hoakley September 13, 2022 Macs, Technology

How macOS leaves users vulnerable, and unaware of their vulnerability

It isn’t the first time that a Mac user has asked me a simple question, only to discover that, while they thought their Mac was fully protected against malicious software, because of shortcomings in macOS, their Mac has been vulnerable all the time. The reason, as always, is because macOS is so secretive about its protection that the user doesn’t know when it has failed.

Small slip

This particular user, I’ll call him John, posed a common problem. Although he’s diligent about not opening suspicious emails, when trying to open an innocent message, he inadvertently opened something that looked more unpleasant in intent. It had an attachment which made him wonder if he had perhaps run the risk of malware being installed.

As he was running Monterey 12.4 at the time, my immediate suggestion was for him to check the results from his XProtect Remediator scans. If they didn’t detect any malware, then he’d be more than half way to knowing that what he’d done hadn’t caused something to regret. I also suggested that he looked at a third-party anti-malware product for a second opinion. Sadly, he wasn’t able to identify a suitable product to perform a one-off scan for malicious software without starting to pay for it by subscription, so his only check is that from XProtect Remediator.

macOS protection?

As XProtect Remediator in current macOS only reports its scans in the log, he downloaded and ran my free utility XProCheck to view its scan reports. These were completely unhelpful, consisting only of entries containing
<private>
and nothing else. I encouraged him to install the waiting update to macOS 12.5.1, but that didn’t help. Whatever XProtect Remediator was doing, it wasn’t prepared to let anyone else know.

It was then that I got him to check the version of XProtect Remediator installed on his Mac, which turned out to be 62, pushed by Apple on 17 June, and subsequently updated six times to reach the current version 72. Somehow, though, Software Update had failed to install any of those six updates, and not even bothered to inform John.

John had his little misadventure on 4 September. It wasn’t until a week later that he was able to use third-party software to download and install the latest security data updates, and provide his Mac with the full protection that he had been expecting all the time.

In John’s case, this doesn’t appear to be the result of the known and reported bug in installing security data updates through a local Content Caching server. Unravelling just what went wrong with Software Update is unlikely to prove possible, as is often the case.

Vulnerability of secrecy

John’s problems wouldn’t have happened if macOS had alerted him to the fact that its security protection was so badly out of date. He would have taken whatever action was necessary to download and install the current version of XProtect Remediator, and after his small slip could have had immediate confidence that he hadn’t installed malware.

But being one of the tens of millions of ordinary users of macOS:

he didn’t know that macOS had new protection that regularly scans for known malware and can remove it;
he hadn’t been informed that his Mac’s security software was woefully out of date;
he hadn’t been informed that there were security updates waiting to be installed.

We all like systems that don’t trouble us with unnecessary alerts or notifications, but when they’re so secretive that ordinary users don’t know that macOS security protection isn’t working, they’re a vulnerability in themselves. If this article does nothing else, please take the opportunity to check that your Macs are fully up to date and that their protection is functioning properly. Although that’s far from simple in macOS, you’ll find third-party tools like my own SilentKnight, silnite and XProCheck a good start. And they’re completely free to use, and have no annoying habits.

I’d like to acknowledge the advice of others who helped me sort John’s problem out.

34Comments

Add yours

1

EcleX on September 13, 2022 at 6:44 am

SilentKnight is awesome!

LikeLiked by 2 people
- 2
  
  hoakley on September 13, 2022 at 12:44 pm
  
  Thank you.
  Howard.
  
  LikeLike
3

Jayson Kish on September 13, 2022 at 8:32 am

The SystemLogging device management profile that may reveal what those entries marked contain.

https://developer.apple.com/documentation/devicemanagement/systemlogging

LikeLiked by 1 person
- 4
  
  hoakley on September 13, 2022 at 12:46 pm
  
  Thank you. That’s non-trivial, but useful in the event the problem can’t be fixed. With such out-of-date security protection, it’s more important to bring it properly up to date. That old version of XProtect Remediator was missing several of the current scanning modules.
  Howard.
  
  LikeLike
5

Tudorminator on September 13, 2022 at 8:35 am

Malwarebytes offers a free trial for their antivirus. But the free version allows manual scanning (just not scheduled and/or automated) and I think it is verry good for this type of situations.

Full disclosure: after using the free version for a couple of years, I am now a paying (and satisfied) customer. Other than that, I have no affiliation with the company.

LikeLiked by 1 person
- 6
  
  hoakley on September 13, 2022 at 12:47 pm
  
  Thank you.
  I did suggest John tried Malwarebytes, but in this case he decided that scanning a folder or two wasn’t going to answer any of his important questions. He needed a directed search to find evidence of malware on his Mac, not just to check some mail enclosures or downloads.
  Howard.
  
  LikeLike
  - 7
    
    Tudorminator on September 13, 2022 at 1:14 pm
    
    While the Windows version has the option of a targeted (folder or file) scan, the macOS version doesn’t. So it would have scanned the entire filesystem, in addition to the memory.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on September 13, 2022 at 10:30 pm
      
      Thank you. It was John who made the decision, not me.
      Howard.
      
