Something that Mac users didn’t see coming was the new XProtect update. The Mac's built-in anti-malware software now includes two new signatures that help detect and block Windows malware executables that can run on macOS.
The signatures in question are called ‘PE’ and ‘MACOS.d1e06b8’. The first one will detect Windows PE files, while the second one will be able to detect Windows executable files that are specifically made to run on Mac machines as well.
For those of you who are unfamiliar with XProtect, this is a signature-based system linked to Gatekeeper. To put it simply, XProtect is macOS’s built-in anti-malware protection. It is based on YARA rules and blacklists (YARA is an open-source tool created by Google for rudimentary malware inspections). XProtect examines apps on your device and ensures that they don’t match a list of known malicious applications.
If Gatekeeper finds a potentially dangerous file, it warns the user and also uses a form of quarantine, similar to the one seen on Windows devices. If anything suspicious is found on your Mac, the signature of the file in question will be checked against XProtect’s malware definition records.
With this latest upgrade, XProtect will now also be able to block typical ‘Windows’ malware, created to run on Mac machines.
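The ‘PE’ signature described above targets Windows PE files. As an added example (not Apple's XProtect rule, whose contents this article does not show), the Python code below performs the structural check commonly used to recognise a PE file: the `MZ` magic at offset 0 and a `PE\0\0` signature at the offset stored at 0x3C. The function names, file names and sample bytes are constructed for illustration.

```python
import struct

MZ_MAGIC = b"MZ"            # DOS header magic at offset 0
PE_MAGIC = b"PE\x00\x00"    # NT header signature
E_LFANEW_OFFSET = 0x3C      # offset of the 4-byte pointer to the NT header
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x86-64", 0xAA64: "arm64"}


def classify_pe(data: bytes):
    """Return the machine type name if data is a PE image, else None."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return None
    (nt_offset,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # Signature (4 bytes) + Machine field (2 bytes) must lie inside the file,
    # otherwise a bogus pointer would make us read past the end.
    if nt_offset + 6 > len(data):
        return None
    if data[nt_offset:nt_offset + 4] != PE_MAGIC:
        return None
    (machine,) = struct.unpack_from("<H", data, nt_offset + 4)
    return MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})")


def build_sample_pe(machine: int, nt_offset: int = 0x80) -> bytes:
    """Construct a minimal header-only sample (not a runnable program)."""
    buf = bytearray(nt_offset + 6)
    buf[0:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, nt_offset)
    buf[nt_offset:nt_offset + 4] = PE_MAGIC
    struct.pack_into("<H", buf, nt_offset + 4, machine)
    return bytes(buf)


# Constructed inputs: a PE header, a Mach-O magic, an MZ stub with a bad pointer.
SAMPLES = {
    "installer.exe": build_sample_pe(0x8664),
    "native_macho": b"\xcf\xfa\xed\xfe" + bytes(60),
    "truncated.exe": b"MZ" + bytes(58) + struct.pack("<I", 0xFFFF),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_pe(blob) or 'not a PE file'}")
```

A match on this structure only says the file is a Windows executable format; whether it is malicious is a separate question that content-specific signatures answer.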