Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

fabrum

macrumors member
Original poster
Jan 15, 2021
48
3
ClamXAV says found trojan in XProtect.app called Trojan.OSX.Generic in the pathway: /Library/Apple/System/Library/CoreServices/XProtect.app

Is XProtect.app a genuine macOS file? Some posts that I found say that only XProtect.bundle is a legitimate macOS file. Please help! Should I delete it? MalwareBytes finds nothing on my mac!

thank you
 

DeltaMac

macrumors G5
Jul 30, 2003
13,720
4,563
Delaware
My opinion is that is suspicious.
XProtect.bundle is normal.
XProtect.app may not be correct.
That folder is likely to be protected by the system.
It may be a challenge to remove it. You should try using ClamXAV, which may be able to remove it (or should tell you how to proceed.
 

fdeawfawef

macrumors newbie
Sep 28, 2019
3
0
I have the same issue as fabrum. I ran the ClamXAV scan pre and post IOS 12.3 upgrade and the Trojan error showed in the post scan run. I have entered a support ticket with ClamXAV.
 

fdeawfawef

macrumors newbie
Sep 28, 2019
3
0
I have the same issue as fabrum. I ran the ClamXAV scan pre and post IOS 12.3 upgrade and the Trojan error showed in the post scan run. I have entered a support ticket with ClamXAV.
As well the STATUS in the ClamXAV window notes it as ERROR. the full trojan name reported is Trojan.OSX.Generic
 

fabrum

macrumors member
Original poster
Jan 15, 2021
48
3
I, too, have contacted ClamXAV. I posted to the Apple Communities Forums also, so far only one post which says that both XProtect.app and XProtect Bundle are legitimate. Other users input would be appreciated. Anyone with technical knowledge please post! Is there someone in Apple Corp that we can contact?
 

FNH15

macrumors 6502a
Apr 19, 2011
822
867
ClamXAV says found trojan in XProtect.app called Trojan.OSX.Generic in the pathway: /Library/Apple/System/Library/CoreServices/XProtect.app

Is XProtect.app a genuine macOS file? Some posts that I found say that only XProtect.bundle is a legitimate macOS file. Please help! Should I delete it? MalwareBytes finds nothing on my mac!

thank you

I’m inclined to think ClamXAV is wrong: https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web

XProtect is part of the built-in Apple AV.
 

WSE51

macrumors newbie
Oct 12, 2015
3
4
ClamXAV support replied to me this morning:


Janelle Richards (ClamXAV)
17 Mar 2022, 13:25 GMT

Hi William,

Thank you for your email, and I'm sorry you're experiencing this issue!

We are aware of XProtect being mistakenly quarantined as a Trojan by ClamXAV. This is a false positive. We have rectified this, and it shouldn't show up on your scan any more.

Going forward, we will be working to make sure that this does not happen again. However, if you do see it pop up again, not to worry! Nothing about this will damage your computer in any way.
We are currently looking into why this is happening, and what we can do to make sure it doesn't happen again in the future.

If you have any questions, please do not hesitate to contact us.

Kind regards,
Janelle
 

fdeawfawef

macrumors newbie
Sep 28, 2019
3
0
ClamXAV support replied to me this morning:


Janelle Richards (ClamXAV)
17 Mar 2022, 13:25 GMT

Hi William,

Thank you for your email, and I'm sorry you're experiencing this issue!

We are aware of XProtect being mistakenly quarantined as a Trojan by ClamXAV. This is a false positive. We have rectified this, and it shouldn't show up on your scan any more.

Going forward, we will be working to make sure that this does not happen again. However, if you do see it pop up again, not to worry! Nothing about this will damage your computer in any way.
We are currently looking into why this is happening, and what we can do to make sure it doesn't happen again in the future.

If you have any questions, please do not hesitate to contact us.

Kind regards,
Janelle
I received the same response and I re-ran the scan and the Trojan error did not show.
 

fabrum

macrumors member
Original poster
Jan 15, 2021
48
3
I too received the same message from ClamXAV. I want to know how they could be ignorant of a major security change by Apple Corp.
 

YanniDepp

macrumors 6502a
Dec 10, 2008
556
132
It's a false alarm.

Antivirus software works by looking for patterns of data in infected files. The software scans a file, sees that it matches a pattern, and assumes it's infected with that particular virus. This is what virus definition files are - just a big list of all the patterns of data and which viruses or malware they belong to.

If you have more than one anti-malware application, it's quite possible that one of the applications would pick up the other application's definition file, see the patterns, and assume it's infected. That's what's happening here - ClamAV has found XProtect's definition file, seen patterns it thinks are viruses, and assumes it's infected.

If you ever want to test your antivirus software safely, there's a test pattern you can use. Almost all antivirus software is programmed to pick it up as if it's a virus, but it's just a harmless text file designed to set off antivirus software. Just create a text file with this text and save it. Your antivirus software should trip immediately:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
 

bogdanw

macrumors 603
Mar 10, 2009
6,040
2,955
I want to know how they could be ignorant of a major security change by Apple Corp.
The is no mention of the XProtect.app in the release notes for Monterey 12.3.
https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes

There is no mention on the whole site for developers
XProtect_1.jpg


XProtect.app is not actually a GUI app at the moment, it’s just a folder with a number of services.

XProtect_2.jpg

Security through obscurity is just bad security practice in 2022.
 
  • Like
Reactions: Bazza1

FNH15

macrumors 6502a
Apr 19, 2011
822
867
The is no mention of the XProtect.app in the release notes for Monterey 12.3.
https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes

There is no mention on the whole site for developers
View attachment 1978469


XProtect.app is not actually a GUI app at the moment, it’s just a folder with a number of services.

View attachment 1978470

Security through obscurity is just bad security practice in 2022.

It’s clearly mentioned here: https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/web
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.