How the Hidden Antivirus Tools Already Built Into Your Mac Work

How the Hidden Antivirus Tools Already Built Into Your Mac Work

While macOS has a strong reputation for keeping your computer and your data safe from harm, it doesn’t have a visible antivirus tool like the Windows Security suite that comes as part of Microsoft’s desktop operating system. In fact, there are antivirus and security tools built into the software on your Mac — they’re just not as noticeable.

Take XProtect, for example. It won’t appear in the dock, or in the launcher, or if you search for it through Spotlight, but it’s there nonetheless. It functions much as you would expect an antivirus tool to function, looking for software patterns that are usually made by malware, via a tool called YARA, and using updates coded by Apple engineers.

Importantly, these patterns or signatures that can be used to spot malware are refreshed on a regular basis, separately from the main macOS software updates. If a new virus is found in the wild, Apple can patch macOS against it very quickly — and if that virus is then spotted, the Mac will swiftly block it and prevent it from running.

XProtect swings into action at three different points: Whenever an app is launched for the first time, whenever an app has been changed in some way in the file system, and whenever a new signature update is delivered by Apple. With those precautions in place, it’s very difficult for an unwelcome bit of code to get past a Mac’s defences.

If something sinister should get through, then XProtect can help here as well: Apple is also able to issue updates to the tool that remove infections from known malware. Based on some clever user analysis (via Ars Technica), it looks as though XProtect has been getting more and more aggressive in its malware hunting in recent months — it can run virus scans once a day or even more often, if the system isn’t too busy doing something else.

Incoming apps are checked for malicious code. (Screenshot: macOS)
Incoming apps are checked for malicious code. (Screenshot: macOS)

XProtect isn’t the only security service keeping macOS protected, either. Notarization is the vetting system that Apple uses to whitelist software for use on Macs: Software submitted to Apple is scanned for malware, and given a safety badge if it passes the test. It’s a little bit like the app review process for iOS, except it’s quicker and fully automated.

Software developers can also go through the Mac App Store route if they want to. Everything in the store gets vetted by Apple and cleared as being free of malware — and if malware is subsequently detected, then the offending software can be quickly removed so that it’s no longer available.

Notarization actually works in combination with another tool called Gatekeeper, which is effectively the digital bouncer utility checking for passes issued by Notarization. When you see a warning on screen saying that you’re about to install an app that Apple doesn’t know about, that’s Gatekeeper swinging into action. That’s not to say the offending program is definitely malware — but it means macOS can’t guarantee that it isn’t.

If you want to bypass the Notarization and Gatekeeper security checks, you do so at your own risk. You can still run apps that haven’t been given the security seal of approval by locating them in Finder, holding down Ctrl and clicking on them, then choosing Open and then Open again on the dialog boxes that pop up.

macOS has continued to tighten up its software rules. (Screenshot: macOS)
macOS has continued to tighten up its software rules. (Screenshot: macOS)

Like XProtect, the Notarization and Gatekeeper tools don’t have any user interface or settings to speak of. You can, if you want to, only allow apps to run if they’re from the official Mac App Store: Open the Apple menu, then System Preferences and Security & Privacy, and under General you can choose either App Store or App Store and identified developers to set which software packages are permitted.

Note that in earlier versions of macOS, there was a third option — Anywhere — but that’s now been removed. On the same screen, you’ll see an Open Anyway button if you’ve recently tried to launch an application that Gatekeeper blocked (you can use this method for opening unknown apps as an alternative to the process we described above). This can be especially useful if you’re testing a self-developed app.

The usual Apple privacy protections are built right into the system: These malware scans and safety checks are carried out without any reference to your Apple ID or other personal details, and Apple isn’t keeping a log of all the software you’re trying to run on your Mac computer. Expect more improvements, too, in future macOS updates.

These malware scanners and antivirus tools work in combination with the other security features that macOS offers. Technologies like System Integrity Protection limit what third-party applications can do, so even if malware does find its way on to a macOS machine, it can’t actually do a whole lot of serious damage when it comes to affecting key system files or the integrity of the operating system.

We wouldn’t say there’s absolutely no need to install a separate antivirus tool on your Mac — it can help to have more eyes looking out for your computer’s safety — but bear in mind that macOS already comes with an impressive array of security protections, including a malware scanner that you might not have ever realised was there.

The Cheapest NBN 50 Plans

It’s the most popular NBN speed in Australia for a reason. Here are the cheapest plans available.

At Gizmodo, we independently select and write about stuff we love and think you'll like too. We have affiliate and advertising partnerships, which means we may collect a share of sales or other compensation from the links on this page. BTW – prices are accurate and items in stock at the time of posting.