XProtect (XProtect Antimalware) is a safe macOS security process.
XProtect Antimalware
XProtect is Apple's built-in antimalware system on macOS that automatically scans downloaded files and applications for known malware signatures. It runs silently in the background and checks files when they are first opened, when apps are launched, and when its signature database is updated by Apple. Starting with macOS Sonoma, XProtect also performs periodic background scans of the entire system for known malware.
High CPU usage during a background system scan, especially after an XProtect signature update
XProtectService or syspolicyd consuming resources while scanning large applications
Temporary slowdowns when opening newly downloaded apps for the first time
False positives blocking legitimate software from launching
XProtect background scans are temporary and typically complete within 30-60 minutes. If you notice high CPU from XProtectService, allow it to finish. These scans usually run after Apple pushes a new malware signature update and are checking your existing applications against new definitions.
Run 'system_profiler SPInstallHistoryDataType | grep -A 5 XProtect' in Terminal to see when XProtect was last updated. Apple pushes signature updates automatically, but you can force a check by going to System Settings > General > Software Update.
If XProtect blocks an app you trust, right-click (or Control-click) the app in Finder and select 'Open,' then click 'Open' in the dialog. For apps from identified developers, go to System Settings > Privacy & Security and click 'Open Anyway' next to the blocked app notification.
Run 'xprotect version' in Terminal (macOS Sonoma+) to check the current XProtect version and signature date. On older macOS versions, check '/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist' to verify the malware definition file exists and is recent.
XProtect using CPU during scans is normal and expected — it is actively protecting your Mac. Be concerned if XProtect appears to be disabled (no recent updates in Software Update history), if it has not updated in more than 2 weeks, or if you see repeated alerts about the same malware being detected without resolution. XProtect should work silently; persistent alerts may indicate an actual infection that requires deeper investigation.
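The recency check described above, written as a shell function. This is an added example, not Apple's or CoreLock's code. The plist path and the two-week threshold are taken from this page; treating the file's modification time as the date of the last definitions update is an assumption.

```shell
#!/bin/sh
# Added example: flag XProtect definitions that are missing or older than a limit.
# The default path and the 14-day limit are the ones quoted on this page.
# Assumption: the plist's modification time reflects the last definitions update.
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist"

# Print a file's mtime as epoch seconds (GNU stat first, then BSD/macOS stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null
}

# Usage: check_xprotect_defs [plist_path] [max_age_days]
# Prints one status line; returns 0 = recent, 1 = stale, 2 = missing or unreadable.
check_xprotect_defs() {
    plist=${1:-$XPROTECT_PLIST}
    max_days=${2:-14}

    # A missing or zero-length definitions file is treated the same way.
    if [ ! -s "$plist" ]; then
        echo "MISSING: $plist not found or empty"
        return 2
    fi

    mtime=$(file_mtime "$plist") || {
        echo "UNKNOWN: cannot read modification time of $plist"
        return 2
    }

    now=$(date +%s)
    age_days=$(( (now - mtime) / 86400 ))

    if [ "$age_days" -gt "$max_days" ]; then
        echo "STALE: definitions last changed $age_days days ago (limit $max_days)"
        return 1
    fi

    echo "OK: definitions last changed $age_days days ago"
    return 0
}
```

Source the file and call `check_xprotect_defs` with no arguments to test the default path, or pass another path and day limit.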
CoreLock works alongside XProtect to provide deeper malware detection and real-time process monitoring that goes beyond signature-based scanning. While XProtect checks files against known malware signatures, CoreLock monitors running process behavior for anomalies, detects zero-day threats through behavioral analysis, and provides alerts that XProtect's silent operation does not surface to users.
syspolicyd implements macOS Gatekeeper — the security feature that verifies applications are from identified developers ...
MRT (Malware Removal Tool) is Apple's built-in malware cleanup utility on macOS. Unlike XProtect, which prevents malware...
sandboxd enforces the macOS App Sandbox — a security technology that restricts what applications can access. When an app...
XProtect provides a baseline level of protection by detecting known malware signatures, but it is not a complete security solution. It only detects malware that Apple has already identified and added to its signature database. It does not provide real-time behavioral monitoring, network threat detection, or protection against zero-day threats. Additional security tools like CoreLock complement XProtect by covering these gaps.
Apple updates XProtect signatures regularly, typically several times per month, and sometimes urgently in response to new malware threats. These updates are delivered automatically through macOS software update and do not require a system restart. You can check your XProtect version in System Settings > General > Software Update by clicking on the information icon.
Under normal circumstances, XProtect has minimal performance impact. You may notice brief slowdowns when opening a newly downloaded application for the first time, as XProtect scans it before allowing it to run. Background system scans (on macOS Sonoma and later) may temporarily use noticeable CPU, but they run at low priority and complete within an hour.
You cannot and should not disable XProtect. It is integrated into the macOS security framework and protected by System Integrity Protection. It runs automatically with no user configuration required. Disabling it (even if technically possible via SIP bypass) would significantly reduce your Mac's protection against known malware threats.