FAQ
Do I need separate antivirus and firewall software on macOS?
No, you do not need separate antivirus or firewall software on macOS. On both macOS and Windows, the built-in antivirus and firewall are sufficient — nowadays they already provide a very good level of security, and on Mac this has always been the case. Normally these are enabled by default, but they can be turned off by the user. If that happens, XFA will flag it.
How frequently does the XFA agent run checks?
The XFA agent runs checks and reports the status approximately every 6 hours. The exact interval is varied slightly so that a user's active hours cannot be inferred from the timing of the reports. Whenever XFA is opened on the device, a check is also performed to ensure the data is recent; those results are reported as well, so the administrator always has the latest status.
What does XFA's "Secrets in Environment" check detect?
XFA scans for environment variables whose name suggests they contain sensitive credentials. We check for variable names containing patterns like:
- KEY (e.g. API_KEY, PRIVATE_KEY, AWS_ACCESS_KEY)
- TOKEN (e.g. AUTH_TOKEN, GITHUB_TOKEN)
- SECRET (e.g. CLIENT_SECRET, JWT_SECRET)
- PASSWORD / PASSWD (e.g. DB_PASSWORD)
- CREDENTIAL (e.g. AWS_CREDENTIAL)
- OAUTH (e.g. OAUTH_TOKEN)
- ENCRYPTION_KEY, SIGNING_KEY
Where do we look?
- Process environment — variables inherited by all child processes
- Shell environments (bash, zsh, fish) — variables set in shell config files
- Running process command lines — secrets passed as arguments (e.g. docker run -e API_KEY=xxx)
- macOS launchd session — variables inherited by GUI apps (IDEs, AI assistants)
- Windows registry — user and system-level environment variables
Why does this matter?
Secrets stored in environment variables are accessible to every process running in that context — including AI coding assistants, IDE plugins, and any tool launched from the terminal or desktop. This is a significant attack surface.
XFA only records the variable name (e.g. OPENAI_API_KEY), never the actual secret value.
We exclude known safe variables like PATH, HOME, SSH_AUTH_SOCK, locale settings, etc. to avoid false positives.
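As an added illustration of the name-based heuristic described above (this is not XFA's own code; the pattern list and the allowlist are constructed from the FAQ's examples and are assumptions about the real implementation), a small Python scanner that reports only variable names, both from an environment mapping and from docker-style command lines:

```python
import re
import shlex

# Name fragments the FAQ lists as indicators of credential-bearing variables.
# ENCRYPTION_KEY and SIGNING_KEY are covered by the KEY fragment.
SECRET_PATTERNS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASSWD", "CREDENTIAL", "OAUTH")

# Allowlist of well-known benign variables (constructed from the FAQ's examples
# plus locale variables; the real XFA list is not published on the page).
SAFE_NAMES = {"PATH", "HOME", "SSH_AUTH_SOCK", "LANG", "LANGUAGE"}
SAFE_PREFIXES = ("LC_",)

ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")


def is_secret_name(name: str) -> bool:
    """True if a variable name looks credential-bearing and is not allowlisted."""
    upper = name.upper()
    if upper in SAFE_NAMES or upper.startswith(SAFE_PREFIXES):
        return False
    return any(p in upper for p in SECRET_PATTERNS)


def find_secret_env_names(env) -> list:
    """Return sorted names (never values) of suspicious variables in a mapping."""
    return sorted(n for n in env if is_secret_name(n))


def find_secret_args(cmdline: str) -> list:
    """Names of secrets passed on a command line, either as leading NAME=value
    assignments or via docker-style -e / --env NAME=value options. Values are
    never returned, only the variable names."""
    found = []
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: nothing reliable to report
        return found
    leading = True  # still inside the NAME=value prefix before the command
    for i, arg in enumerate(argv):
        candidate = None
        if leading and ASSIGNMENT.fullmatch(arg):
            candidate = arg
        else:
            leading = False
            if arg in ("-e", "--env") and i + 1 < len(argv):
                candidate = argv[i + 1]
            elif arg.startswith("--env="):
                candidate = arg[len("--env="):]
        if candidate and "=" in candidate:
            name = candidate.split("=", 1)[0]
            if is_secret_name(name):
                found.append(name)
    return found
```

Substring matching on KEY deliberately errs toward over-reporting (it would also flag a name like KEYBOARD_LAYOUT), which is why an allowlist of known-benign names is part of the check.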