
XProtect.app unchecked in Full Disk Access pane of System Preferences/Security & Privacy/Privacy

Just noticed that in Monterey 12.4, XProtect.app is showing up in the Full Disk Access pane of System Preferences/Security & Privacy/Privacy, and it is unchecked. It is not showing up in Files and Folders.


This seems odd, as XProtect is part of the builtin security framework for Mac OS, and it needs access to anywhere an application is located, so that it can be checked on launch as needed. I would think it would be enabled by default, invisible in these panes, and not controllable by users through the GUI.


XProtect.App on my Mac is located in what appears to be the correct folder (/Library/Apple/System/Library/CoreServices), it has a valid code signature, and it is cleared by VirusTotal.

Therefore, it seems it's unlikely that it's been hacked, but conceivably malware altered its permissions.


Since all my other devices (both iPhones and Macs) have been systematically hacked, I'm just checking, in an abundance of caution, to see what others here see on their Macs and whether this is normal or not.


Thanks.







MacBook Pro 16″, macOS 12.4

Posted on Jun 22, 2022 6:05 PM

Question marked as Best reply

Posted on Jun 23, 2022 9:16 AM

builtinbc wrote:

Just noticed that in Monterey 12.4, XProtect.app is showing up in the Full Disk Access pane of System Preferences/Security & Privacy/Privacy, and it is unchecked. It is not showing up in Files and Folders



Can you show a screen shot of this situation...


Shift Command 5

Take screenshots or screen recordings on Mac - Apple Support



You cannot tamper with the XProtect part of the quarantine system, as it is stored in folders which are protected by SIP.


What is the status of SIP? From your Terminal.app, copy and paste:

csrutil status



Also from Terminal, let's see the Gatekeeper status; copy and paste:

spctl --status



Also, checking the status of FileVault encryption; copy & paste:

fdesetup status




XProtect shows up in Full Disk Access and by default is unchecked — this seems normal

XProtect is not restricted in Files and Folders (i.e. not listed) — this seems normal

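Added example (not from this thread, and not Apple's or any contributor's code): a small shell script that takes the three Terminal checks asked for above (csrutil status, spctl --status, fdesetup status), reduces each one-line output to a PASS/WARN verdict, and adds a codesign verification of the XProtect.app bundle at the path given in the original post. Assumptions: the exact wording of the status lines ("System Integrity Protection status: enabled.", "assessments enabled", "FileVault is On.") as printed on Monterey, and that `codesign --verify -R='anchor apple'` is the right way to demand an Apple-anchored signature. The parsers take the command output as an argument, so they can be tried against constructed strings on any system.

```shell
#!/bin/sh
# Added example: collect the SIP / Gatekeeper / FileVault status checks from
# the thread plus a signature check on XProtect.app, and print one verdict
# line per check. Parsing is separated from running the commands so the
# parsers can be exercised with constructed output on a non-macOS box.

# Path quoted in the original post.
XPROTECT_APP="/Library/Apple/System/Library/CoreServices/XProtect.app"

# csrutil status prints "System Integrity Protection status: enabled." (assumed wording)
sip_enabled() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# spctl --status prints "assessments enabled" or "assessments disabled" (assumed wording)
gatekeeper_enabled() {
    printf '%s\n' "$1" | grep -qi 'assessments enabled'
}

# fdesetup status prints "FileVault is On." or "FileVault is Off." (assumed wording)
filevault_on() {
    printf '%s\n' "$1" | grep -qi 'FileVault is On'
}

# Apply a parser to one command's output and print a verdict line.
# Returns 0 for PASS, 1 for WARN, so callers can accumulate an exit status.
report() {
    name="$1"; out="$2"; fn="$3"
    if "$fn" "$out"; then
        printf 'PASS  %-10s %s\n' "$name" "$out"
        return 0
    fi
    printf 'WARN  %-10s %s\n' "$name" "$out"
    return 1
}

# Verify the bundle's signature and require it to chain to Apple's root.
# Assumption: '-R=anchor apple' is the codesign requirement-string syntax for that.
xprotect_signature_ok() {
    app="${1:-$XPROTECT_APP}"
    [ -d "$app" ] || return 1
    codesign --verify --deep --strict "$app" 2>/dev/null &&
        codesign --verify -R='anchor apple' "$app" 2>/dev/null
}

# Live run: only meaningful on macOS; elsewhere the tools do not exist.
run_live_checks() {
    command -v csrutil >/dev/null 2>&1 || {
        echo "not macOS; skipping live checks"
        return 0
    }
    rc=0
    report SIP        "$(csrutil status 2>&1)"  sip_enabled        || rc=1
    report Gatekeeper "$(spctl --status 2>&1)"  gatekeeper_enabled || rc=1
    report FileVault  "$(fdesetup status 2>&1)" filevault_on       || rc=1
    if xprotect_signature_ok; then
        echo "PASS  XProtect   signature valid and anchored to Apple"
    else
        echo "WARN  XProtect   signature check failed or bundle missing"
        rc=1
    fi
    return $rc
}

run_live_checks
```

Save it as a file and run it with sh; off macOS it only reports that the live checks were skipped. A WARN on the XProtect line on a machine that also reports SIP enabled is the one result worth digging into further (with the full `codesign -dvv` output), since SIP should prevent anyone from altering that bundle in place; an unchecked Full Disk Access entry on its own is, as the reply above says, the normal default.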




13 replies

Jul 20, 2022 11:00 AM in response to PRP_53

Has anyone heard anything further about XProtect.app appearing unchecked in the "Full Disk Access" pane? I have heard that some add-on malware protection apps do this during the installation process, but since I have none, that's not the case for me. XProtect.app continues to reappear daily in the Full Disk Access pane after I remove it.


Barring further info, I guess I'll plop down some funds and get add-on malware detection and mitigation software :(


P.S. For anyone continuing to believe macOS is impervious to malware if one is cautious, read the 12.5 security content, study it, and understand that some of these are zero-click and in the wild.

About the security content of macOS Monterey 12.5 - Apple Support


Jun 29, 2022 8:52 AM in response to Luis Sequeira1

After a bit of digging around, there do seem to have been some recent changes to XProtect in recent versions of Monterey (https://eclecticlight.co/2022/06/12/last-week-on-my-mac-introducing-xprotect-remediator-successor-to-mrt/) which appear to have introduced XProtect.app in CoreServices. There's also some discussion here (https://forums.macrumors.com/threads/clamxav-says-found-trojan-in-xprotect-app.2338293/) around ClamXAV false positives for this new XProtect.app from March.


I'm not saying I have the answers here, and I'm still unsure why it would appear in the privacy prefs, but it's looking perhaps more benign/buggy than malicious.


P.S. Looking at today's EtreCheck Pro report, I'm seeing XProtect and XProtectPayload updates in June on my machines, but nothing out of the ordinary.

Jul 21, 2022 1:44 AM in response to BleedingEdgeTech

I don't think anybody says Monterey is impervious to malware.

All these vulnerabilities, however, could only be exploited if the user installs a malevolent application.

No third party "security" software can prevent that. These vulnerabilities are actually bugs in the OS that need fixing.

That is why keeping the OS up to date, especially the security updates that are often done, is very important.

If you were to download and install an application that exploited one of these bugs, no Bitdefender, Symantec or whatnot would do anything about it.


Jun 23, 2022 11:24 AM in response to leroydouglas

Same here, XProtect.app showed up in my "Full Disk Access" control panel and was unchecked. I'm sure this was recent, and I'm clueless how it got there.


If I'm not mistaken, being in that pane and unchecked would normally limit an app's access, whereas being checked would grant more access to the app.


Apple silicon M1 MBP; SIP, Gatekeeper, and FV enabled.

Jun 29, 2022 7:22 AM in response to builtinbc

Interesting, XProtect is appearing at all in Security & Privacy >> Full Disk Access


It certainly does not show up in my setups running Monterey 12.4 on a Mac mini M1 and an M1 MBA, also on Monterey 12.4.


Q - "it has a valid code signature, and it is cleared by VirusTotal."


A - I would not trust any third-party application or, in this case, a website that purports to scan any of my computers.


Understand, we are all working remotely from all around the world.


Therefore, we do not have the hands-on experience the user (you) has with this computer.




The next best thing for us to having actual hands-on experience with this computer is to follow the steps below.


Download the application EtreCheck directly from a well-respected ASC contributor. It is safe to use.


The application is free, or paid for added features.


Run the application with Full Disk Access (Security & Privacy - Full Disk Access).



It will take a snapshot of both the hardware and software.


The report will not reveal any personal information.


Post back the full report - copy and paste - using the Additional Text icon (3rd icon to last).



We can have a look at the report for possible issues and may have possible suggestions to resolve the issues.



Jun 29, 2022 8:41 AM in response to builtinbc

Same here - XProtect appears and is unchecked.


FWIW, I would not expect it to appear at all, since this is part of the system and obviously needs access.


The most obvious example is the Finder - nobody would consider denying it access to the drives, but still it does NOT appear in Full Disk Access. I think the same applies to all the relevant system services - probably everything in /System/Applications and /System/Library/CoreServices is exempt from these restrictions.

Jun 29, 2022 11:41 AM in response to leroydouglas

Leroy, apologies for the delay in responding. SIP and FileVault are enabled and spctl reports "assessments enabled" also.


P. Phillips - thank you for your suggestions. I'm familiar with EtreCheck and find it a very useful and trusted tool, thanks. I will respectfully decline your suggestion to post the output here, because there is a high probability that those responsible for hacking my devices know I've posted here and are monitoring this discussion, and the full output contains information that could facilitate tweaking to further avoid evasion. EtreCheck is, of course, a "third-party app". VirusTotal is not exactly an app, but a powerful web-based consensus virus and malware scanning tool that scans URLs and files on demand with over 60 tools and reports the calls of each, as well as a lot of other useful information. (There are desktop apps available as an interface, but the web engine submission portal works just fine in most cases in my experience). Its contributors include all the major antivirus/malware software companies.


Thanks to BleedingEdgeTech, Luis, and mbp_uk for your helpful feedback as well.

Jul 20, 2022 11:26 AM in response to BleedingEdgeTech

If it helps put your mind at rest, this occurred on two separate machines that I wiped only a few months ago (full disk erasure via recovery mode, fresh Monterey) and have installed very little third-party software on since. I'm extremely careful about what I install and where I install it from, and use a small suite of trusted security software from the outset. Given this, and based on what I've read around recent changes to XProtect, I'd be very surprised if this was the result of an infection or zero-day exploit. It's not impossible, but I have to imagine in this case it's highly unlikely.


With regards to security software, they shouldn't really interfere with your disk access settings beyond asking for their own permissions.
