hoakley August 30, 2022 Macs, Technology

macOS now scans for malware whenever it gets a chance

In the last six months macOS malware protection has changed more than it did over the previous seven years. It has now gone fully pre-emptive, as active as many commercial anti-malware products, provided that your Mac is running Catalina or later. This article updates those I’ve previously written about Apple’s new tool in the war against malware, XProtect Remediator.

Until XProtect Remediator arrived in macOS 12.3 last March, system tools for tackling malware were essentially limited to XProtect and MRT. XProtect was mainly used to check apps and other code which had a quarantine flag set, against a list of signatures of known malware, and can only detect. While Apple has broadened its scope to check more frequently, and continues to update those signatures every couple of weeks, they have their limits. MRT ran scans to both detect and remove (‘remediate’) known malware, most noticeably shortly after startup, but infrequently.

XProtect Remediator consists of executable code modules which both scan for and remediate detected malware. At present, these include the following:

Adload, an endemic Trojan known for downloading unwanted adware and PUPs, summarised here;
DubRobber, a troubling and versatile Trojan dropper also known as XCSSET;
Eicar, a harmless standard test for anti-malware products;
Genieo, a browser hijacker acting as adware, summarised here;
GreenAcre, an Apple internal name;
MRTv3, referring to Apple’s original malware remediator;
Pirrit, malicious adware explained in detail here;
SheepSwap, an Apple internal name;
SnowBeagle, an Apple internal name;
SnowDrift, identified by Stuart Ashenbrenner of Jamf as CloudMensis, spyware first identified by ESET;
ToyDrop, an Apple internal name;
Trovi, a cross-platform browser hijacker.
WaterNet, an Apple internal name.

These are orchestrated by XProtectPluginService, an XPC service which is scheduled and dispatched using the DAS-CTS system that does the same for most periodic background tasks. What’s unusual with XProtect Remediator is that the task dispatched goes on to choose and run different scanning modules. Thus the only practical way to discover which run and when is from the log. Fortunately, that’s straightforward using the log search predicate
subsystem == "com.apple.XProtectFramework.PluginAPI"
being the orchestrator of XProtect Remediator’s scans. Using that on a Mac running Monterey 12.5.1 24/7 without sleep reveals the following scanning activity over a typical day.

The DubRobber (XCSSET) scanner is by far the most frequently run, performing scans lasting 15-35 seconds every hour or two during periods of low user activity. Other scans observed include the modules for:

Adload for a period of 8 seconds, once or so each day;
Eicar for less than 0.01 second, twice;
Geneio for 0.5 second, once;
GreenAcre for 1.2 seconds, once;
MRTv3 for 17 seconds, once;
Pirrit for 0.5 seconds, once;
SheepSwap for 5 seconds, once;
SnowBeagle for 10 seconds, once;
SnowDrift (CloudMensis) for 9 seconds, once;
ToyDrop for 0.02 second, once;
Trovi in a group of three brief scans of less than 0.1 second each;
WaterNet in one sustained bout, without any reported conclusion.

They make the complete set.

These frequent DubRobber scans present a structured series of log entries, starting with a check for a verifiable XPC connection protocol. After that, a Yara rule is loaded and telemetry enabled, as it remains throughout the rest of the scan. There’s a series of static code signature checks, then a series of path checks. File and further Yara checks follow that, and at the end is an event before the scan report, which takes the form
{"caused_by":[],"status_message":"NoThreatDetected","status_code":20,"execution_duration":15.570410966873169}
which appears self-explanatory.

These scans should now be taking place on all Macs running macOS Catalina and later, with the current XProtect Remediator installed. They’re most likely to take place when your Mac is awake but doing little other than background tasks, such as routine backups, and receiving incoming email as it arrives.

For those running these recent versions of macOS this represents a big step forward. It also dispels any doubt as to whether this new malware protection has gone live yet: it’s both alive and scanning actively already.

Update

I have amended the list of scans observed to reflect my further experience.

Updated 2020 GMT 30 August 2022.

32Comments

Add yours

1

piattj on August 30, 2022 at 10:18 am

Hi Howard, excellent info, as ever. Thanks. Have we finally reached a point where the inbuilt macOS antimalware provision becomes the equal of third party AV vendors? I have been running Bitdefender but now will uninstall that, and rely on the XProtect capability plus the Objective-See tools, which get serious praise. Can we tell whether XProtect Remediator is as, let’s say, sophisticated as external AVs? Many thanks.

