How does the SDK retrieve the Real-time Protection state of XProtect on macOS?

This article applies to MetaDefender Endpoint Security SDK releases on macOS with XProtect.

Overview

This article explains how the SDK checks and reports the Real-Time Protection (RTP) status of XProtect on macOS. It also describes why we use this approach and the external guidance that shapes our logic.

SDK Implementation of GetRealTimeProtectionState for XProtect

This detection logic is based on publicly available third-party security guidance (recognized by Apple). It may not fully reflect Apple’s internal implementation or any undocumented behavior.

On macOS Sequoia and later: if the xprotect CLI tool is available, we use it to query the RTP state directly.

On earlier macOS versions: since the CLI tool is not available, we instead check whether the following XProtect services are loaded:

  • com.apple.XprotectFramework.PluginService
  • com.apple.XProtect.daemon.scan

If both services are loaded, we report RTP as enabled. If either one is missing, RTP is considered disabled.
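The two-branch check described above, written out as a shell script. This is an added example, not OPSWAT SDK code. It assumes things the article does not state: that the xprotect CLI is found on PATH and accepts a status subcommand, and that launchctl list prints one loaded job per line with the label in the last column. The launchd listings used for the sample evaluation are constructed.

```shell
#!/bin/sh
# Added example (not OPSWAT SDK code): re-creates the XProtect RTP detection rule.
# Assumptions not stated on the page: the xprotect CLI is on PATH and accepts a
# "status" subcommand; `launchctl list` prints PID, Status and Label columns with
# one loaded job per line.

XPROTECT_PLUGIN="com.apple.XprotectFramework.PluginService"
XPROTECT_SCAN="com.apple.XProtect.daemon.scan"

# Pure function: takes `launchctl list` text and prints "enabled" only when BOTH
# XProtect services are loaded, "disabled" otherwise (the rule from the article).
rtp_state_from_launchctl() {
    labels=$(printf '%s\n' "$1" | awk 'NF { print $NF }')
    if printf '%s\n' "$labels" | grep -qxF "$XPROTECT_PLUGIN" &&
       printf '%s\n' "$labels" | grep -qxF "$XPROTECT_SCAN"; then
        echo enabled
    else
        echo disabled
    fi
}

# Live check: prefer the CLI (macOS Sequoia and later), otherwise fall back to
# inspecting which launchd jobs are loaded.
xprotect_rtp_state() {
    if command -v xprotect >/dev/null 2>&1; then
        xprotect status   # assumed subcommand; its output carries the RTP state
    else
        rtp_state_from_launchctl "$(launchctl list)"
    fi
}

# Constructed sample listings in the PID / Status / Label layout of launchctl.
SAMPLE_BOTH_LOADED="PID    Status  Label
123    0       com.apple.XprotectFramework.PluginService
456    0       com.apple.XProtect.daemon.scan
-      0       com.apple.Finder"
SAMPLE_SCAN_MISSING="PID    Status  Label
123    0       com.apple.XprotectFramework.PluginService
-      0       com.apple.Finder"

# Run the live probe only on macOS; elsewhere evaluate the constructed samples.
if [ "$(uname)" = Darwin ]; then
    xprotect_rtp_state
else
    echo "sample (both loaded): $(rtp_state_from_launchctl "$SAMPLE_BOTH_LOADED")"
    echo "sample (scan missing): $(rtp_state_from_launchctl "$SAMPLE_SCAN_MISSING")"
fi
```

The parsing is kept in a function that takes the listing as text so it can be exercised against captured output without root or a macOS host; note that the rule is strict, so a listing with only one of the two labels reports disabled, exactly as the article specifies.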

Why we use this logic

Apple does not provide:

  • Any official public document that explains XProtect’s logic or detection methods.
  • Any command or API that can programmatically enable, disable, or verify XProtect’s RTP state.

As a result, when implementing our RTP detection logic we found no Apple-published specification that could serve as an authoritative reference.

To make sure our method was aligned with accepted security practices, we followed guidance from the macOS Security Compliance Project (mSCP), which is maintained by the United States National Institute of Standards and Technology (NIST).

The mSCP provides a programmatic way to generate security guidance for macOS systems. One of its rules, os_anti_virus_installed, requires that:

“An approved antivirus product MUST be installed and configured to run.”

In this context, the antivirus product is XProtect.

Finally, Apple itself recognizes the mSCP on its official Platform Certifications page, which adds credibility to this reference.

References

If further assistance is required, please log a support case or chat with one of our support engineers.
