How does macOS protect against malware?

Mac users often are told that “Macs don’t get viruses.” This is not really true, of course. Macs can and do get infected. However, it is true that macOS provides some basic protection against malware. This protection can be quite effective in some ways, but, unfortunately, quite ineffective in others. Let’s take a look at how macOS features protect you from malware, and how malware can get past these features.

Quarantine

macOS has a feature that is called Quarantine. Any time a file is downloaded from the Internet, it gets marked with a Quarantine “flag.” When you try to open a downloaded app with this flag set, macOS will kick off a whole bunch of checks.

If all of those checks are successful, macOS will display a message alerting you that you’re opening an application downloaded from the Internet, which you’ll have to allow if you want to use the file. (macOS flashes this message to users to display the true nature of the file, in case it was disguised as another type, for example, an app disguised as a document.)

Once the app has been opened successfully for the first time, the Quarantine flag is removed, and these checks won’t be repeated again.

Some of the other protection features in macOS depend on Quarantine, and unfortunately, there are some ways that apps can get onto your hard drive without being marked with a Quarantine flag. Some examples:

  • Not all apps will properly set a Quarantine flag on files they download; torrent apps and malicious downloaders are two good examples.
  • Copying an app to another Mac after the Quarantine flag has been removed will result in the app not being quarantined on the second Mac.
  • Copying a file to a non-Mac file share or a USB flash drive that is not Mac formatted will result in the Quarantine flag being lost.
  • Vulnerabilities that enable creation of files without going through legitimate download methods allow for flagless apps on the hard drive.

Gatekeeper

Rewind back to when an app is downloaded from the Internet, and a Quarantine flag has been planted. The first of the checks conducted on a quarantined app is a check of the app’s code signature.

A code signature is a bit of cryptographic data that identifies the creator of the app and can be used to determine whether the app has been tampered with. It depends on a certificate obtained from Apple, as part of a $99 developer account.

If the code signature indicates that the app has been tampered with, or that the certificate used to create the signature has been revoked by Apple, macOS won’t allow the app to run at all.

Unfortunately, Gatekeeper is not infallible, and its biggest weakness is Quarantine itself. Gatekeeper checks do not happen for apps that are not quarantined, which includes apps that were quarantined, but have already been opened at least once and are thus no longer quarantined.

This means that an innocent-looking app could download all kinds of malicious processes in the background once installed, and those processes would not be subject to Gatekeeper checks. Similarly, if you had run a malicious app on your computer, and some time later Apple revoked the developer certificate used for its code signature, the app would continue to run on your Mac because code signature checks only happen for quarantined apps as part of Gatekeeper.

This also means that malware could maliciously modify apps on your Mac, which would make the malware devilishly hard to find and remove.
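The Quarantine and Gatekeeper behaviour described above can be checked from the command line. The script below is an added example, not code from the article or from Apple: it decodes the com.apple.quarantine attribute (laid out as flags;hex timestamp;downloading app;event UUID), reports files that carry no flag, and re-runs the signature check that Gatekeeper skips once the flag is gone. It assumes macOS's xattr(1) and codesign(1) for the last two functions; parse_quarantine is plain POSIX sh and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Inspects the com.apple.quarantine
# attribute that Gatekeeper and XProtect key on, then re-checks signatures
# of apps that no longer carry it. show_quarantine/audit_signatures need
# macOS's xattr(1) and codesign(1); parse_quarantine is plain POSIX sh.

# Decode a quarantine value, which is laid out as "flags;hex-epoch;agent;uuid"
# (flags is a hex bitmask, left undecoded here; the UUID keys the
# LaunchServices quarantine-events database). Fails on malformed input.
# Constructed sample: "0083;5e0a1b2c;Safari;8A4F6D2C-0000-4000-8000-000000000000"
parse_quarantine() {
    IFS=';' read -r flags stamp agent uuid <<EOF
$1
EOF
    [ -n "$flags" ] && [ -n "$stamp" ] || return 1
    printf 'flags=%s downloaded=%d agent=%s uuid=%s\n' \
        "$flags" "$((0x$stamp))" "${agent:-none}" "${uuid:-none}"
}

# Report whether one path still carries the flag (macOS only).
show_quarantine() {
    if raw=$(xattr -p com.apple.quarantine "$1" 2>/dev/null); then
        parse_quarantine "$raw"
    else
        echo "not quarantined: $1 (Gatekeeper and XProtect will not check it on open)"
        return 1
    fi
}

# Gatekeeper only verifies quarantined apps, so an app that was opened once
# is never re-checked. Run the same signature check yourself over a directory
# (default /Applications) so tampering or a revoked certificate still shows up.
audit_signatures() {
    dir=${1:-/Applications}
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        if codesign --verify --deep --strict "$app" 2>/dev/null; then
            status=ok
        else
            status=FAILED
        fi
        printf '%-7s %s\n' "$status" "$app"
    done
}

# Usage on a Mac:
#   show_quarantine ~/Downloads/SomeApp.app
#   audit_signatures /Applications
```

The decoded timestamp is the download time in seconds since the Unix epoch; a FAILED line from audit_signatures means the bundle no longer matches its signature or its certificate is no longer accepted, which is exactly the case Gatekeeper would miss for an already-opened app.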

XProtect

A hidden feature of the system that you’d never know was there, XProtect is a basic anti-malware feature also tied to Quarantine. XProtect has a relatively small number of rules for identifying known malicious apps, and every quarantined app that you attempt to open is run past XProtect first. If it matches any of the rules, macOS will not allow you to open it.

XProtect suffers from the same problems as Gatekeeper, in that it can’t protect against anything that doesn’t have a Quarantine flag. There’s a bigger problem, however: at the time of this writing, the most recent rule added to XProtect was on March 13, 2018. So it’s missing rules for nearly an entire year of new malware! The future of XProtect is unclear, but it’s definitely not protecting you against current threats.

Malware Removal Tool

In 2012, a series of attacks on macOS through vulnerabilities in Java resulted in malware being installed simply by visiting a website. Since this bypassed Quarantine, it was not something that the security measures in macOS at that time were equipped to deal with. Thus, Apple silently created the Malware Removal Tool, or MRT.

The MRT is a black box. Nobody really knows exactly how or when it works, and it runs silently, without any notifications to the person using the computer. Its sole purpose is to remove known malware that has gotten onto the computer.

Like XProtect, MRT recognizes only known malware via what appear to be hard-coded rules inside the MRT code. Nobody really knows how those rules work, and lately Apple has taken to obfuscating the malware name strings in the MRT code, so we can’t tell what it’s capable of detecting, either.

There’s no malware called OSX.28a9883.A, but that’s what Apple’s calling it

Unfortunately, MRT has not seen many updates lately that can be identified easily. Because it’s such a black box, it’s impossible to know, but it certainly doesn’t look like it is capable of detecting much recent malware.

System Integrity Protection

Abbreviated as SIP, this feature protects the core system files from modification. Also referred to as “rootless,” SIP works by preventing all users, including the all-powerful root user, from changing a large number of restricted files on the system. Only certain pieces of Apple software can make changes to these files. This feature can only be turned off by rebooting the computer into recovery mode and entering an arcane command in the Terminal, which is not something the average person is likely to do.

Although SIP caused problems for some software at the time of its introduction, it has proven to be an excellent security measure, ensuring that the system files cannot be tampered with.

thomas$ sudo mkdir /System/blah
Password:
mkdir: /System/blah: Operation not permitted

As a result, some people believe that SIP plays a role in preventing malware from infecting Macs. Unfortunately, that’s not the case. Even before SIP, only some malware made changes to the files that are now protected by SIP. Malware can infect a Mac quite easily without doing that, and without even needing root permissions. This means SIP does nothing to prevent malware from invisibly infecting your Mac if you make the mistake of opening the wrong app.

Transparency, Consent, and Control

This mouthful is shortened simply to TCC, and it is a new feature of macOS 10.14 (Mojave). TCC protects certain user data against outside access, with the goal of preventing apps from surreptitiously doing things like slurping up your web browsing history.

This is a noble goal, but despite its short life so far, TCC has had some issues. These range in seriousness from a proliferation of permission request dialogs that can cause “dialog fatigue” to vulnerabilities that could allow apps to reach right past TCC and get access to the data anyway.

An example of a TCC dialog. Many people will just click OK to make it go away.

TCC does not prevent malware infection itself. However, it does—when working correctly—prevent malware from gaining access to some of your data. Don’t get too comfortable, though, as malware is still gobbling up unprotected data, such as passwords and credit cards stored in Chrome’s autofill, which is not covered by TCC.

My brain is exploding! What does all this mean?

The good news is that Apple is constantly working on making macOS a safer place. Although security experts are quick to point out holes in the protection features in macOS, your Mac is definitely more secure with them than without them.

However, it’s important to keep in mind that each and every one of these protections does have holes. Malware creators know exactly where those holes are, and are adept (some of them, anyway) at exploiting them. So don’t let your guard down.

In the security world, we like to talk about layers of protection. Having multiple layers is good practice, because if malware gets beyond one or two, it can still be blocked by another layer. With the various holes in current protection features, it makes sense to add another layer of protection to your Mac, such as antivirus software.

Malwarebytes for Mac, for example, can help to plug holes by detecting current threats that XProtect and MRT don’t. With the newly introduced App Block feature, it can also help plug the holes in Gatekeeper.

So knowing what your Mac is capable of protecting against on its own and where it needs assistance can keep you more secure, whether you’re downloading apps from the Internet or simply taking an extra second to read through those dialog boxes.

ABOUT THE AUTHOR

Thomas Reed

Director of Mac & Mobile

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.