LikeLiked by 2 people
- 2
  
  hoakley on August 30, 2022 at 10:49 am
  
  Thank you. That’s an excellent question that I certainly can’t answer. I haven’t yet seen a really meaningful objective assessment of any anti-malware product.
  What I think we can safely conclude is that these scanning modules are intended both to detect and remediate malware, and they’re being run sufficiently to be able to do their job.
  I’d certainly keep the Objective-See tools, which work differently anyway, and are well-proven.
  Howard.
  
  LikeLiked by 1 person
3

Darrin on August 30, 2022 at 12:09 pm

Pretty interesting stuff I’m sure our corp. security team has no knowledge of. Unfortunately we run multiple third party security software on our endpoints, and are always questioning if they’re responsible for user reported performance issues. Anyway, in your opinion, are there notable processes and or directory locations we should be excluding from inspection by these other security tools so that Apple’s malware detection/remediation can execute without triggering those other tools to waste processor cycles? Thanks as always for your deep dives.

LikeLiked by 2 people
- 4
  
  hoakley on August 31, 2022 at 9:03 pm
  
  Sorry – your question got overwhelmed!
  If you’re using a signature-based detection system, you’ll need to ensure that the components in XProtect Remediator aren’t false positives. Back in March or April, soon after it first appeared, one detection system did trigger a false positive on one of the scanner executables.
  Otherwise I’m not sure how either would interact adversely. From what I see, the scanners are looking for patterns indicative of malware, which includes at least some signatures, but also other signs of known malicious behaviour.
  If you’re running EndpointSecurity clients in Ventura, they’ll be given access to scan results and actions, but not apparently in older versions of macOS.
  Otherwise it’s a matter of seeing what happens, I think.
  Howard.
  
  LikeLike
5

RalphB on August 30, 2022 at 3:40 pm

Really an excellent discovery, Howard, and MUCH appreciated. Good to know that Apple’s system sofware is now proactively protecting against malware. Thank you!

LikeLiked by 2 people
- 6
  
  hoakley on August 30, 2022 at 6:42 pm
  
  Thank you.
  Howard.
  
  LikeLike
7

Willy on August 30, 2022 at 6:08 pm

The question is how do you disable that “feature”?

Sounds like it wastes a lot of resources, spams logs, etc., just to try to detect something that’s not there ideally. 1/2 minute every hour for that one single malware family, that’s 12min every day of wasted CPU cycles, disk activity, etc. Lets assume something like 30 Million active Mac systems that’s already like 6 Million wasted CPU hours every day. Quite the environmental impact, IMHO

LikeLiked by 1 person
- 8
  
  hoakley on August 30, 2022 at 6:48 pm
  
  I think you’ll have to disable SIP and remove its LaunchAgents and LaunchDaemons property lists
  If that’s the worst ‘waste’ on your Mac, you must have disabled most of macOS, with its metadata indexing, backups, Siri knowledge updates, ML support, and a great deal else.
  As these are all run as background tasks, on the E cores of Apple silicon Macs, they don’t get in the way of what the user is doing, and are remarkable frugal in their use of energy.
  Personally, I’d rather have better protection against malware, and better protection for the whole Mac community. You never know, it might even reduce the scale of the problem.
  Howard.
  
  LikeLiked by 1 person
9

Michael Tsai - Blog - Active Mac Malware Scans on August 30, 2022 at 9:04 pm

[…] Howard Oakley: […]

LikeLike
10

Apple overhauls built-in Mac anti-malware you probably don’t know about | Ars Technica on August 31, 2022 at 3:36 pm

[…] months macOS malware protection has changed more than it did over the previous seven years," Oakley writes. "It has now gone fully preemptive, as active as many commercial anti-malware products, provided […]

LikeLike
11

David Brooks on August 31, 2022 at 5:03 pm

Howard

Does Apple scan files held in one’s iCloud Drive? If not, could malware lurk there?

