[HN Gopher] How do you know when macOS detects and remediates ma...
___________________________________________________________________
How do you know when macOS detects and remediates malware?
Author : zdw
Score : 108 points
Date : 2023-01-04 17:59 UTC (5 hours ago)
(HTM) web link (eclecticlight.co)
(TXT) w3m dump (eclecticlight.co)
| post_break wrote:
| It makes me think of the Invincible meme, "that's the neat thing,
| you don't" with an asterisk.
|
| Kidding aside if you're somewhat competent with macs and you can
| read, little snitch should be the first piece of software you
| install on any mac. It's not malware protection but it does at
| least make you aware of stuff wanting to do weird crap on your
| computer.
| FatActor wrote:
| I ran little snitch for about a week years ago and there were
| hundreds of thousands of requests just from typical apple
| services so trying to curate that list was an exercise in
| futility. It's a nice GUI but not a useful tool. Plus the
| knowledge it takes to use LS ends up pointing you to using the
| more effective tcpdump+bintools and modifying your mac's
| packetfilter config file.
| pilsetnieks wrote:
| They have a curated list of rules for builtin system services
| now, so you don't have to bother with that (if you don't want
| to).
|
| Also, I'd argue, there's still a wide gap in knowledge
| requirement, as well as ease of use between LS and some
| homebrew tcpdump based solution.
| eep_social wrote:
| Is Pihole a reasonably friendly tool with an easy on-ramp
| or is LS doing more than that?
| pbhjpbhj wrote:
| _I've only used OpenSnitch, a Linux equivalent of LS._
|
| Pihole operates at domain/subdomain level. So it won't
| resolve domains that are in your blacklist.
|
| *Snitch operates at packet level, so whilst you can block
| a domain, you can also block an app's access to a
| particular domain but allow another app access, maybe
| only by one user and to a specific port.
|
| Snitch takes much more setup and will annoy you until
| you've worked through all the usual traffic. It reminds
| me of the Proxomitron back in the day
| (https://en.wikipedia.org/wiki/Proxomitron).
| thewataccount wrote:
| Pihole just tells you what computer made DNS queries and to
| where.
|
| Littlesnitch/tcpdump/wireshark/glasswire(I
| think?)/opensnitch are system level tools that attempt to
| monitor the individual connections - which processes made
| them, where they were to, and tcpdump/wireshark will
| also show you the content of the connection.
|
| If malware uses IP addresses or its own DNS server then
| Pihole will never see it.
|
| Snort and Suricata are more likely what you're looking
| for as an IDS for something network wide, they analyze
| network wide the individual connections and can do
| pattern matching with known malware lists. They can't
| tell you what process made the request.
|
| A pihole certainly wouldn't hurt and is very easy to use,
| it's not really made to be an IDS AFAIK.
| cirrus3 wrote:
| I would be totally fine if it would just remediate silently
| always... and I certainly don't care what name it gives the
| malware, I'm surprised they show a name at all.
|
| If you are a security researcher, it seems like you have other
| tools at your disposal.
| happyopossum wrote:
| It feels like if Apple went far enough to make this all visible
| and great, they'd start getting scrutiny for being imperfect, and
| missing malware.
|
| Kinda feels like they want to make a best-effort at preventing
| malware without making a big deal of it.
| highwaylights wrote:
| Settings > Malware Remediation > Notify on Detection?
|
| Settings > Malware Remediation > Events
|
| Not a complicated UI to design.
|
| I suspect the other reply that pointed to Apple wanting to
| sweep Mac malware under the rug is far more likely.
| daveidol wrote:
| But if you open an app whose developer didn't pay Apple $100/year
| you will be SURE to know how risky that is and that macOS blocked
| it for you!
| ubermonkey wrote:
| No?
| 100721 wrote:
| Yes: https://support.apple.com/en-ca/guide/mac-help/mh40616/mac
|
| > If you try to open an app that isn't registered with Apple
| by an identified developer, you get a warning dialog.
| nexus7556 wrote:
| A warning dialog is different than being "blocked" as OP
| suggested
| jcelerier wrote:
| > A warning dialog is different than being "blocked" as
| OP suggested
|
| you'd see how many times I've seen users blocked with the
| "default" dialog you get on first download when things
| are correctly signed and notarized ... and let's not even
| talk about the one you get when notarization failed or
| it's not signed, elderly users really don't know that
| they have to right-click
| ketralnis wrote:
| It is actually blocked. The program is prevented from
| launching. You can go into the security settings and
| approve it and then relaunch it (which last I saw, the
| error message didn't even tell you how to do anymore),
| but it's not just an "approve/deny?" skippable screen.
| judge2020 wrote:
| By that same logic, non-hsts SSL certificate expiration
| warnings are browsers "blocking" you from visiting a
| website, despite the buttons that allow you to bypass it.
| acchow wrote:
| They are blocking you.
|
| In Chrome, it's even more complicated. You have to click
| the very small "More/Advanced Settings" text which
| doesn't even really look like a button. After that, a
| button allowing you to proceed appears, but upon clicking
| you are given a very scary warning.
| dpkirchner wrote:
| Sometimes you have to type "thisisunsafe" to bypass the
| block. Not in any field, just type it with the tab
| focused.
| ketralnis wrote:
| Yeah sure. It seems we're arguing about vocabulary, not
| functionality
| nighthawk454 wrote:
| It's not the same. In the SSL case the browser gives you
| a bypass button, which is fine (if hidden). Here, there
| is no bypass button unless you have the secret knowledge
| to open the app in a certain way.
|
| Otherwise the OS entirely refuses to open the app with no
| bypass button or hint as to how to get around it, while
| implying "security issues" and "untrustworthiness"
| nicky0 wrote:
| Pro tip, right click the app and click "Open" in the menu
| to get a version of the dialog with an approve button. No
| need to go into settings.
| [deleted]
| nighthawk454 wrote:
| It's not really a "warning". It's an alert that says
| macOS will not open this app. You _have_ to open it via
| Finder and Control-click + Open or there's no way to get
| into the program. The first alert does not tell you how
| to do this, and other methods of launching (e.g.
| Launchpad) cannot be made to work.
|
| So unless you know Apple's secret knock, it's
| functionally blocked.
| tpmoney wrote:
| It's hardly a secret knock. Both the linked help article
| and the system help both tell you step by step what to do
| and I don't have an app handy to trigger the dialog, but
| last I looked the dialog while it didn't give you the
| steps there has a link directly to the system help with
| the instructions.
| daveidol wrote:
| Trust me - outside of the HN technical crowd - people get
| very confused or scared by this and do not know how to
| proceed. It's a non-starter for most software aimed at
| the 'everyday user' crowd (I've seen the bug reports and
| customer complaints first hand).
| salawat wrote:
| Which no non-techie user will check, which means you will
| not be able to write software for that platform.
|
| Unless, of course, you use a download method that won't
| set the quarantine bit on MacOSX. wget, for instance.
| Gatekeeper can go sod itself.
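The quarantine attribute mentioned above is an ordinary extended attribute on the downloaded file, so you can inspect it directly. The script below is an added example (not code from any commenter or from the linked article): it parses the value of `com.apple.quarantine` and reports whether a given path carries it. The four-field layout assumed here (`flags;download-time-hex-epoch;agent;uuid`) and the use of `xattr -p` / `xattr -d` are the author's assumptions about macOS behaviour, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread. Inspects the com.apple.quarantine
# extended attribute that Gatekeeper consults before showing the
# "unidentified developer" dialog. Browsers set it on downloads;
# command-line fetchers such as wget do not, which is why files fetched
# that way open without the dialog.
#
# Assumed layout of the attribute value (four ';'-separated fields):
#   <flags-hex>;<download-time-hex-epoch>;<agent-name>;<uuid>

# Parse a quarantine attribute value (portable; does not need macOS).
# Prints: flags=<hex> epoch=<decimal unix time> agent=<name>
parse_quarantine() {
  _val=$1
  _flags=$(printf '%s' "$_val" | cut -d';' -f1)
  _ts_hex=$(printf '%s' "$_val" | cut -d';' -f2)
  _agent=$(printf '%s' "$_val" | cut -d';' -f3)
  # The timestamp field is hex seconds since the Unix epoch; POSIX
  # shell arithmetic accepts a 0x prefix.
  _ts_dec=$((0x$_ts_hex))
  printf 'flags=%s epoch=%s agent=%s\n' "$_flags" "$_ts_dec" "$_agent"
}

# Exit status: 0 = quarantined, 1 = not quarantined,
# 2 = cannot tell (no xattr(1) on this system, i.e. not macOS).
is_quarantined() {
  command -v xattr >/dev/null 2>&1 || return 2
  xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Human-readable report for one path. Clearing the attribute is printed
# as a suggestion rather than done automatically, because removing it
# bypasses Gatekeeper's assessment of that file.
quarantine_report() {
  _f=$1
  if is_quarantined "$_f"; then
    _v=$(xattr -p com.apple.quarantine "$_f")
    printf '%s: quarantined (%s)\n' "$_f" "$(parse_quarantine "$_v")"
    printf '  to clear (only if you trust it): xattr -d com.apple.quarantine %s\n' "$_f"
  else
    _rc=$?
    if [ "$_rc" -eq 2 ]; then
      printf '%s: cannot check (xattr not available; not macOS?)\n' "$_f"
    else
      printf '%s: no quarantine attribute; Gatekeeper will not assess it on launch\n' "$_f"
    fi
  fi
}

# Usage: sh quarantine_check.sh ~/Downloads/Something.app
if [ "$#" -gt 0 ]; then
  for _p in "$@"; do quarantine_report "$_p"; done
fi
```

Run it against a browser download and against the same file fetched with wget to see the difference the comment above is describing; the epoch field decodes to the time the download happened, which is useful when reconstructing how an unwanted file arrived on a machine.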
| gumby wrote:
| is this actually happening? I download directly whenever
| possible so the dev doesn't have to pay commission to Apple and
| I've never had a download blocked.
|
| EDIT: I see from the comments I wasn't adequately clear: yes, I
| get the notification but it's hardly a "block" as the
| comment I was replying to said. It is by design trivial to
| bypass.
| knolan wrote:
| You should get a pop up asking if you want to launch the app
| or need to go into system settings to approve it. It's a
| minor speed bump and is probably for the best for non-savvy
| users.
| nexus7556 wrote:
| If you right click then click open you can skip going into
| system settings.
| [deleted]
| [deleted]
| ceejayoz wrote:
| The Gatekeeper checks still apply to direct downloads. If you
| don't get a warning (that's intentionally a little difficult
| to bypass), the dev still signed and notarized the binary via
| Apple.
|
| https://support.apple.com/en-au/guide/security/sec5599b66df/...
| SnowflakeOnIce wrote:
| You get a warning popup and the application is blocked from
| running if it is not signed by an Apple Developer Account
| ($100/yr) and countersigned (i.e., notarized) by Apple.
|
| This is separate from the 30% App Store commission.
| gumby wrote:
| I edited my comment to point out that Apple made it pretty
| trivial to run such an app. It just calls your attention to
| a drive by download of an executable (though I do wonder
| how many people try to run such things)
| kmeisthax wrote:
| This is an entirely separate system that tracks known malware
| and enforces a deny list policy. You're thinking of
| notarization and code signing, which is an allow list policy
| that you're allowed to circumvent. If you don't get your app
| signed and notarized you at least can still run it if your
| users are willing to trust you. It's _annoying_ for technical
| users but fine for the average folk that really shouldn't be
| installing random FOSS tools they've never heard of before.
| bobse wrote:
| You don't. It's proprietary software.
| CharlesW wrote:
| According to TFA, you do. Methods are listed at the end, and
| the author created XProCheck [1] to make it easier.
|
| [1] https://eclecticlight.co/consolation-t2m2-and-log-utilities/
| msla wrote:
| What the poster you're replying to means is, "You know what
| Apple allows you to know, but you don't have the source, so
| you can't verify that Apple isn't lying to you."
| saagarjha wrote:
| If you are so inclined, which the article author is not but
| many others are, you can look at the binaries and reverse
| them to verify things yourself.
| CharlesW wrote:
| The article seems to definitively answer that you can. But
| yes -- if the theory is that Apple is pretending to log
| malware detection and remediation, one would have to
| disassemble the relevant parts of the OS to prove that.
| fotta wrote:
| Ha, off-topic but I love that macOS properly calls it Bin when
| set to British English
| ChuckNorris89 wrote:
| Do they also call the M1 'micro-crisps'?
| doodpants wrote:
| My first thought was "why would I want to move a piece of
| malware to the /bin directory?"
| reaperducer wrote:
| _I love that macOS properly calls it Bin when set to British
| English_
|
| macOS has some really exceptional internationalization.
|
| I recently discovered that it supports Zuni. There are only a
| few thousand Zuni-speakers in the world.
|
| System Settings - General - Language and Region - Preferred
| Languages - + - scroll..scroll..scroll - Shiwi'ma/Zuni
| pklausler wrote:
| It's System Settings -> Language and Region on my Mac (no
| General).
|
| I may change my Mac to Latin for fun.
| saagarjha wrote:
| > Using eslogger isn't simple either. That tool has to be left
| running to gather records of events into a text file, which the
| user has to monitor and maintain. Using the details I published
| here previously, I gathered those two event types during my tests
| using malware samples. Each event generates a substantial
| quantity of JSON data which appears to be undocumented.
|
| It's a pretty clear dump of the contents of
| https://developer.apple.com/documentation/endpointsecurity/e...,
| just like every other endpoint security event. This tool is
| intended for users who are familiar with the Endpoint Security
| framework and want quick access to an entitled binary for testing
| purposes.
|
| The author needs to understand that 1. developer APIs exist and
| are meant for developers, and 2. the OS is never going to be
| designed to be introspectable to someone like him and his users,
| because that would be an incredibly stupid way to design an OS.
| If you want to peek at what is going on, use the existing APIs
| and package it up as an app for your users to use. Exposing raw
| events like the author wants is neither useful nor actionable for
| most users.
| happyopossum wrote:
| Just had a thought - I'd imagine more people are scammed by "You
| have 3 viruses on computer" pop-ups than would be better off with
| a visible warning from macOS for background detections.
|
| Perhaps apple made the (reasonable) decision to not alert people
| to background detection/remediations so as to not get users used
| to such alerts?
| blobster wrote:
| Good point. There is a cottage industry of scams running fake
| Windows virus alerts.
| viraptor wrote:
| They often show a "Mac version" of those for MacOS users. It
| doesn't matter much that the warning doesn't exist in the
| system. They're not targeting people who know that.
| unclekev wrote:
| There's commercial/enterprise software available which hooks into
| XProtect to provide more advanced reporting capabilities.
|
| https://www.jamf.com/products/jamf-protect/
|
| Doesn't help for the average user, but the software does exist.
| CharlesW wrote:
| > _" As a result, the great majority of users are oblivious of
| the detection and remediation of malware on their Macs, which
| occurs in complete secrecy."_
|
| Great! This is how consumer products should work. If I were to
| see "hey a thing happened but I resolved it" alerts from the 500+
| currently-running processes on my computer, I'd throw it out the
| window.
| akersten wrote:
| Eehh... This is more like "you drove through a red light but
| luckily no one T-boned you;" a cop will rightfully pull you
| over to let you know "nothing happened." I'd say the driver
| definitely _should_ be alerted that that PDF they opened was
| infected. At minimum to alert them to the fact that they should
| keep their guard up, and that further investigation of
| potential compromise could be necessary depending on your
| threat model.
|
| Virus almost running on your PC is not a routine product
| feature that should be swept under the rug - at best it's bad
| security hygiene, at worst it's symptomatic of a
| targeted/ongoing compromise.
| gear54rus wrote:
| It is typical apple dumbness - form over function.
|
| The same dumbness exists on windows where it would silently
| remove files like keygens with its 'antivirus' making it a
| mandatory drill to disable it completely (no easy task too)
| on any new installation. Even worse you would sometimes
| forget that it does that and then be dumbfounded for about 30
| minutes as to why the file is in the archive but not on the
| filesystem after its extraction.
| happyopossum wrote:
| > I'd say the driver definitely should be alerted that that
| PDF they opened was infected
|
| When you actively open an infected or malicious file you do
| get alerted - those are the alerts shown in TFA.
| akersten wrote:
| Hasty example on my part but point stands when scenario is
| replaced by "background virus" (i.e. detected by Remediator
| as an active threat, instead of being preemptively blocked
| when opening a file).
|
| Could be the PDF example still too, if XProtect misses it
| on initial file scan, but then Remediator picks it up
| later. Not sure if they use different detection engines
| (database matching on the file vs active process
| heuristics)?
| dylan604 wrote:
| >At minimum to alert them to the fact that they should keep
| their guard up
|
| or to not share it with others!
| britneybitch wrote:
| Meanwhile every few weeks Windows Defender interrupts me with
| an alert that I have no malware. That drove me up the wall
| before I switched to Linux. I understand why Norton Antivirus
| etc do this, since they have a product to sell. But why Windows
| Defender?
|
| https://www.thewindowsclub.com/wp-content/uploads/2018/09/Wi...
| whatisthiseven wrote:
| I can't remember ever seeing those notifications? I must have
| turned them off years ago.
| CharlesW wrote:
| Yes! This is exactly what I mean. It's a distraction at best,
| and creates confusion, anxiety, and even anguish at worst.
| InCityDreams wrote:
| >confusion, anxiety, and even anguish
|
| Ever tried installing a printer?
| burkaman wrote:
| I think Windows Defender wants you to know it's there so that
| you don't feel the need to install Norton, because Norton
| will make your computing experience worse and you might blame
| Windows for that.
| vikingerik wrote:
| This is pretty much it. The reason Defender / Security
| Essentials was invented was to reduce Microsoft's own
| support workload, because a substantial proportion of that
| is caused by other overly aggressive anti-malware programs
| blocking everything and blaring loudly about it.
| teeray wrote:
| I think this also plays to the perception that "Macs don't get
| viruses" that Apple would like to maintain.
| highwaylights wrote:
| This is a very wonky comparison.
|
| Just because the malware has been removed (or not), does not
| mean the problem was resolved.
|
| If a keylogger already got your passwords and you'll never find
| that out then the fact it's no longer logging keystrokes is not
| much comfort to you as a victim.
| throwaway675309 wrote:
| If you're seeing 500+ alerts then you have a different problem
| on your hands. Personally something as relatively infrequent as
| malware detection should absolutely _not_ be swept under the
| rug.
|
| There's no way for a user to be able to correct her behavior or
| even be aware of problems without some kind of notification.
| arsome wrote:
| Having one piece of detected malware means you probably have
| more that aren't detected and not having someone take a look at
| that machine or reinstall the OS means you're probably running
| a system with active malware.
| TonyTrapp wrote:
| Enjoy the data loss introduced by randomly mis-identified files
| not being reported then. Yes, I've had it happen before that
| data files (not executables) that I fully intentionally stored
| on my computer were recognized as malware. If I hadn't been
| alerted about that fact, I would probably have wondered days or
| weeks later where the file went, with no way of restoring it.
| I'd never want an operating system to automatically, without
| notifying me, remove files, no matter how malicious it thinks
| they are.
| sneak wrote:
| I suspect this UI choice is part of Apple's "macs don't get
| malware" brand narrative.
___________________________________________________________________
(page generated 2023-01-04 23:00 UTC)