Che cosa protegge / protegge XProtect su Mac OS X?

Il "sistema" Xprotect non è in realtà un motore AV in quanto tale. Cerca un numero molto limitato di stringhe di testo, o "firme", in tipi specifici di file. Per questo motivo, è di gran lunga meno utile di un vero programma AV (a te se pensi che sia necessario). Inoltre, controlla solo i file scaricati con determinate app: Safari, Mail, Messaggi e app di terze parti che hanno attivato un'impostazione per utilizzare Xprotect per controllare anche i loro file. Inoltre, imposta solo un flag sui file e dipende dall'interazione dell'utente per la protezione. Quindi un utente non esperto può vedere la finestra di dialogo che avverte che un file è pericoloso, ma continua a fare clic sul pulsante necessario per aprirlo.

Come dici tu, non protegge dai download di BitTorrent (anche se specifici client BitTorrent potrebbero utilizzare la funzione) e non protegge da file copiati da qualsiasi tipo di supporto rimovibile o file copiati su una rete.

Questa è la spiegazione di Apple:

About the "Are you sure you want to open it?" alert (File Quarantine / Known Malware Detection) in OS X

OS X improves download validation by providing file quarantine in applications that download files from the Internet. This means that downloads are checked for safety (known malware) when you try to open them.

File Quarantine

File quarantine-aware applications that download files from the Internet, or receive files from external sources (such as email attachments), attach quarantine attributes.

• Quarantine-aware applications include Safari, Messages, iChat and Mail.
• These attributes include date, time, and a record of where the file was downloaded from.

When you open a file received through a quarantine-aware application, OS X warns you where the file came from. You receive an alert asking, "Are you sure you want to open it?" You should click Cancel if you have any doubts about its safety.

If you have multiple user accounts on your Mac, the user account that downloaded the file is the only user account that can remove the quarantine attribute on a file. All other user accounts can open a quarantined file, but they are still presented with an alert asking "Are you sure you want to open it?" every time they open the file.
Known malware check

Mac OS X Snow Leopard v10.6 and later also check for known instances of "malware", or malicious software. When you open a quarantined file, OS X checks to see if it includes known malware. If so, an alert message similar to the following appears:

If you see "(file name) will damage your computer." You should click Move to Trash.

If the file is a disk image, you should click Eject Disk Image and then delete the source file.

Tip: Click the Help icon in the lower left corner of the alert message for more information about malware.

Blocking web plug-ins

To help limit exposure to potential "zero day" exploits from web plug-in enabled content, OS X also blocks specific versions of web plug-ins from functioning – including Java web apps, or Adobe Flash content. Typically an update to the web plug-in is available on the same day, or shortly after OS X blocks the web plug-in. Install the new update to restore web plug-in function.

Gatekeeper

OS X Lion v10.7.5 and later include Gatekeeper, a technology that allows developers to sign applications. Signed applications normally don't present an alert when you download and open them. Internet files downloaded from other applications get file quarantine attributes but without date, time, and link of the file downloaded.

Advanced users only

You can toggle the ability of File Quarantine to receive updates from Apple about malware and web plug-ins.

Important: Deselecting this option disables the ability to identify new malware, and leaves your Mac vulnerable to new malware without notification.

Fonte: Informazioni su "Sei sicuro di volerlo aprire?" avviso (File Quarantine / Rilevamento malware noto) in OS X