In reply to a post by ian_c:

A process called xProtect runs and phones Apple Towers, but the only reason I know is Little Snitch alerting me. If the check box is checked, it is automatic. Basically, as long as you are on the Net you will be up-to-date within 24 hours max.

Can you see xProtect running in Activity Monitor? or from a 'ps ax' in the terminal as I can't see any such process (...and yes I have installed the update).

In reply to a post by ian_c:

(As far as I can see, a simple uncheck and re-check forces it.)

Yes, so will a re-start.

I discovered one thing- if the computer is in sleep mode when update time comes around, it won't try again when it wakes up.

Could be a nuisance if you somehow get the update time set to the wee small hours!

XProtect operates by modifying the file type detection process, deep in the file system itself. See http://ithreats.net/2010/06/19/about-mac-os-x-v10-6-...

Basically, each file that is written by the OS is checked to see if it meets certain criteria. If it does, its metadata is tagged with a corresponding file type. Most file types are just those that relate files to specific applications, but the XProtect extension adds tags for files that should be quarantined.

Note the comment at the end of the above post. Since XProtect is only triggered by a file save action, it will not detect a pre-existing copy of a malware file, already running on your system. Apple may have moved forward on this since the post was written a year ago, since they need to deal with users with MacDefender already installed. But that may use a different process from XProtect itself.

So you won't see a separate process running, because it's done by the file I/O kernel itself.

XProtectUpdater is the process that calls home and gets the new version of the protection system signatures. It is called by launchctl - the Apple replacement for cron - and the entry that controls it is at /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist, which runs /usr/libexec/XProtectUpdater when it is first installed, and then every 86400 seconds thereafter, (24 hours). So it is launched on a schedule, updates the signature file, and then shuts down again.

In reply to a post by billford:

I discovered one thing- if the computer is in sleep mode when update time comes around, it won't try again when it wakes up.

Could be a nuisance if you somehow get the update time set to the wee small hours!

I'm surprised. Normally, a process controlled by launchctl will run the next time it can if the computer is asleep at the scheduled time. That's how all the other routine maintenance processes operate to rotate logs etc.

In reply to a post by AlanH:

I'm surprised.

I was too, but that's what (didn't) happen this morning, or tonight when I got back home.

It's only one instance so maybe something else interfered, but it might be worth keeping an eye on.

Ta, I was curious as I can see no mention of xProtect in the system log file and it had not updated itself today. I did the check/uncheck in the system prefs to prod it. The iMac is left on so I would have expected it to get the update.