Apple has quietly added a feature to macOS that scans for malware whenever a Mac is idle. The Cupertino firm’s XProtect Remediator, first added to macOS Monterey in March 2021, had previously only scanned for malware when a Mac was started up or when an app was launched.
While Mac computers have always been famously less prone to viruses and malware, they are still vulnerable to such risks. Apple’s step will provide additional protection against the bad actors of the world.
Howard Oakley, on his The Eclectic Light Company blog, says it’s an update to the long-standing XProtect system tool, which Oakley says “was mainly used to check apps… against a list of signatures of known malware.”
Now XProtect Remediator “consists of executable code modules which both scan for and remediate detected malware,” it is apparently a replacement for Apple’s previous Malware Removal Tool (MRT).
Until XProtect Remediator arrived in macOS 12.3 last March, system tools for tackling malware were essentially limited to XProtect and MRT. XProtect was mainly used to check apps and other code which had a quarantine flag set, against a list of signatures of known malware, and can only detect. While Apple has broadened its scope to check more frequently, and continues to update those signatures every couple of weeks, they have their limits. MRT ran scans to both detect and remove (‘remediate’) known malware, most noticeably shortly after startup, but infrequently.
XProtect Remediator consists of executable code modules which both scan for and remediate detected malware. At present, these include the following:
- Adload, an endemic Trojan known for downloading unwanted adware and PUPs, summarised here;
- DubRobber, a troubling and versatile Trojan dropper also known as XCSSET;
- Eicar, a harmless standard test for anti-malware products;
- Genieo, a browser hijacker acting as adware, summarised here;
- GreenAcre, an Apple internal name;
- MRTv3, referring to Apple’s original malware remediator;
- Pirrit, malicious adware explained in detail here;
- SheepSwap, an Apple internal name;
- SnowBeagle, an Apple internal name;
- SnowDrift, identified by Stuart Ashenbrenner of Jamf as CloudMensis, spyware first identified by ESET;
- ToyDrop, an Apple internal name;
- Trovi, a cross-platform browser hijacker.
- WaterNet, an Apple internal name.
“These scans should now be taking place on all Macs running macOS Catalina and later, with the current XProtect Remediator installed,” says Oakley. “They’re most likely to take place when your Mac is awake but doing little other than background tasks, such as routine backups, and receiving incoming email as it arrives.”
(Via AppleInsider)