hoakley August 7, 2022 Macs, Technology

Last Week on My Mac: Is your Mac still secure from malware?

Recent versions of macOS have come with two tools designed to detect malware and deal with it, by ‘remediation’: XProtect and MRT. This year they have been joined by a third, XProtect.app or XProtect Remediator, and Apple has dropped all references to MRT in its Platform Security Guide. Although Apple has made no announcement of any change in anti-malware tools in macOS, they’re clearly on the change. This article tries to explain where your Mac now stands.

XProtect

Although one of XProtect’s original purposes was to block the use of old and vulnerable versions of third-party software such as Java and Adobe’s Flash, more recently it has mainly scanned executable code to detect known malware. This is based on signature recognition, using data updated once or twice each month to keep pace with changing malware threats. Apple last updated those detection signatures in version 2161 on 30 June 2022.

Apple continues to describe XProtect as a key component in two of the three layers of defences against malware, and has augmented its use in macOS.

MRT

Prior to May this year, Apple listed its Malware Removal Tool, MRT, as another of the key components in the defence against malware. Unlike XProtect, which relies on signatures for detection and can only alert the user when it detects known malware, MRT consists of executable code capable of automatically removing malware and performing other forms of remediation. The extensive capability of MRT was demonstrated by Apple in July 2019, when it was used in a security crisis to remove a vulnerable web server left behind by the Zoom client.

In May 2022, Apple removed all mention of MRT from its Platform Security Guide, and the last update, to version 1.93, was pushed on 29 April 2022, over three months ago. Previously, like XProtect, it had received updates every 2-4 weeks, and currently consists of 3.5 MB of executable code. Release versions of macOS continue to run MRT’s two processes shortly after starting up.

XProtect Remediator

This was introduced in macOS 12.3 on 14 March 2022, and has since been updated, expanded and added to Catalina and Big Sur in their security updates. It poses as an app named XProtect.app, and isn’t an app at all but a collection of executable code modules stored in that bundle. While XProtect has been updated slightly less often than previously and MRT not at all, XProtect Remediator has undergone rapid if not explosive change. This is best illustrated by increasing number and total size of its executable code modules since version 2.

xpremediatorgrowth

In the last 2.5 months, XProtect Remediator has grown from 8 to 14 executable code modules, and from a total executable size of 15 MB to 26 MB.

Indications are that XProtect Remediator includes the functionality of MRT, together with rapidly improving and extending support for the detection and remediation of other malware. As with XProtect and MRT, Apple conceals the identity of the malware handled by XProtect Remediator using code names, including GreenAcre, SheepSwap, SnowBeagle, SnowDrift, ToyDrop and WaterNet, although its initial executables remain named after known malware families such as Adload and Geneio. These are now being observed running following startup, confirming that they are part of macOS active defences against malware.

macOS Mojave and earlier

This leaves these older versions of macOS with the following bundled protection against malware:

XProtect, with its signature-based detection, updated when appropriate, and
MRT, left in abeyance from April 2022.

Apple only seems likely to update MRT in response to a security crisis similar to that in July 2019, leaving Mojave and earlier unable to detect and remove malware detected or changed since April 2022. Although XProtect’s detection signatures will be updated periodically, Apple’s efforts are currently being devoted primarily to further improvement of XProtect Remediator.

macOS Catalina and later

Although Catalina is expected to cease receiving security updates with the release of Ventura, probably in October, it just made the cut for XProtect Remediator, and should continue to benefit from its updates. This leaves Catalina, Big Sur and Monterey with the following bundled protection against malware:

XProtect Remediator, featuring Apple’s latest detection and remediation methods,
XProtect, with its signature-based detection, updated when appropriate, and
MRT, left in abeyance from April 2022.

Although the effectiveness of XProtect Remediator has yet to be tested outside Apple, its capabilities should far exceed those of XProtect’s signature recognition and MRT.

