XProtect is the behind-the-scenes, developer opted-in version of Windows Defender from what I can tell. Wouldn't it be nice if it was as well throught out and integrated as Defender?
This is kind of a brain and internet dump of random XProtect facts that could be helpful in building a bit of control, UI, definition updates and regular scans that leverage XProtect as it's core.
- A nice overview of XProtect: https://github.com/drduh/macOS-Security-and-Privacy-Guide#gatekeeper-and-xprotect
- How the quarantine mechanism works, anbd how details logs are kept: https://ilostmynotes.blogspot.com/2012/06/gatekeeper-xprotect-and-quarantine.html
- Snippets to quickly see what files have been scanned and quarantined: https://www.zoharbabin.com/hey-mac-i-dont-appreciate-you-spying-on-me-hidden-downloads-log-in-os-x/
- How to op-in your own apps for quarantine: https://eclecticlight.co/2020/07/10/how-macos-overrides-app-behaviour-including-quarantine/
- How to download definitions and trigger scans: https://macops.ca/os-x-admins-your-clients-are-not-getting-background-security-updates/
- XProtect definition syntax: https://eclecticlight.co/2020/10/27/xprotect-what-do-we-know-about-it/
- ObjectiveSee discussion on XProtect: https://objective-see.com/blog/blog_0x64.html
- XProtect update cycle issues: https://twitter.com/IntegoSecurity/status/1125910524519018497
It seems that following file is where you can opt-in your own apps: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/Exceptions.plist
The Additions item will contain entries that look like this for opt-ins:
<key>org.m0k.transmission</key>
<dict>
<key>LSApplicationCategoryType</key>
<string>public-category.internet</string>
<key>LSFileQuarantineEnabled</key>
<true/>
</dict>
XProtect data is stored in the following location: /System/Library/CoreServices/CoreTypes/XProtect*
Downloading latest XProtect definitions from Apple:
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true
sudo softwareupdate --background-critical
sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool false