Mac OS X XProtect does provide support to Gatekeeper

I’ve been doing some research into XProtect, a hidden Mac OS X security feature that Apple doesn’t talk about much. At first glance, XProtect appears to be a basic AV engine that scans DMG files and apps through Safari, Chrome and Firefox. However, there are some underlying questions about this technology. What does it actually do? Is it any good? Should Mac users still consider using a security product like Virus Barrier or MacKeeper for antivirus protection?

XProtect isn’t much talked about by Apple, and for good reason. They don’t want the black hats to know much about it; otherwise, they believe, it will be cracked and be of no security or privacy use to Mac OS X users. There is some point in this, but speculation alone can lead hackers to explore the depths of code, so I just wouldn’t buy this reason. If you use OS X 10.6.7 or above you may have seen a warning prior to installing an app (DMG) – which defaults to “Move to Trash” if XProtect believes the file is suspicious. This is XProtect.

The XProtect system isn’t actually an AV engine as such – it uses the LSQuarantine technology (all applications on the App Store will be using this). Its behaviour is more consistent with blacklisting, but it does look for a pre-defined number of text strings and/or signatures in specific types of files. How useful it is depends on your viewpoint. Whitelisting and blacklisting have their place (think Gatekeeper), but so do heuristics, signature and behaviour-based detection. XProtect appears (without peeking at the code) to have basic functionality, whereby it can only remediate files downloaded from certain apps such as Mail, Messages, Safari and third-party apps.

But, and this is a big but, the ability to check apps depends on a setting being enabled in XProtect which would then verify a file as benign or suspicious. XProtect has serious limitations, as it depends on user interaction for protection (this isn’t too dissimilar to the User Account Control you find in Windows 7 and above – refer to: Managing your Windows 7 User Account Control (UAC)). For example, if a file is flagged in a dialog warning as suspicious, a user can indeed bypass this by choosing to ignore the alert. Not good at all.

There are other limitations with XProtect in that it doesn’t protect against BitTorrent downloads (though specific BitTorrent clients could use the feature to scan for suspicious DMG files), and doesn’t protect from files copied from any kind of removable media or files copied over a network. So is it useful? Any level of protection, however effective, is always welcome, so the simple answer is yes, it is useful. Just make sure you don’t ignore a dialog warning, and use, say, Virus Barrier or MacKeeper as your primary protection!
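To see which files the quarantine-based check described above would and would not cover, the following added example (not code from this post or from Apple) parses quarantine attribute values and lists files that carry none. It assumes the `com.apple.quarantine` extended attribute with the `flags;hex-timestamp;agent;UUID` layout, neither of which is named in the post; the file names and attribute values are constructed.

```python
import subprocess
from datetime import datetime, timezone

ATTR = "com.apple.quarantine"  # assumption: attribute set by quarantine-aware apps

def parse_quarantine(raw):
    """Parse 'flags;hex_epoch;agent;uuid'. Returns None if absent or malformed."""
    if not raw:
        return None
    parts = raw.strip().split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except ValueError:
        return None
    return {"flags": flags, "time": when, "agent": parts[2],
            "uuid": parts[3] if len(parts) > 3 else ""}

def read_quarantine(path):
    """Read the attribute with the macOS xattr tool; None if unset or unavailable."""
    try:
        out = subprocess.run(["xattr", "-p", ATTR, path],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout if out.returncode == 0 else None

def audit(attrs):
    """attrs maps path -> raw attribute (or None). Returns (tagged, untagged)."""
    parsed = {p: parse_quarantine(raw) for p, raw in attrs.items()}
    tagged = {p: i for p, i in parsed.items() if i}
    return tagged, sorted(p for p, i in parsed.items() if not i)

# Constructed sample values, standing in for read_quarantine() output.
SAMPLE = {
    "Installer.dmg": "0083;5f1e2d3c;Safari;A1B2C3D4-0000-0000-0000-000000000001",
    "torrent_download.dmg": None,   # client did not set the attribute
    "copied_from_usb.dmg": None,    # copied from removable media
    "damaged_attr.dmg": "zz;;",     # malformed value
}

if __name__ == "__main__":
    tagged, untagged = audit(SAMPLE)
    for path, info in tagged.items():
        print(f"{path}: tagged by {info['agent']} on {info['time']:%Y-%m-%d}")
    print("no usable quarantine attribute:", ", ".join(untagged))
```

On a Mac, build the input with `{p: read_quarantine(p) for p in paths}` to audit real files in a downloads folder.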

Safe surfing folks!
