hoakley August 10, 2019 Macs, Technology

The ‘hardened runtime’ explained

Since the first of June this year, all newly-built apps supplied by developers outside the App Store have been required to be notarized. Although this may not have had as much impact on those using Mojave, notarization is going to be even more important in Catalina when it ships in the next few weeks or so. This doesn’t mean that you won’t be able to run apps which haven’t been notarized – you will still be able to run those which haven’t been signed at all – but any that you download from developers should be now.

Notarization brings with it two main benefits: to be notarized, the app’s developer has to submit it to Apple, who check it for malware. When you first run any notarized app you see a dialog informing you of that check. The other key requirement is that the app has been ‘hardened’. This involves a series of restrictions being placed on that app, which are intended to protect that app’s runtime integrity from certain types of exploits used by malware. These include code injection, the hijacking of dynamically-linked libraries (DLLs), and tampering with the app’s memory space.

For the great majority of apps, hardening causes no conflicts, but for some, such as those which rely on JIT compilation, or unsigned plug-ins or frameworks, hardening would prevent the app from doing its job. So Apple permits developers to opt in to relaxing some specific features of hardening when the app needs to.

Apps also now have to obtain entitlements for them to access protected resources such as your Mac’s camera and microphone, and private databases such as your calendars and address book. These are included in the options for hardened apps.

hardenedruntime

Developers, and users who are interested in discovering more about how this operates, should read the new documentation provided by Apple. This explains each of the options in detail, and suggests alternative solutions which could ensure more complete hardening.

For the majority of Mac apps, hardening and notarization aren’t onerous. Some builds take a bit of work to get them set up properly so that notarization is successful. I found this getting command tools notarized, but once I had worked out my workflow and run it a couple of times, the effort required to repeat it is fairly low.

Fears about Apple using this as some form of app review, as in the App Store, have proved unfounded, as have delays in waiting for notarization to be completed: the process normally only adds a few minutes to the preparation of each public release. We must hope that Apple has made this security call right, and that hardening and notarization prove beneficial to users, which is after all why we’re doing it.

26Comments

Add yours

1

David Brooks on August 10, 2019 at 7:59 am

Hi Howard

Because of my past experiences on my old iMac I don’t wish to experiment on THIS one! I should be most grateful if you would ‘test’ that the ClamXAV package passes the installation process as you have described above. Please let me know, one way or the other. Thanks.

Second point. Have you any experince of/with AIRO? https://www.airoav.com

David

LikeLiked by 1 person
- 2
  
  hoakley on August 10, 2019 at 8:23 am
  
  The commercial version of ClamXAV is notarized by Apple, and has been for several months now. Its installer and the app are also correctly signed using the right types of certificate from Apple, and its installer doesn’t appear to install anything in the least bit suspicious.
  No, I don’t have any knowledge or experience of AIRO, I’m afraid.
  Howard.
  
  LikeLiked by 1 person
- 3
  
  Joss on August 10, 2019 at 10:06 am
  
  Can confirm: I have ClamXAV 3, and it’s notarized, and Gatekeeper assessment says “accepted”.
  
  LikeLiked by 1 person
  - 4
    
    hoakley on August 10, 2019 at 10:08 am
    
    Thank you, Joss – that’s very kind.
    Howard.
    
    LikeLike
5

David B. on August 10, 2019 at 1:18 pm

Thank you! Here’s a screenshot:-

ClamXAV Uninstaller

In order to ‘run’ it, one has to *install* it.

*WHAT* does it install *on* to a Mac in order to _uninstall_ ClamXAV?

Is anything left behind AFTER running the Uninstaller software?

How best can one check?

David

LikeLiked by 1 person
- 6
  
  hoakley on August 10, 2019 at 2:36 pm
  
  Yes, in order to run ClamXAV you have run its installer, which installs the app and its supporting files.
  It doesn’t install anything in order to remove ClamXAV, as far as I can see from its installer. It simply removes old copies of ClamXAV, which is fairly standard.
  The only way to check if it uninstalls everything is to try it, then look to see what it may have left behind.
  Why do you ask?
  Howard.
  
  LikeLiked by 1 person
- 7
  
  Joss on August 11, 2019 at 10:02 am
  
  Several things to do to completely uninstall an app: (1) use an uninstaller like CleanApp, though this app (or rather its daemon) has to be running continually, and it has to be running *before* you install and run ClamXAV for the first time; (2) uninstall ClamXAV using CleanApp; obviously, points 1 & 2 are only relevant, if you have installed CleanApp or a similar third-party uninstaller app; (3) run the proprietary ClamXAV Uninstaller; (4) in case of apps like ClamXAV that come with a pkg installer, open the pkg in Suspicious Package (or Pacifist) and look at the files that get installed by the pkg, then manually check on your volume whether these files were actually removed by the ClamXAV uninstaller (if not, do it manually), and then manually go through the pre- and post-install scripts of the pkg to see if other stuff gets modified or created during installation, and then remove that too; please note that you might need to stop & unload any launch agents and daemons before you delete them; (5) use an app like FindAnyFile to search for “clam”, “clamav”, “ClamXAV” and “canimaansoftware” on your volume to detect any residual files, and delete them too (make sure you run FAF with root permissions, otherwise it won’t find everything). That’s basically my modus operandi when I need to uninstall an app.
  
