In the last six months macOS malware protection has changed more than it did over the previous seven years. It has now gone fully pre-emptive, as active as many commercial anti-malware products, provided that your Mac is running Catalina or later. This article updates those I’ve previously written about Apple’s new tool in the war against malware, XProtect Remediator.
Until XProtect Remediator arrived in macOS 12.3 last March, system tools for tackling malware were essentially limited to XProtect and MRT. XProtect was mainly used to check apps and other code which had a quarantine flag set, against a list of signatures of known malware, and can only detect. While Apple has broadened its scope to check more frequently, and continues to update those signatures every couple of weeks, they have their limits. MRT ran scans to both detect and remove (‘remediate’) known malware, most noticeably shortly after startup, but infrequently.
XProtect Remediator consists of executable code modules which both scan for and remediate detected malware. At present, these include the following:
- Adload, an endemic Trojan known for downloading unwanted adware and PUPs, summarised here;
- DubRobber, a troubling and versatile Trojan dropper also known as XCSSET;
- Eicar, a harmless standard test for anti-malware products;
- Genieo, a browser hijacker acting as adware, summarised here;
- GreenAcre, an Apple internal name;
- MRTv3, referring to Apple’s original malware remediator;
- Pirrit, malicious adware explained in detail here;
- SheepSwap, an Apple internal name;
- SnowBeagle, an Apple internal name;
- SnowDrift, identified by Stuart Ashenbrenner of Jamf as CloudMensis, spyware first identified by ESET;
- ToyDrop, an Apple internal name;
- Trovi, a cross-platform browser hijacker.
- WaterNet, an Apple internal name.
These are orchestrated by XProtectPluginService, an XPC service which is scheduled and dispatched using the DAS-CTS system that does the same for most periodic background tasks. What’s unusual with XProtect Remediator is that the task dispatched goes on to choose and run different scanning modules. Thus the only practical way to discover which run and when is from the log. Fortunately, that’s straightforward using the log search predicate
subsystem == "com.apple.XProtectFramework.PluginAPI"
being the orchestrator of XProtect Remediator’s scans. Using that on a Mac running Monterey 12.5.1 24/7 without sleep reveals the following scanning activity over a typical day.
The DubRobber (XCSSET) scanner is by far the most frequently run, performing scans lasting 15-35 seconds every hour or two during periods of low user activity. Other scans observed include the modules for:
- Adload for a period of 8 seconds, once or so each day;
- Eicar for less than 0.01 second, twice;
- Geneio for 0.5 second, once;
- GreenAcre for 1.2 seconds, once;
- MRTv3 for 17 seconds, once;
- Pirrit for 0.5 seconds, once;
- SheepSwap for 5 seconds, once;
- SnowBeagle for 10 seconds, once;
- SnowDrift (CloudMensis) for 9 seconds, once;
- ToyDrop for 0.02 second, once;
- Trovi in a group of three brief scans of less than 0.1 second each;
- WaterNet in one sustained bout, without any reported conclusion.
They make the complete set.
These frequent DubRobber scans present a structured series of log entries, starting with a check for a verifiable XPC connection protocol. After that, a Yara rule is loaded and telemetry enabled, as it remains throughout the rest of the scan. There’s a series of static code signature checks, then a series of path checks. File and further Yara checks follow that, and at the end is an event before the scan report, which takes the form
which appears self-explanatory.
These scans should now be taking place on all Macs running macOS Catalina and later, with the current XProtect Remediator installed. They’re most likely to take place when your Mac is awake but doing little other than background tasks, such as routine backups, and receiving incoming email as it arrives.
For those running these recent versions of macOS this represents a big step forward. It also dispels any doubt as to whether this new malware protection has gone live yet: it’s both alive and scanning actively already.
I have amended the list of scans observed to reflect my further experience.
Updated 2020 GMT 30 August 2022.