How XProtect works is still something of a black box, but the latest iteration of the report sheds a little light on what happens:
“Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). This system removes malware upon receiving updated information, and it continues to periodically check for infections; however, XProtect doesn’t automatically restart the Mac. In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.”
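The passage above says signature and remediation updates arrive silently through "automatic updates of system data files", which means the only practical way to confirm they are landing is to look at what is installed. The POSIX shell check below is an added example, not code from the article or from Apple's guide. It assumes the macOS 10.15+ install locations of the XProtect signature bundle (`XProtect.bundle`) and the XProtect Remediator app (`XProtect.app`) under `/Library/Apple/System/Library/CoreServices`, parses `CFBundleShortVersionString` from each `Info.plist` with plain `sed` (so no `PlistBuddy` is needed), and compares it against a minimum you supply; the minimum values and the sample plist are constructed placeholders, and the sample is used only when the real bundle is absent so the script also runs on a non-Mac.

```shell
#!/bin/sh
# Added example: report the installed XProtect signature bundle and XProtect
# Remediator build, so an admin can confirm Apple's silent updates are landing.
# Assumptions: the two paths below are the macOS 10.15+ locations; the minimum
# versions passed to report_component are placeholders for your own fleet.

XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
XPR_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/Info.plist"

# plist_short_version FILE
# Print CFBundleShortVersionString from an XML plist using only tr and sed.
# Prints nothing when the key is absent.
plist_short_version() {
    tr -d '\n' < "$1" |
      sed -n 's|.*<key>CFBundleShortVersionString</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p'
}

# version_at_least VERSION MINIMUM
# XProtect signature versions are plain integers (e.g. 2180), so compare the
# leading integer part; returns 0 when VERSION >= MINIMUM, 1 otherwise.
version_at_least() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9].*//')
    min=$(printf '%s' "$2" | sed 's/[^0-9].*//')
    [ -n "$ver" ] && [ -n "$min" ] && [ "$ver" -ge "$min" ]
}

# report_component LABEL FILE MINIMUM
# Print one status line; exit non-zero if the component is missing or older
# than MINIMUM, so the function can drive a fleet health check.
report_component() {
    if [ ! -f "$2" ]; then
        echo "$1: not installed at $2"
        return 1
    fi
    v=$(plist_short_version "$2")
    if version_at_least "$v" "$3"; then
        echo "$1: $v (ok, >= $3)"
    else
        echo "$1: ${v:-unknown} (older than expected $3, check software update)"
        return 1
    fi
}

# Constructed sample plist so the parser can be exercised on a non-Mac.
SAMPLE_PLIST=$(mktemp)
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.XProtect</string>
    <key>CFBundleShortVersionString</key>
    <string>2180</string>
    <key>CFBundleVersion</key>
    <string>2180</string>
</dict>
</plist>
EOF

if [ -f "$XPROTECT_PLIST" ]; then
    # Placeholder minimums: replace with the versions Apple's latest update carries.
    report_component "XProtect signatures" "$XPROTECT_PLIST" 0
    report_component "XProtect Remediator" "$XPR_PLIST" 0
else
    report_component "XProtect signatures (sample plist)" "$SAMPLE_PLIST" 2000
fi
rm -f "$SAMPLE_PLIST"
```

On a real Mac the `system_profiler SPInstallHistoryDataType` output also lists the XProtect data-file installs with their dates, which is a useful cross-check when the version looks stale; note that, as the quote says, none of these updates restarts the machine, so a stale value usually means the update service is blocked rather than pending a reboot.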
As for App Store security, EU readers will note that this section hasn't yet been updated to cover what protection Apple provides around purchases made from third-party stores. That's likely to make interesting reading once it does appear. But the document does explain the five security processes that govern apps sold through the company's own App Store: automated malware scans, human review, manual checks, user reviews, and processes for correcting and removing bad or scam apps.