macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. XProtect uses YARA signatures, which Apple updates regularly; YARA is a tool for signature-based detection of malware.
XProtect checks for known malicious content whenever:

- An app is first launched
- An app has been changed (in the file system)
- XProtect signatures are updated

If it detects malware, it moves it to the Bin.
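
Because the signatures are updated regularly, a defender may want to see what a given update changed. The following is an added example, not Apple's code or part of the original page: it parses the text of two versions of a YARA rules file and reports which rules were added, removed or modified. The function names `parse_rules` and `diff_rules` are hypothetical, and the sample rule sets are constructed, not real XProtect signatures.

```python
import hashlib
import re

# Rule header: optional "private"/"global", then "rule Name", optional tags, "{".
RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)[^{]*\{", re.M)

def parse_rules(text):
    """Map each rule name to a SHA-256 of its whitespace-normalised body."""
    rules = {}
    headers = list(RULE_HEADER.finditer(text))
    for i, m in enumerate(headers):
        # The body runs from this header to the next one (or end of file).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = " ".join(text[m.end():end].split())
        rules[m.group(1)] = hashlib.sha256(body.encode()).hexdigest()
    return rules

def diff_rules(old_text, new_text):
    """Report which rules an update added, removed or modified."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
    }

# Constructed sample rule sets (assumption: stand-ins for two signature versions).
OLD = '''
rule Example_Family_A { strings: $a = "constructed-marker-one" condition: $a }
rule Example_Family_B { strings: $b = { 63 6F 6E 73 74 } condition: $b }
rule Example_Family_D { strings: $d = "constructed-marker-four" condition: $d }
'''
NEW = '''
rule Example_Family_A { strings: $a = "constructed-marker-one"
                                 $a2 = "constructed-marker-two"
                        condition: any of them }
rule Example_Family_D { strings: $d = "constructed-marker-four" condition: $d }
rule Example_Family_C { strings: $c = "constructed-marker-three" condition: $c }
'''

if __name__ == "__main__":
    print(diff_rules(OLD, NEW))
```

Comments placed between two rules are hashed as part of the preceding rule's body, so a comment-only edit shows up as a change to that rule.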