How to Check XProtect Version in Mac OS
Need to know what version of Gatekeeper and XProtect are installed on a Mac? You can find this information through the command line of Mac OS. Gatekeeper, MRT (Malware Removal Tool), and XProtect are all built-in features of Mac OS designed to prevent malware threats and other nefarious software from being installed or used on a Mac. These security features exist in the background and are updated with regular system software updates to Mac OS, but Apple will also push quiet updates to XProtect or MRT to add new definitions and block newfound threats.
Advanced users may wish to know what version of XProtect definitions is installed on a Mac. We’ll show you how you can check which XProtect version is on a Mac via the command line. This can be particularly useful for remote administration tasks using the ssh client, but it can be just as helpful to check XProtect versions on a local machine as well.
How to Check the XProtect Version on a Mac
The following commands are slightly different depending on the version of MacOS in use. Use whichever is appropriate for your system software release.
- Open the Terminal application (found in /Applications/Utilities/) and enter the following command string on a single line to read the contents of the XProtect plist and export the version number:
  Check XProtect Version on MacOS Catalina (10.15.x) & MacOS Mojave (10.14.x) and later:
  system_profiler SPInstallHistoryDataType | grep -A 5 "XProtectPlistConfigData"
  Check XProtect for MacOS High Sierra (10.13.x) and Sierra (10.12.x):
  defaults read /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist Version
- Hit the Return key and you will see something like the following, which indicates the version number of XProtect as well as the source and the install date of that XProtect version:
  Install Date: 2/11/20, 6:34 PM
- Optionally, you can trigger a manual update of the XProtect and Gatekeeper software update mechanism in Mac OS.
As mentioned, the method for macOS Catalina and Mojave will also show you the Xprotect update install date and time as well as the Xprotect version, which can be valuable information for sysadmins, IT workers, infosec, and general administrators.
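The `grep -A 5` form prints every XProtect entry recorded in the install history, so a Mac that has received several definition updates shows several versions. The sh functions below are an added example, not part of the original article: they keep only the highest-numbered entry and compare it against a required minimum. The sample history, its version numbers, and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: report the newest XProtect entry from install history.
# Assumption: a higher Version number means a newer definitions release.

# Constructed sample in the layout system_profiler prints (version numbers made up).
sample_history() {
cat <<'EOF'
    XProtectPlistConfigData:

      Version: 2110
      Source: Apple
      Install Date: 12/3/19, 9:12 AM

    MRTConfigData:

      Version: 1.54
      Source: Apple
      Install Date: 1/28/20, 4:02 PM

    XProtectPlistConfigData:

      Version: 2113
      Source: Apple
      Install Date: 2/11/20, 6:34 PM
EOF
}

# Read install history on stdin; print "version|install date" of the
# highest-numbered XProtect entry, or exit non-zero if there is none.
latest_xprotect() {
    awk '
        $1 == "XProtectPlistConfigData:" { in_x = 1; ver = 0; next }
        NF == 1 && $1 ~ /:$/             { in_x = 0; next }  # some other package
        in_x && $1 == "Version:"         { ver = $2 + 0 }
        in_x && $1 == "Install" && $2 == "Date:" {
            sub(/^[ \t]*Install Date:[ \t]*/, "")
            if (ver > best) { best = ver; when = $0 }
            in_x = 0
        }
        END { if (best) print best "|" when; else exit 1 }
    '
}

# Exit 0 if the newest XProtect version on stdin is at least $1,
# 1 if it is older, 2 if no XProtect entry was found.
xprotect_at_least() {
    latest=$(latest_xprotect) || return 2
    [ "${latest%%|*}" -ge "$1" ]
}

# On a Mac: system_profiler SPInstallHistoryDataType | xprotect_at_least 2113
sample_history | latest_xprotect
```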
These approaches have been tested on modern versions of Mac OS, though they may not work in earlier versions. Let us know in the comments below what you find with other releases of system software.
You can also use cat to dump the raw plist contents and grep for “Version” to discover the same data:
cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist | grep -A1 "Version"
The version number is going to be meaningless to most Mac users. It is mostly helpful to systems administrators, IT professionals, and those who work in security professions who want to check the exact version of XProtect definitions installed on a Mac, usually to make sure one or more computers have received an important security update.
Checking When XProtect was Last Updated
Another useful trick is to check when the XProtect malware definition plist file was last modified, either with stat or ls:
Or you can check with ls -l:
ls -l /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist
Either will show the last modification date of the Xprotect.plist file, which will tell you when it was last updated.
How to Check XProtect for Specific Threat Coverage
If the version is less relevant to you, perhaps you’d rather see if a specific threat or malware is included in the XProtect block list. This can be easily done by dumping the contents of the Xprotect plist file and scanning through the list manually, or again by using grep to look for a specific match.
For example, if you want to see if “OSX.Dok.B” is covered, you can grep the XProtect plist specifically for that match:
cat /System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.plist |grep -A1 "OSX.Dok.B"
If you see a match to what you searched for, it is included in the protection list.
This is Way Over My Head, How Can I Protect My Mac and Update Xprotect?
The average Mac user can make sure their system software and associated security updates are installed and up to date.
To make sure that Xprotect, MRT, and Gatekeeper are updated by Apple, you can set your Mac OS system software update settings as found in Apple menu > System Preferences > “App Store” to be like so:
Setting both “Automatically check for updates” and “Install system data files and security updates” and having stable sustained internet access should be sufficient to install critical background updates to Gatekeeper, MRT and XProtect as is, but updating system software to the latest available version of Mac OS and installing any available security updates is generally considered good security practice. You can also check all of the options for auto-updates, or just have Mac OS automatically install updates too, but however you adjust the settings be sure the “security updates” setting is enabled.
Do you have any other tips, tricks, or thoughts about Xprotect, MRT, and Gatekeeper security features, updating, versioning, or general status? Let us know in the comments!