How the Hidden Antivirus Tools Built Into Your Mac Work

Render of a Mac

macOS comes with malware scanning built in.
Image: Apple

While macOS has a strong reputation for keeping your computer and your data safe from harm, it doesn’t have a visible antivirus tool like the Windows Security suite that comes as part of Microsoft’s desktop operating system. In fact, there are antivirus and security tools built into the software on your Mac—they’re just not as noticeable.

Take XProtect, for example. It won’t appear in the dock, or in the launcher, or if you search for it through Spotlight, but it’s there nonetheless. It functions much as you would expect an antivirus tool to function, looking for software patterns that are usually made by malware, via a tool called YARA, and using updates coded by Apple engineers.

Importantly, these patterns or signatures that can be used to spot malware are refreshed on a regular basis, separately from the main macOS software updates. If a new virus is found in the wild, Apple can patch macOS against it very quickly—and if that virus is then spotted, the Mac will swiftly block it and prevent it from running.

XProtect swings into action at three different points: Whenever an app is launched for the first time, whenever an app has been changed in some way in the file system, and whenever a new signature update is delivered by Apple. With those precautions in place, it’s very difficult for an unwelcome bit of code to get past a Mac’s defenses.

If something sinister should get through, then XProtect can help here as well: Apple is also able to issue updates to the tool that remove infections from known malware. Based on some clever user analysis (via Ars Technica), it looks as though XProtect has been getting more and more aggressive in its malware hunting in recent months—it can run virus scans once a day or even more often, if the system isn’t too busy doing something else.

A screenshot of a macOS pop-up

Incoming apps are checked for malicious code.
Screenshot: macOS

XProtect isn’t the only security service keeping macOS protected, either. Notarization is the vetting system that Apple uses to whitelist software for use on Macs: Software submitted to Apple is scanned for malware, and given a safety badge if it passes the test. It’s a…