This is how the default antivirus software works in macOS

How does anti-malware work on your Mac? What threats are you protected against and what aren’t you? In this guide, we’ll take a look at the built-in antivirus software in macOS.

If you’re switching from a Windows laptop to a Mac, you might be tempted to install an antivirus program. Many users don’t realize that macOS comes with a built-in security program that works in the background without you having to do anything.

This guide will tell you all about the built-in antivirus and malware tools that have been present in macOS since 2009.

  • Antivirus software on Mac
  • Do I have to do anything myself?
  • XProtect
  • GateKeeper
  • File Quarantine
  • Do I need antivirus software?

Antivirus software on Mac

On PCs, you will find Windows Defender, which is prominently visible in Windows. On Macs, there are also similar programs that protect you from malicious software on the internet.

However, this software is somewhat less visible, so you may not even know that it is active in the background.

Nevertheless, it is important to know exactly what your Mac does against viruses and other malware so that you do not accidentally disable it, for example.

When we talk about malware in this article, we mean viruses, worms, trojans, phishing, and other threats that you encounter on the internet.

Malware is the general name for all these dangers. Many people still use the term virus, which is why we use the term regularly in this article.

Antivirus: Do I need to do anything myself?

Malware protection is present on every Mac and is enabled by default. So you don’t have to do anything. New malware definitions are retrieved automatically.

So you don’t have to take any steps as a user. All you have to do is deal sensibly with the warnings you receive.

If you only download software from the App Store and from reputable developers, the chances are slim that you will ever notice the antivirus and malware tools on your Mac.

They do their work behind the scenes. Do you need additional virus scanners for your Mac? That largely depends on your own behavior. In a separate article, we discuss the usefulness and necessity of antivirus on your Mac.

How does antivirus work on Mac?

Below, we’ll discuss the standard tools that are already present in macOS. For example, there’s XProtect, which is essentially a list of malware definitions.

XProtect is part of File Quarantine, which we’ll also discuss below. If you’ve ever downloaded software from the Internet, you’ve seen File Quarantine and its associated GateKeeper in action.

File Quarantine checks if the software is listed in the XProtect malware definitions list. If it is, you will see a warning that the software can potentially harm your computer. It also tells you what malware it is, so you can see if the virus has been in the news recently.

Another security technique on the Mac is Gatekeeper. This has been present on the Mac since OS X 10.8 (Mountain Lion) and prevents you from simply installing software from unknown parties.

XProtect: The List of Malware Definitions

XProtect is a list of malware definitions that is regularly updated by Apple. You can think of it as a blacklist of malicious software. It is possible to see which version of XProtect is installed on your Mac:

  1. Open the Terminal app.
  2. Enter the command below.

system_profiler SPInstallHistoryDataType | grep -A 5 "XProtectPlistConfigData"


You can also check when the XProtect virus definition list was last updated:

ls -l /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist
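The install history lists every XProtect update ever installed, mixed in with other packages, so the grep above prints many entries. The script below is an added example, not part of the original article: it picks out only the newest XProtect version and its install date. The function names and the sample history are constructed for illustration.

```sh
#!/bin/sh
# Added example: report the newest XProtect definitions recorded in the
# install history, instead of reading every entry that grep -A 5 prints.

# Reads `system_profiler SPInstallHistoryDataType` output on stdin and prints
# "<version> <install date>" for the highest XProtectPlistConfigData version.
# Returns 1 when the history holds no such entry.
latest_xprotect() {
    awk '
        /^ *XProtectPlistConfigData:[ \t]*$/ { in_rec = 1; ver = 0; next }
        /:[ \t]*$/ { in_rec = 0; next }   # header of some other package
        in_rec && /Version:/ { sub(/^.*Version: */, ""); ver = $0 + 0 }
        in_rec && /Install Date:/ {
            sub(/^.*Install Date: */, "")
            if (ver > best) { best = ver; when = $0 }
        }
        END { if (!best) exit 1; printf "%d %s\n", best, when }
    '
}

# Constructed sample in the layout system_profiler uses (not real output).
sample_history() {
    cat <<'EOF'
Installations:

    XProtectPlistConfigData:

      Version: 2165
      Source: Apple
      Install Date: 12/15/22, 9:41 AM

    macOS 13.2:

      Version: 13.2
      Source: Apple
      Install Date: 1/24/23, 8:02 PM

    XProtectPlistConfigData:

      Version: 2166
      Source: Apple
      Install Date: 2/2/23, 10:04 AM
EOF
}

if command -v system_profiler >/dev/null 2>&1; then
    system_profiler SPInstallHistoryDataType | latest_xprotect
else
    sample_history | latest_xprotect    # no macOS tools here: use the sample
fi
```

If the install date it reports is months old, check that automatic security updates are still switched on.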

Get new malware definitions

XProtect is a so-called .plist file. This is a plain text file that you can view with a regular text editor. Previously, you could manually update the list by navigating to: Apple menu > System Preferences > Security > Automatically update safe downloads list. Now this is done via the App Store settings:

  1. Go to Apple menu > System Settings > App Store.
  2. Make sure this box is checked: Install system files and security updates.

You can disable this. Your Mac will then no longer download the XProtect file with the latest malware definitions from Apple. We recommend keeping the box checked.

Tip: You can check this page at Apple to see if there are security updates for macOS and other Apple products.

How good is XProtect?

Regular anti-malware software often works in two ways: it uses a list of malware definitions and it looks for suspicious behavior based on previous experience (so-called heuristics).

XProtect initially only did the first: when an app was opened, it checked for malware. This usually worked well, but it did not provide any protection against unwanted actions in the background.

As of macOS 12.3, this has been improved: XProtect has become a separate app that is much more active in the background.

Technically, this XProtect app is the successor to Apple’s Malware Removal Tool, which was responsible for removing found malware.

XProtect now also scans your entire system in the background. This happens at least once a day when your Mac is not under heavy load. If necessary, your Mac can even scan once an hour for the most common viruses and malware.

GateKeeper

GateKeeper has been present on the Mac since 2012 (OS X 10.7.5 Lion) and ensures that you can only install certain apps. In the Security settings of your Mac, you can choose how strict you want this so-called Gatekeeper filter to be.

Here’s how you do it:

  1. Click on the Apple logo at the top left of your screen.
  2. Select System Settings and then select Privacy and Security.
  3. Under Security, find the option Allow apps downloaded from and choose the option App Store and known developers.

Here you can choose to only allow apps that come directly from Apple’s Mac App Store. You can also allow apps from reputable developers.

These are developers that have been approved by Apple. You can read much more about using GateKeeper in the article below.

Difference between GateKeeper and File Quarantine

GateKeeper builds on File Quarantine, which has been on the Mac since 2009 (OS X Snow Leopard). Both GateKeeper and File Quarantine check whether you can install certain software, but they do so in different ways.

GateKeeper uses a whitelist to determine which software from approved developers is allowed. File Quarantine uses a blacklist to keep malicious software out.

File Quarantine

File Quarantine is an umbrella security program that XProtect is part of. Whenever you download something from the Internet, File Quarantine compares the program to the blacklist in XProtect, to see if it contains potentially harmful software. A potentially dangerous program is quarantined and can only be removed with your permission.

This list should of course be updated regularly so that your Mac is also aware of the latest threats. This is automatically enabled, but you can also disable it manually. You can check if these updates are enabled with the steps below:

It is important that programs support File Quarantine. For example, Safari, Mail and Google Chrome do support File Quarantine.
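To see which program put a download into quarantine, you can decode the tag it left on the file. The script below is an added example, not part of the original article. It assumes the tag is stored in the com.apple.quarantine extended attribute in the layout noted in its comments; the function name and the sample value are constructed.

```sh
#!/bin/sh
# Added example: decode the tag File Quarantine leaves on a download.
# On a Mac the value comes from:  xattr -p com.apple.quarantine <file>
# Assumed layout: flags;hex Unix time;downloading app;event UUID

# Prints "agent=<app> epoch=<seconds> flags=<flags>".
# Returns 1 for an empty or malformed value (for example, a file saved by
# an app that does not support File Quarantine carries no tag at all).
parse_quarantine() {
    case $1 in
        *\;*\;*) ;;
        *) return 1 ;;
    esac
    q_flags=${1%%;*};  q_rest=${1#*;}
    q_stamp=${q_rest%%;*}; q_rest=${q_rest#*;}
    q_agent=${q_rest%%;*}
    case $q_stamp in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    printf 'agent=%s epoch=%d flags=%s\n' \
        "${q_agent:-unknown}" "$((0x$q_stamp))" "$q_flags"
}

# Constructed sample value (not taken from a real file).
SAMPLE='0081;60000000;Safari;00000000-0000-0000-0000-000000000000'
parse_quarantine "$SAMPLE"
```

A downloaded file for which the function returns 1 was never tagged, so File Quarantine had nothing to check when it was opened.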

Do you need antivirus software on Mac?

A recurring question is whether you need special antivirus software on your Mac. Apple’s tools offer sufficient protection, but there are still potential dangers.

A reckless or gullible user who downloads all kinds of files from the internet and clicks on links without thinking is still at risk. But with normal use, you don’t have to worry about it much.

Traditionally, macOS has little trouble with malware. New malware appears every now and then, but then gets so much publicity that you can protect yourself against it.

So regularly read the news about new malware, don’t install software from malicious parties, and don’t just click away security warnings.

As macOS becomes more popular, it also becomes a more attractive target for hackers. As such, it may be advisable to be a little more cautious over time.

You can read more about this in our guide to the necessity of antivirus on Mac. We also have a list of the best virus scanners for Macs.

Hey, I'm Masud, the founder of Trickknowledge.co. I write the latest technology and niche content, so my main priority is to search for new content and present it to you so that you learn something new.