      LikeLike
9

jmrichards7f14f5632c on September 13, 2022 at 2:30 pm

DetectX Swift and Intego VirusBarrier Scanner are both good. I know the Scanner is free, and I think DetectX Swift has a free version as well.

LikeLiked by 1 person
- 10
  
  hoakley on September 13, 2022 at 10:31 pm
  
  Thank you. It was John who made the decision. AFAIK DetectX Swift is currently EOL, waiting on a new version. I don’t know VirusBarrier.
  Howard.
  
  LikeLike
11

Duncan on September 13, 2022 at 3:08 pm

I find that running John Norstad’s Disinfectant from a bootable floppy is a good way to check your hard disk.

LikeLiked by 1 person
- 12
  
  hoakley on September 13, 2022 at 3:32 pm
  
  Haha!
  Yes, I well remember.
  Howard
  
  LikeLike
13

edro123 on September 13, 2022 at 4:10 pm

Howard,

Thank you so much for all the work you do and the utilities you provide. They are an enormous help for us Mac users.

Ed

LikeLiked by 1 person
- 14
  
  hoakley on September 13, 2022 at 10:32 pm
  
  Thank you.
  Howard.
  
  LikeLike
15

jimgbuffalo on September 13, 2022 at 5:26 pm

BitDefender has a free manual scanner that doesn’t install a bunch of background stuff.

LikeLiked by 1 person
- 16
  
  hoakley on September 13, 2022 at 10:34 pm
  
  Thank you. I haven’t used it, but it was John who did the choosing.
  Howard.
  
  LikeLike
17

Sebby on September 13, 2022 at 8:05 pm

VirusTotal? That’s free, after a fashion, and very useful in times like this.

But really, for someone like me the primary threat comes from outside exposure to vulnerabilities, not inside exposure to accidents. I’d gladly spare all the virus scanning in the world for updated system software, to within the limits supported by hardware.

LikeLiked by 1 person
- 18
  
  hoakley on September 13, 2022 at 10:36 pm
  
  Thank you.
  I’m not sure how you would use VirusTotal to determine whether an email enclosure had dumped something nasty into your Mac. And isn’t that exactly what security is supposed to protect you from?
  Howard.
  
  LikeLike
  - 19
    
    Sebby on September 14, 2022 at 1:02 am
    
    VirusTotal is just an online interface to a bunch of virus scanners, so presumably you’d just scan your suspicious payload as if you were using a local scanner and pointing to the suspect file directly on your own system. It might be enough to learn what you were up against, or if it represented any kind of threat at all (sometimes spammers and phishers simply attach documents to avoid server-side spam scanners and the real attack is stealing an identity when the victim follows instructions and gives up information).
    
    LikeLiked by 1 person
    - 20
      
      hoakley on September 14, 2022 at 7:00 am
      
      Thank you.
      So you’re seriously suggesting that on a live production Mac, an ordinary user like John should run a suspicious email enclosure against VirusTotal to check whether it contains known malicious content?
      Howard.
      
      LikeLike
    - 21
      
      Sebby on September 14, 2022 at 5:07 pm
      
      Sure, why not? Is it really any different from using some third-party AV to do the same thing, except for the small detail that it happens online and your file might be scrutinised by random strangers? I’d say you’re getting a very good deal, if you just need another (50+ as of now, I think it is) opinions about a suspicious file.
      
      But I’m probably missing the point where our protagonist has somehow triggered automatic execution of malware, or thinks as much, and isn’t sure quite how or if any damage was done, for whatever reason. Well, at that level of paranoia, I’d say a third-party commercial scanner with real-time protection (I’ve had good experience with MalwareBytes, which my bank gives me for free) provides the best insurance. I don’t think it’s worth it–not on any platform, all of which have free options–but HMMV. And, as you are now informing us, the XProtect scanners are comparable for presumably most of the common cases, which will help if someone has a little accident and gets themselves infected by a common strain in a trojan download or adware, which is still by far the most common reason this happens. Not dismissing that case at all, but being cautious is a fabulous defence against all malware, and keeping patched, of course. And Apple should absolutely make XProtect right if it’s broken (just looked: content cache blocked new payloads, turned off the cache again, sigh).
      
      LikeLiked by 1 person
    - 22
      
      hoakley on September 14, 2022 at 6:43 pm
      
      I think you’re missing the point that this sensibly security-conscious user made a motor error, in which he opened a message which he suspects may have containing a malicious payload. All he wants to do is reassure himself that his Mac hasn’t been compromised as a result.
      I get similar messages from many people in the same situation.
      Frankly, to suggest they should isolate what might be malicious and check its hash against those of known malware on VirusTotal is absurd.
      He doesn’t want to pay a subscription for third-party malware protection. But he wasn’t aware of what macOS could offer him, because even in Apple’s Platform Security Guide (a document which he wouldn’t go near, and most of which he wouldn’t understand) Apple doesn’t make it clear what protection is provided, nor how he could use it to check his Mac when he wants the assurance.
      In the end, he was let down not by XProtect Remediator, but by Software Update’s failure to do its most important job. He was unimpressed by third-party offerings, which all seemed to want him to start a subscription, and none of which – to him – would address his fairly simple need.
      As I say, I come across similar users very frequently. They aren’t stupid, just ordinary Mac users, you know the kind that Apple tries to appeal to.
      Howard.
      