The future of malware protection on macOS

The introduction of XProtect Remediator and apparent cessation of development of MRT open a gulf in malware protection bundled in macOS. Although Mojave and older versions aren’t unsupported, new and changed malware which isn’t reliably detected by XProtect’s updated signatures is likely to pass unnoticed on those older macOS, putting those Macs at increasing risk.

Those still using Mojave and earlier are also unable to assess that developing gap because of Apple’s insistence to obfuscate the identities of malware detected and remediated by MRT and by XProtect Remediator. For example, Apple doesn’t disclose what family of malware is addressed by the SnowDrift executable code in XProtect Remediator, so users can’t know whether Mojave systems might be susceptible to it, nor whether XProtect or MRT can detect it.

This is likely to become even more difficult when Apple completes the transition to Apple silicon and discontinues support for Intel Macs. As all Apple silicon Macs will have switched to relying on XProtect Remediator, it appears unlikely that Apple will provide any further support for MRT, leaving older systems with XProtect alone.

If you still run a Mac with Mojave or earlier, now is the time to reassess its risk from malware, and either upgrade it to Catalina or later, or provide additional protection to compensate for the loss of MRT. If the Mac itself is capable of running more recent macOS, it may be wiser to upgrade it, and retain the older macOS in a virtual machine, which can be isolated from risk and from the rest of that system.

Conclusions

Protection from changed and new malware provided by MRT ceased in April 2022.
Macs still running Mojave and earlier have been at increasing risk from malware attack since then.
Macs capable of running Catalina or later should be upgraded so they benefit from XProtect Remediator.
If access to Mojave or earlier is still required, that is best provided in a virtual machine.
Macs that can’t be upgraded beyond Mojave (for whatever reason) are likely to benefit from third-party protection.
Several tools from Objective-See are suitable, particularly KnockKnock, which supports older macOS.
Vendors of anti-malware products should provide information specifically targeted at Mac users still using Mojave and earlier, to help them address this increasing risk. That should include coverage of changed and new threats since April 2022, and support for those older versions of macOS.
Apple should fully inform Mac users of its current and future anti-malware support policies. Current information in the macOS User Guide is so vague as to be almost useless.

38Comments

Add yours

1

Macintoshista on August 7, 2022 at 7:55 am

As for these so-called Mac anti-virus products such as Norton, Sophos etc., do they do anything more than just scan for Windows viruses which won’t affect your Mac directly anyway?

LikeLiked by 1 person
- 2
  
  John Gilbert on August 7, 2022 at 10:18 am
  
  Norton and Sophos – not much for the home user. But you need to look at the larger IT environment when assessing risk and mitigation.
  
  As a home user of Apple devices, I have long given up on traditional A-V products. Better to rely on Apple’s protections augmented by Mac specific tools – in my case daily Malwarebytes scans and the Objective-See tools (that Howard mentions) along malware and tracking protection provide by filtered DNS and browser protection.
  
  But if you are running Macs in an ‘enterprise’ environment (probably mostly Windows) then the risks to the organisation are much wider and require a more systematic approach to end point thread detection. In this situation it is essential that all devices are able to detect and block Windows malware. The Nortons and Sophoses of this world play an important role there.
  
  LikeLiked by 1 person
- 3
  
  hoakley on August 7, 2022 at 3:36 pm
  
  It depends on the product. I know, for instance, that Malwarebytes does check for a great many PUPs and malware which are Mac-only. I’m afraid that I have a long-standing aversion to anything Norton since an unfortunate incident many years ago. Sophos has a reasonable reputation, and seems quite popular.
  I don’t have a simple answer, I’m afraid, but I think the need is there. Maybe the vendors will take up the invitation to be clearer as to what their products do, and how they can help those using older macOS now.
  Howard.
  
