Does Apple check apps for viruses?

Today, apps are among the most critical elements of a security architecture. Even as apps provide amazing productivity benefits for users, they also have the potential to negatively impact system security, stability, and user data if they’re not handled properly.

Because of this, Apple provides layers of protection to help ensure that apps are free of known malware and haven’t been tampered with. Additional protections enforce that access from apps to user data is carefully mediated. These security controls provide a stable, secure platform for apps, enabling thousands of developers to deliver hundreds of thousands of apps for iOS, iPadOS, and macOS—all without impacting system integrity. And users can access these apps on their Apple devices without undue fear of viruses, malware, or unauthorized attacks.

On iPhone, iPad, and iPod touch, all apps are obtained from the App Store—and all apps are sandboxed—to provide the tightest controls.

On Mac, many apps are obtained from the App Store, but Mac users also download and use apps from the internet. To safely support internet downloading, macOS layers additional controls. First, by default in macOS 10.15 or later, all Mac apps need to be notarized by Apple to launch. This requirement helps to ensure that these apps are free of known malware, without requiring that the apps be provided through the App Store. In addition, macOS includes state-of-the-art antivirus protection to block—and if necessary remove—malware.

As an additional control across platforms, sandboxing helps protect user data from unauthorized access by apps. And in macOS, data in critical areas is itself protected—which helps ensure that users remain in control of access to files in Desktop, Documents, Downloads, and other areas from all apps, whether the apps attempting access are themselves sandboxed or not.

The macOS native security capabilities and the third-party products they correspond to:

| Native capability | Third-party equivalent |
| --- | --- |
| Plug-in unapproved list, Safari extension unapproved list | Virus/Malware definitions |
| File Quarantine | Virus/Malware definitions |
| XProtect/YARA signatures | Virus/Malware definitions; endpoint protection |
| Gatekeeper | Endpoint protection; enforces code signing on apps to help ensure that only trusted software runs |
| eficheck (necessary for a Mac without an Apple T2 Security Chip) | Endpoint protection; rootkit detection |
| Application firewall | Endpoint protection; firewalling |
| Packet Filter (pf) | Firewall solutions |
| System Integrity Protection | Built into macOS |
| Mandatory Access Controls | Built into macOS |
| Kext exclude list | Built into macOS |
| Mandatory app code signing | Built into macOS |
| App notarization | Built into macOS |

Does Apple check apps for viruses?

Apple operates a threat intelligence process to quickly identify and block malware.

Three layers of defence

Malware defences are structured in three layers:

1. Prevent launch or execution of malware: App Store, or Gatekeeper combined with Notarisation

2. Block malware from running on customer systems: Gatekeeper, Notarisation and XProtect

3. Remediate malware that has executed: XProtect

The first layer of defence is designed to inhibit the distribution of malware and prevent it from launching even once — this is the goal of the App Store, and Gatekeeper combined with Notarisation.

The next layer of defence is to help ensure that if malware appears on any Mac, it’s quickly identified and blocked, both to halt spread and to remediate the Mac systems it’s already gained a foothold on. XProtect adds to this defence, along with Gatekeeper and Notarisation.

Finally, XProtect acts to remediate malware that has managed to successfully execute.

These protections, further described below, combine to support best-practice protection from viruses and malware. There are additional protections, particularly on a Mac with Apple silicon, to limit the potential damage of malware that does manage to execute. See Protecting app access to user data for ways that macOS can help protect user data from malware and Operating system integrity for ways macOS can limit the actions malware can take on the system.

Notarisation

Notarisation is a malware scanning service provided by Apple. Developers who want to distribute apps for macOS outside the App Store submit their apps for scanning as part of the distribution process. Apple scans this software for known malware and, if none is found, issues a Notarisation ticket. Typically, developers staple this ticket to their app so Gatekeeper can verify and launch the app, even offline.

Apple can also issue a revocation ticket for apps known to be malicious — even if they’ve been previously notarised; macOS regularly checks for new revocation tickets so that Gatekeeper has the latest information and can block launch of such files. This process can very quickly block malicious apps because updates happen in the background much more frequently than even the background updates that push new XProtect signatures. In addition, this protection can be applied to both apps that have been previously and those that haven’t.
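File Quarantine is what makes Gatekeeper evaluate a downloaded app at first launch, so an investigator often wants to know which files still carry the quarantine record, which agent created it and when. The following is an added example, not Apple's code; it shells out to the real macOS `xattr` tool and assumes the commonly observed (but not Apple-documented) attribute layout `<flags hex>;<unix seconds hex>;<agent>;<event UUID>`, with the UUID optional.

```python
"""Decode the com.apple.quarantine extended attribute that File Quarantine
sets on downloaded files and that Gatekeeper consults at first launch."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineRecord:
    flags: int                 # bit field; Apple does not document the individual bits
    downloaded_at: datetime    # when the quarantine record was created (UTC)
    agent: str                 # application that created the record, e.g. a browser
    uuid: Optional[str]        # key into the LaunchServices quarantine event database


def parse_quarantine(value: str) -> QuarantineRecord:
    """Decode an attribute value. Assumed layout (observed, not from Apple docs):
    '<flags hex>;<unix seconds hex>;<agent name>;<event UUID>', UUID optional."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineRecord(flags, when, parts[2], uuid)


def read_quarantine(path: str) -> Optional[QuarantineRecord]:
    """Return the decoded record for `path`, or None if the file carries no
    quarantine attribute. Uses the macOS `xattr` tool; returns None elsewhere."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:          # xattr not installed (non-macOS host)
        return None
    if out.returncode != 0 or not out.stdout.strip():
        return None
    return parse_quarantine(out.stdout)


def describe(rec: QuarantineRecord) -> str:
    return (f"quarantined by {rec.agent} at {rec.downloaded_at:%Y-%m-%d %H:%M:%S} UTC "
            f"(flags 0x{rec.flags:04x}, event {rec.uuid or 'n/a'})")


# Constructed sample value for offline use; not a real download record.
SAMPLE_VALUE = "0083;6523f0c0;Safari;4E2B8B0A-1C7F-4F2E-9A4D-0F3C2D1E5B6A"

if __name__ == "__main__":
    print(describe(parse_quarantine(SAMPLE_VALUE)))
```

Because the check keys on a file's presence in quarantine rather than on its hash, it complements the hash-based notarization revocation described above rather than replacing it.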

XProtect

macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. It uses YARA signatures (YARA is a tool for signature-based malware detection), which Apple updates regularly. Apple monitors for new malware infections and strains and updates signatures automatically — independent from system updates — to help defend a Mac from malware infections. XProtect automatically detects and blocks the execution of known malware. In macOS 10.15 or later, XProtect checks for known malicious content whenever:

  • An app is first launched

  • An app has been changed (in the file system)

  • XProtect signatures are updated

When XProtect detects known malware, the software is blocked and the user is notified and given the option to move the software to the Bin.

Note: Notarisation is effective against known files (or file hashes) and can be used on apps that have been previously launched. The signature-based rules of XProtect are more generic than a specific file hash, so it can find variants that Apple has not seen. XProtect scans only apps that have been changed or apps at first launch.

Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). It also removes malware upon receiving updated information, and it continues to periodically check for infections. XProtect doesn’t automatically reboot the Mac.

Automatic XProtect security updates

Apple issues the updates for XProtect automatically based on the latest threat intelligence available. By default, macOS checks for these updates daily. Notarisation updates, which are distributed using CloudKit sync, are much more frequent.

How Apple responds when new malware is discovered

When new malware is discovered, a number of steps may be performed:

  • Any associated Developer ID certificates are revoked.

  • Notarisation revocation tickets are issued for all files (apps and associated files).

  • XProtect signatures are developed and released.

    These signatures are also applied retroactively to previously notarised software and any new detections can result in one or more of the previous actions occurring.

Ultimately, a malware detection launches a series of steps over the seconds, hours and days that follow to propagate the best protections possible to Mac users.

Can Apple detect viruses on iPhone?

Since an iPhone cannot have a true virus, there is no way to scan for one. If your iOS version is up to date (currently iOS 15.5) and you have not jailbroken your iPhone or sideloaded apps, you have no risk of malware either.