  LikeLiked by 1 person
  - 8
    
    David B. on August 11, 2019 at 10:44 am
    
    Thank you for your contribution, Joss.
    
    Have you the time and/or inclination (!) to use the ClamXAV uninstaller on your computer and report here the procedure which you encounter?
    
    Also search your machine afterwards to determine what, if anything, remains?
    
    Have you, by chance, ever tried to communicate with ClamXAV on their Facebook page?https://www.facebook.com/clamxav
    
    LikeLike
    - 9
      
      hoakley on August 11, 2019 at 11:39 am
      
      David,
      I’m afraid that I had to edit your comment to remove potentially defamatory content.
      Howard.
      
      LikeLike
    - 10
      
      David B. on August 11, 2019 at 12:01 pm
      
      No problem, Howard. 🙂
      
      Do you know roughly (or even exactly!) how many people read your Blog?
      
      David
      
      LikeLiked by 1 person
    - 11
      
      hoakley on August 11, 2019 at 12:12 pm
      
      Last month, 65,000 distinct visitors viewed over 130,000 pages here, so it’s quite a few.
      Howard.
      
      LikeLike
  - 12
    
    Joss on August 11, 2019 at 9:30 pm
    
    I’m not on Facebook. Don’t do social media except for Twitter, and there only for infos on macOS & security. But I have had contact with the ClamXAV developers a couple of times over the years, and they were always quick to respond, and honest too. Even implemented one of my ideas.
    
    But I wouldn’t really want to uninstall ClamXAV, because I use it every day. Have been their customer since forever. Why? Because I support clamav (the original), I think it’s great simply because it exists, and because you can get millions of additional third-party malware definitions for it, which makes it (probably) the most potent signature-based AV product cross-platform, and frankly because I buy a lot of software and like to support smaller developers. 😉 I don’t use the main app, though, and I’ve also disabled the real-time protection sentry, which I believe is overkill, especially since anti-malware products on macOS are in my humble opinion snake oil (see below). Instead I use my own TouchBar shell script that utilizes the ClamXAV command line tools, which is basically the original clamav package with clamscan etc., plus an additional VirusTotal check, plus thorough code signature validations etc. including modified code, nested executables with different code signatures, change in bundle’s master signature compared to the last scan etc.… I run that on every download that contains (potential) executables, macros etc. So due to the CLI support, ClamXAV has a definite added value for me. But I’m always on the lookout for free third-party macOS malware definitions that would work with clamav. Then it might be OK to ditch ClamXAV and go back to the original clamav.
    
    As for anti-malware in general: I think it’s snake oil, and you’ll be totally fine without any AV product. If you don’t behave negligently online and locally, and if you use a good adblocker like AdGuard, then you’re already halfway there. macOS itself is pretty tight, starting with the Unix core, enhanced with SIP and now the read-only system container in Catalina, access restrictions without certain entitlements or user opt-in (TCC etc.), Gatekeeper & notarization, all of that so much better than Windows and in some aspects even OpenBSD, and of course XProtect and MRT. All of that is of course far from perfect, and I’d love to have a macOS built-in equivalent to Windows Defender, which is aeons ahead of XProtect/MRT due to behavioral & heuristic analyses, but you can remedy that yourself with the freeware tools by Objective-See, especially BlockBlock, RansomWhere, ReiKey and OverSight. You can also block command & control servers by installing additional software like Little Snitch (or Objective-See’s freeware LuLu). If you’re paranoid like me, you can always create your own security tools and scanners, or install XFENCE by F-Secure, which goes far beyond macOS when it comes to protecting read/write access to your files.
    
    So with all that, the built-in macOS tools and a couple of other security applications to account for Apple’s mediocre anti-malware policies in macOS, you should be pretty safe. If you still don’t want to live without an AV product, don’t go for real-time protection—it’s really overkill—, and just use Malwarebytes, use it as a freeware, and run a manual scan once a month or so… or go for ClamXAV, if you want CLI support like I do.
    
    LikeLiked by 1 person
  - 13
    
    Joss on August 11, 2019 at 9:40 pm
    
    And one important postscript: always stay up-to-date; I use CoreCode MacUpdater to always get the latest software updates, which is especially important when dealing with security software, and of course the macOS updates too, the small stuff like Gatekeeper, XProtect etc. Howard’s LockRattler is super valuable in this respect, but enabling automatic updates should also suffice (“Install system data files and security updates”) in System Preferences > Software Update.
    