  LikeLike
4

EcleX on August 7, 2022 at 8:28 am

Many thanks for the informative article. Perhaps it could be remembered that if Automatic updates are not selected in Software Update, it reports the Mac as being up to date when it is not, which is utterly misleading. In such case, SilentKnight can find and install such security updates.

LikeLiked by 2 people
- 5
  
  hoakley on August 7, 2022 at 3:37 pm
  
  Thank you. This is primarily about those versions of macOS that are now getting even fewer security data updates. I’m sure those using Mojave still would be delighted to have XProtect Remediator on their Macs.
  Howard.
  
  LikeLike
6

kapitainsky on August 7, 2022 at 9:55 am

Good to know that Apple is working to keep their defences up to date. Thank you for keeping us informed.

I used in the past (forced by company) Symantec and Sophos – both on macOS and Windows. My personal experience is – never again – number of issues I had to deal with was unbelievable. It was useful maybe 20 years ago but since then things changed – both Windows and macOS provide built in protection. Maybe without bells and whistles but definitely working. 3rd party products always stay behind OS updates and changes. My take now is to do stupid things only in virtual machine, keep all software I use up to date (for macOS I recommend https://www.corecode.io/macupdater – I have no connection to them – but love their product) and always have proper backup and archive of all things I care about.

This is good article about antivirus/antimalware situation:

https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/

LikeLiked by 2 people
- 7
  
  hoakley on August 7, 2022 at 3:39 pm
  
  Thank you. That Are Technically article is 4 years old and about Windows. The threat landscape on Macs now is completely different, and here my primary concern are those Mac users who can’t update to Monterey or Ventura, particularly for those on Mojave and earlier who don’t have XProtect Remediator.
  Howard.
  
  LikeLike
8

R. Gerard on August 7, 2022 at 11:50 am

I provide help and support to seniors in an aging-in-place community, some of whom have very old Macs running OS all the way back to El Capitan, OSX 10.11.

After reading your article it appears it is time to tell them they need to install extra protection and run it on a daily basis..

Would you suggest ti tell them to d/l Intego Virus Barrier from the App Store and run it daily or use KnockKnock instead, keeping in mind please that many of these seniors are, politely, not very Mac-savvy, so the simplest AV check for them to run is probably going to be the better choice.

Many thanks,

LikeLiked by 2 people
- 9
  
  kapitainsky on August 7, 2022 at 2:00 pm
  
  Basic thing I do in similar situations is install and set as default some up to date web browser. Chrome still runs on El Capitan and Firefox on Sierra.
  
  LikeLiked by 1 person
  - 10
    
    kapitainsky on August 7, 2022 at 2:28 pm
    
    For older hardware also very good option is to forget macOS and install Linux – it can really bring an old mac back to life.
    
    LikeLiked by 1 person
    - 11
      
      R. Gerard on August 7, 2022 at 3:07 pm
      
      As to the web browser, I tell them NEVER use Chrome; you give up too much of your privacy to Google. What I have done is switch them over either to Firefox or Brave.
      
      As for the Linux suggestion, it is not even in the realm of the possible to get seniors in their 70s and 80s to learn Linux. That is a good suggestion for me to remember, however, re my 2012 MB Pro which maxed out at Catalina.
      
      Thanks for commenting!
      
      LikeLiked by 1 person
    - 12
      
      hoakley on August 7, 2022 at 3:49 pm
      
      Catalina is still good though, as it has and supports XProtect Remediator. The is in Mojave and earlier.
      Howard.
      
      LikeLike
    - 13
      
      kapitainsky on August 7, 2022 at 4:19 pm
      
      I have upgraded my 80s mum to Linux – and after few weeks she is very happy about how fast her “new” computer is now. Of course depends what user does but e.g. Firefox on Mac OS and Linux works exactly the same. Home folders structure is similarly familiar. When you press print it prints the same etc. I would love that older Macs can stay native forever but it is how it is. For somebody who only uses web browser old Apple hardware is perfectly capable and only problem in time is outdated software.
      
