This week has seen a couple of surprise updates from Apple: on Tuesday, it pushed an update to XProtect’s data files, bringing them to version 2101; the very next day it pushed an update to its malware removal tool MRT, bringing it up from version 1.35 to 1.38.
The last time that Apple updated detection signatures in XProtect was 13 March 2018, in version 2099. Since then, it has only updated the minimum acceptable version number for Adobe’s Flash Player to run.
MRT’s last version was pushed on 19 June 2018, and there has been no sign of the missing versions 1.36 or 1.37.
Unlike XProtect’s data files, which are plain text and so readily readable, MRT is supplied as a closed app. Looking through its string content shows that version 1.38 does bring significant additions. However, while Apple used to use generally-recognised names for the malware detected and removed, the binary code in MRT now uses cryptic internal code names, making it effectively impossible to know what changes have been made in terms of protection.
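Because both of these updates arrive silently, the practical check is to read the version each bundle reports and compare it with the versions named above. The following script is an added example, not code from the original post: it parses the `CFBundleShortVersionString` of each bundle’s Info.plist with `plistlib` and classifies the result as current, outdated or newer. The bundle paths under `DEFAULT_PATHS` are assumed locations for macOS 10.14 and earlier, and the plists in `SAMPLE_PLISTS` are constructed so the script runs anywhere.

```python
"""Check installed XProtect and MRT versions against those named in the post.

The sample plists below are constructed stand-ins for each bundle's
Info.plist; on a Mac, call check_installed() to read the real files.
"""
import plistlib
from pathlib import Path

# Versions named in the post: XProtect data 2101, MRT 1.38.
EXPECTED = {"XProtect": "2101", "MRT": "1.38"}

# Assumed bundle locations (macOS 10.14 and earlier); not taken from the post.
DEFAULT_PATHS = {
    "XProtect": "/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist",
    "MRT": "/System/Library/CoreServices/MRT.app/Contents/Info.plist",
}


def version_tuple(v):
    """Turn '1.38' into (1, 38) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))


def read_bundle_version(plist_bytes):
    """Return CFBundleShortVersionString from the bytes of an Info.plist."""
    info = plistlib.loads(plist_bytes)
    return str(info["CFBundleShortVersionString"])


def assess(name, installed, expected=EXPECTED):
    """Classify an installed version as 'current', 'outdated' or 'newer'."""
    have, want = version_tuple(installed), version_tuple(expected[name])
    if have == want:
        return "current"
    return "outdated" if have < want else "newer"


def check_installed(paths=DEFAULT_PATHS, expected=EXPECTED):
    """Read each bundle's plist from disk; a missing bundle reports 'absent'."""
    report = {}
    for name, path in paths.items():
        plist = Path(path)
        if not plist.exists():
            report[name] = ("absent", None)
            continue
        version = read_bundle_version(plist.read_bytes())
        report[name] = (assess(name, version, expected), version)
    return report


# Constructed plists standing in for a Mac that received MRT 1.38 but still
# carries the March 2018 XProtect data (version 2099).
SAMPLE_PLISTS = {
    "XProtect": plistlib.dumps({
        "CFBundleIdentifier": "com.apple.XProtect",
        "CFBundleShortVersionString": "2099",
    }),
    "MRT": plistlib.dumps({
        "CFBundleIdentifier": "com.apple.MRT",
        "CFBundleShortVersionString": "1.38",
    }),
}


def check_samples():
    """Run the same assessment over the constructed plists instead of disk."""
    report = {}
    for name, data in SAMPLE_PLISTS.items():
        version = read_bundle_version(data)
        report[name] = (assess(name, version), version)
    return report


if __name__ == "__main__":
    for name, (status, version) in check_samples().items():
        print(f"{name}: {version} ({status})")
```

On a real Mac, `check_installed()` reads the two bundles and returns the same shape of report; an `outdated` entry means the silent update has not yet arrived, and `absent` means the bundle is not at the assumed path on that macOS version.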
Meanwhile, Apple’s programme to get all third-party apps which aren’t shipped through the App Store checked and notarized is gathering pace. Apple has announced that in the Spring of 2019, it will make the first launching of notarized apps more distinctive than it is at present. It is still on course to require all apps with third-party certificates either to be supplied through the App Store or to be notarized.
That means that at some time, probably in 2019, macOS will cease running newly-installed apps which rely only on a developer signature. Apple hasn’t announced when that will occur, but it is generally thought that it will be introduced in macOS 10.15.
Meanwhile, it is rumoured that malware authors are exploring how they can circumvent the additional security imposed by notarization, either by exploiting bugs which might allow non-notarized apps to run as if they had been notarized, or by cheating Apple’s scrutiny and getting malware notarized.
One significant area which Apple has yet to address is the notarization of command tools. Although command tools can have security certificates attached, most don’t and macOS seems quite happy to run them without. I believe that it may now be possible to get command tools notarized, but this isn’t (yet) a regular feature of Xcode, and I don’t know of any command tools which are now notarized.
Another issue which Apple seems to be addressing is the need for users to be able to run their own un-notarized apps, such as those built using Automator and AppleScript. Its wording in respect of the future requirement for notarization appears to limit that to apps built by others. It seems likely that user-built apps will be self-certified and not need to undergo any process such as notarization.
So where does this leave users as far as built-in security protection is concerned?
If you’re not yet running Mojave, then MRT is clearly still being supported, but it looks like Apple has abandoned the YARA-based signature checks of XProtect. Because your macOS cannot check whether apps have been notarized either, if you install apps which originate from outside the App Store or thoroughly secure sources (such as Microsoft or Adobe), then you shouldn’t expect macOS to protect your Mac from malware. Chances are it won’t. You should now be looking at a good anti-malware product such as Malwarebytes, if you don’t already use one.
If you’re running Mojave, the situation isn’t as clear cut. If you install software which isn’t notarized from sources which could have been hacked or might even be malicious, then you clearly need additional protection, at least until notarization becomes mandatory. It’s always possible to get caught by a malicious website or online exploit, but again the chances of that happening depend greatly on the sites that you visit, the online activities you engage in (cryptocurrency trading has been targeted), and your susceptibility to exploitation (which we always underestimate).
It is – and always has been – true that good third-party anti-malware software is important for Macs. Whether you need it is a matter of risk assessment. Simply assuming that running the latest version of macOS will protect you is dangerous, and everyone using an older version should think again whether their protection is now sufficient.