Introduced in Catalina to enable ‘privacy by user intent’, these contain header-UUID pairs, with the UUID identifying the app granted access. But UUIDs change with every restart, so can’t be used to track access prior to the current session.
SIP
Deconfusing the term permissions from security controls and privacy protection. While permissions are set in a file’s attributes, privacy is controlled through elaborate rules.
How to check secure boot, SIP, Gatekeeper/XProtect, its SSV, FileVault, macOS and its firmware, and XProtect Remediator scans.
XProtect, XProtect Remediator, XProtect Behaviour Service, kernel extension excludes, incompatible apps, and some historical remnants, including a database that’s downloaded then vanishes.
It provided 3 protections when introduced in El Capitan in 2015, and has now grown extensively to cover NVRAM, kernel boot arguments, authentication of root, and even malware scans.
Permissions, ACLs, TCC’s privacy controls, SIP and app sandboxes. What they are, and how you can control them to access and maintain your files.
Essential details of each of the three types of XProtect data files, how they’re updated, how to update them, and more. Covers new XProtect in macOS 15.x.
App launch security is built in multiple layers, and not all checks are run on every launch of an app. Syspolicy plays a key role, CDHashes are now central, and XProtect scans can make checks on large apps slow.
Three malicious apps – Atomic Stealer, Genieo and XCSSET – against macOS 14.6.1, with full security, SIP disabled, and Gatekeeper disabled.
If you thought spctl disabled Gatekeeper assessments, and disabling SIP had little effect, then you might like to think again.