      LikeLiked by 1 person
  - 14
    
    hoakley on August 7, 2022 at 3:48 pm
    
    Simply changing to another browser is of very limited help, though. What these folk need is a single, simple solution to replace the protection that Apple used to provide.
    Howard.
    
    LikeLike
    - 15
      
      kapitainsky on August 7, 2022 at 4:05 pm
      
      Thank you but this time I tend to disagree with your comment. IMHO web browser is the most likely attack vector for majority of users. It is asking for trouble when using unpatched Safari with well known security vulnerabilities. Of course it is not panacea for all challenges caused by malware but definitely the easiest and the most effective step to improve security of old computer running outdated OS.
      
      LikeLiked by 1 person
    - 16
      
      hoakley on August 7, 2022 at 4:21 pm
      
      Thank you.
      Did you read the article above? Where does it discuss browser vulnerabilities, or claim that they have changed recently?
      I’m drawing attention to a specific problem in the detection and removal of malware on macOS. That has changed, and anyone running Mojave or earlier now has a problem as a result of a change Apple made in April, when it apparently discontinued support for MRT. How can a browser compensate for that loss? Does it review downloaded executable code, and remove any found to be malicious?
      Howard.
      
      LikeLike
- 17
  
  hoakley on August 7, 2022 at 3:46 pm
  
  Thank you. There’s no simple answer at the moment, and I hope the vendors will step up now and recognise this problem and its market.
  First, no anti-malware product in the App Store can ever do a complete job, because of the limitations imposed on apps there. Although they can provide quite good browser protection, that’s only part of the requirement.
  While KnockKnock is straightforward to use, I don’t think they’d find it so. Most of Objective-See’s tools are more suited to more advanced users.
  So I’d be looking more at a product like Malwarebytes. I know that its Mac support is excellent, and it’s both a serious product and simple to use. But I’m also sure there are alternatives, and would hope the industry responds to this need.
  Howard.
  
  LikeLike
18

Giles Roditi on August 7, 2022 at 7:52 pm

Thank you Howard, very clear. I appreciate your diligent hard work.
Giles

LikeLiked by 1 person
- 19
  
  hoakley on August 7, 2022 at 10:06 pm
  
  Thank you.
  Howard.
  
  LikeLike
20

R. Gerard on August 7, 2022 at 8:38 pm

The seniors I help also gift me their old Mac computers when they get a new one with the assurance from me that I will strip all their personal data from their computers before giving them to a local charity that is helping Afghan refugees who worked for the USG in Afghanistan resettle in the Washington, DC metro area.

Next time I get a really old Mac, I think I will experiment with installing Linux on it.

If I may, last time I played around with Linux, there were multiple “flavors” if you will. Which is the easiest version for a Mac user to learn and, most important of all, is there a Linux version of Zoom because these seniors attend Zoom sessions multiple times a week or even a day.

LikeLiked by 1 person
- 21
  
  hoakley on August 7, 2022 at 10:09 pm
  
  I’m sorry, I’m no Linux expert, I’m just trying to virtualise it!
  One other thought I’d have for your seniors is the prospect of moving to an iPad. That would be modest in cost even for a new one, a relatively familiar environment, and for many far easier to use.
  I wish you success with them.
  Howard.
  
  LikeLiked by 1 person
22

R. Gerard on August 7, 2022 at 9:20 pm

I see that the Premium version of Malwarebytes is $45/year for one computer.
The free version does only one thing: Cleans up an already infected computer.

I don’t know how many of these seniors can shell out $45 every year so, does the free KnockKnock provide about the same level of protection as the free level of Malwarebytes or better protection?

If it provides better protection, I’ll learn how to use it myself and teach them on Zoom sessions how to do so themselves.

Many thanks and sorry to take up so much of your time and patience.

