Last Week on My Mac: Changing anti-malware tools in macOS

Fixing security vulnerabilities in macOS is important, but often overshadows its defences against malware, something we seldom talk about. The last few years have seen system software move from being lightly protected by SIP to locked away in a sealed snapshot. What Apple hadn’t addressed until more recently were its tools for the detection of malware and the remediation of its ill-effects.

I started tracking changes in those tools seven years ago, when the threat landscape was very different. At that time, XProtect was more concerned with blocking older and vulnerable versions of Flash and Java, then the basis for most popular exploits. Although XProtect did use signatures to detect some malware, remediation was the primary function of a separate tool, MRT.

For seven years Apple’s security engineers played cat and mouse with malware, frequently updating the data used by XProtect, and building new versions of MRT. Lately this sustained effort hasn’t been able to keep pace, and detection tools have struggled in the face of rapidly changing malicious code. There’s only so much you can do with a rule-based detection system as used by XProtect, so it was time to move on to something more capable.

The first step towards that came on 14 March 2022, when Monterey 12.3 added what appeared to be a new app with a familiar name, This is on the Data volume in the folder /Library/Apple/System/Library/CoreServices, and firmlinked to merge with the matching folder on the System volume at /System/Library/CoreServices. Like, it isn’t an app at all, but a structured suite of executable tools kept in an app bundle. That first silent release didn’t do much, and passed unnoticed. In little more than a fortnight, Apple has just updated it from version 2 to 64, and has increased the number of those executable modules from eight to twelve. Yet the last update to MRT was over two months ago, on 29 April 2022.

Executable tools included in the current version give clues as to what this new security tool, XProtect Remediator, is capable of. In addition to XProtect itself, these are named for:

  • Adload, an endemic Trojan known for downloading unwanted adware and PUPs, summarised here;
  • DubRobber, a troubling and versatile Trojan dropper also known as XCSSET, added in version 62;
  • Eicar, a harmless standard test for anti-malware products;
  • Genieo, a browser hijacker acting as adware, summarised here;
  • GreenAcre, an Apple internal name, added in version 62;
  • MRTv3, referring to Apple’s original malware remediator;
  • Pirrit, malicious adware explained in detail here;
  • SheepSwap, an Apple internal name;
  • ToyDrop, an Apple internal name, added in version 64;
  • Trovi, a cross-platform browser hijacker.
  • WaterNet, an Apple internal name, added in version 64.

Looking through the strings in some of these modules strongly suggests they were coded in Swift. With two exceptions all are between 1.7-1.9 MB in size; XProtect is much smaller, and XProtectRemediatorMRTv3 at 4.4 MB is even larger than the current release of MRT, which is 3.3 MB. Given that one module deals with the simplicity of the Eicar test, and another the complexity of DubRobber/XCSSET, those suggest that much of their code is similar, and required for them to be self-contained.

Launching and scanning by XProtect Remediator is controlled by property lists in /Library/Apple/System/Library for LaunchAgents/, LaunchAgents/, LaunchDaemons/ and LaunchDaemons/, and fresh copies of those have been installed with the updates to version 62 and 64. There’s also an XPC plugin service in the bundle.

Although its initial release was confined to macOS 12.3, when version 62 was pushed on 16-17 June it was installed on all three currently supported versions of macOS, but not on Mojave or earlier. That contrasts with traditional XProtect and MRT, which still support all versions going back to El Capitan.

The pace of the rollout of XProtect Remediator has increased sharply in June. What looked like a curiosity back in March is now growing rapidly, as if it’s on a schedule to be ready for this autumn/fall, and the release of macOS 13 Ventura. Watch Activity Monitor and you’ll see its executable modules being run from time to time in macOS 12.4. Although MRT remains active at present, most noticeably shortly after logging in, XProtect Remediator is starting to work for its living.

Apple hasn’t been exactly silent about this change either. Close reading of its Platform Security guide reveals that it had signalled this change. The May 2021 edition of that guide listed MRT as the third layer in the defences of macOS against malware, stating that it “acts to remediate malware that has managed to successfully execute.”

A year later in May 2022, MRT has vanished altogether from the guide, which now describes a different system:
“Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). It also removes malware upon receiving updated information, and it continues to periodically check for infections. XProtect doesn’t automatically reboot the Mac.”

I think macOS is about to change its anti-malware tools for the better.