• Changing anti-malware tools in macOS

    From David Brooks@21:1/5 to All on Sun Jul 3 08:12:36 2022
    XPost: alt.computer.workshop

    By hoakley - 3 July 2020

    Fixing security vulnerabilities in macOS is important, but often
    overshadows its defences against malware, something we seldom talk
    about. The last few years have seen system software move from being
    lightly protected by SIP to locked away in a sealed snapshot. What
    Apple hadn’t addressed until more recently were its tools for the
    detection of malware and the remediation of its ill-effects.

    I started tracking changes in those tools seven years ago, when the
    threat landscape was very different. At that time, XProtect was more
    concerned with blocking older and vulnerable versions of Flash and Java,
    then the basis for most popular exploits. Although XProtect did use
    signatures to detect some malware, remediation was the primary function
    of a separate tool, MRT.

    For seven years Apple’s security engineers played cat and mouse with
    malware, frequently updating the data used by XProtect, and building
    new versions of MRT. Lately this sustained effort hasn’t been able to
    keep pace, and detection tools have struggled in the face of rapidly
    changing malicious code. There’s only so much you can do with a
    rule-based detection system as used by XProtect, so it was time to
    move on to something more capable.

    The first step towards that came on 14 March 2022, when Monterey 12.3
    added what appeared to be a new app with a familiar name, XProtect.app.
    This is on the Data volume in the folder
    /Library/Apple/System/Library/CoreServices, and firmlinked to merge
    with the matching folder on the System volume at
    /System/Library/CoreServices. Like MRT.app, it isn’t an app at all, but
    a structured suite of executable tools kept in an app bundle. That first
    silent release didn’t do much, and passed unnoticed. In little more than
    a fortnight, Apple has just updated it from version 2 to 64, and has
    increased the number of those executable modules from eight to twelve.
    Yet the last update to MRT was over two months ago, on 29 April 2022.

    https://eclecticlight.co/2022/07/03/last-week-on-my-mac-changing-anti-malware-tools-in-macos/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
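An added example, not from the post or from hoakley's own tools, that reproduces the kind of tracking the post describes: it reads each bundle's version from Contents/Info.plist and counts the executables in Contents/MacOS, starting from the Data-volume path named in the post. The bundle-building helper, the module names and the MRT version string are constructed for demonstration; only the XProtect.app version 64 and its twelve modules come from the post.

```python
"""Inventory Apple's anti-malware bundles: hypothetical helper for this post, not Apple's tooling."""
import os
import plistlib
import tempfile
from pathlib import Path

# Data-volume path named in the post; /System/Library/CoreServices is its firmlinked twin.
CORESERVICES = Path("/Library/Apple/System/Library/CoreServices")
BUNDLES = ("XProtect.app", "MRT.app")

def bundle_version(bundle: Path) -> str:
    """Read the version from Contents/Info.plist (standard CFBundle keys)."""
    with open(bundle / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    return str(info.get("CFBundleShortVersionString") or info.get("CFBundleVersion", "?"))

def executable_modules(bundle: Path) -> list:
    """The tools the post counts are the executables in Contents/MacOS."""
    macos = bundle / "Contents" / "MacOS"
    if not macos.is_dir():
        return []
    return sorted(p.name for p in macos.iterdir() if p.is_file() and os.access(p, os.X_OK))

def inventory(root=CORESERVICES) -> dict:
    """Map each bundle present under root to its version and module list."""
    root, result = Path(root), {}
    for name in BUNDLES:
        bundle = root / name
        if (bundle / "Contents" / "Info.plist").is_file():
            result[name] = {"version": bundle_version(bundle),
                            "modules": executable_modules(bundle)}
    return result

def make_sample_bundle(root: Path, name: str, version: str, modules: list) -> None:
    """Build a constructed stand-in bundle so the check can be exercised off a Mac."""
    macos = root / name / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    with open(root / name / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleShortVersionString": version}, fh)
    for mod in modules:
        (macos / mod).write_bytes(b"")
        (macos / mod).chmod(0o755)

def demo() -> dict:
    """Constructed sample: XProtect.app at version 64 with twelve modules, plus an MRT.app."""
    root = Path(tempfile.mkdtemp())
    make_sample_bundle(root, "XProtect.app", "64", [f"module{i:02d}" for i in range(12)])
    make_sample_bundle(root, "MRT.app", "sample", ["MRT"])
    return inventory(root)
```

On a Mac, `inventory()` reads the live bundles; `demo()` runs the same check against a constructed sample on any system.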