MRT & XProtect Remediator Logs
Location
/var/log/DiagnosticMessages/ and Unified Log entries (subsystem: com.apple.xprotect, com.apple.MRT)
Description
Malware Removal Tool (MRT) and XProtect Remediator are Apple's built-in malware scanning and removal tools. MRT runs periodically and after signature updates to scan for known malware families. XProtect Remediator performs regular background scans targeting specific malware threats, with an individual scan module for each malware family.
Forensic Value
MRT and XProtect Remediator scan results reveal whether known malware was detected and remediated on the system. The Unified Log captures detailed scan activity including which modules ran, what was scanned, and any detections or removal actions taken. A remediation event confirms the system was previously infected and the specific malware family involved. Gaps in scan execution history may indicate the attacker disabled or tampered with these security mechanisms. Correlating remediation timestamps with other forensic artifacts helps establish the initial infection timeline.
Tools Required
Collection Commands
log
log show --last 30d --predicate "subsystem == 'com.apple.xprotect'" > /forensics/xprotect_remediator_log.txt
log
log show --last 30d --predicate "process == 'MRT' OR process == 'XProtectRemediatorMRTv3'" > /forensics/mrt_log.txt
find
find /Library/Apple/System/Library/CoreServices/XProtect.bundle/ -type f -exec stat -f "%m %N" {} \; > /forensics/xprotect_bundle_info.txt
cp
sudo cp -r /var/log/DiagnosticMessages/ /forensics/diagnostic_messages/
Collection Constraints
- Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.