Apple XProtect

Over the past couple of months Apple has blocked unsafe versions of Java and Flash on OS X systems. As a result, older Java and Flash versions suddenly stop working. Sometimes the software developer has to release a bugfix, or the user has to update to the latest version of the affected software.

So how can Apple remotely block software on your system? The answer is XProtect. This blog post gives a short overview of this protection mechanism.

Since OS X v10.6 the XProtect framework checks every download for malicious code. The XProtect definitions were originally updated through the normal OS X software update. Recently Apple released an update for the XProtect framework so that it checks for definition updates on its own. This way Apple can react faster to potential threats.

This mechanism is controlled by the XProtect.plist file, which can be found in the following location:

System -> Library -> CoreServices -> CoreTypes.bundle -> Contents -> Resources

In the same location you will also find the XProtect.meta.plist file. It contains the version number of the definitions, which is used to check whether an update is needed, and it lists the software that is blocked together with the minimum version that is still allowed.
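As an added example (not code from the original post), the following Python reads a file in the layout of XProtect.meta.plist and reports whether a given plug-in version falls under the block. The sample plist is constructed for this example, and the key names Version, PlugInBlacklist and MinimumPlugInBundleVersion as well as the version strings are assumptions, not values taken from the post.

```python
import plistlib

# Constructed sample in the layout of XProtect.meta.plist. The key names
# (Version, PlugInBlacklist, MinimumPlugInBundleVersion) and the version
# strings are assumptions for this example, not taken from the post.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Version</key>
  <integer>2042</integer>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>11.5.502.149</string>
      </dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.11.22</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def load_meta(data):
    """Parse plist bytes (XProtect.meta.plist is XML) into a dict."""
    return plistlib.loads(data)

def version_key(version):
    """'11.5.502.149' -> (11, 5, 502, 149): compare numerically per component,
    because plain string order would put 11.5.502.9 above 11.5.502.149."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0)
                 for p in version.split("."))

def minimum_versions(meta):
    """Flatten PlugInBlacklist into {bundle id: minimum allowed version}."""
    return {bid: entry["MinimumPlugInBundleVersion"]
            for plugins in meta.get("PlugInBlacklist", {}).values()
            for bid, entry in plugins.items()}

def is_blocked(meta, bundle_id, installed):
    """True when the installed version is below the minimum XProtect allows;
    a plug-in that is not listed at all is not blocked."""
    minimum = minimum_versions(meta).get(bundle_id)
    return minimum is not None and version_key(installed) < version_key(minimum)
```

Pointing load_meta at the real file lets you see, before a user complains, which installed plug-in versions the current definitions will refuse to load.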

When you open the XProtect.meta.plist file with a text editor, it is possible to change the string value for blocked software so that older versions become usable again. Keep in mind that the software was blocked for a reason.

It is also possible to turn the automatic update feature of XProtect off. You can do this in the following location:

Preferences -> Security -> General -> Advanced

Here you can choose to turn the automatic update feature off. If you want to force a manual update of the definitions, you can run the following command in a Terminal:

sudo launchctl start com.apple.xprotectupdater

It is nice to have a built-in solution that protects users. But always remember that XProtect is not an antivirus replacement. The on-access scanning of established antivirus products reacts a lot faster than the XProtect mechanism. To be as safe as possible I would suggest using XProtect in combination with an established antivirus product.