Recently started looking into macOS’ XProtect and its satellites. There are a few interesting presentations and articles from previous research done in the last years. I mainly want to capture some of the ones that I already went through and found valuable before I publish some of my own findings, learnings and failures.

The following two presentations are particularly interesting on what XProtect is and XProtect Remediator:

• MDOYVR23 - Stuart Ashenbrenner - (dm)XProtect: Stop, Drop, Shut malware down before it opens up shop
• Black Hat USA 2025 | XUnprotect: Reverse Engineering macOS XProtect Remediator

I heard about XProtect before, maybe around end of 2024 or so, but never had the interest to research it. But with some of the latest updates related to clipboard pasting and ClickFix campaigns, my interest grew so I started looking into how this works. My own research, so far, for this XProtect feature hasn’t uncovered anything new than what is detailed in this high quality research done by Patrick Wardle.

That research also led me to XProtect BehaviorService, one of the less-discussed components in the XProtect ecosystem. I had the time to read two publications about this and found it particularly interesting and useful for detection and response work. The publications are:

• What do XProtect BehaviorService and Bastion rules do?
• Leveraging osquery to examine the XProtect Behavioral Service DB

Just as a note, on macOS 26.4 (not sure when this changed) the XPdb is in /private/var/protected/xprotect/db. In order to access the DB you’d need to disable SIP (in recovery mode, run csrutil disable).