Last Week on My Mac: Does Apple support its security software?

Over the last few years, winds of change have swept through macOS security. Apple made a promising start on improving its documentation in its Platform Security Guide, has even published several technical articles in its security blog, and has released not one but two new tools to tackle malicious software. But there are now signs of fatigue: the Platform Security Guide hasn’t been updated for almost two years, and I’m seeing increasing numbers of users who are being snubbed when they have problems with those new tools, in particular XProtect Remediator.

XProtect Remediator first appeared in Monterey 12.3, released just over two years ago, and became fully airborne later that summer. Since then, every 24 hours or so, all Macs running macOS Catalina or later get a paired set of scans to detect and remove or remediate known malicious software. I believe that I was the first to identify and describe XProtect Remediator on 12 June 2022.

What has been odd, by normal standards at least, is that throughout this, XProtect Remediator has never reported anything to the user in an alert or notification. Instead, it writes its reports to the log, and, from Ventura onwards, as events in Endpoint Security, from where third-party software can inform the user. I don’t know of any other developer of similar anti-malware scanning software that conceals its successful detections and remediations in this way, and I suspect few would pay for software that does that.

Whatever the reasons for that, I have devoted many weeks of work to discovering what XProtect Remediator does, how it works, what it detects, and how effective it is against real, live malware. As a result, I have released a free app that extracts its reports from the log, and incorporated basic checks in two other apps, SilentKnight and most recently Skint. Those haven’t been developed in isolation from Apple.

False positives are a problem common to all products that try to detect malicious software. Over the 20 months or so since XProtect Remediator went live, several of its scanning modules have reported what appear to be false positives. At the moment the BadGacha module appears most prone to them, and I have received many reports, including this one just recently:
BadGacha ⚠️ FailedToRemediate time 0.0000759 {"caused_by": [], "execution_duration": 7.593631744384766e-05, "status_message": "FailedToRemediate", "status_code": 24}
(XProCheck adds the ⚠️ to aid the user; it isn’t part of the log entry. I have also added spaces to make this more readable.)

Most of these false positives don’t report detections or attempts at remediation, but something the scanning module isn’t happy with. A few go further and claim to have detected malware, but it’s unusual for them to report a failed attempt to remediate a detection. I therefore advised that user to contact Apple Support.
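To make that triage concrete, here is an added example (not code from the article, nor from XProCheck, SilentKnight or Skint) that extracts XProtect Remediator reports from log lines and sorts them into those a user should act on and routine ones. It assumes each report is a scanner module name followed by a JSON dictionary with a "status_message" key, as in the entry quoted above. The sample lines are constructed for this example: only "FailedToRemediate" with status_code 24 comes from the page; the other status strings, codes, timestamps and the subsystem name in the log show command are assumptions.

```python
"""Triage XProtect Remediator reports pulled from the unified log.

Added example; not the article's code, nor XProCheck's. Report layout
(module name + JSON with "status_message") follows the entry quoted in
the article. Everything else below is an assumption for illustration.
"""
import json
import re
import subprocess

# Statuses a user should look at, most urgent first. Anything not listed in
# either table is treated as needing review rather than silently dropped.
ATTENTION = {"FailedToRemediate": 3, "Detected": 2, "Remediated": 1}
ROUTINE = {"NotDetected"}

# A module name, whitespace, then a JSON object running to the end of line.
# Works on a bare report and on a compact-style log line with its prefix.
_ENTRY = re.compile(r"(?:^|\s)(?P<module>\w+)\s+(?P<json>\{.*\})\s*$")

# Constructed sample: first line is the article's entry with spaces removed,
# the rest are assumed shapes (the prefix mimics `log show --style compact`).
SAMPLE_LOG = [
    'BadGacha {"caused_by":[],"execution_duration":7.593631744384766e-05,'
    '"status_message":"FailedToRemediate","status_code":24}',
    '2024-03-10 03:12:45.101 Df XProtectRemediatorDubRobber[812:4410] '
    '[com.apple.XProtectFramework.PluginAPI:XPEvent.structured] DubRobber '
    '{"caused_by":[],"execution_duration":0.31,"status_message":"NotDetected","status_code":0}',
    'SnowDrift {"caused_by":[],"execution_duration":0.12,'
    '"status_message":"Detected","status_code":1}',
    'XProtectRemediator: scan scheduled',  # no structured report here
]


def parse_report(line):
    """Return (module, payload) for a structured report, else None."""
    m = _ENTRY.search(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("json"))
    except json.JSONDecodeError:
        return None
    if "status_message" not in payload:
        return None
    return m.group("module"), payload


def triage(lines):
    """Split log lines into (needs_attention, routine), most urgent first."""
    attention, routine = [], []
    for line in lines:
        parsed = parse_report(line)
        if parsed is None:
            continue
        module, payload = parsed
        status = payload["status_message"]
        record = {"module": module, "status": status,
                  "code": payload.get("status_code")}
        if status in ROUTINE:
            routine.append(record)
        else:
            # Unknown statuses get middling severity so they are not ignored.
            record["severity"] = ATTENTION.get(status, 2)
            attention.append(record)
    attention.sort(key=lambda r: -r["severity"])
    return attention, routine


def log_show_command(hours=24, subsystem="com.apple.XProtectFramework.PluginAPI"):
    """Build the `log show` invocation; the subsystem value is an assumption."""
    return ["log", "show", "--last", f"{hours}h", "--style", "compact",
            "--predicate", f'subsystem == "{subsystem}"']


def collect(hours=24):
    """On a Mac, run `log show` and triage its output (not used offline)."""
    out = subprocess.run(log_show_command(hours), capture_output=True,
                         text=True, check=True).stdout
    return triage(out.splitlines())


if __name__ == "__main__":
    needs_attention, routine = triage(SAMPLE_LOG)
    for r in needs_attention:
        print(f"ATTENTION {r['module']}: {r['status']} (code {r['code']})")
    print(f"{len(routine)} routine report(s)")
```

A FailedToRemediate report sorts above a plain detection because, as the article notes, it is the rarest and least expected outcome; a NotDetected report is the normal result of a scan and is kept only for counting. The regex deliberately anchors the JSON object to the end of the line so the process name and subsystem prefix that `log show` adds don't confuse the module name.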

To our disappointment, Apple Support didn’t appear concerned, and told them that such events don’t get reported to the user unless there’s something that the user needs to do. They were then pointed at a discussion on Apple Support Communities, where the “Best reply” may be familiar to some of you. I will step through that response, which Apple Support clearly felt was sound guidance. To assist in distinguishing that “Best reply” I will quote from it verbatim in italics.

“For clarification, XProtect does not display any messages like this. It has virtually no user interface. The user interface it does have is infuriating, and more disruptive to the user experience than any malware. I know this makes no sense, but that’s the way the world works.”

This immediately reveals that the respondent is unable to draw the distinction between ‘classic’ XProtect, the part of Gatekeeper that performs checks on executable code before it’s run, and the newer XProtect Remediator, which scans for telltale signs of malicious software when your Mac isn’t in use.

When malware is detected as the user is trying to open or run it, alerts presented by macOS are clear, apart from the terminology used. I give two examples resulting from live malware.

[Screenshot: xprxcs02]

In this case, MACOS.2070d41 turns out to mean a variant of what’s more generally known as XCSSET, also termed by Apple as DubRobber.

[Screenshot: xprmensis01]

SnowDrift refers to what everyone else knows as CloudMensis.

“All of these reports about “BadGacha” are from people using a certain app written by a social media influencer. This app takes low-level log reports, that no one should ever, ever look at, and displays them.”

macOS includes Console, an app intended to view the contents of the log, and even documents it in the Console User Guide, where it writes “Console collects log messages that are generated from your computer and connected devices, and you can use these messages to check on your computer’s performance and solve problems.” XProCheck, SilentKnight and Skint all use Apple’s own log command tool to obtain their log extracts, and do nothing underhand or outside Apple’s documentation for macOS.

Without resorting to log extracts, it’s well nigh impossible to diagnose or even detect many problems in macOS, particularly those with Time Machine, iCloud and Spotlight. To tell users never to look at entries in the log is frankly disgraceful.

“If Apple had a reason to report any kind of “BadGacha” virus, then there would be a dialog pop-up telling you. You wouldn’t be able to dismiss the dialog and you wouldn’t be able to use your computer. Your only solution would be to erase the hard drive and install the latest version of macOS Sonoma. Because this isn’t happening, these reports are, therefore, false.”

Although no one outside Apple has yet identified the malware named by Apple as BadGacha, I think we can be fairly confident that it’s not a “virus” in any sense of the term. This part of the “Best reply” then descends to complete fiction, revealing that its author has never observed a successful malware detection by XProtect Remediator, despite apparently writing authoritatively about what they think would happen. Let me show you what happens when XProtect Remediator does detect and remediate real, live malware in macOS.

[Screenshot: xprdet02]

In this case, the scanners correctly detected evidence of XCSSET as DubRobber, Genieo, and CloudMensis as SnowDrift. No alerts or dialogs appeared, no notifications were posted, and there were no other indications apart from these log entries, and corresponding events posted in Endpoint Security.

[Screenshot: xprocheck155]

Here’s another run using live malware, this time a successful detection and remediation of KeySteal, as reported in that “terrible” app XProCheck. Again, no alerts or dialogs, no notifications, no other reports to the user, no requirement to “erase the hard drive” (a good thing too, as few Macs now have internal hard drives, and this one doesn’t). So all the expectations given here to the user are fictitious, and none of them grounded in any experience of what really does happen. To tell a user that the log reports written by XProtect Remediator are therefore “false” is not only patently incorrect but also exceedingly dangerous.

So if you have a problem with macOS security, such as log entries reporting the detection or remediation of malicious software by XProtect Remediator, should you contact Apple Support, only to be pointed at such misleading and dangerous comments on Apple Support Communities?

I may be a mere “social media influencer”, but one thing I have learned in almost fifty years of using computers, and 35 years of developing for and writing about Macs for the specialist computer press, is that you assess such reports carefully, and don’t jump to dangerous conclusions.