Security and privacy have been a key focus of macOS updates for the last decade or so, and with each new version, there are changes to the way macOS protects your Mac from malware. As malware and the way it is distributed have become more sophisticated, the methods used to detect it must be equally sophisticated. XProtect is one of the tools that acts as a defense against malicious software and has been around for several years now. But what is it and what does it do? And do you need it, or can you turn it off? We’ll answer those questions.

What is XProtect on my Mac?

XProtect is part of what Apple calls its three layers of defense. Those three layers are:

  1. Preventing the launch or execution of malware.
  2. Blocking malware from running.
  3. Providing a remedy for malware that has been executed.

The first of those three layers is managed by a combination of the App Store — where all apps are scanned for malware before being made available for download — Gatekeeper, which controls what can be installed on your Mac, and notarization.

Notarization is a process by which developers submit software to Apple, which then scans the code for malicious content and code-signing issues. It generates a ticket that the developer can staple to the software and publishes the ticket online where Gatekeeper can find it. Gatekeeper checks app downloads to confirm they comply with the policy you have set — either to allow downloads from the App Store or from the App Store and ‘known’ developers. As part of the process of identifying ‘known’ developers, GateKeeper checks the notarization ticket.

The second and third layers are where XProtect comes in. It uses signature-based detection to identify and remove malware from your Mac. Apple uses a tool called YARA to carry out signature-based detection. YARA is updated regularly, and Apple monitors your Mac for new malware infections and strains, updating signatures regularly. XProtect automatically detects known malware and blocks its execution. In macOS Catalina and later, XProtect checks for malware at three points:

  • When an app is launched for the first time
  • When an app has been changed in the file system
  • When XProtect signatures are updated

How to use XProtect on Mac

You may never see XProtect running unless it finds something suspicious. If it does, it will move the file to the Trash and alert you. It may also ask you to share malware samples with Apple to improve security. It’s up to you whether you agree to share those samples. If you agree, only the malware executable — or if it’s in an app bundle, the bundle — is uploaded. Nothing else is shared with Apple. XProtect also remedies infections by including patches in future system or security updates.

Behavior analysis is another tool in XProtect’s arsenal. This allows it to detect unknown malware. Information about the malware, including the software responsible for downloading it, is then used to improve XProtect signatures.

XProtect is updated regularly based on the latest threat intelligence and macOS checks for these updates daily.

Where is XProtect on my Mac?

XProtect runs in the background, but you can find it by following these steps:

  1. Open a new Find window.
  2. Press Command + Shift + G and paste this path followed by Return: /Library/Apple/System/Library/CoreServices/XProtect.app
  3. Right-click it and choose Show Package Contents.
  4. In Contents > Resources, you can find XProtect .plist files showing what it checks for.

Now you know how to access XProtect on Mac, but we do not recommend changing anything in these files to avoid glitches.

How to turn off XProtect on Mac

XProtect is turned on by default; everything it does is automatic, so you don’t need to worry about turning it on or making sure it’s still running. However, you can turn it off.

Before we show you how to do that, a warning: turning off XProtect will leave your Mac more vulnerable to malware. It will mean that unless you use a third-party antivirus tool, there is nothing on your Mac scanning for the latest malware and protecting you from malicious software. Think very carefully before turning it off.

There have been some reports of XProtect using lots of CPU cycles, but there is no evidence that this is widespread or that it impacts performance. If you have noticed in Activity Monitor that XProtect is using lots of resources and want to try disabling it, the one thing you can do is stop it from downloading updates automatically. Here’s how to do that – though we don’t recommend it:

  1. Click the Apple menu and choose System Settings.
  2. Choose General > Software Update.
  3. Click the ‘i’ next to Automatic Update.
  4. Turn off ‘Install Security Responses and system files’.

How to keep my Mac safe?

There are a number of ways you can keep your Mac safe, over and above what XProtect does:

  • Use a third-party tool to detect malware, which may find malicious software that’s missed by XProtect.
  • Review app permissions regularly. These permissions include access to your Mac’s camera and microphone, as well as screen recording, folders, and the system.
  • Check for files downloaded by websites onto your Mac, such as cache and cookies, can also be a source of privacy or security issues, so you should monitor those too.
  • Clear out your Recent Items list because it could compromise your privacy.

The easiest way to keep on top of all that is to use the Protection feature in CleanMyMac. It scans your Mac looking for potential vulnerabilities and allows you to deal with them easily.

Get your free CleanMyMac trial.

XProtect is an antivirus technology that is built into macOS. It uses signature-based detection to identify malware and remove it. XProtect checks your Mac automatically when specific events occur and is regularly updated so it can spot the latest threats. It is possible to stop it from updating automatically, and you can follow the steps above to do that, but it’s not a good idea: it will result in your Mac being less safe from malware.