5.11 Ensure XProtect Is Running and Updated

Information

XProtect is Apple's native signature-based antivirus technology. XProtect both finds and blocks the execution of known malware. There are many AV and Endpoint Threat Detection and Response (ETDR) tools available for Mac OS. The native Apple provisioned tool looks for specific known malware and is completely integrated into the OS. No matter what other tools are being used, XProtect should have the latest signatures available.

Apple creates signatures for known malware that actually affects Macs and that knowledge should be leveraged.

Solution

Terminal Method:

Run the following command to enable and update XProtect:

% /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XProtect.daemon.scan.plist

% /usr/bin/sudo /bin/launchctl load -w /Library/Apple/System/Library/LaunchDaemons/com.apple.XprotectFramework.PluginService.plist

% /usr/bin/sudo /usr/sbin/softwareupdate -l --background-critical

softwareupdate[97180]: Triggering a background check with forced scan (critical and config-data updates only) ...

Note: Xprotect can only be enabled/disabled if SIP (System Integrity Protection) is disabled. If Xprotect is disabled, the system might be compromised and needs to be investigated.

Impact:

Some organizations may have effective Mac OS anti-malware tools that XProtect conflicts with.

See Also

https://workbench.cisecurity.org/benchmarks/18634

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-16, CSCv7|8.2, CSCv7|8.4

Plugin: Unix

Control ID: dedc3ba7e4384549b06d101dcba5fe3816d0b491bc8a4f2cb4eb6d45598b7dbc