Last Week on My Mac: Changing anti-malware tools in macOS

Fixing security vulnerabilities in macOS is important, but often overshadows its defences against malware, something we seldom talk about. The last few years have seen system software move from being lightly protected by SIP to locked away in a sealed snapshot. What Apple hadn’t addressed until more recently were its tools for the detection of malware and the remediation of its ill-effects.

I started tracking changes in those tools seven years ago, when the threat landscape was very different. At that time, XProtect was more concerned with blocking older and vulnerable versions of Flash and Java, then the basis for most popular exploits. Although XProtect did use signatures to detect some malware, remediation was the primary function of a separate tool, MRT.

For seven years Apple’s security engineers played cat and mouse with malware, frequently updating the data used by XProtect, and building new versions of MRT. Lately this sustained effort hasn’t been able to keep pace, and detection tools have struggled in the face of rapidly changing malicious code. There’s only so much you can do with a rule-based detection system as used by XProtect, so it was time to move on to something more capable.

The first step towards that came on 14 March 2022, when Monterey 12.3 added what appeared to be a new app with a familiar name, XProtect.app. This is on the Data volume in the folder /Library/Apple/System/Library/CoreServices, and firmlinked to merge with the matching folder on the System volume at /System/Library/CoreServices. Like MRT.app, it isn’t an app at all, but a structured suite of executable tools kept in an app bundle. That first silent release didn’t do much, and passed unnoticed. In little more than a fortnight, Apple has just updated it from version 2 to 64, and has increased the number of those executable modules from eight to twelve. Yet the last update to MRT was over two months ago, on 29 April 2022.

Executable tools included in the current version give clues as to what this new security tool, XProtect Remediator, is capable of. In addition to XProtect itself, these are named for:

Adload, an endemic Trojan known for downloading unwanted adware and PUPs, summarised here;
DubRobber, a troubling and versatile Trojan dropper also known as XCSSET, added in version 62;
Eicar, a harmless standard test for anti-malware products;
Genieo, a browser hijacker acting as adware, summarised here;
GreenAcre, an Apple internal name, added in version 62;
MRTv3, referring to Apple’s original malware remediator;
Pirrit, malicious adware explained in detail here;
SheepSwap, an Apple internal name;
ToyDrop, an Apple internal name, added in version 64;
Trovi, a cross-platform browser hijacker.
WaterNet, an Apple internal name, added in version 64.

Looking through the strings in some of these modules strongly suggests they were coded in Swift. With two exceptions all are between 1.7-1.9 MB in size; XProtect is much smaller, and XProtectRemediatorMRTv3 at 4.4 MB is even larger than the current release of MRT, which is 3.3 MB. Given that one module deals with the simplicity of the Eicar test, and another the complexity of DubRobber/XCSSET, those suggest that much of their code is similar, and required for them to be self-contained.

Launching and scanning by XProtect Remediator is controlled by property lists in /Library/Apple/System/Library for LaunchAgents/com.apple.XProtect.agent.scan.plist, LaunchAgents/com.apple.XprotectFramework.PluginService.plist, LaunchDaemons/com.apple.XProtect.daemon.scan.plist and LaunchDaemons/com.apple.XprotectFramework.PluginService.plist, and fresh copies of those have been installed with the updates to version 62 and 64. There’s also an XPC plugin service in the XProtect.app bundle.

Although its initial release was confined to macOS 12.3, when version 62 was pushed on 16-17 June it was installed on all three currently supported versions of macOS, but not on Mojave or earlier. That contrasts with traditional XProtect and MRT, which still support all versions going back to El Capitan.

The pace of the rollout of XProtect Remediator has increased sharply in June. What looked like a curiosity back in March is now growing rapidly, as if it’s on a schedule to be ready for this autumn/fall, and the release of macOS 13 Ventura. Watch Activity Monitor and you’ll see its executable modules being run from time to time in macOS 12.4. Although MRT remains active at present, most noticeably shortly after logging in, XProtect Remediator is starting to work for its living.

Apple hasn’t been exactly silent about this change either. Close reading of its Platform Security guide reveals that it had signalled this change. The May 2021 edition of that guide listed MRT as the third layer in the defences of macOS against malware, stating that it “acts to remediate malware that has managed to successfully execute.”

A year later in May 2022, MRT has vanished altogether from the guide, which now describes a different system:
“Should malware make its way onto a Mac, XProtect also includes technology to remediate infections. For example, it includes an engine that remediates infections based on updates automatically delivered from Apple (as part of automatic updates of system data files and security updates). It also removes malware upon receiving updated information, and it continues to periodically check for infections. XProtect doesn’t automatically reboot the Mac.”

I think macOS is about to change its anti-malware tools for the better.

11Comments

Add yours

1

EcleX on July 3, 2022 at 7:59 am

Thanks for the information. Does it make sense to install third-party anti-malware tools in Mac, besides the ones built-in macOS? In such a case, which ones would be the best?