LikeLiked by 1 person
- 23
  
  hoakley on August 7, 2022 at 10:10 pm
  
  In the right hands, KnockKnock is far superior, as it usually deals effectively with future malware, not just that of the past. But I think you need to have play with it to see whether it would work for them, or worsen their problems.
  Howard.
  
  LikeLike
24

Christian on August 7, 2022 at 10:00 pm

Hi Howard,
Can we assume that we can disable MRT (LaunchDaemon and LaunchAgent) on Mojave and earlier? For example, I still have a Sandy Bridge laptop with 10.11 and you can feel how MRT is pumping resources at boot, so if its protection is nil, I’d be prone to disable it…
Thank you! 🙂

LikeLiked by 1 person
- 25
  
  hoakley on August 7, 2022 at 10:14 pm
  
  I don’t say anywhere that MRT provides no protection, rather that it doesn’t address new and changed malware since April. There are still many different types of malware that it will continue to protect against, as Apple did keep it quite up to date until then.
  MRT normally runs a scan soon after boot, which is why you’re seeing that. Once that’s complete it normally doesn’t run again. It might even have the useful side-effect of blowing the dust out of the fans!
  Howard.
  
  LikeLike
26

baron on August 7, 2022 at 10:52 pm

Forgive the incorrigible proofreader I fear to be, but “XProtect Remediator (…) was introduced in macOS 12.3 on March 14, 2023” should probably be anticipated by a year…

LikeLiked by 1 person
- 27
  
  hoakley on August 8, 2022 at 5:24 am
  
  Thank you – nothing to forgive, I’m most grateful and have corrected the typo.
  Howard.
  
  LikeLike
28

Brian on August 8, 2022 at 5:21 am

Would it be better to upgrade to Catalina with the popular DOSDude patcher and lose System Integrity Protection, or stay with Mojave? Those are my two choices. Thank you.

LikeLiked by 1 person
- 29
  
  hoakley on August 8, 2022 at 5:29 am
  
  Given that SIP is one of the primary protections for the whole of macOS, I think your risks in turning that off in order to benefit from a secondary protection such as XProtect Remediator would be greater, not less. While there are good alternatives to Remediator, there’s nothing that can substitute for SIP.
  I’m sorry that you’re forced to make that choice.
  Howard.
  
  LikeLike
30

almeath on August 8, 2022 at 6:29 am

Thanks for this detailed assessment Howard. I will use it to help keep my older Macs reasonably secure. The referral to the Objective-See apps was especially helpful.

LikeLiked by 1 person
- 31
  
  hoakley on August 8, 2022 at 7:45 am
  
  Thank you, Al. I wish you security.
  Howard.
  
  LikeLike
32

Myob on August 10, 2022 at 1:53 pm

HEY APPLE, from the above article, a thousand times this:
“Apple should fully inform Mac users of its current and future anti-malware support policies. Current information in the macOS User Guide is so vague as to be almost useless.”

Thank you, Howard, for the explanations in the article and the comment section.

LikeLiked by 1 person
- 33
  
  hoakley on August 10, 2022 at 2:46 pm
  
  Thank you.
  Howard.
  
  LikeLike
34

Mark on August 15, 2022 at 5:00 pm

Thank you for clearly laying out the state of macOS malware protection by version.

It has helped put my mind slightly more at ease about my dilemma of what to do in regards to upgrading my operating system.

My computer is a 2017 12″ MacBook (i7, 16GB) currently running Mojave.

I would like to upgrade to a more modern version of macOS for the security benefits, however, as a user of Macs since OS X 10.3, I am having real difficulties adapting to the UI changes starting in Big Sur. We upgrade my wife’s MacBook Pro to Monterey (from Catalina), which I use occasionally as it is faster for certain tasks, and I hoped that over time I would start to enjoy (i.e. able to work seamlessly) the new UI, however that has not happened.

My plan is to do a clean install of Catalina on my MacBook (with a small partition for Mojave to run Aperture) and my hope is that Catalina will be sufficiently protected for a while to come (years?) through XProtect Remediator, and thus be safe to use.