Kind regards,
David

LikeLiked by 1 person
- 12
  
  hoakley on August 31, 2022 at 8:34 pm
  
  First, Apple doesn’t have access to your files held in iCloud Drive. Only you do.
  Next, files in iCloud Drive can be in one of two states, with respect to any specific Mac. The file can be ‘evicted’, in which case a small stub file is stored locally, and the file itself is only in the cloud; or it can have been downloaded to local storage, so that a copy is on your local storage and in the cloud. The Finder displays icons to indicate those files that have been evicted.
  Because files can be large and could take an hour or more to download, those that are evicted couldn’t be checked. However, those with local copies could be.
  Finally comes the question as to whether any file scanner checks those particular files. Currently, I don’t think that any macOS tool conducts a general scan of data files or documents, but they tend to look in specific places, usually for executable code, or for known malicious components. While you can store apps in iCloud and run them from there, that’s quite unusual. So I doubt whether iCloud Storage comes in the remit of any existing scanner.
  Nothing gets put into iCloud unless you or an app you have been using puts it there, which means it has to pass through your Mac on its way. So if you were to put a malicious file there, it would remain there until you removed it. But who would do that?
  It’s also worth noting that iCloud is, in quarantine terms, considered to be ‘local’ and secure storage, so you can move files freely with it, without them attracting a quarantine flag in the way that moving by AirDrop does. That’s because you manage it, and apps only have restricted access too.
  Howard.
  
  LikeLike
  - 13
    
    David B. on August 31, 2022 at 10:18 pm
    
    Your comprehensive response is very much appreciated, Howard. 🙂
    I bought my first iMac in 2009. The very first time that I ever went to http://www.icloud.com was on the 27 August – just 4 days ago! I was surprised by what I saw in my iCloud Drive folder, but I now have a much better understanding of matters. Thank you so very much for your help.
    
    Kind regards,
    David
    
    LikeLiked by 1 person
  - 14
    
    cyrenaic on September 4, 2022 at 4:05 pm
    
    You state “First, Apple doesn’t have access to your files held in iCloud Drive. Only you do.”
    
    I am not sure that is accurate – yes the files are encrypted at rest and transit, but they are not E2E encrypted. Apple has the keys. This is not to imply they routinely are looking at someone’s files, but that doesn’t mean they don’t have the capability.
    
    https://support.apple.com/en-us/HT202303
    
    LikeLiked by 1 person
    - 15
      
      hoakley on September 4, 2022 at 4:15 pm
      
      Thank you. In the context of this comment, it is accurate. Yes, Apple can have access to the data held in iCloud Drive, but it only does so in specific circumstances, such as when there’s a legitimate legal request to provide the contents, or you request data recovery. The overall picture is even more complex, and I have summarised it in this article.
      But suggesting that Apple might “scan” someone’s iCloud Drive, as in this case, simply isn’t going to happen.
      Howard.
      
      LikeLiked by 1 person
16

G.J. Parker on August 31, 2022 at 8:43 pm

Say macOS does find an infection. Does it tell you or do you have to go look? I mean, if I get infected, I would like to know so I can figure out how it happened. Thanks for another interesting article.

LikeLiked by 1 person
- 17
  
  hoakley on August 31, 2022 at 8:57 pm
  
  That’s an interesting question. Bear in mind that this is very new software, and will undoubtedly change in the coming months.
  At present, it’s designed not just to detect, but also to remediate by removing the malicious software and repairing any damage. While in Catalina, Big Sur and Monterey this is likely to occur silently, and the only way you’ll know what happened is by browsing the log, from Ventura onwards this is available to third-party products using the EndpointSecurity interface, which I expect will include many free and commercial security tools.
  I suspect to a degree this will be demand-fed: log messages refer to telemetry, which suggests that Apple may be collecting anonymous information about detections and actions. If there are few, then maybe it will remain largely hidden; if there are plenty, then I suspect Apple will have to come up with a human interface. But until recently, when this seems to have gone live, Apple didn’t have any useful data.
  The traditional XProtect and MRT interfaces remain – for instance, if XProtect finds something which matches a malware signature, you’re told to trash it by an alert. But XProtect can’t remediate, and I don’t think MRT was really sophisticated enough to repair much (although I could be wrong on that).
  So it will be interesting to see where this goes.
  Howard.
  
  LikeLike
18

Apple introduced major security updates to macOS - 9to5Mac on September 1, 2022 at 1:02 am

[…] Howard Oakley of Eclectic Light Company (via ArsTechnica) has been monitoring both tools for some time to get an idea of how Apple keeps […]

LikeLike
19

no on September 1, 2022 at 8:10 pm

As long as they won’t cost much battery. They can do whatever to keep me safe.

I installed gibberish anti-virus software back to WinXP ages, its a total waste of time.

