Last Week on My Mac: Are malware defences changing again?

According to the Apple Platform Security guide, the three layers of malware defences in macOS consist of:

  1. The App Store, or the combination of Gatekeeper and Notarization, to prevent the launch or execution of malware.
  2. Gatekeeper, Notarization and XProtect, to block malware from running.
  3. MRT, to “remediate” malware that has already run.

Gatekeeper and notarization checks are built into macOS, but XProtect and MRT are dependent on their own pushed updates. As Apple explains:

  • For XProtect, “Apple monitors for new malware infections and strains, and updates signatures automatically — independent from system updates — to help defend a Mac from malware infections.”
  • “The Malware Removal Tool (MRT) is an engine in macOS that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates).”

XProtect and MRT are unusual among Apple’s security tools, in that they’re almost independent of the version of macOS that you’re running. Current data for XProtect and the MRT tool itself still appear to be fully functional in all versions going right back to El Capitan. This is important for users of those older systems, whose Gatekeeper is far less stringent and easily bypassed, and which are ignorant of notarization and unable to check it.

Although updates to XProtect’s data files and to MRT always have been irregular, a year ago they occurred quite frequently, with XProtect updates every 7-21 days, and MRT every month or so. As of today, the last XProtect update was pushed on 24 September (version 2151), and there has only been one very minor update to MRT (1.85) since 13 September – a period of over two months.
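As an added check, not code from the original post, the following POSIX shell script reads the installed XProtect and MRT versions from their Info.plist files and compares them with the versions cited above (XProtect 2151, MRT 1.85). The bundle paths are those used from Catalina onwards and are an assumption here; on Mojave and earlier both bundles live under /System/Library/CoreServices instead.

```shell
#!/bin/sh
# Added example: report installed XProtect and MRT data versions and compare them
# against reference versions. Paths assumed (Catalina and later layout).
XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
MRT_PLIST="/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist"

# Extract CFBundleShortVersionString from an XML Info.plist using only awk, so the
# same parser works on any Unix and can be exercised on a constructed file.
# Prints the version; returns 1 and prints nothing if the file is unreadable.
bundle_version() {
  [ -r "$1" ] || { echo ""; return 1; }
  awk '/<key>CFBundleShortVersionString<\/key>/ { want = 1; next }
       want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}

# Compare two dotted versions component by component as integers.
# Prints "ok" when $1 is at least $2, "stale" when it is older.
version_check() {
  echo "$1 $2" | awk '{
    na = split($1, a, "."); nb = split($2, b, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? a[i] + 0 : 0
      y = (i <= nb) ? b[i] + 0 : 0
      if (x > y) { print "ok"; exit }
      if (x < y) { print "stale"; exit }
    }
    print "ok"
  }'
}

# Print one line per tool: installed version, reference version, and verdict.
report() {
  name=$1; plist=$2; expected=$3
  ver=$(bundle_version "$plist") || { echo "$name: bundle not found at $plist"; return 0; }
  echo "$name: installed $ver, reference $expected -> $(version_check "$ver" "$expected")"
}

report XProtect "$XPROTECT_PLIST" 2151
report MRT "$MRT_PLIST" 1.85
```

A "stale" verdict only means the Mac has not received the update the post describes; it says nothing about whether Apple has since pushed a newer one.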

The last time that there were such long intervals between security data updates was with the release of Mojave in 2018, when XProtect went without updates for nine months, and MRT was left for six months. At that time, I questioned whether macOS security was in the process of change, which might have accounted for that long pause.

Sure enough, it appears that later in Mojave’s cycle, and before July 2019, Apple had changed checks made by macOS on code signatures, extending online revocation checks using OCSP to apps which had already cleared quarantine. Later that year in Catalina it introduced notarization, involving “checks for new revocation tickets so that Gatekeeper has the latest information and can block the launch of such files.” The latter takes place using frequent “CloudKit sync”, according to the Platform Security guide.

Another factor is the discovery of new malware affecting Macs. Earlier this year, XProtect was engaged in a prolonged cat-and-mouse engagement with a succession of Adload, XCSSET and Bundlore/Shlayer variants, with frequent tweaking of its signatures. Despite Apple’s diligent pursuit of those rodents, just like Tom and Jerry, the mice always seemed able to outmanoeuvre the cat. Perhaps Apple reappraised the situation at the end of the summer and decided on a different strategy.

Apple’s declared response to malware, though, still places XProtect and MRT in important roles. According to the Platform Security guide:
“When new malware is discovered, a number of steps may be performed:

  • Any associated Developer ID certificates are revoked.
  • Notarisation revocation tickets are issued for all files (apps and associated files).
  • XProtect signatures are developed and released.
  • MRT signatures are developed and released.
  • These signatures are also applied retroactively to previously notarised software, and any new detections can result in one or more of the previous actions occurring.

Ultimately, a malware detection launches a series of steps over the next seconds, hours and days that follow to propagate the best protections possible to Mac users.”

Whatever is happening, this can only worry those using earlier versions of macOS. For all their limitations, XProtect and MRT have still been providing Macs with valuable malware detection and removal. If malware defences in Monterey are moving away from those tools, and Apple has cut back their maintenance, that leaves Big Sur and earlier worryingly exposed. Thankfully, third-party malware protection typically still supports macOS back to Sierra (10.12), but Apple has always maintained that Mac users have no need for anything other than what’s provided in macOS.

With Thanksgiving and the start of the long holiday season, and the next round of macOS updates and security updates due any week now, it will be interesting to see whether XProtect and MRT receive any further updates before next year. If I were still reliant on Big Sur or any previous version of macOS, I think I’d use that time to try out some third-party protection, just in case these key players in my malware defences weren’t going to be the same any more. Without them, Apple’s three layers start looking alarmingly empty.