https://cpus.me/tags/xprotect/ Recent content in Xprotect on cpus.me Hugo en-us Thu, 16 Apr 2026 00:00:00 +0000 https://cpus.me/2026/xprotect-behavior-service/ Thu, 16 Apr 2026 00:00:00 +0000 https://cpus.me/2026/xprotect-behavior-service/ <p>Recently started looking into macOS&rsquo; <code>XProtect</code> and its satellites. There are a few interesting presentations and articles from previous research done in the last years. I mainly want to capture some of the ones that I already went through and found valuable before I publish some of my own findings, learnings and failures.</p> <p>The following two presentations are particularly interesting on what <code>XProtect</code> is and <code>XProtect Remediator</code>:</p> <ul> <li><a href="https://youtu.be/43BIK-e7FBE?si=YWk-pVn_1CZk0kJ2">MDOYVR23 - Stuart Ashenbrenner - (dm)XProtect: Stop, Drop, Shut malware down before it opens up shop </a></li> <li><a href="https://youtu.be/1pJWqtBxb50?si=S6DyzwyJxFvT8SEB">Black Hat USA 2025 | XUnprotect: Reverse Engineering macOS XProtect Remediator </a></li> </ul> <p>I heard about <code>XProtect</code> before, maybe around end of 2024 or so, but never had the interest to research it. But with some of the latest updates related to clipboard pasting and <code>ClickFix</code> campaigns, my interest grew so I started looking into how this works. My own research, so far, for this <code>XProtect</code> feature hasn&rsquo;t uncovered anything new than what is detailed in this high quality research done by <a href="https://objective-see.org/blog/blog_0x87.html">Patrick Wardle</a>.</p>