Malware defences on an Apple Mac


David Brooks

Nov 28, 2021, 3:52:25 AM
hoakley November 28, 2021 Macs, Technology
Last Week on My Mac: Are malware defences changing again?


According to the Apple Platform Security guide, the three layers of
malware defences in macOS consist of:

The App Store, or the combination of Gatekeeper and Notarization, to
prevent the launch or execution of malware.
Gatekeeper, Notarization and XProtect, to block malware from running.
MRT, to “remediate” malware that has already run.
Gatekeeper and notarization checks are built into macOS, but XProtect
and MRT are dependent on their own pushed updates. As Apple explains:

For XProtect, “Apple monitors for new malware infections and strains,
and updates signatures automatically — independent from system updates —
to help defend a Mac from malware infections.”
“The Malware Removal Tool (MRT) is an engine in macOS that remediates
infections based on updates automatically delivered from Apple (as part
of automatic updates of system data files and security updates).”
XProtect and MRT are unusual among Apple’s security tools, in that
they’re almost independent of the version of macOS that you’re running.
Current data for XProtect and the MRT tool itself still appear to be
fully functional in all versions going right back to El Capitan. This is
important for users of those older systems, whose Gatekeeper is far less
stringent and easily bypassed, and which are ignorant of notarization
and unable to check it.

Although updates to XProtect’s data files and to MRT always have been
irregular, a year ago they occurred quite frequently, with XProtect
updates every 7-21 days, and MRT every month or so. As of today, the
last XProtect update was pushed on 24 September (version 2151), and
there has only been one very minor update to MRT (1.85) since 13
September – a period of over two months.

The last time that there were such long intervals between security data
updates was with the release of Mojave in 2018, when XProtect went
without updates for nine months, and MRT was left for six months. At
that time, I questioned whether macOS security was in the process of
change, which might have accounted for that long pause.

Sure enough, it appears that later in Mojave’s cycle, and before July
2019, Apple had changed checks made by macOS on code signatures,
extending online revocation checks using OCSP to apps which had already
cleared quarantine. Later that year in Catalina it introduced
notarization, involving “checks for new revocation tickets so that
Gatekeeper has the latest information and can block the launch of such
files.” The latter takes place using frequent “CloudKit sync”, according
to the Platform Security guide.

Another factor is the discovery of new malware affecting Macs. Earlier
this year, XProtect was engaged in a prolonged cat-and-mouse engagement
with a succession of Adload, XCSSET and Bundlore/Shlayer variants, with
frequent tweaking of its signatures. Despite Apple’s diligent pursuit of
those rodents, just like Tom and Jerry, the mice always seemed to be
able to outmanoeuvre the cat in pursuit. Perhaps Apple reappraised the
situation at the end of the summer and decided on a different strategy.

Apple’s declared response to malware, though, still places XProtect and
MRT in important roles. According to the Platform Security guide:
“When new malware is discovered, a number of steps may be performed:

Any associated Developer ID certificates are revoked.
Notarisation revocation tickets are issued for all files (apps and
associated files).
XProtect signatures are developed and released.
MRT signatures are developed and released.
These signatures are also applied retroactively to previously notarised
software, and any new detections can result in one or more of the
previous actions occurring.
Ultimately, a malware detection launches a series of steps over the next
seconds, hours and days that follow to propagate the best protections
possible to Mac users.”

Whatever is happening, this can only worry those using earlier versions
of macOS. For all their limitations, XProtect and MRT have still been
providing Macs with valuable malware detection and removal. If malware
defences in Monterey are moving away from those tools, and Apple has cut
back their maintenance, that leaves Big Sur and earlier worryingly
exposed. Thankfully, third-party malware protection typically still
supports macOS back to Sierra (10.12), but Apple has always maintained
that Mac users have no need for anything other than what’s provided in

With Thanksgiving and the start of the long holiday season, and the next
round of macOS updates and security updates due any week now, it will be
interesting to see whether XProtect and MRT receive any further updates
before next year. If I were still reliant on Big Sur or any previous
version of macOS, I think I’d use that time to try out some third-party
protection, just in case these key players in my malware defences
weren’t going to be the same any more. Without them, Apple’s three
layers start looking alarmingly empty.
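
As an added example (not part of the original post, nor code from hoakley's site), the following shell script reads the XProtect and MRT versions installed on the local Mac and flags either bundle when its Info.plist has not changed for more than a set number of days, so a reader on Big Sur or earlier can see for themselves whether those two tools have gone quiet. The bundle paths are the ones macOS 10.15 and later use; the 60-day threshold and the function names are assumptions made for this example, and the plist is parsed with awk rather than plutil so the helpers also run on a non-Mac shell.

```shell
#!/bin/sh
# Added example (not from the original post): report the installed XProtect
# and MRT versions and flag a bundle whose Info.plist has not changed for
# more than STALE_DAYS days. Paths are those of macOS 10.15 and later.

XPROTECT_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"
MRT_PLIST="/Library/Apple/System/Library/CoreServices/MRT.app/Contents/Info.plist"
STALE_DAYS=60   # assumption: anything untouched for 60+ days is worth a look

# Print the CFBundleShortVersionString from an XML Info.plist, or "missing"
# (with a non-zero status) when the file is absent or unreadable.
bundle_version() {
    plist="$1"
    if [ ! -r "$plist" ]; then
        echo "missing"
        return 1
    fi
    # Apple's plists put the <key> and its <string> value on consecutive lines.
    awk '/<key>CFBundleShortVersionString<\/key>/ {
             getline
             gsub(/.*<string>|<\/string>.*/, "")
             print
             exit
         }' "$plist"
}

# Succeed (exit 0) when the file's modification time is more than
# STALE_DAYS days ago; -maxdepth 0 keeps find on the single path given.
is_stale() {
    [ -n "$(find "$1" -maxdepth 0 -mtime +"$STALE_DAYS" 2>/dev/null)" ]
}

# One line per tool: name, version, and a staleness flag.
report_tool() {
    name="$1"
    plist="$2"
    version=$(bundle_version "$plist") || { echo "$name: not installed at $plist"; return 0; }
    if is_stale "$plist"; then
        echo "$name: version $version (no change in over $STALE_DAYS days)"
    else
        echo "$name: version $version"
    fi
}

report_tool "XProtect" "$XPROTECT_PLIST"
report_tool "MRT" "$MRT_PLIST"
```

Run it with `sh` on the Mac in question. On systems older than Catalina the bundles live under /System/Library/CoreServices instead, so adjust the two path variables there; `system_profiler SPInstallHistoryDataType` is a useful cross-check, since it lists the dates on which XProtect and MRT data were last installed.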

Petruzzellis Kids

Nov 28, 2021, 4:09:52 AM
Once Glasser Michael Snit realized how effective William Poaster is at playing
'victim' he has figured out this isn't quite as outta whack as it sounded.
We're all sorry William Poaster's a paranoid, narcissistic, delusional liar
but that's not gonna change anything ¯\_(ツ)_/¯. I am about to plonk him,
myself. Like all jerks, he is continually looking for some way to criticize,
no matter how fantastic the charge. I will not see his response to this post.
He's embarrassed, wants to blame others, and will vilify. Most likely beginning
with a cocky "*plonk*", as if what I have written is SO crazy. That BADish
"response" was it, for me.

One Smart Penny!!
Narcissistic Bigot Steve Carroll


Nov 28, 2021, 11:31:17 AM
On Sun, 28 Nov 2021 08:52:22 +0000, David Brooks <Dav...@invalid.E-S>

>Are malware defences changing again?

I have no idea, and to be honest, no interest at all. Also,
most of the regulars in ACW use Windows and/or Linux.
Why did you cross-post commercial SPAM to ACW?
It's one of the "bad" things you do?
You never change.

BD: I want people to "get to know me better. I have nothing to
I'm always here to help, this page was put up at BD's request,
rather, he said "Do it *NOW*!":


99 confirmed #FAKE_NYMS, most used in cybercrimes!
Google "David Brooks Devon".
Don't be evil - Google 2004
We have a new policy - Google 2012
Google Fuchsia - 2021

Steve Carroll

Nov 28, 2021, 11:53:07 AM
He upsets multiple groups of people who become collateral damage, but that's
a conceited fool for you. What Snit and you care about isn't a factor. Just
bullshit from him. But Chris has completely left objectivity behind and
is simply holding me responsible for the deeds of himself. I won't ask Chris
how any part of Snit's anatomy tastes no matter how habitually Chris licks
it. Already moved on from that. You are too slow! How much more time does
Chris's dumb arse (a brick knows more than Chris and is useful) need to
prove their Snit doxing accusation with support?

Do not click this link!
Dustin Cook the functional illiterate fraud

Dustin Kook

Nov 28, 2021, 1:44:49 PM
On Sunday, November 28, 2021 at 1:52:25 AM UTC-7, David Brooks wrote:
Open source is only inexpensive if your time has no value. I'd help Wolffan
honestly but he is a fool who screws around to effect his craving to call
everyone a shill.

I'm not irked, just the opposite I am in stitches because Wolffan's lying
is so absurd. He purposefully didn't speak of all the details that he would
quickly insist are needed... and we all know why. At least he has other
trolls to back him ;) Generally, I don't call something like Wolffan's comments
a fantasy right up until you disprove it and he responds with the nothing
but repetition ignoring what you said.

I think the point is far from just to get FromTheRafters to listen to him.
The point is likely to piss FromTheRafters off for spraying outside groups
he knows I frequent.

Eight things to never feed your dog!

HHI the imaginary friend

Nov 28, 2021, 4:58:42 PM
Where did -hh find your scripts? Don't look now, but I think -hh has a serious
fascination with Peeler. Amusingly, -hh virtually asked Peeler for his phone
number to be Google seeded. It was -hh who was openly asking how better to
better his forgeries. -hh can not help but know everyone knows he is just

Live on Kickstarter
Steve Carroll the Narcissistic Bigot