Last Week on My Mac: Well-kept secrets, macOS malware protection

There was a time when anti-malware products were sold on the strength of how many and which malware they detected and removed. Now I cannot even get an idea of how many different malware products might affect macOS 10.11 to 10.13, nor how many of them current anti-malware products can protect against.

This is complicated by the existence of many synonyms for different malware variants: what Apple calls OSX.Machook.A in XProtect is elsewhere known simply as OSX/Machook, and most commonly as OSX/WireLurker, which might be the same as what Apple’s MRT refers to as OSX.WireLurker.A, but is presumably different from XProtect’s OSX.Machook.B.

Yesterday’s long listing of the malware from which macOS provides at least partial protection may have surprised you in its extent. Currently, XProtect should detect 86 different types of malware, and MRT should attempt to remove 51. Between them, they know around a hundred, perhaps as many as 115, depending on their conflicting terminology.

Because Apple doesn’t document their coverage, there are many misunderstandings. One claim made by an otherwise reputable vendor is that Apple’s anti-malware protection doesn’t tackle adware and unwanted software. It does: look through my list and you’ll see that XProtect blocks common ‘PUPs’ including no fewer than seven variants of Genieo, together with AdLoad, Mughthesec, and many more. Apple introduced one of its first anti-malware products back in May 2011, in Security Update 2011-003 for Mac OS X 10.6, to tackle and remove MacDefender.

If macOS does provide such extensive coverage against malware, where could it possibly fall short? To understand that, look at the life cycle of a malware product.

Like all software, malware undergoes product development and testing before release. Then comes the difference: the time interval from release to detection, and the deployment of countermeasures, which spells the end of product life.

For users, the crucial metric is the time between malware release and the deployment of countermeasures, although it is unusual to be able to get an accurate figure for the period between release and detection. So in practice, what we normally observe is the period between detection and the deployment of effective countermeasures.

To take a very recent example, Patrick Wardle of Objective-See released information about MaMi on 12 January 2018, and within five days, early on 17 January, Apple pushed an update which should be able to remove MaMi infection from your Mac. If we make the big assumption that MaMi was released shortly before 12 January, then the time that all Macs were at full risk from MaMi would have been less than a week.

Other examples give greater cause for concern. XcodeGhost probably first affected iOS apps in March 2015, and wasn’t detected until the middle of September 2015, six months later. By that time, it affected over three thousand different iOS apps, largely confined to the iOS App Store for China.

So long as XProtect and MRT rely on recognising known malware, the period between malware release and Apple’s pushed updates to protection will remain critical.

If you’re going to add third-party protection against malware, there seems little point in choosing a product which is also subject to a similar period of high risk. The best that you can hope for is that the additional anti-malware product will be slightly more effective, and its malware recognition data will be updated slightly earlier. It won’t alter the risk during the period between release and the deployment of countermeasures.

It makes much more sense to use a product which doesn’t suffer that same period of full risk. That requires it to base its detection not on known signatures, but on behaviours. Some of the best examples are Objective-See’s tools to watch and block mechanisms used for persistence – KnockKnock, BlockBlock, RansomWhere?, and OverSight, for instance. Sqwarq’s DetectX combines a signature-based approach with behavioural analysis. Little Snitch can make you aware of unexpected outgoing network connections which can be symptomatic of early malware infection.
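To make the signature-versus-behaviour distinction concrete, here is an added illustration in Python (constructed for this page, not code from the original post or from any of the tools named above): a signature check that only matches a hash it already knows, beside a few behavioural rules over a LaunchAgent plist that flag persistence traits whatever the payload’s hash. The hash list, the sample plists, the world-writable paths and the “two flags is suspicious” threshold are all assumptions, loosely modelled on what persistence monitors surface.

```python
import hashlib
import plistlib

# Constructed signature list: the SHA-256 of one "known" sample (placeholder, not a real IoC).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-sample").hexdigest()}

# Constructed behavioural rules for a LaunchAgent plist; these heuristics are assumptions
# chosen to illustrate the idea, not the rule set of any named product.
WORLD_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def signature_match(payload: bytes) -> bool:
    """Signature approach: only a payload whose hash is already known is flagged."""
    return hashlib.sha256(payload).hexdigest() in KNOWN_BAD_SHA256

def behaviour_flags(plist_bytes: bytes) -> list:
    """Behaviour approach: flag persistence traits regardless of the payload's hash."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    exe = args[0] if args else ""
    flags = []
    if job.get("RunAtLoad"):
        flags.append("RunAtLoad")
    if job.get("KeepAlive"):
        flags.append("KeepAlive")
    if exe.startswith(WORLD_WRITABLE):
        flags.append("exe-in-world-writable-dir")
    if any(part.startswith(".") for part in exe.split("/") if part):
        flags.append("hidden-path-component")
    if job.get("Label", "").startswith("com.apple."):
        flags.append("apple-style-label")  # third-party agent using an Apple-looking label
    return flags

def assess(payload: bytes, plist_bytes: bytes) -> dict:
    """Combine both views; two or more behavioural flags is treated as suspicious."""
    sig = signature_match(payload)
    flags = behaviour_flags(plist_bytes)
    return {"signature": sig, "behaviour": flags, "suspicious": sig or len(flags) >= 2}

# Constructed samples: one already in the signature list, one "day zero" variant that is not.
KNOWN_PAYLOAD = b"constructed-known-sample"
NOVEL_PAYLOAD = b"constructed-repacked-variant"
NOVEL_AGENT = plistlib.dumps({"Label": "com.apple.updatehelper", "RunAtLoad": True,
                              "KeepAlive": True, "ProgramArguments": ["/tmp/.helper/update"]})
BENIGN_AGENT = plistlib.dumps({"Label": "org.example.backup", "StartInterval": 3600,
                               "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/backup"]})

if __name__ == "__main__":
    print("known sample:", assess(KNOWN_PAYLOAD, BENIGN_AGENT))
    print("novel sample:", assess(NOVEL_PAYLOAD, NOVEL_AGENT))
```

The novel sample never matches the signature list, yet its persistence traits trip the behavioural rules immediately, which is the gap the paragraph above describes.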

What is most surprising about Apple’s current strategy against malware in macOS is not the extensive coverage afforded by XProtect and MRT, but its apparent lack of interest in monitoring behaviours. This is the more surprising because Apple’s own installers so often behave in ways which could be malicious. My most recent instance of this is the silent silent update, which bypasses both SIP and Apple’s own Install History.

For all the measures introduced in High Sierra to combat rogue kernel extensions, Apple shows no sign of introducing new strategies in protecting macOS against malware during the period of full risk between its release and the deployment of countermeasures. Until it does so, built-in protection will always be trying to catch up with the malware threat, and will never be prepared to meet it.