macOS Catalina and later versions have a built-in anti-malware scanning service called XProtect Remediator (XPR). This service periodically checks for known malware on your Mac and attempts to remove it in a process known as remediation. However, XPR operates silently in the background and does not notify you when it scans or detects and removes malware. Instead, it records these events in a log, which can be accessed by third-party software. It’s important to note that XPR’s scans are scheduled to run once a day as both the user and root. Some users may notice warnings and strange behavior from XPR when using utilities such as XProCheck or browsing the log, but this is normal and healthy. Occasionally, XPR may not report scans within 24 hours due to the Mac not being awake and inactive at a suitable time. To ensure scans are performed, it’s recommended to leave your Mac running and idle for an hour or so. Users may also encounter reports of signature errors and aborted scans after installing an update to XPR, but these can be disregarded as XPR will restart itself and resume scans normally. If you restart your Mac soon after an update, you may not see these reports as the new version
https://eclecticlight.co/2023/08/12/why-macos-anti-malware-scans-can-behave-oddly/