      LikeLike
23

Brian on September 14, 2022 at 12:06 am

ClamXAV is a commerical malware checker with a 30-day free trial. I’m surprised how often it is forgotten about in reviews. It written for Mac, but based on the Open Source ClamAV software and can scan for Mac and Windows-specific problems.

LikeLiked by 1 person
- 24
  
  hoakley on September 14, 2022 at 6:58 am
  
  Thank you.
  Howard.
  
  LikeLike
25

piattj on September 14, 2022 at 9:58 am

Howard. Top stuff, as ever – thanks! Just a note. I find that XProCheck can only be run from an admin privs account, which is a slight faff. SilentKnight runs from a non-admin account. Is this expected behaviour? Ta!

LikeLiked by 1 person
- 26
  
  hoakley on September 14, 2022 at 10:01 am
  
  Thank you. Yes it’s explained in the docs. XProCheck has to access the log, which requires admin privileges. SilentKnight doesn’t.
  Sorry, I don’t make the rules.
  Howard
  
  LikeLike
27

piattj on September 14, 2022 at 11:13 am

LOL. You’re right. At the top of the guide! It’s so easy to use that I didn’t even read the guide. Kudos to you!

LikeLiked by 1 person
- 28
  
  hoakley on September 14, 2022 at 1:00 pm
  
  Thank you.
  Howard.
  
  LikeLike
29

Bernd on September 14, 2022 at 11:51 am

>I also suggested that he looked at a third-party anti-malware product for a second opinion. Sadly, he wasn’t able to identify a suitable product to perform a one-off scan for malicious software without starting to pay for it by subscription,
>

Good anti-virus programs for the Mac:

– https://apps.apple.com/de/app/virus-scanner-plus/id595374522?mt=12
buy once; must be set up for each user account on the Mac.

– https://apps.apple.com/de/app/bitdefender-virus-scanner/id500154009?mt=12 like above, _free_ but missing live scan in background. You have to click for each scan and remember to do it regularly.

– More professional is https://www.bitdefender.com/solutions/antivirus-for-mac.html# : pay per year, easy cloud administration overview of client status. Free test available. Introduction price is much lower as license extension, so consider to by two or three year license initially.

LikeLiked by 1 person
- 30
  
  hoakley on September 14, 2022 at 1:01 pm
  
  Thank you.
  Howard.
  
  LikeLike
31

Anonymous on September 14, 2022 at 12:47 pm

The most annoying users are Mac/Linux users, claiming they have nothing to fear, as they are safe from those malware binaries. Wrong! Not getting infected personally is still a huge problem for yourself, because you will infect the people you need. Sure, the email malware might not work in your Monterey install, but what if you email your doctor and he gets his Windows machine infected by something you never scanned for? Then it’s your problem, because your doctor will have to close his doctors office, leaving you behind. And all that although your Mac is safe, right? Not at all smart to think you’re safe with a Mac. Never has been a good idea. I’ve done it wrong myself, admittedly.

MRT.app is less of a malware scanner than a copyright protection mechanism, by the way. In my book, MRT.app is a malware. It deletes data. My local data. Even if it’s a malware that MRT.app deletes, I demand to be informed immediately about that – which is not happening. MRT.app is also a mutating binary. An attack vector as you can’t make sure that the MRT binary you have installed is actually the correct one. Hashes don’t work and if they do, compare those hashes with what? Security by obscurity seems to be the agenda at Apple in that regard. What if somebody jumps into the definitions db update supply chain and changes the definitions to whatever he wants? Super possible. Currently, that’s THE El Dorado of psychological warfare. Missing files, but no notifications whatsoever for the victim. Apple wrote that malware for you in that case, no suspicious processes anywhere. And the genius bar protips? “Oh yeah, the new APFS is still a little buggy! ;)”. Uh huh? And the ads, well the ads tell you that you’re safe. What a hoax, IMHO.

Godawful times we’re living in, especially outside of the USA.

Greetings and thank you for your nice website and software, Mr. Oakley. Greatly appreciated! 👋

LikeLiked by 1 person
- 32
  
  hoakley on September 14, 2022 at 1:02 pm
  
  Thank you.
  You may not have noticed, but MRT is all but dead, or at least deeply unconscious. Apple hasn’t used or updated it since April. XProtect Remediator has essentially replaced it now, on Catalina and later.
  Howard.
  
  LikeLike
  - 33
    
    Anonymous on September 14, 2022 at 2:08 pm
    
    I wasn’t aware of that yet, actually. Thank you again Mr. Oakley! Amazing.
    Well then I’m going to look into that right now in Parallels. Let’s see 🤓
    
    LikeLiked by 1 person
34

macOS Ventura Security and Privacy Guide - SecureMac on December 13, 2022 at 9:20 pm

[…] “secretive,” as security researchers like Howard Oakley have pointed out. On his blog, Oakley described a recent issue in which a user’s version of XProtect Remediator failed to update automatically — leaving the […]

LikeLike