Information
XProtect is Apple's native signature-based antivirus technology. XProtect both finds and blocks the execution of known malware. There are many AV and Endpoint Threat Detection and Response (ETDR) tools available for Mac OS. The native Apple provisioned tool looks for specific known malware and is completely integrated into the OS. No matter what other tools are being used, XProtect should have the latest signatures available.
Apple creates signatures for known malware that actually affects Macs and that knowledge should be leveraged.
Solution
Run the following command to enable and update XProtect:
% /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist
% /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist
% /usr/bin/sudo /usr/sbin/softwareupdate -l --background-critical
softwareupdate[97180]: Triggering a background check with forced scan (critical and config-data updates only) ...
Note: Xprotect can only be enabled/disabled if SIP (System Integrity Protection) is disabled. If Xprotect is disabled, the system might be compromised and needs to be investigated.
Impact:
Some organizations may have effective Mac OS anti-malware tools that XProtect conflicts with.