FAQ
Do I need separate antivirus and firewall software on macOS?
No, you do not need separate antivirus or firewall software on macOS. On both macOS and Windows, the built-in antivirus and firewall are sufficient — nowadays they already provide a very good level of security, and on Mac this has always been the case. Normally these are enabled by default, but they can be turned off by the user. If that happens, XFA will flag it.
How frequently does the XFA agent run checks?
The XFA agent runs checks and reports the status approximately every 6 hours. The exact interval is varied slightly so that a device's active hours cannot be inferred from the timing of its reports. Whenever XFA is opened on the device, a check is also performed to ensure the data is recent; those results are reported too, so the administrator always has the latest status.
What does XFA's "Secrets in Environment" check detect?
XFA scans for environment variables whose name suggests they contain sensitive credentials. We check for variable names containing patterns like:
- KEY (e.g. API_KEY, PRIVATE_KEY, AWS_ACCESS_KEY)
- TOKEN (e.g. AUTH_TOKEN, GITHUB_TOKEN)
- SECRET (e.g. CLIENT_SECRET, JWT_SECRET)
- PASSWORD / PASSWD (e.g. DB_PASSWORD)
- CREDENTIAL (e.g. AWS_CREDENTIAL)
- OAUTH (e.g. OAUTH_TOKEN)
- ENCRYPTION_KEY, SIGNING_KEY
Where do we look?
- Process environment — variables inherited by all child processes
- Shell environments (bash, zsh, fish) — variables set in shell config files
- Running process command lines — secrets passed as arguments (e.g. docker run -e API_KEY=xxx)
- macOS launchd session — variables inherited by GUI apps (IDEs, AI assistants)
- Windows registry — user and system-level environment variables
Why does this matter?
Secrets stored in environment variables are accessible to every process running in that context — including AI coding assistants, IDE plugins, and any tool launched from the terminal or desktop. This is a significant attack surface.
XFA only records the variable name (e.g. OPENAI_API_KEY), never the actual secret value.
We exclude known safe variables like PATH, HOME, SSH_AUTH_SOCK, locale settings, etc. to avoid false positives.
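The detection logic described above, as an added illustration that is not XFA's own code: it matches variable names against the listed patterns, skips an assumed allow-list of known-safe names, and reports only names, never values, both for a process environment and for `-e`/`--env` arguments on a command line.

```python
import os
import re
from typing import Iterable, List, Mapping

# Name fragments the FAQ lists as indicating a credential.
# ENCRYPTION_KEY and SIGNING_KEY are covered by the KEY fragment.
SENSITIVE_PATTERN = re.compile(
    r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|OAUTH", re.IGNORECASE
)

# Assumed allow-list of well-known, non-secret variables; the FAQ names
# PATH, HOME, SSH_AUTH_SOCK and locale settings as examples.
SAFE_NAMES = {"PATH", "HOME", "SSH_AUTH_SOCK", "LANG", "LANGUAGE", "LC_ALL", "LC_CTYPE"}


def is_sensitive_name(name: str) -> bool:
    """True if the variable *name* looks like it holds a credential."""
    if name.upper() in SAFE_NAMES:
        return False
    return SENSITIVE_PATTERN.search(name) is not None


def scan_environment(env: Mapping[str, str]) -> List[str]:
    """Return the sorted names of suspicious variables; values are never kept."""
    return sorted(n for n in env if is_sensitive_name(n))


def scan_command_line(argv: Iterable[str]) -> List[str]:
    """Find secrets passed as arguments, e.g. `docker run -e API_KEY=xxx`.
    Handles `-e NAME=value`, `-e NAME`, `-eNAME=value`, `--env NAME=value`
    and `--env=NAME=value`. Only the variable name is reported."""
    found = set()
    args = list(argv)
    i = 0
    while i < len(args):
        arg, spec = args[i], None
        if arg in ("-e", "--env") and i + 1 < len(args):
            spec = args[i + 1]
            i += 1
        elif arg.startswith("--env="):
            spec = arg[len("--env="):]
        elif arg.startswith("-e") and len(arg) > 2:
            spec = arg[2:]
        if spec is not None:
            name = spec.split("=", 1)[0]  # drop the value after '='
            if is_sensitive_name(name):
                found.add(name)
        i += 1
    return sorted(found)


if __name__ == "__main__":
    for name in scan_environment(os.environ):
        print("suspicious variable:", name)
```

Because the match is purely name-based, names such as KEYBOARD_LAYOUT will also match; that is the trade-off the allow-list exists to manage.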
What does XFA's "Unattended remote access" check detect?
XFA checks whether third-party remote control tools are installed on your device and configured to allow unattended access. Unattended access means that someone can connect to your device remotely without you being present to approve the connection — effectively a persistent backdoor into your device.
Which tools are checked?
- TeamViewer
- AnyDesk
- Chrome Remote Desktop
XFA does not flag these tools simply for being installed. The check only triggers when unattended access is actively configured (e.g., a permanent password is set or a service is running that allows connections without on-screen approval).
Why does this matter?
Unlike standard remote sessions where you must accept an incoming connection, unattended access allows a third party to connect at any time without your knowledge. This creates a significant security risk, especially if the tool was installed by a third party (e.g., IT support, a contractor) and not removed afterwards.
How do I fix this?
To become compliant, you can either:
- Disable unattended access in the tool's settings (e.g., remove the permanent password in TeamViewer, disable the unattended access option in AnyDesk, or remove your device from Chrome Remote Desktop).
- Uninstall the remote control tool entirely if you no longer need it.
This check is separate from the built-in OS remote access checks (screen sharing, remote login, remote management, remote scripting), which only cover native operating system features.