Malware defences on an Apple Mac

David Brooks

Nov 28, 2021, 3:52:25 AM

hoakley November 28, 2021 Macs, Technology
Last Week on My Mac: Are malware defences changing again?


According to the Apple Platform Security guide, the three layers of
malware defences in macOS consist of:

1. The App Store, or the combination of Gatekeeper and Notarization, to
   prevent the launch or execution of malware.
2. Gatekeeper, Notarization and XProtect, to block malware from running.
3. MRT, to “remediate” malware that has already run.

Gatekeeper and notarization checks are built into macOS, but XProtect
and MRT are dependent on their own pushed updates. As Apple explains:

For XProtect, “Apple monitors for new malware infections and strains,
and updates signatures automatically — independent from system updates —
to help defend a Mac from malware infections.”

“The Malware Removal Tool (MRT) is an engine in macOS that remediates
infections based on updates automatically delivered from Apple (as part
of automatic updates of system data files and security updates).”

XProtect and MRT are unusual among Apple’s security tools, in that
they’re almost independent of the version of macOS that you’re running.
Current data for XProtect and the MRT tool itself still appear to be
fully functional in all versions going right back to El Capitan. This is
important for users of those older systems, whose Gatekeeper is far less
stringent and easily bypassed, and which are ignorant of notarization
and unable to check it.

Although updates to XProtect’s data files and to MRT always have been
irregular, a year ago they occurred quite frequently, with XProtect
updates every 7-21 days, and MRT every month or so. As of today, the
last XProtect update was pushed on 24 September (version 2151), and
there has only been one very minor update to MRT (1.85) since 13
September – a period of over two months.

The last time that there were such long intervals between security data
updates was with the release of Mojave in 2018, when XProtect went
without updates for nine months, and MRT was left for six months. At
that time, I questioned whether macOS security was in the process of
change, which might have accounted for that long pause.

Sure enough, it appears that later in Mojave’s cycle, and before July
2019, Apple had changed checks made by macOS on code signatures,
extending online revocation checks using OCSP to apps which had already
cleared quarantine. Later that year in Catalina it introduced
notarization, involving “checks for new revocation tickets so that
Gatekeeper has the latest information and can block the launch of such
files.” The latter takes place using frequent “CloudKit sync”, according
to the Platform Security guide.

Another factor is the discovery of new malware affecting Macs. Earlier
this year, XProtect was engaged in a prolonged cat-and-mouse engagement
with a succession of Adload, XCSSET and Bundlore/Shlayer variants, with
frequent tweaking of its signatures. Despite Apple’s diligent pursuit of
those rodents, just like Tom and Jerry, the mice always seemed to be
able to outmanoeuvre the cat in pursuit. Perhaps Apple reappraised the
situation at the end of the summer and decided on a different strategy.

Apple’s declared response to malware, though, still places XProtect and
MRT in important roles. According to the Platform Security guide:
“When new malware is discovered, a number of steps may be performed:

1. Any associated Developer ID certificates are revoked.
2. Notarisation revocation tickets are issued for all files (apps and
   associated files).
3. XProtect signatures are developed and released.
4. MRT signatures are developed and released.

These signatures are also applied retroactively to previously notarised
software, and any new detections can result in one or more of the
previous actions occurring.

Ultimately, a malware detection launches a series of steps over the next
seconds, hours and days that follow to propagate the best protections
possible to Mac users.”

Whatever is happening, this can only worry those using earlier versions
of macOS. For all their limitations, XProtect and MRT have still been
providing Macs with valuable malware detection and removal. If malware
defences in Monterey are moving away from those tools, and Apple has cut
back their maintenance, that leaves Big Sur and earlier worryingly
exposed. Thankfully, third-party malware protection typically still
supports macOS back to Sierra (10.12), but Apple has always maintained
that Mac users have no need for anything other than what’s provided in

With Thanksgiving and the start of the long holiday season, and the next
round of macOS updates and security updates due any week now, it will be
interesting to see whether XProtect and MRT receive any further updates
before next year. If I were still reliant on Big Sur or any previous
version of macOS, I think I’d use that time to try out some third-party
protection, just in case these key players in my malware defences
weren’t going to be the same any more. Without them, Apple’s three
layers start looking alarmingly empty.

