Defeating The Virus Mac OS
Defeating The Virus Mac OS
- How To Check For Virus On Mac
- Scan Mac For Virus
- How To Get Virus Off Mac
- Defeating The Virus Mac Os Download
- Defeating The Virus Mac Os 11
Malwarebytes said there was a 400 percent increase in threats on Mac devices from 2018 to 2019, and found an average of 11 threats per Mac devices, which about twice the 5.8 average on Windows. OSX.Dok malware is distributed via a phishing campaign and is able to compromise all the victim’s internet traffic, even if it’s SSL encrypted. Unfortunately, too many macOS users fall under the illusion that Macs are immune to malware. Sample: c9841ae4a6edfdfb451aee1f2f078a7eacfd7e5e26fb3b2298f55255cb0b56a3.
It was once a widely held belief among Apple enthusiasts that macOS (or OSX as it was then known) was a far more secure system than its Windows or Linux counterparts. Malware outbreaks were rarely heard of, and most legacy AV solutions were known more for their high rate of false positives and greedy consumption of resources than they were for preventing any real adversaries. Asked “do you really need antivirus software for macOS”? about the only reason Mac users would say “yes” would be to catch Windows-based malware in email attachments. Why? In the words of this forum poster, as a public service to the unfortunate!
macOS Security By Design?
All that began to change from 2011 onwards, a fact reflected by Apple’s increasing hardening of the OS. In every release of macOS since then, we’ve seen the introduction of more security technologies and a locking down of the system: Gatekeeper, codesigning, Xprotect, Malware Removal Tools and more. With the release of macOS Mojave this year, Apple once again introduced new security features in response to the evolving threatscape facing the platform, restricting Apple Events and hardening user data protections.
Apple, of course, should be commended for taking security seriously, something even they are aware that their users often do not. Apple says that macOS “provides security by design” and
includes the key security technologies that an IT professional needs to protect corporate data and integrate within secure enterprise networking environments
The company are proud of their security posture, and are keen for customers to feel reassured that safety is a top concern:
macOS system security is designed so that both software and hardware are secure across all core components of every Mac. This architecture is central to security in macOS, and never gets in the way of device usability.
Fantastic. It’s just what you want to hear from your OS vendor.
Except, it’s all a bit of a myth.
As it turns out, malware can easily defeat macOS security protections. Let’s take a quick look at the main reasons why relying solely on Apple’s built-in protections is dangerous for your business.
Application Security
You’ve probably got Gatekeeper turned on even if you don’t know it. It comes enabled by default to allow you to download and run applications that are either from Apple’s App Store or Identified Developers (in other words, developers who are part of Apple’s Developer program).
Gatekeeper is great, except for one thing: it’s only protecting one gate: downloads that come in through GUI apps like Safari, Mail and so on. But there’s a few other gates that malware can use that Gatekeeper is blind to, like curl
, ssh
, and package managers such as brew
. Download something through these channels, and Gatekeeper will never know. Note line 13 in this typical adware installer script, which bypasses Gatekeeper with ease:
You have likely heard of XProtect, and some may think that XProtect will plug the holes left open by Gatekeeper, but that’s not the case. XProtect relies on Gatekeeper to tag downloads with a special attribute or “quarantine bit” which effectively says to XProtect: “be sure to check this against your malware signatures”. Without that attribute, XProtect doesn’t kick in. What’s worse, even software that is tagged with this special quarantine bit can be unquarantined by any other process without elevated permissions. In short, one piece of malware can let in any other piece of malware, too. Even if Apple have revoked a rogue Developer ID, such as occurs when malware strikes from the App Store, removing the quarantine bit will still allow that malware to run.
And then there’s the paucity of XProtect’s “Yara” based rules. At last count, XProtect had less than 100 malware signatures. Although there was a minor bump in October of 2018, it hasn’t had a significant update since March 2018.
How To Check For Virus On Mac
There’s also the transparency of XProtect’s “Yara” based rules. Any malware author can see exactly how Apple are detecting their binary and change it accordingly, so the rules can become invalid as soon as they are pushed out to users.
There’s a third level of App Security built-in to macOS that is not so widely known called MRT, the Malware Removal Tool. According to Apple, in the event that malware should
make its way onto a Mac, macOS also includes technology to remediate infections
But there’s two problems with Apple’s malware removal tool which make malware unafraid of it: first, it’s based on hard-coded paths, and most malware will use random or changing path names; second, it only runs once each boot.
By that time, a malware infection may have come and gone, taking your data with it, or encrypting it and leaving you a nice ransom note.
Access Control
Central to access control on modern Macs is System Integrity Protection or “SIP”, aka “rootless”, which prevents malware from attacking system files. SIP is enabled by default, and it means that even the root user cannot modify or delete any files under its protection. In macOS Mojave, SIP can even be extended to 3rd party apps if they opt-in to the new hardened runtime.
