The Three XProtects of Christmas

For many years the only tool built into macOS to scan for and remove malicious software was MRT. Its high point came in early July 2019, when Apple repurposed it to remove a hidden vulnerable web server that had been widely installed with the Zoom client. By 2021, Apple had decided to replace MRT with something more modern and capable. The first version of XProtect Remediator was installed in macOS Monterey 12.3 on 14 March 2022, and over the following summer it grew to replace MRT, which was last updated on 29 April 2022, and is now no longer installed with macOS although it may still be obtained as an update.

XProtect Remediator (XPR) is installed and updated outside macOS updates, in the XProtect.app bundle in /Library/Apple/System/Library/CoreServices, in macOS 10.15 Catalina and later. It contains individual executable scanning modules, one of which covers old malware that MRT dealt with. Its first standalone update on 17 June 2022 brought the total of its named malware scanners to eight, and it has grown steadily ever since to a total of 22 in its current version 122.

XPR complements the traditional XProtect, which provides macOS Gatekeeper security checks with a set of detection rules to be applied when scanning apps and executable code before they’re run. Those rules are contained in a separate XProtect bundle alongside XPR, principally in a Yara definitions file, and are used to determine whether to open and execute code at that moment.

Instead, XPR’s scanners are run periodically in the background at frequencies set by XPR itself, according to Apple’s current threat assessments. That’s an improvement on MRT’s scans, that were normally only performed shortly after macOS started up, so provided little protection for Macs that were left running for long periods. Each XPR scan consists of two complete runs, one as the current user, the other as root.

Like XProtect, XPR is updated frequently according to changes in threat. In its early days XPR updates came every two weeks as new scanning modules were developed. Currently updates are released at least once a month, as existing modules are improved, new modules are added, and their scanning frequencies change.

As of XPR version 122, the following scanner modules are included:

Adload, first detected in 2017, added to MRT 1.21 in 2017, one of the original modules in XPR, and still going strong;
BadGacha, added in XPR 91 on 2 March 2023;
BlueTop, added in 108 on 8 August 2023;
CardboardCutout, added in 122 on 19 December 2023;
ColdSnap, added in 99 on 8 June 2023;
DubRobber, added to XProtect on 16 April 2021, and in XPR 62 on 17 June 2022, for XCSSET, a versatile Trojan dropper, first detected in 2020;
Eicar, one of the original modules in XPR, a non-malicious test;
FloppyFlipper, added in 93 on 16 March 2023;
Genieo, detected by XProtect since at least 2013, one of the original modules in XPR, a browser hijacker acting as adware;
GreenAcre, added in 62 on 17 June 2022;
KeySteal, added in 91 on 2 March 2023, exfiltrating keychain contents;
MRTv3, one of the original modules in XPR, covering older malware inherited from MRT;
Pirrit, added to MRT on 6 April 2016, one of the original modules in XPR, malicious adware;
RankStank, added in 96 on 27 April 2023;
RedPine, added in 114 on 12 October 2023, believed to cover TriangleDB malware;
RoachFlight, added in 96 on 27 April 2023;
SheepSwap, one of the original modules in XPR;
SnowBeagle, added in 67 on 21 July 2022;
SnowDrift, added in 68 on 4 August 2022, for CloudMensis spyware;
ToyDrop, added in 64 on 30 June 2022;
Trovi, included in XProtect since 2016, one of the original modules in XPR, a cross-platform browser hijacker;
WaterNet, added in 64 on 30 June 2022.

XPR’s detections, remediations and other findings are reported in the Unified log for all versions of macOS from Catalina, and in Ventura and later as events in Endpoint Security. Otherwise, they aren’t notified to the user in any way. Support for monitoring Endpoint Security is normally confined to third-party commercial security products, although some free-to-use apps including Objective-See’s BlockBlock are now monitoring Endpoint Security events. macOS currently provides no way by which the user is informed of the detection of malware by XPR, or its removal, successful or otherwise.

xpro013

In this log excerpt, XPR has reported that it detected and successfully removed DubRobber/XCSSET.

Occasionally, as with any other malware detection software, XPR reports false positives. Recently, some innocent third-party helpers, including 1Password-Crash-Handler, SnagitHelper2024, crashpad_handler and GoogleSoftwareUpdateAgent, have been triggering false detection reports for BadGacha, for instance. These should be reported both to the third-party developer responsible for that product, and through Apple Support, so that Apple’s security engineers can be informed.

My free SilentKnight checks whether scans have been taking place, and whether any have resulted in detection or remediation. Fuller information, for Catalina and later, is available in my free XProCheck.

xpr1

macOS Ventura introduced a third type of XProtect, XProtect BehaviorService (XBS), part of Apple’s new Bastion behavioural-based malware detection system. Rather than on-demand or periodic scans of static code, this watches for potentially malicious behaviours, such as attempts to access folders used by browsers such as Safari and Google Chrome. At present, XBS and the Bastion system only record such events and don’t attempt to intervene. Behaviours and exceptions are defined by two files contained within the Resources folder inside XPR’s bundle. Changes in those, in XPR’s scanning modules, and in XProtect’s detection signatures, are reported on this blog for each update released by Apple.

Terms

XProtect provides detection signatures and rules for on-demand Gatekeeper checks to determine whether code is safe to run.
XProtect Remediator performs periodic background scans to look for known malicious software, and tries to remove any that it detects.
XProtect BehaviorService provides behavioural rules and lists of exceptions for Bastion to monitor potentially malicious behaviour.

If you fund, develop or distribute malicious software, I suggest that this Christmas you should read Dante’s Inferno, and Charles Dickens’ Christmas Carol, so you can prepare for your future.