LikeLiked by 1 person
- 2
  
  hoakley on July 3, 2022 at 12:37 pm
  
  Thank you.
  That all depends on your security risk assessment. Apple intends that for the great majority of users, the protection provided by macOS is more than adequate. If your risk assessment indicates that it isn’t sufficient for your use case, then you may wish to add third-party protection. I’ve always recommended Malwarebytes, but some here have reported bad experiences with it. As I don’t use third-party products myself, I’m not the right person to ask for recommendations.
  Howard.
  
  LikeLike
3

antek on July 3, 2022 at 10:39 am

The question is will Apple release new signatures fast enough to keep up with new versions of malware? I mean, should this defense layer be considered an alternative way of defending the machine to the commercial AVs, or it’s just a better-than-nothing layer in case the user doesn’t have any AVs installed?

LikeLiked by 1 person
- 4
  
  hoakley on July 3, 2022 at 12:47 pm
  
  Well, no one can ever release new specific signatures fast enough to detect everything. I think that’s part of the point here: currently, XProtect’s Yara-based scans and detection has to be very specific, to avoid too many false positives. With executable code able to go beyond what can be achieved in that scan, Apple can make smarter detection and remediation which isn’t limited to Yara signatures.
  As none of us knows how effective this will prove, and no one has been able to compare it against third-party products anyway, we simply don’t know whether it will work much better. However, Apple’s investment in its engineering shows that it believes it will be a significant improvement.
  Apple’s line has always been that the great majority of macOS users shouldn’t need to use any third-party products. I think that has held good, but it clearly needs to address more versatile malware better.
  Howard.
  
  LikeLike
5

Christian on July 3, 2022 at 6:41 pm

Hi Howard,
I have a basic question regarding the gateway or gateways that can harm the Mac. So far, I think that this only applies to the browser. Am I wrong about that? Thank you very much for more information about the danger situation outside the browser.

LikeLiked by 1 person
- 6
  
  hoakley on July 3, 2022 at 10:00 pm
  
  Sadly, this applies to any external connection. Email attachments are a not uncommon means, although links within them are more widely used. Exploits have also appeared for iMessages. Malware has been distributed on physical media, such as USB ‘Thumb’ drives.
  Howard.
  
  LikeLike
7

markbot2zero on July 6, 2022 at 9:30 pm

Thank you, Howard, for this summary of built in protections in macOS.

Patrick Wardle, a leading macOS/iOS researcher has released his book, “The Art of Mac Malware”:

https://taomm.org/

The .pdf version is free to download. (I hope everyone considers supporting Patrick, and his non-profit company, Objective-See, via Patreon. You can sign on for as little as $2 a month.)

His website is here:

https://objective-see.org/index.html

Watching videos of Patrick reverse engineering malware (and creating his own) is fascinating, even if you can’t quite follow everything. (I certainly can’t.)

I haven’t had a chance to read the book thoroughly yet, but it appears that the vast majority of malware has to be installed via “user interaction.” In other words, the user has to be duped into downloading and installing, supplying an admin password.

I’m guessing, not sure, that no actual malware has been able to penetrate macOS itself within the Signed System Volume. So, no “rootkits,” or other compromises in the integrity of the OS itself. This, as far as I can tell, is a huge step forward in Mac security and severely limits the damage which malware can do.

Yes, Apple, much to its credit, has baked many layers of defense into macOS, and there are any number of 3rd party anti-malware packages, but I tell my clientele that the strongest defense against Mac malware is you, the user.

And paradoxically, you’re also the weakest point.

I don’t recommend any commercial anti-malware except Intego’s free “Virusbarrier Scanner,” available from the Mac App Store. It’s strictly an “on demand” scanner, no so-called “realtime” protection. I tell clients that *they* are the realtime protection and to run the app once a month against their storage as a precaution — and to call me if it comes up with any hits.

So far, no calls.

-Mark

LikeLiked by 1 person
- 8
  
  hoakley on July 7, 2022 at 5:41 am
  
  Thank you. Yes, I’ve known Patrick for a few years now, and have been recommending his software since it first appeared.
  Howard.
  
  LikeLike
9

Joey Jay on July 7, 2022 at 2:24 pm

As a side note, running macOS remotely on the Internet is now an option. Your security can be outsourced and scaled by high-end professionals such as those at https://macminivault.com. They’ll also manage and encrypt your data and backups. You can then access any of your customized desktops from any web browser. All of this, of course, is priced for commercial use.

LikeLiked by 1 person
- 10
  
  hoakley on July 7, 2022 at 8:40 pm
  
  Thank you. Yes, I think there are a couple of cloud services like that now. I’m sure they’re very useful for those prepared to pay for them.
  Howard.
  
  LikeLike
11

Apple is updating XProtect and MRT. Is it enough? - SecureMac on August 1, 2022 at 4:12 pm

[…] Howard Oakley has written about what seem to be forthcoming changes to XProtect and MRT. His blog post on MRT is worth reading in full, but we’ll summarize the highlights […]

LikeLike

Share this:

Related