Is Apple’s Malware Removal Tool dropping out of macOS 13?

When it comes to grokking security in macOS you have to be able to read tea-leaves and crystal balls. The only source of hard information is Apple’s Platform Security Guide, conveniently published each year a month or two before WWDC. This year, eagle-eyed readers noticed a significant absence: all mention of the Malware Removal Tool, MRT, has gone.

Instead, the guide refers only to XProtect:
“Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). It also removes malware upon receiving updated information, and it continues to periodically check for infections. XProtect doesn’t automatically reboot the Mac.”

Could this mean that MRT’s days are numbered, and that this autumn/fall it will be dropped from macOS 13? What would we be losing?

Although called an app, MRT.app isn’t an app at all, and can’t be run as an app through the Finder. Instead, its binary is used as a command tool run in two circumstances: each time your Mac starts up, and when MRT.app has just been updated. MRT runs in two different modes, controlled by the -a and -d options, which run it in agent or daemon mode, respectively.

The dummy app is located in /Library/Apple/System/Library/CoreServices/, among the Data volume additions to /System/Library/CoreServices/ on the System volume. It’s written in Swift, and is normally run by two launchd property lists:

  • the LaunchAgent at /Library/Apple/System/Library/LaunchAgents/com.apple.MRTa.plist runs MRT at load as an agent, with the -a option;
  • the LaunchDaemon at /Library/Apple/System/Library/LaunchDaemons/com.apple.MRTd.plist runs MRT at load as a daemon, with the -d option.

Running in daemon mode, MRT performs thousands of signature checks against Apple’s Certificate Revocation List (CRL), many of which generate errors. It also presumably checks items against its own list of what it can remove. Running in agent mode, it’s far quieter, and only likely to generate some sandbox errors in the log. It then appears to run against a different set of rules which could, for example, remove malicious or unwanted files and directories. This suggests that daemon mode assembles a list of actions which are then performed in agent mode. When run after startup, MRT runs first in daemon then in agent mode, both completing in the first few minutes after boot.
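As an added example (not the post's or Apple's code), this script audits whether MRT.app is still installed and how its two launchd jobs invoke it, using the CoreServices, LaunchAgents and LaunchDaemons paths and the -a/-d modes described above. The bundle-internal binary path (Contents/MacOS/MRT), the ProgramArguments layout and the constructed fixture tree are assumptions, since the post does not show the plist contents.

```python
import plistlib
import sys
import tempfile
from pathlib import Path
# Paths named in the post; the bundle-internal binary path used below is this example's assumption.
MRT_APP = "Library/Apple/System/Library/CoreServices/MRT.app"
LAUNCHERS = {  # launchd plist -> the mode flag it is expected to pass, per the post
    "Library/Apple/System/Library/LaunchAgents/com.apple.MRTa.plist": "-a",
    "Library/Apple/System/Library/LaunchDaemons/com.apple.MRTd.plist": "-d",
}


def audit_mrt(root="/"):
    """Report MRT's presence, version and launch modes under `root` ("/" = the live system)."""
    root = Path(root)
    report = {"present": False, "version": None, "launchers": {}, "findings": []}
    info = root / MRT_APP / "Contents/Info.plist"
    if info.is_file():
        report["present"] = True
        report["version"] = plistlib.loads(info.read_bytes()).get("CFBundleShortVersionString")
    else:
        report["findings"].append("MRT.app missing from CoreServices")
    for rel, expected in LAUNCHERS.items():
        plist = root / rel
        if not plist.is_file():
            report["findings"].append(f"{plist.name} missing")
            continue
        args = plistlib.loads(plist.read_bytes()).get("ProgramArguments", [])
        flags = [a for a in args if a.startswith("-")]
        report["launchers"][plist.name] = flags
        if expected not in flags:
            report["findings"].append(f"{plist.name} does not pass {expected}: {args}")
        if not args or not args[0].startswith("/" + MRT_APP):
            report["findings"].append(f"{plist.name} launches something other than MRT.app")
    return report


def build_fixture(tmp=None, agent_flag="-a", daemon_flag="-d", version="0.0-constructed"):
    """Construct a fake install tree (not a real MRT) so the audit runs offline on any OS."""
    tmp = Path(tmp or tempfile.mkdtemp())
    info = tmp / MRT_APP / "Contents/Info.plist"
    info.parent.mkdir(parents=True)
    info.write_bytes(plistlib.dumps({"CFBundleShortVersionString": version}))
    for rel, flag in zip(LAUNCHERS, (agent_flag, daemon_flag)):
        p = tmp / rel
        p.parent.mkdir(parents=True)
        p.write_bytes(plistlib.dumps({"ProgramArguments": ["/" + MRT_APP + "/Contents/MacOS/MRT", flag]}))
    return tmp


if __name__ == "__main__":  # demo on the constructed tree; on a Mac pass "/" to audit the live system
    print(audit_mrt(sys.argv[1] if len(sys.argv) > 1 else build_fixture()))
```

Run periodically across a fleet, an empty `findings` list with both flags present is the baseline; a missing bundle or plist after a macOS 13 update is the signal that the remediation engine has moved.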

Unfortunately, since 2018, Apple has obfuscated the names of malware which MRT can remove. Prior to that, it was possible to search the string content of its executable and discover the names of malware which it claimed to be able to ‘remediate’.

Beyond its former brief description, Apple has long remained silent on what MRT does. It has broken that silence only once, in early July 2019, when it was called into play to remove part of an app which wasn’t malware, but left users with a serious vulnerability: Zoom.

One of the biggest problems posed by that old version of the Zoom client was that it installed, in a hidden folder, a web server which was left behind, still active, when you uninstalled the app. This web server could reinstall the Zoom client, and was found to have its own vulnerability as well. Whatever Zoom did about the other issues in its client software, it was vital that all copies of this web server were removed, particularly from Macs whose users might have forgotten that they had ever installed Zoom’s client. This wasn’t something that Zoom was able to handle alone: they needed Apple, just as Apple needed to remove Zoom’s web server before it was exploited.

The solution lay in repurposing MRT to detect and destroy Zoom’s web server in its hidden folder, much in the way that it does for malware. The delivery vehicle had therefore to be an urgent ‘silent’ security update containing the new version of MRT, which Apple had ready to push out on 10 July 2019.

Then everything went strange. Instead of Apple breaking its self-imposed silence on security updates and explaining this directly to users, it passed the message on to Zack Whittaker at TechCrunch, then re-tweeted TechCrunch’s tweet linking to that news story. Not only that, but the story was coy over detail: it didn’t mention MRT, merely that the “silent update” had been released, and that all users would receive it automatically. Nor did it say whether users needed to do anything other than wait for the update to be installed.

MRT may be receding deeper into the shadows, but for the time being it remains an invaluable tool for Apple to handle problems like those posed by Zoom. MRT currently gets updated every month or so, and I can’t see Apple changing that in macOS 13, without an equally powerful kill switch.