Last Week on My Mac: the trouble with better security

Last week’s project was to deliberately challenge macOS Ventura 13.1 with malicious software, and quite an adventure. I was particularly interested in two aspects: first, how different levels of security protection affected the ability of macOS’s built-in defences to protect the user, and second, perhaps more importantly, what the user would be informed of. After all, you can have the best tools and defences, but if you aren’t aware that your Mac has encountered something malicious, you’re lost.

Having a little insight into the complexity of macOS security, I suspected that progressively disabling its protective layers would change its behaviour in complex ways. Two things that I hadn’t expected were the lack of dependence on quarantine, and the way that XProtect Remediator appeared to step in to compensate for reduction in other layers.

Quarantine had always been something of a gentleman’s agreement: if potentially malicious software was downloaded in a way that let a quarantine flag be attached to it, and didn’t play dirty, then Gatekeeper could perform its full first-run checks. Not any more, though, as macOS has welshed on its side of that agreement, and now seems to check everything much the same in the end. That doesn’t of course mean you can strip all those quarantine flags, just that when malware tries that, it doesn’t get the advantage that it used to.

XProtect Remediator was more of an unknown. It’s designed to be as unobtrusive as possible, and run its scans with minimal impact on our use of the Mac. The drawback with doing so is that, unlike with Gatekeeper’s warnings, the user is likely to be absent if a scan does discover something untoward. Posting a notification in the small hours of the morning isn’t going to be much use.

So significant scan results have to be stored for the user to retrieve after the fact, and this is where these new scans run into trouble. According to current dogma, there are only two places XProtect Remediator can post its results: as entries in the Unified log, which it does in all compatible macOS from Catalina on, and as Endpoint Security events, as it does in Ventura. If you’re a regular user running a fairly standard system, neither of those will be accessible at all.

Before Apple introduced the Unified log in macOS Sierra, it wasn’t uncommon for users to browse the log. Many who relied on Time Machine to make their backups used to check it to ensure that no errors had occurred. Sierra instantly put a stop to that, with its endless log chatter drowning everything else out, and Console left unable to help. Over the last six years, that has only grown worse, to the point where many of us are now turning off logging by some subsystems in a desperate bid to retain access to the log. XProtect Remediator’s log entries might as well be encrypted for all the help they’ll be to the average user.

Endpoint Security remains a mystery, though. Often, when Apple introduces valuable new features, it retains the initiative by exploiting them before third parties can. Yet, in the case of Endpoint Security, there’s nothing that I’ve seen in macOS that seems to do anything useful with it. While several third parties do offer products that use it, most seem aimed more at corporate and enterprise markets. Third-party security products aimed at ordinary users, or even small businesses, seem thoroughly vague about Endpoint Security support, something I for one want to know more about before I’d consider subscribing to their products.

We’re left with what’s one of Apple’s most promising and capable defences against malware, incapable of informing the user about the most important security events, such as the detection of malware, and the outcome of its attempts to remove it.

When the original XProtect, run as part of Gatekeeper checks, suspects an app you’re trying to run is malicious, you see an immediate and unmistakeable warning, even though the name given to the malware may be unhelpful. A few hours later, when its Remediator sibling discovers and removes malicious components, it passes on in silence. That surely can’t be what Apple intends.

I’d like to think that, somewhere in Apple, there’s an engineer just putting the finishing touches to an addition for Privacy & Security in System Settings that will better inform the user in macOS 13.3 or so. It may not help those stuck with earlier macOS that still enjoy the protection of XProtect Remediator, but it would be an important step forward.