(The only downside to my plan is that with the dropping of Catalina as an officially supported OS from Apple, Homebrew will stop supporting it as well – requiring that binaries need to be built rather than downloaded – the last package I needed to install (and all its dependencies) took 20 hours (no joke), to compile on my MacBook)

LikeLiked by 1 person
- 35
  
  hoakley on August 15, 2022 at 9:56 pm
  
  Thank you.
  Yes, we all hope that support for ‘Remediator’ in Catalina is long-term.
  Howard.
  
  LikeLike
36

Michael Tsai - Blog - XProtect Remediator on August 15, 2022 at 9:04 pm

[…] Howard Oakley: […]

LikeLike
37

markbot2zero on August 15, 2022 at 11:23 pm

Thank you, Howard.

re: “First, no anti-malware product in the App Store can ever do a complete job, because of the limitations imposed on apps there.”

You’ve mentioned this before. I also recommend Intego Virusbarrier Scanner from the App Store for my older clientele (most of whom are younger than me), because it’s:

1. Free

2. Simple

3. Easy to remove, if you don’t want it anymore.

At some point if you could discuss how the App Store limitations affect something like VB, it would be helpful.

The question to me isn’t whether it can do a complete job (Can any AV, or combination of AV, do a complete job? And how would you know if it did?) but whether, if used in conjunction with the built in protections of macOS (which seem to be becoming steadily more comprehensive and effective) and perhaps augmented by other 3rd party software, it is a useful adjunct.

Part of the problem is that we don’t even know what most AV software even does (er, right?) not to mention the fact that the threat environment is constantly changing and evolving. We don’t know whether products overlap, with each other or with built in protection, or how well they anticipate future threats.

I liked the simple AV product originally created by Thomas Reed, but when Malwarebytes took it over, it became a paid, realtime program, that installs a lot of guck (the realtime part) I don’t want and don’t recommend. I find the company’s hype (“Crushes the growing threat of Mac malware!”) off-putting and disingenuous.

I think “realtime” protection is actually dangerous, because users think they’re invulnerable, that is, they think they’re safe, with no further expenditure of effort needed. As I’ve mentioned here before, in my view, a properly educated and supported user *IS* the realtime protection for his or her Mac.

Anyway, at your recommendation, I did install Malwarebytes on my MacBook Pro, and am getting used to it. I also run DetectX Swift, even though I don’t really know what it does. I guess I just like the name and the author has posted here.

Bottom line for me is that the question, “Is your Mac still secure from malware?”, can never really be answered in the affirmative. I hope so, but I’m still learning, working my way through Patrick Wardle’s “The Art of Mac Malware,” available absolutely free here:

https://taomm.org/

Just today, Patrick found a serious vulnerability in Zoom:

https://www.patreon.com/posts/running-zoom-now-70555474

I’m sorry this turned into a book-length missive. Thank you for reading and, as always, for everything you do here.

Best,

-Mark

P.S. Well, this is weird. WordPress wouldn’t let me log in, either in Firefox or Safari. One of those days…

LikeLiked by 1 person
- 38
  
  hoakley on August 16, 2022 at 6:50 pm
  
  Thank you.
  The limitations that Apple imposes on App Store apps, including mandatory sandboxing, simply mean that no app claiming to be anti-malware could ever be effective operating under such constraints. I don’t have a problem with that: most of my apps also aren’t suitable for the App Store requirements either.
  Whether you need third-party protection is a decision you need to make after risk assessment. In my case, I rely completely on macOS, but then I only every use the current (or next!) macOS, and keep it up to date meticulously. I do still use Objective-See’s tools when I feel I need to.
  My concerns now rest with those who cannot upgrade beyond Mojave, and as I wrote, I’d like to see third-party vendors catering for them in particular. I’m hoping that some at least will.
  Howard.
  
  LikeLike