SIP is an essential technology, but SIP bypasses are not unknown. It’s also worth noting that if you have legacy AV software that simply whitelists everything in the /System/Library
folder, you could be in for a shock, since not everything in there is actually protected by SIP. The following are all excluded from “rootless” protection:
Another core aspect of access control is kernel security. As Apple have themselves noted, kernel security is essential to the security of the entire operating system. Unfortunately, their recognition of that is undermined by the fact that any unprivileged user can approve installing new kernel extensions. Combined with security holes that allow processes to simulate user clicks, therein lies an open door for malware. Apple have made several attempts to lock down simulated user clicking in the past, only for new 0day exploits to appear that have bypassed them.
If you’re using a Mac that’s enrolled in Apple’s Device Enrollment Program, you will be familiar with MDM and Config profiles as a means of controlling access to applications, services and preferences. Malware authors are also aware of them, and have taken to slipping managed preferences onto user’s machines to control and reset things like Safari preferences. Adware like Chill Tab and MyShopcoupon have been plaguing macOS users since mid-2017 through this same mechanism.
Apple Bugs
Arguably, these are becoming more common, or at least more widely publicised, as Apple pushes the limits of quality assurance in trying to keep up with its self-imposed annual update cycle. First, High Sierra and then Mojave introduced embarrassing bugs that could have given malware open season to infect and exploit macOS users.
Do You Really Need AV software on macOS?
We hope that the answer to this is self-evident by now. The built-in protections are “nice to have”, but they do not really address the complexity or sophistication of modern malware, especially when combined with Apple’s determination to rush out a minimally-tested new version of the entire OS every 12 months.
If you have endpoints running macOS, you need a security solution that does more than scan a few static signatures and prevent downloads from one or two different sources. You need a solution that has defence in-depth: a modern Next-Gen solution like SentinelOne that uses machine learning to automate detection across your entire network, regardless of whether the endpoint is running macOS, Windows or Linux.
Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.
Read more about Cyber Security?
You’ve got a Mac and, from what you’ve heard, there’s no evil that can touch you.
No viruses.
A Mac App Store with guaranteed clean applications.
Scan Mac For Virus
No worries whatsoever.
And then…your favorite web browser suddenly seems to have a mind of its own; taking you places you have no interest in going and warning you of evils on your Mac that don’t actually exist.
Over the last several months I’ve had several people report that their computers have been hijacked. This hijacking takes a variety of forms, but most often it’s an inescapable barrage of ads or warnings of impending doom. In many cases these result in pop-up windows loading that can’t be closed or navigated past. The screen shot in the upper right and the one below were taken from a client’s computer in such a state:
This kind of browser hijacking attempts to create fear about an existing or impending problem on your computer and then offers a solution that consists of calling a toll-free number to get that problem resolved. At worst this is a phishing attempt or ransomware and at best it’s an attempt to sell you software of dubious value that is supposed to “remove” the software causing the problem. In every case it’s a pain in the arse.
(For an in-depth look at how these scams work, check out Lenny Zeltser’s excellent Conversation With a Tech Support Scammer, which includes audio of conversations he had with “tech support” when calling one of these toll free numbers.)
Avoiding adware and malware is pretty simple:
- Make sure your Mac’s Security & Privacy settings (System Preferences > Security & Privacy) are set to Allow apps downloaded from the Mac App Store or the Mac App Store and identified developers. Anywhere should NOT be selected.
- Don’t install software when you’re unsure of its origin. I know this seems obvious but, when you see a warning about software downloaded from the Internet, don’t open it unless you know what it is.
- Avoid sketchy sites for downloading software.
- App developer’s site? Check!
- Mac App Store? Check!
- Softonic? Download.com? Fred’s Undeniably Adware Free File Downloads? Nope, nope, nope!
- Avoid other equally sketchy sites, such as torrent hosting services and… oh… you know you know what I’m talking about…
Adware Medic
If you find that your Mac has been hijacked by Adware, not to worry, we’ve got a fix for you. The Safe Mac’s Adware Medic. (The Safe Mac also has an excellent website and Twitter feed if you want the latest, up-to-date info on Mac Adware, Malware, and security concerns.)
How To Get Virus Off Mac
Using the app is as simple as it gets.
Defeating The Virus Mac Os Download
- Download Adware Medic.
- Open the Adware Medic disk image and drag the app to your Applications folder. Then Open Adware Medic. You should see a message stating that this is an app you’ve just downloaded from the Internet. Go ahead and click Open if it appears, but if you don’t see the message, head on over to System Preferences, open Security & Privacy and change the setting to “Mac App Store and identified developers.”
- Adware Medic is Donationware, which, as the donationware window states, makes the app free for as long as you want it to be. But if it solves your Adware issues, send some cash their way. Seriously!
- Click the “Scan for Adware” button.
- Follow any further instructions you see after the scan is complete.
Adware Medic can usually remove adware without requiring a restart of your Mac, but in some cases a restart will be required to fully remove any adware that was installed.
Defeating The Virus Mac Os 11
If Adware Medic doesn’t resolve everything that ails your Mac, you can take additional steps to resolve these issues. In many cases these fixes may be as simple as avoiding certain websites, changing your broswer’s home page and search settings, or looking at removing browser extensions you may have installed.
Defeating The Virus Mac OS