[HN Gopher] Why macOS anti-malware scans can behave oddly
___________________________________________________________________
Why macOS anti-malware scans can behave oddly
Author : janandonly
Score : 63 points
Date : 2023-08-13 15:39 UTC (7 hours ago)
(HTM) web link (eclecticlight.co)
(TXT) w3m dump (eclecticlight.co)
| hunters_laptop wrote:
| "Instead it records those events in the log, and in Ventura and
| later makes them available to third-party software through
| Endpoint Security events."
|
| Sounds like what malware did for decades
| dotty- wrote:
| What are you trying to say by this comment? Odd comparison.
| jasoneckert wrote:
| In this case, it's for enterprise MDM and MDR software agents
| that have device-level trust after the device has been enrolled
| (e.g., Apple Business Manager, Microsoft Intune, Kandji, Jamf).
| paradox460 wrote:
| I would say the line between malware and most MDM packages is
| up for debate.
| andrekandre wrote:
| That's interesting, I'm guessing it means third-party scanning
| will slowly become more and more rare?
|
| Currently my battery life really suffers with third-party
| scanning burning through my M1 cores after a build...
| [deleted]
| Kognito wrote:
| I've always found it interesting that XProtect is completely
| invisible to the average user, whereas MS Defender is very much
| in your face (at least it was last time I used Windows). I
| suppose it's to quietly reinforce the narrative that Macs "don't
| get malware".
|
| If they do, but you never know about it before it's dealt with, to
| the average user it's as good as it never having happened. Unless
| of course damage has been done/data stolen/etc., in which case I
| suppose the user never finds out?
|
| I really wouldn't mind a UI for XProtect buried somewhere deep in
| the settings.
| FirmwareBurner wrote:
| _"Malware on Macs does not exist" - 'waving Jedi hand'_
| intelVISA wrote:
| Well, technically the kernel is the malware (non-free) in
| this case...
| MBCook wrote:
| I would put it more towards Apple's general philosophy of "the
| user shouldn't have to care about that" than trying to uphold
| an image from an (extremely popular) 15-year-old ad campaign.
|
| That said, I agree it's great that it's there and I like that it
| doesn't bother me if I don't need to be involved.
| JadeNB wrote:
| > I would put it more towards Apple's general philosophy of
| "the user shouldn't have to care about that" than trying to
| uphold an image from an (extremely popular) 15-year-old ad
| campaign.
|
| Apple's general philosophy has always been "the user
| shouldn't have to care about that", but they've moved more
| and more recently to "the user shouldn't even be _able_ to do
| anything about that" (betraying their BSD roots along the
| way, I feel), and this seems to be an instance of that.
| TillE wrote:
| I think maybe this was changed quite recently, but for a long
| time Windows 10/11 would send you periodic notifications that
| Defender had done a scan and found no threats. Pointless and
| briefly alarming; I do not expect to get AV notifications
| unless there's a problem.
|
| I'm glad there's a GUI though, which lets you do a deep scan on
| boot and other stuff.
| easton wrote:
| I'm on 11 Insider Preview on my work machine and about once a
| week I get a notification that says something to the effect
| of Defender not finding anything after scanning five times.
| giuliomagnifico wrote:
| I would have preferred if the scan was also performed when in
| sleep (I mean by waking up the system silently), but knowing that
| macOS keeps itself a bit more secure is a good thing.
| mschuster91 wrote:
| > I would have preferred if the scan was also performed when in
| sleep (I mean by waking up the system silently)
|
| Bad, bad idea. It's really bad if the system decides to wake up
| for _any_ reason on its own - my AirPods used to be really bad
| for a while, despite setting them to "connect with last
| device" they'd connect to my work MacBook spontaneously instead
| of my tablet, wake up the laptop, something would prevent it
| from going back to sleep and since it was stored in my bag it
| would heat up until the overtemperature safety shutoff _and_
| drain the battery in the process.
| giuliomagnifico wrote:
| macOS already wakes itself up lots of times while keeping the
| display and other services off; it's called PowerNap. It
| downloads mail and updates, so the same for the malware
| protection would not be a bad idea.
| tinus_hn wrote:
| In addition to this, this feature is optional: there is a
| clearly labeled switch in the settings to turn this on or
| off if for some reason people have strong feelings against
| it.
| nickpeterson wrote:
| People are used to the old days when a computer would
| come on in a bag and overheat itself.
| kibwen wrote:
| The old days of last year, when my MacBook did exactly
| this. "Smart sleep" is a shambles, give me a real
| hibernate option please.
| jwells89 wrote:
| In my experience, Power Nap probably isn't the problem,
| because turning off wake on LAN eliminates bag-waking
| entirely on macOS and greatly mitigates it under Windows.
|
| Really, it's rather strange that laptops have wake on LAN
| enabled by default. It makes some sense on desktops
| (though I disable it there too so my gaming PC doesn't
| randomly rouse itself from hibernation at 3AM), but not
| at all on laptops.
| wila wrote:
| On top of this the default for PowerNap is to not run when
| on battery, only when plugged in.
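An added example, not part of the thread: a POSIX shell audit of the two settings the comments above mention, wake on LAN (`womp`) and Power Nap (`powernap`), per power source. It runs here over a constructed sample in the format of `pmset -g custom`; the key names are the real pmset ones, the sample values are made up.

```sh
#!/bin/sh
# Added example, not from the thread: report whether a Mac may wake on its own.
# Input is text in the format of `pmset -g custom` (one "<source> Power:" header
# per power source, then "key value" lines). SAMPLE_PMSET is a constructed
# sample so the script runs without a Mac; on macOS pipe in the real output:
#   pmset -g custom | audit_pmset

SAMPLE_PMSET='Battery Power:
 lidwake              1
 womp                 0
 powernap             0
 sleep                1
AC Power:
 lidwake              1
 womp                 1
 powernap             1
 sleep                1'

# Prints one line per power source:
#   <source> womp=<0|1|?> powernap=<0|1|?> <OK|WARN>
# WARN means wake on LAN (womp) or Power Nap (powernap) is enabled for that
# source, i.e. the machine can wake without the user opening the lid.
audit_pmset() {
    awk '
        /^[A-Za-z ]+ Power:$/ {
            src = $0; sub(/ Power:$/, "", src)
            order[++n] = src; next
        }
        $1 == "womp"     { womp[src] = $2 }
        $1 == "powernap" { nap[src]  = $2 }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                w = (s in womp) ? womp[s] : "?"
                p = (s in nap)  ? nap[s]  : "?"
                st = (w == "1" || p == "1") ? "WARN" : "OK"
                printf "%s womp=%s powernap=%s %s\n", s, w, p, st
            }
        }'
}

# Convenience wrapper that feeds the constructed sample through the audit.
audit_sample() {
    printf '%s\n' "$SAMPLE_PMSET" | audit_pmset
}

audit_sample
```

The sample reflects the default the comment describes (Power Nap off on battery, on when plugged in), so only the AC line is flagged.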
| MaxikCZ wrote:
| In this case it's the execution that was bad. If macOS
| would wake silently, knowing the purpose is to scan and do
| nothing else, all the useless stuff could (and should)
| be kept off. Then such a thing could not happen.
| tedunangst wrote:
| Why don't they write the rest of the OS in this guaranteed
| bugfree way too?
| mschuster91 wrote:
| No OS supports just waking up "specific" processes only
| after a resume from standby. IIRC Apple does but in a fake
| way - they just wake up the T2 chip and its dedicated OS,
| which is a ton of work to get right (as state of hardware
| must be coordinated between macOS and bridgeOS), and only
| Apple can do this because (other than servers with
| iLO/equivalent) no x86 machine has a similarly capable
| coprocessor.
|
| Edit: never mind, I must have gotten something wrong, T2 is
| not capable of that.
| arghwhat wrote:
| There is no technical limitation, the kernel is free to
| schedule whatever it wants. The appearance that
| everything never stopped running is an illusion the
| kernel does active work to implement - heck, in the case
| of hibernation it is even after a normal cold boot like
| any other.
|
| Resuming to only run specific processes - or resuming to
| run an entirely different, temporary userspace - is
| trivial from a kernel perspective.
| jonhohle wrote:
| In a sleep state there is no kernel running, it's a
| hardware feature that stops CPU execution and possibly
| more depending on the sleep state.
| rcxdude wrote:
| The kernel is still heavily involved in the process of
| going to sleep: it needs to coordinate the process, which
| includes freezing userspace execution. So it can quite
| easily unfreeze only a portion of the userspace. The main
| trick is making sure that the unfrozen bits aren't
| depending on the frozen bits, which is probably hard in
| general thanks to locks.
| arghwhat wrote:
| Userspace locks are generally per process (or process
| group), so it shouldn't matter. There can be IPC
| dependencies and file locks and what not, but none of
| that matters if you only run something you control and
| therefore can ensure has no odd dependencies.
| arghwhat wrote:
| Sleep states are not a switch you just flick - that'd be
| equivalent to you pulling the power cord.
|
| Even in the highest, most power hungry sleep states the
| kernel has to pause everything first, power down all the
| other hardware (otherwise you'd still have your WiFi card
| and GPU running full tilt), configure what will interrupt
| the CPU sleep and finally start it. On the other end it
| has to set everything back up, reinitialize all the other
| hardware to be in the same state as before, and finally
| start running user space again - pretending nothing
| happened even though the foundation was removed and
| rebuilt.
|
| The only real difference to full hibernation - where the
| machine is powered off entirely and the kernel restores
| system state from a snapshot it wrote to disk - is that
| the RAM state sticks around and that the CPU executes the
| kernel again on wake instead of dropping to the firmware
| boot sequence.
|
| Without that boot sequence, hibernate would basically be
| indistinguishable from suspend - a Phoronix article some
| years back talked about how Intel tuned the kernel to get
| from cold boot to full interactive UI in 300ms for
| automotive use cases.
| kergonath wrote:
| > No OS supports just waking up "specific" processes only
| after a resume from standby.
|
| PowerNap does something like this, actually, and had been
| doing it for years when the T2 was introduced (since
| Mountain Lion, IIRC, on bog standard Intel cores).
| kome wrote:
| This is a really terrible idea.
| derefr wrote:
| Macs already do this for other things, e.g. downloading
| updates. The feature is internally called "DarkWake" and
| exposed to the user as "Power Nap"
| (https://support.apple.com/en-ca/guide/mac-help/mh40773/mac).
|
| I would note that there's definitely a reason that macOS
| hasn't attached anti-malware scanning (or similar things,
| e.g. Spotlight indexing) to DarkWake wakeups, though.
|
| The other things DarkWake does are all IO-bound (network
| activity, disk activity) with a bounded workload size (the
| size of the update); while anti-malware scans would be CPU-
| bound (lots of hashing for signature checking) with an
| unbounded workload size (however much stuff you have on your
| HD.)
|
| Doing IO-bound activity, just on some efficiency cores, in
| their base power state, for a minute or two, is fine; even if
| the laptop is in your bag, it won't heat up, any more than
| your phone heats up in your pocket. Doing "real work" in the
| same situation is not fine.
| logdap wrote:
| [dead]
| [deleted]
___________________________________________________________________
(page generated 2023-08-13 23:01 UTC)