Under Construction

Apple has added an anti-malware function to Mac OS X 10.6, Snow Leopard.

Apple has not given this function any "official" name.
A number of web sites have called this function "XProtect", based on the name of a file that contains information necessary to this function's operation.
The Xprotect file, called Xprotect.plist, is found in


  • This function only scans for malware in files downloaded with certain applications
  • Apple's anti-malware function doesn't scan for malware when files are copied in the Finder, from CDs, DVDs, USB thumb drives or network volumes
  • Apple does not detect all variants of the most common Trojan horse
  • Apple's anti-malware function doesn't scan meta-package (.mpkg) installer packages
  • Apple's anti-malware function does not repair infected files or infected Macs
  • Apple's anti-malware function in Snow Leopard does not offer Mac users serious protection from viruses and malware.
Apple Quarantine function:
Apple has been using a "quarantine" function for quite some time in browsers, Mail and iChat. This function spots when files are downloaded, received as attachments to e-mail messages, or received during chats, and sets an extended attribute (data not visible to users) on such files containing information about when a file was downloaded and with which application.

After mounting the disk image, if you double-click an executable file or installer package inside the disk image, the quarantine function spots the extended attribute and the system pops up a warning:

This will also occur if you download an executable or installer package in an archive. After extracting the executable, and double-clicking it, you'll see the above warning.

With malware, Apple's new function piggy-backs on this quarantine system to scan the file for malware, and, if it finds anything, the following is displayed:

How the Anti-Malware Function in Apple's Snow Leopard Works |
The Mac Security Blog (www.intego.com/mac-security-blog)

Return to Mac

last updated 18 Mar 2006