How Apple keeps Mac safe from malware and what admins should know about it

Much is written about the tools and processes used to protect computing devices from the myriad of threats out in the wild. From firewalls to device hardening protections – a quick search will reveal a bevy of best practices related to securing Mac through specific configurations and managed settings. But what about the built-in malware protections that Apple bakes directly into macOS?

These are sometimes given a cursory glance, if not overlooked entirely by admins in lieu of other, more buzz-worthy terms like defense-in-depth and filling the gap. The latter helping to align resources to fortify the former’s strategy. Sadly, the tools mentioned below are quite innocuous and not the most exciting. A reason for this, partly, is because they’re intended to work covertly in the background to secure Mac with little fanfare. Or put another way, “it just works”, as so succinctly stated by the late Steve Jobs.

This blog will touch upon the following native security tools, what they do and how they work together to protect Mac:

• Gatekeeper
• XProtect
• YARA

A watchful guardian

Apple’s Gatekeeper tool, like the mythological Heimdall from Norse lore who stands watch over Asgard, protecting it from invaders by not granting them entrance to its hallowed grounds, prevents software applications from running until they have been verified through code signing enforcement. By enforcing this notarization process (a topic that will be covered in more depth in a future post) for each app prior to being run, the possibility of executing malware is limited, as is that of any such software that may have its integrity compromised by a malicious actor.

By default, macOS is configured to flag apps downloaded with a quarantine flag. This signals to Gatekeeper that it should check if it is blocklisted is code-signed by a developer using a valid certificate, and if the code-signed files match the signature. If either of these verifications fails, the app is not permitted to run. This process is further strengthened in modern versions of macOS through path randomization, which provides a two-prong protection approach:

1. Certifies the integrity of all bundled files to combat attackers infecting apps (or bundled files) and redistributing them.
2. Unverified apps are executed from hidden, randomized paths in the background and restricted from accessing or interacting with external files.

The skilled detective

Believe it or not, Mac hardware has a dedicated crimefighter (ok, malware-fighting) superhero built right in named XProtect. Like the fabled caped crusader – Batman – that tracks down baddie after baddie to defend Gotham City, XProtect provides signature-based detection of malware to identify and block the execution of malicious content to keep Mac running optimally while safeguarding against a never-ending multitude of threats.

On modern versions of macOS, XProtect receives updates to its signature-based detection system and harnesses that intelligence to automatically detect and block known malware whenever the following conditions occur:

• Apps are first launched
• Apps are updated or otherwise modified
• New signatures are added to the system

Upon detection, infected apps are immediately blocked, and users receive a notification to take action, such as moving them to the Trash to remove the threat.

All-knowing oracle

Oracle (noun)
or・a・cle
“a person giving wise or authoritative decisions or opinions”

YARA is the name of a tool that is used by malware researchers to aid in the categorization of malware detected. The language allows for classifying the results into an organized pattern or expression whose description forms a rule. The resulting code or YARA rules are then utilized by numerous security tools worldwide to provide the signature used in identifying known malware threats. Much like the Oracle in the Matrix that aids Neo in his defense – and later eradication – against troublesome programming code, Agent Smith, YARA rules augment Apple’s security frameworks by providing a level of insight into the underlying code of malware threats. Like an all-seeing eye that is used to compare scans performed by security applications using the unique signatures made possible by YARA rules which are contained in the threat database for matches to known malware fingerprints.

Since it is open-source, the YARA platform is available in a number of security applications and appliances and is made possible by the findings of countless security researchers that actively hunt, identify and track malware. These rules add to the richness of the detections in programs like XProtect, which keep Mac safeguarded against the very latest – and worst – malware threats (including their variants) today and tomorrow!

Use the force

Each of the tools listed above works to address a specific need, alone they are strong and perform their task admirably. And yet, when combined, they are like a Jedi Master wielding the Force! The strongest, most powerful ally of the Jedi and one whose strength grows far greater as more and more join along with it.

Apple’s threat protection trinity which leads with Gatekeeper to verify code-signing and hands off to XProtect to eliminate ongoing threats through detection and notarization is supercharged by constantly updated YARA rules that provide the latest guidance on threats. Cyclically, YARA feeds directly into both, and in conjunction with the Malware Removal Tool (MRT) – the engine in macOS that periodically scans for and removes infections from malware – to resolve threats automatically based on detections.

But no OS is perfect…

And even Yoda isn’t infallible. That’s where a solution like Jamf comes in. Jamf bridges the gap between what Apple offers and what the enterprise requires — an enterprise that is adding more Mac and needs streamlined workflows to secure and protect users no matter where they are.