For those engineers in Apple’s SEAR, others who undertake Mac security work for other organisations, and independent researchers, I thank you for all your work to protect us in the past, present and future: merry Christmas!

I’m grateful to Mike and others for contributing information used above.

17Comments

Add yours

1

Maurizio on December 23, 2023 at 8:51 am

Hello Howard ,

Have you ever found signs of malware in software distributed via appstore or by notarized developers? and as a corollary, do you believe that meta scanning engines like virustotal are effective for checking binaries downloaded from the web?

Happy Holidays

LikeLiked by 1 person
- 2
  
  hoakley on December 23, 2023 at 9:17 am
  
  No, I have never discovered malware on any of my Macs, not since I started using them in 1989. 🤞
  I believe that meta scanning engines are best left to security researchers. Ordinary users can scare themselves witless if they try using them!
  Happy holidays to you too, Maurizio.
  Howard.
  
  LikeLiked by 1 person
  - 3
    
    Dakotamoons on December 23, 2023 at 7:26 pm
    
    Boy, is that ever the truth.
    So glad you said the quite part out loud.
    It’s such a scam that all of these “malware” app are trying to push on us.
    Unless I’m missing something, I totally concur.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on December 23, 2023 at 10:09 pm
      
      I don’t think that anti-malware apps are necessarily a scam. I know several excellent security engineers and researchers who put their life and soul into their reputable security products. There are some excellent ones around.
      But do we need them?
      If you’re someone who could be targeted by a serious attack, then I think that additional protection could well be important. But for ordinary users, it’s far more important that they behave securely. Don’t click on links in emails, be very careful which web links you click on, and which sites you visit. The human link is always the weakest, and there is a great temptation to install a product and expect it to deal with all the threats that you don’t want to be bothered with.
      Personally, I’m happy with the protection that macOS now provides. But others may wish extra. It’s a personal choice.
      Howard.
      
      LikeLiked by 1 person
    - 5
      
      Dakotamoons on December 24, 2023 at 1:55 am
      
      Thank you Howard for clarifying my writ large broad brush generalization so succinctly. I can not disagree with your thesis in any way. Yes, there would be specific scenarios where malware interdiction would be wise.
      
      LikeLiked by 1 person
6

John Gilbert on December 23, 2023 at 10:21 am

Thank you for your continuing efforts in keeping us better informed regarding essential software about which Apple prefers us to be in ignorance.
Wishing you Merry (and not too cold) Christmas.

LikeLiked by 1 person
- 7
  
  hoakley on December 23, 2023 at 9:57 pm
  
  Thank you, John.
  It looks like a mild (10˚C and more) but wet and windy Christmas here. I wish you better weather, and a very merry Christmas. Thank you for all your comments and contributions over the year.
  Howard.
  
  LikeLike
8

artiste212 on December 24, 2023 at 2:53 am

Howard, it’s nearly 10 pm. I just read this email and when I reached the penultimate paragraph, i laughed out loud so hard I woke my wife. All I can say about what you wrote is,”Bravo!”

LikeLiked by 2 people
- 9
  
  hoakley on December 24, 2023 at 10:32 pm
  
  Thank you. Merry Christmas!
  Howard.
  
  LikeLike
  - 10
    
    artiste212 on December 25, 2023 at 12:45 am
    
    Merry Christmas to you, Howard!
    
    LikeLiked by 1 person
    - 11
      
      hoakley on December 25, 2023 at 5:52 pm
      
      Thank you – Merry Christmas to you too!
      Howard.
      
      LikeLike
12

Bill Stanford on December 24, 2023 at 7:48 am

Howard, thanks as ever for this important overview of Sonoma’s malware protection — and for all the work you do! It’s much appreciated (and in my own case, stored…). Happy Christmas to you, and let’s hope ’24 brings better things!

LikeLiked by 2 people
- 13
  
  hoakley on December 24, 2023 at 10:35 pm
  
  Thank you, Bill. Happy Christmas!
  Howard.
  
  LikeLike
14

John Gilbert on January 2, 2024 at 2:41 am

BadGacha is getting worse for false positives. I don’t have the ones you mention (software not installed). I was getting consistently repeating reports for HoudahSpotHelper and Malwarebytes. Perhaps due to update to macOS 14.2.1, they have both gone, but now getting alerts for Lingon X Agent.

The alerts are all like this:
2024-01-02 03:10:43.944568+1100 localhost XProtectRemediatorBadGacha[91385]: [com.apple.XProtectFramework.PluginAPI:XPDynamicCodeSignature] Failed to get code signature for XPProcess[3987:Lingon X Agent]: UNIX[No such file or directory]
2024-01-02 03:10:43.945403+1100 localhost XProtectRemediatorBadGacha[91385]: [com.apple.XProtectFramework.PluginAPI:XPProcess] getExecutable() failed for 3987: No such file or directory

The helper apps all seem to be correctly signed – as reported by Apparency.

BadGacha would seem to be checking signatures for running processes and failing to open the associated executable.

Perhaps it is a good thing that Apple does not give us notifications for problems it finds. 🙂

LikeLiked by 1 person
- 15
  
  hoakley on January 2, 2024 at 7:29 am
  
  Thank you.
  Have you reported these to the developer, and through Apple Support?
  Howard.
  
  LikeLike
  - 16
    
    John Gilbert on January 2, 2024 at 10:28 pm
    
    Yes to Apple Support and I am having an email chat with HoudahSpot developer. He doesn’t see the same problem, either with HoudahSpot or with Lingon X. Must be something specific to my iMac and some others who report the false positives with different apps.
    
    LikeLiked by 1 person
    - 17
      
      hoakley on January 3, 2024 at 9:47 am
      
      Thank you. That’s odd!
      Howard.
      
      LikeLike