gone fully pre-emptive, as active as many commercial anti-malware products[…]


These are orchestrated by XProtectPluginService, an XPC service which is scheduled and dispatched using the DAS-CTS system that does the same for most periodic background tasks.


The DubRobber (XCSSET) scanner is by far the most frequently run, performing scans lasting 15-35 seconds every hour or two during periods of low user activity.


Update (2022-09-03): See also: MacRumors, Hacker News.

Update (2022-09-14): Josh Avraham:

Users on macOS Catalina and onwards can manually trigger an XProtect scan any time they want to by running /Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtect

1 Comment

This makes the warning that appears for unnotarized apps that says something to the effect of "macOS cannot verify that this app is free from malware" all the more insulting. They obviously can. But instead they chose to put this onerous burden on developers for essentially no benefit to anyone, especially because malware regularly gets notarized anyway.

On top of that, what about users that don't need regular malware scans? I turn that off on my Windows systems because active scanning is a huge drain on resources, and I don't need it because I run a clean ship. I want to ask whether Apple is going to give the user any controls over these services, but I'm pretty sure I already know the answer: they won't.