LikeLiked by 1 person
20

Electricuser on September 1, 2022 at 9:44 pm

Er, remember when Google’s Keystone got frisky and did bad things on some systems? Isn’t there a risk of accidental silent remediating of false positive content? Yes malware is a problem, but a rogue bit of MacOS deleting stuff is also a risk.

As with Willy above, an off switch might be nice.

LikeLiked by 1 person
- 21
  
  hoakley on September 1, 2022 at 9:48 pm
  
  Thank you.
  As MRT can already do that, how do you cope? It too has no off switch, and has been running on Macs fairly universally for many years now.
  Howard
  
  LikeLike
  - 22
    
    Electricuser on September 1, 2022 at 10:00 pm
    
    Yes, a fair point Howard. You are correct, yet this feeling of loss of control of my Mac in the name of a greater good should be noticed. It feels like a potential attack vector for a hacker. It’s irrational to say this in this hallowed space, but thanks for tolerating my new and little opinion.
    
    LikeLiked by 1 person
    - 23
      
      hoakley on September 1, 2022 at 10:14 pm
      
      The kernel and every extension is a potential attack vector for a hacker. That’s what security is trying to secure, and that’s why it’s so important to install updates promptly, to fix those vulnerabilities. Unless you wrote the kernel and the rest of macOS personally, you’ve lost control of it the moment it boots. Do you manage Mach zone memory by hand? Or move data in and out swap?
      Surely the whole purpose in having a computer is so that it can do things for us, rather than us having to do everything for it.
      Do you spend all day looking for evidence of malware? Of course not – why should you when your Mac could be doing that for you.
      There are issues of communication that I’ll return to on Sunday, though.
      Howard.
      
      LikeLike
  - 24
    
    Electricuser on September 1, 2022 at 10:03 pm
    
    Oh, to answer the question, I unticked the little software update box about downloading security updates in the background. I never liked the idea of updates happening I didn’t know about.
    
    LikeLiked by 1 person
    - 25
      
      hoakley on September 1, 2022 at 10:16 pm
      
      Same here. I check when they’re available, and download and install them under my control. But I’m extremely keen to get them quickly. I’ll never forget when Apple had to use MRT to remove the hidden and vulnerable web server installed by Zoom software. That was a real lesson in the importance of security data updates.
      Howard.
      
      LikeLike
    - 26
      
      hoakley on September 1, 2022 at 10:19 pm
      
      Oh – and unticking that box and not manually installing MRT updates doesn’t disable MRT at all. It still runs, shortly after your Mac has started up. Only your version will be the last that was installed with the latest macOS update, and will be worthless for dealing with quite common malware like XCSSET/DubRobber.
      Howard.
      
      LikeLike
27

Electricuser on September 2, 2022 at 6:56 am

I’ve periodically lurked, visited and enjoyed the depth of investigation and explanation here for many years. Keep up the great honest, open work Howard.

I look forward to your thoughts on how communication might be improved around updates. To me, ‘sneaking’ an (MRT) update onto my Mac is the issue. I appreciate overt security updates and often enjoy reading the backstory of the ingenious exploits.

Yes, Zoom’s previous subversive behaviour set a very bad example, one which I raised with them. I feel I had a small hand in their change of installer technique to a more conventional approach. i.e. not running the installation in the ‘check if it can be installed’ stage.

LikeLiked by 1 person
- 28
  
  hoakley on September 2, 2022 at 9:16 am
  
  Thank you.
  My solution to the updates problem is simple: I turn disable them, and run SilentKnight instead. Just the moment, it’s much more reliable too.
  Howard.
  
  LikeLike
29

macOS’s New XProtect Now Regularly Scans for Malware - TidBITS on September 2, 2022 at 7:22 pm

[…] his Eclectic Light Company blog, Howard Oakley has published an analysis of XProtect Remediator, a modular malware scanner that Apple built into XProtect in macOS 12.3 Monterey and backfilled […]

LikeLike
30

Humberto A. Sanchez II on September 4, 2022 at 1:40 am

Nice article; As always keep up the good work

LikeLiked by 1 person
- 31
  
  hoakley on September 4, 2022 at 5:27 am
  
  Thank you.
  Howard.
  
  LikeLike
32

Apple Has Made Major Updates to macOS Malware Protection in 2022 – MacRumors on November 9, 2022 at 12:05 pm

[…] to macOS malware tools over the course of the last six months, according to updates tracked by Howard Oakley at Eclectic Lighting Company (via Ars Technica).“In the last six months, macOS malware protection has changed more than it […]

LikeLike