    LikeLiked by 1 person
14

David B. on August 10, 2019 at 4:14 pm

Howard – you are normally so precise! Please read my post again and then reread your answer!

What I’d like to know is if YOU can install the UN-installer – does it follow the correct Apple procedures? (Like the IN-staller does)

Have you a machine ‘free’ upon which to install ClamXAV, then UN-install it and then check to see what may have been left behind?

David

LikeLiked by 1 person
- 15
  
  hoakley on August 10, 2019 at 4:22 pm
  
  I’m sorry, I don’t know of any uninstaller. I downloaded the ClamXAV installer, about which you asked questions, including whether it was notarized. I answered those, and Joss was kind enough to confirm my answers.
  If you suspect that an anti-malware product isn’t what it claims to be, then don’t use it. There’s plenty of choice, including established and ‘safe’ products from the likes of Malwarebytes.
  I’m afraid that if you want a product checked to see if it installs malware, you’ll need to ask a security researcher – that’s what they do professionally. And no, I don’t have a spare Mac here which I might use to examine potential malware; researchers normally use virtual machines, which I also don’t have available at present, although I’m likely to by the release of Catalina.
  Howard.
  
  LikeLiked by 1 person
16

David B. on August 10, 2019 at 5:20 pm

My turn to help you! 🙂

You’ll find the Uninstaller at the very bottom of this page: https://www.clamxav.com/support/FAQs/

What I was asking is ……. does this Uninstaller – which has to be IN-stalled (look closely again at the image I provided earlier) – follow the same Apple criteria for Notarization and Signing as the primary software package? I hope it won’t be too difficult a task for you to test it. Thanks.

David

LikeLiked by 1 person
- 17
  
  hoakley on August 10, 2019 at 5:34 pm
  
  That uninstaller is exactly what it claims: it contains Installer.app scripts which uninstall the entire ClamXAV installation, lock, stock and barrel. As it doesn’t contain an app or anything which it installs, it can’t be notarized. But it is correctly signed using the right type of Apple-issued certificate.
  Howard.
  
  LikeLike
18

Valdo on August 11, 2019 at 6:29 am

AIRO is kinda strange company, no address, no location…

LikeLiked by 1 person
- 19
  
  David B. on August 11, 2019 at 6:44 am
  
  AIRO is based in Israel. They attended the recent conference arranged by Patrick Wardle – you can spot their logo in the photos, here:- https://www.flickr.com/photos/objectivebythesea/albums/72157709146481412
  
  They have a Facebook page here:- https://www.facebook.com/airoav/
  
  I have been using their AV product on their 30 day Free Trial for quite some time without, apparently, any ill effects! I’m still uncertain of the need to buy it though! HTH
  
  David
  
  LikeLiked by 1 person
20

Valdo on August 12, 2019 at 2:03 pm

The Dylib Hijack Scanner was notarized, so I have high hopes to be able to use the LuLu and KnockKnock in Catalina

LikeLiked by 1 person
21

EcleX on August 12, 2019 at 2:25 pm

Then I think that applications like TinkerTook System will not run and maybe even DiskWarrior and Cocktail.

LikeLiked by 1 person
- 22
  
  hoakley on August 12, 2019 at 2:48 pm
  
  I don’t know of any reason for that. Their developers shouldn’t have any problems notarising them.
  Howard
  
  LikeLike
  - 23
    
    EcleX on August 12, 2019 at 5:21 pm
    
    Thanks. I meant that for macOS 10.15 Catalina, since such applications change the system as far as I know, and I understand that such system is read-only in Catalina.
    
    LikeLiked by 1 person
    - 24
      
      hoakley on August 12, 2019 at 5:32 pm
      
      They do change system configuration settings, which are not protected by SIP or by the read-only system volume. So, although there might be some exceptions, they should be able to do everything that they do already.
      Howard.
      
      LikeLike
25

Tony on September 4, 2019 at 10:59 am

Just a tidbit: Apple has delayed (as of 3rd Sept 2019) some of the demands on apps for Catalina, presumably because some developers are struggling.
https://developer.apple.com/news/?id=09032019a

LikeLiked by 1 person
- 26
  
  hoakley on September 4, 2019 at 11:36 am
  
  Thank you, Tony.
  I saw that last night, and am still trying to understand it and its implications for security. Apple has been operating a ‘historic’ notarization scheme for some months now, and it’s hard to tell whether this is actually anything different. I’ve also seen developers reporting that attempts to use that still report the same errors that they reported earlier, so I’m currently baffled as to what is going on here.
  Howard.
  
  LikeLike