Apple overhauls built-in Mac anti-malware you probably don’t know about

Apple overhauls built-in Mac anti-malware you probably don’t know about

Ars Technica·2022-09-01 06:04

12 with 9 posters participatingMacs don't have visible anti-malware software built-in, at least not in the same way that Microsoft does with Windows' highly visible Defender software. But Apple began to include rudimentary anti-malware protections with macOS versions with Snow Leopard in 2009. Called "XProtect," this system service downloaded and installed new malware definitions in the background in between major macOS security updates, mostly to protect against the installation of known, in-the-wild malware.Since then, Apple has added multiple anti-malware features to macOS, though they're not always branded that way. Gatekeeper, app notarization, System Integrity Protection, the Signed System Volume, and access controls for hardware and software are all, one way or another, about proactively protecting system files from being tampered with and making sure that installed apps do what they say they're doing. Another under-the-hood tool, the Malware Removal Tool (MRT), acts more like a traditional anti-malware scanner, periodically receiving definitions updates from Apple so that it could scan for and remove malware already present on your system.Howard Oakley at the Eclectic Light Company makes a habit of tracking updates to XProtect and the MRT, and he maintains several utilities that check the versions of your definitions (as well as your installed firmware and other Mac esoterica that Apple regularly updates but rarely mentions). And he says that Apple's anti-malware tools have undergone a dramatic but mostly silent change over the last few months.Since around the release of the 12.3 update for macOS Monterey, he's been tracking a new "" feature that has been added to Monterey, Big Sur (11), and Catalina (10.15). As mentioned in Apple's most recent Platform Security documentation, this is a familiar name for a new app that replaces the old MRT. appears to scan for known malware much more aggressively than the MRT did.Advertisement "In the last six months macOS malware protection has changed more than it did over the previous seven years," Oakley writes. "It has now gone fully preemptive, as active as many commercial anti-malware products, provided that your Mac is running Catalina or later."Examining the activity of the XProtect app on a Mac with sleep disabled, Oakley determined that it is scanning for most known Mac malware at least once per day "during periods of low user activity." But it can scan much more frequently than that, and the scan frequency appears to be determined on a case-by-case basis. Oakley observed XProtect scanning for malware called DubRobber "every hour or two." In contrast, MRT was run "infrequently" and "most noticeably shortly after startup."Notably, for users of older macOS versions, Apple sometimes provides updates for these behind-the-scenes tools long after it has stopped providing security patches for macOS. Oakley says that old versions of XProtect and the MRT were being updated in macOS versions as old as El Capitan (10.11), originally released in 2015.While this means that macOS Catalina users should benefit from the new XProtect tool even after security updates end, it, unfortunately, seems as though the older MRT tool is no longer being updated on Mojave (10.14) and older macOS versions. Oakley dates MRT's last update to April 2022, shortly after macOS 12.3 and the new XProtect app were released. These macOS versions were already more vulnerable than newer, fully patched versions, but Apple leaving the old MRT tool behind will make upgrading even more important for people who want to keep their Macs secure.


Read full article on Ars Technica