RIP XProtect and MRT?

Over a week ago, Thomas Reed of Malwarebytes reported new Mac malware in the form of CoinTicker. Unlike much of the malware affecting macOS over the last few months, detection and removal of CoinTicker looks like a perfect task for Apple’s built-in security tools XProtect and MRT. Apple’s response was rapid, as usual: it pushed a Gatekeeper update, which presumably ensured that the developer certificate used by CoinTicker is well and truly revoked.

Since then, over the last week, there have been no further security updates. There is no sign of a new set of ‘yara’ signatures to allow XProtect to detect this new malware, nor has there been any update to MRT to remove it.

What’s more, there hasn’t been any change in XProtect’s detection signatures since 13 March 2018 (over 7 months ago), and the last time that MRT was updated to remove new malware was 19 June 2018 (over 4 months ago).
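For anyone wanting to check the same thing on their own Mac, here is an added script (not from the original post) that reads the XProtect and MRT bundle versions, counts the rules in XProtect’s yara file and reports how many days old each component is. The file paths are those used on Sierra through Mojave and are an assumption to confirm locally; the 90-day staleness limit is an arbitrary constructed threshold.

```python
import plistlib
import re
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional

# Assumed locations on Sierra / High Sierra / Mojave (confirm on your own Mac).
XPROTECT_INFO = Path("/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist")
XPROTECT_YARA = Path("/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara")
MRT_INFO = Path("/System/Library/CoreServices/MRT.app/Contents/Info.plist")

def bundle_version(info_plist: Path) -> Optional[str]:
    """Return CFBundleShortVersionString from an Info.plist, or None if unreadable."""
    try:
        with info_plist.open("rb") as fh:
            value = plistlib.load(fh).get("CFBundleShortVersionString")
    except (OSError, plistlib.InvalidFileException):
        return None
    return None if value is None else str(value)

def yara_rule_names(yara_text: str) -> List[str]:
    """Names of the rules in an XProtect-style yara file (one 'rule NAME' per signature)."""
    return re.findall(r"^\s*rule\s+(\w+)", yara_text, re.MULTILINE)

def days_since(path: Path, now: Optional[datetime] = None) -> Optional[int]:
    """Age of a file's last modification in whole days; None if the file is missing."""
    if not path.exists():
        return None
    now = now or datetime.now()
    return (now - datetime.fromtimestamp(path.stat().st_mtime)).days

def staleness(days: Optional[int], limit_days: int = 90) -> str:
    """Classify an update age against a limit; 'unknown' when the component is absent."""
    if days is None:
        return "unknown"
    return "stale" if days > limit_days else "fresh"

def report(now: Optional[datetime] = None) -> Dict[str, object]:
    """Collect versions, rule count and ages for XProtect and MRT on this Mac."""
    rules = yara_rule_names(XPROTECT_YARA.read_text(errors="replace")) if XPROTECT_YARA.exists() else []
    xp_age, mrt_age = days_since(XPROTECT_YARA, now), days_since(MRT_INFO, now)
    return {
        "xprotect_version": bundle_version(XPROTECT_INFO), "xprotect_rules": len(rules),
        "xprotect_age_days": xp_age, "xprotect_status": staleness(xp_age),
        "mrt_version": bundle_version(MRT_INFO),
        "mrt_age_days": mrt_age, "mrt_status": staleness(mrt_age),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a Mac that lacks one of the bundles the status reads "unknown" rather than failing, so the script can also be run on machines where the tools have been removed.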

So the question we should all be asking is whether Apple is continuing to support XProtect and MRT, or whether it has let them die in silence.

Presumably both XProtect and MRT report back to Apple when they do detect malware, and Apple has most likely seen a steep decline in those reports. What Apple hasn’t had, of course, are any reports of Macs which have detected CoinTicker or any other recent malware, as macOS doesn’t seem able to detect anything nasty released or revised over the last seven months.

Since the arrival of the first beta-release of Mojave, there have been sporadic rumours about new malware protection coming in macOS. Despite a plethora of new and changed security systems, such as TCC and DataVaults, Apple hasn’t identified any such replacement for XProtect and MRT, and the latest notes about security updates don’t mention one either.

Besides, even if Mojave 10.14.2 were to bring something wonderfully new, there are many Macs which are stuck with Sierra or High Sierra which would need a retrofit if they were to remain protected after the demise of XProtect and MRT. Discontinuing support for these established security tools would expose millions of Mac users as fair game to attackers.

Apple has recently been publishing a great deal about privacy, where it can see clear water between its products and those of its competitors. Tim Cook’s fourth essential principle of privacy as a fundamental human right states that “security is at the heart of all data privacy and privacy rights.” And those new and glossy privacy pages repeatedly refer to data being “secure”.

Yet at the moment, macOS users should be concerned about whether Apple’s computer operating system detects or removes recent malware like CoinTicker. What security protection does Mojave now have, and what does Apple still support for High Sierra and Sierra?

Silence is not an answer.