How do you know when macOS detects and remediates malware? (eclecticlight.co)
175 points by zdw on Jan 4, 2023 | hide | past | favorite | 111 comments



> Using eslogger isn’t simple either. That tool has to be left running to gather records of events into a text file, which the user has to monitor and maintain. Using the details I published here previously, I gathered those two event types during my tests using malware samples. Each event generates a substantial quantity of JSON data which appears to be undocumented.

It's a pretty clear dump of the contents of https://developer.apple.com/documentation/endpointsecurity/e..., just like every other endpoint security event. This tool is intended for users who are familiar with the Endpoint Security framework and want quick access to an entitled binary for testing purposes.

The author needs to understand that 1. developer APIs exist and are meant for developers, and 2. the OS is never going to be designed to be introspectable to someone like him and his users, because that would be an incredibly stupid way to design an OS. If you want to peek at what is going on, use the existing APIs and package it up as an app for your users to use. Exposing raw events like the author wants is neither useful or actionable for most users.
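Packaging the raw events up for users, as the comment above suggests, is what a small tool would have to do; the following is an added example and not code from the article, its author, or Apple. It folds eslogger JSON lines for the two XProtect event types into per-incident summaries and flags detections that never got a remediation event. The eslogger line envelope and the field names (taken from the Endpoint Security structs es_event_xp_malware_detected_t and es_event_xp_malware_remediated_t) are assumptions, and the sample lines are constructed.

```python
"""Summarise XProtect malware events from an eslogger JSON-lines capture.

Added example, not code from the article or from Apple. Assumptions: eslogger
writes one JSON object per line; its "event" member holds an
"xp_malware_detected" or "xp_malware_remediated" object whose keys follow the
Endpoint Security structs (signature_version, malware_identifier,
incident_identifier, detected_path, remediated_path, success,
result_description). The sample lines below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class XProtectIncident:
    """One XProtect incident, correlated by incident_identifier."""
    incident_id: str
    malware_id: str
    path: str
    signature_version: str
    remediated: Optional[bool] = None   # None: detected, no remediation event yet
    result: str = ""


# Constructed sample capture: "INC-1" is detected and then remediated;
# "INC-2" is detected but never remediated, the silent case the article's
# tests turned up. An unrelated event and a torn line are included on purpose.
SAMPLE_LINES = [
    '{"time": "2023-01-04T10:00:01Z", "event": {"xp_malware_detected": '
    '{"signature_version": "0000", "malware_identifier": "MACOS.SampleA", '
    '"incident_identifier": "INC-1", "detected_path": "/Users/demo/Downloads/a.dmg"}}}',
    '{"time": "2023-01-04T10:00:02Z", "event": {"xp_malware_remediated": '
    '{"signature_version": "0000", "malware_identifier": "MACOS.SampleA", '
    '"incident_identifier": "INC-1", "success": true, '
    '"result_description": "moved to Trash", "remediated_path": "/Users/demo/Downloads/a.dmg"}}}',
    '{"time": "2023-01-04T10:05:00Z", "event": {"xp_malware_detected": '
    '{"signature_version": "0000", "malware_identifier": "MACOS.SampleB", '
    '"incident_identifier": "INC-2", "detected_path": "/Users/demo/Downloads/b.pkg"}}}',
    '{"time": "2023-01-04T10:05:01Z", "event": {"exec": {"target": {"path": "/bin/ls"}}}}',
    'garbage line left by an interrupted eslogger run',
]


def parse_events(lines: Iterable[str]) -> Dict[str, XProtectIncident]:
    """Fold eslogger lines into incidents keyed by incident_identifier.

    Non-JSON lines and unrelated event types are skipped, so a long-running
    capture that was interrupted mid-line still parses.
    """
    incidents: Dict[str, XProtectIncident] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        ev = rec.get("event") or {}
        if "xp_malware_detected" in ev:
            d = ev["xp_malware_detected"]
            incidents.setdefault(d["incident_identifier"], XProtectIncident(
                incident_id=d["incident_identifier"],
                malware_id=d["malware_identifier"],
                path=d["detected_path"],
                signature_version=str(d["signature_version"]),
            ))
        elif "xp_malware_remediated" in ev:
            r = ev["xp_malware_remediated"]
            # A remediation without a prior detection in the capture still counts.
            inc = incidents.setdefault(r["incident_identifier"], XProtectIncident(
                incident_id=r["incident_identifier"],
                malware_id=r["malware_identifier"],
                path=r.get("remediated_path", ""),
                signature_version=str(r["signature_version"]),
            ))
            inc.remediated = bool(r.get("success"))
            inc.result = r.get("result_description", "")
    return incidents


def unresolved(incidents: Dict[str, XProtectIncident]) -> List[XProtectIncident]:
    """Incidents that were detected but have no successful remediation."""
    return [i for i in incidents.values() if not i.remediated]


def user_notice(inc: XProtectIncident) -> str:
    """Plain-language line suitable for a notification, instead of raw JSON."""
    status = ("removed (" + inc.result + ")") if inc.remediated else "NOT removed: check this file"
    return f"XProtect found {inc.malware_id} in {inc.path}; {status}"


if __name__ == "__main__":
    for inc in parse_events(SAMPLE_LINES).values():
        print(user_notice(inc))
```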


You seem to be missing the point of the article, which is this:

> the great majority of users are oblivious of the detection and remediation of malware on their Macs, which occurs in complete secrecy

This is a problem that Apple could solve but chooses not to. Everything the author is doing is admittedly a poor workaround for Apple's lack of user notification.


They probably also don't want to expose it to users at all because of marketing.

Anyone remember those old ads of PC vs Mac and Mac not getting viruses? Because, I do...


> They probably also don't want to expose it to users at all because of marketing.

It's incredibly intellectually lazy to suggest 'marketing'.

Apple's ideology has always been that regular, everyday computer users shouldn't have to concern themselves with low-level details of system administration in order to write a book or edit a video or whatever it is they're doing.

In addition, unless they have some breakthrough, elegant or innovative way of addressing stuff, they leave it to 3rd-party developers.

It's also myopic to complain about something as low-level as malware remediation while glossing over the fact that Apple enabled end-to-end encryption for iCloud [1] and gave users who aren't system administrators or security experts the ability to protect themselves if they are the target of a state level attacker [2].

Addressing security/privacy at this level is a very Apple thing to do.

In my opinion, it should be a no-brainer: end-to-end encryption and protection from state-level attackers vs a widget that alerts me the OS zapped a malware download.

As far as malware on macOS goes, having the operating system deal with this unbeknown to the user is actually a good thing for those everyday, regular users, who would probably screw things up worse if they had to play some direct role in this.

BUT for system administrators, developers and power users, the APIs and command line tools are there for them to get into the weeds of malware remediation if they want to.

[1]: https://www.apple.com/newsroom/2022/12/apple-advances-user-s...

[2]: https://www.apple.com/newsroom/2022/07/apple-expands-commitm...


Being infected with malware is, hopefully, a rare event. I think it's reasonable to alert the user they've got it, even a non techy user knows roughly what those are. If they know about it they may have an idea of how they got it (they may have let someone else use their laptop or maybe received an email from someone new), which can be useful so they don't get more malware.

If you really want an innovative way of doing it is trying to give the user a good track record so they know exactly where that came from.


I'm glad that they don't. Otherwise I would have my 75 year old father-in-law on the phone panicking every five minutes. He insists on having his own computer and after five years of dealing with his constant issues I convinced him to move to a Mac. Now I only get the calls a couple of times a year.


> I'm glad that they don't. Otherwise I would have my 75 year old father-in-law on the phone panicking every five minutes.

Exactly! Since there’s nothing the average everyday user can do about the malware, there’s really no need to alert them.

There’s a lot of stuff in system logs that would worry non-technical users if they knew about them.


They can stop opening sites and emails that give them malware. If the person who sent it to them in the first place was a friend, they can also tell it to their friend. You don't have to be a seasoned software engineer to understand that.


Exactly!


> Addressing security/privacy at this level is a very Apple thing to do.

So the user can sleep well when Pegasus gets all his data. Charming. /s


Here they are: https://www.youtube.com/watch?v=V0feR5grSa4 (32 second spot) / https://www.youtube.com/watch?v=VEVjILqU3pU (apparently the UK version of the same commercial).


There is a difference between virus and malware no?


Colloquially? I don't think so.


When asked about that by the colloquial layman, my answer is generally:

A virus can self-execute, replicate and spread (like biological ones), while malware (laymen also refer to trojans) needs user actions and unawareness to execute.

Am I totally wrong?


Malware also broadly refers to software unwanted by and malicious to the user. So it includes pre-installed auto-executing OEM adware, spyware, and grayware (colloquially also known as bloat).


Interesting, so yeah, while the distinction between virus and trojan can hold, I guess that viruses enter the broad malware definition and thus the OP is right.


I don’t appreciate this being called “complete secrecy”. There’s literally an API to find out when it happens! If it was just logged somewhere I might agree, but this is just not true. Nobody says the system firewall runs in “complete secrecy” either, even though it doesn’t warn you when it blocks connections.

I mean, in a perfect world all of this would be perfectly exposed to users and they would know every single action their computer takes. I don’t actually disagree that putting in some effort to better surface how XProtect works could be valuable. But the current situation is generally fine and the accusations that Apple is trying to hide this stuff from you do not seem well supported.


> I don’t appreciate this being called “complete secrecy”. There’s literally an API to find out when it happens!

You still seem to be missing the point. This is about end users not developers.

This is a UI problem, not an API problem. You want to make a technical point, because you're a technical person, but you're missing the forest for the trees, because this isn't a particularly technical problem. This is a typical Apple problem of paternalism, Apple believing that Apple should take care of everything, and users shouldn't worry their pretty little heads about anything.

> I mean, in a perfect world all of this would be perfectly exposed to users and they would know every single action their computer takes.

We're not talking about "every single action", we're talking about the OS detecting malware on an end user's Mac and then... not bothering to tell them about this fact. Imagine if you went to the doctor for a physical, took some tests, the tests indicated you had an STD, and then... the doctor just gave you some drugs and didn't bother to tell you that you had an STD. That would be malpractice. You'd want to know. You'd need to know. Because one doesn't just "randomly get" either an STD or malware. How you got it (and especially who you got it from) is just as important as that you got it.

> Nobody says the system firewall runs in “complete secrecy” either even though it doesn’t warn you when it blocks connections.

1) You have to manually enable the firewall. It's disabled by default on macOS.

2) Unlike malware, you can just "randomly get" connection attempts from the internet. Attackers are probing everything. I can see that in my web server logs.

I make a simple claim: if macOS takes action to remediate malware then it ought to tell the user. Simple question: Do you agree or disagree with that claim?

All of the discussion about logging and endpoint security is because the author has determined in testing that macOS actually fails to tell the user when it remediates malware.

To follow my earlier analogy, this is like talking about how to do your own STD tests when your doctor neglects to tell you whether you got an STD. But you doctor should really tell you, and then you wouldn't need your own tests. But you seem overly focused on the tests rather than the telling.


> I make a simple claim: if macOS takes action to remediate malware then it ought to tell the user. Simple question: Do you agree or disagree with that claim?

I am fully supportive of keeping users informed of how their systems work, and I always will be. Many parts of Apple, and the software industry in general, don't care for this very much, so this is unfortunately not as universal as I would like it to be. There's a lot of places in their OS that Apple chooses to not prioritize this effort, or does a poor job.

It's important to note that "tell the user" is not actually all that simple, just like being the person who tells you your medical results doesn't just read out your blood test. Throwing up a "we detected 10 threats" notification is not relevant to most users. When a doctor sits down with you they are obligated (I believe legally?) to make sure you understand what the results mean, how confident they are of the conclusions, your risk factors that might have influenced what they found, and what your next steps are. The same applies to malware detection and remediation, except with "medicine" swapped with "computers" for things people don't really understand.

I work in this space on another platform, and the problems we regularly run into include things like:

* We aren't 100% confident that we've detected malware

* Users sometimes actually find malware to have some helpful functionality (e.g. photo filter app that uploads all your photos, not just the ones you hand it)

* Malware authors target mechanisms that we can provide feedback to users

* Saying you didn't find any malware can lead users to think there is no malware

* Users don't really know what to do with "oh we found malware and fixed it for you"

These aren't impossible problems to solve (at least, I hope they aren't…) but they definitely require some thought. I don't quite know how Apple does malware scanning; my understanding was that they do a lot of signature matches which should help with "we are confident this is malware", but considering some of the behaviors described in the article ("macOS detected malware and didn't do anything?!") I suspect some of these are less reliable. In any case, I get the feeling that Apple has not prioritized notifying the user of this because they don't want to spend the time on it for whatever reason. They don't really want to keep it secret, hence the API for third parties to perhaps solve the problem for them, but they aren't doing it themselves. Perhaps they really should; I think it's fine to be upset about this. The specific complaint I had was that the author seemed to imply that Apple purposefully underdocumented the API and made it hard to use for normal people, when that wasn't the purpose of it at all.


Would you like Mac OS to work like your average Windows antivirus which keeps bombarding you with notifications that FIFTY THREATS HAVE BEEN DETECTED! BE AFRAID! ?


@dang

It looks like HN's URL truncation is mangling the link in the post above. I think it's meant to go to https://is.gd/hneoxB (using a URL shortener to work around the bug), but when the full URL is posted, (https://developer.apple.com/documentation/endpointsecurity/e...), it gets truncated after the first letter of the last path segment.

EDIT: For some reason, when you put the URL in parentheses, it's correctly handled once again.


Just had a thought - I’d imagine more people are scammed by “You have 3 viruses on computer” pop-ups than would be better off with a visible warning from macOS for background detections.

Perhaps apple made the (reasonable) decision to not alert people to background detection/remediations so as to not get users used to such alerts?


How about this alternative explanation: Apple is very concerned about its perception in public and doesn't want users to see that their OS has quite a malware issue.

A lot of Apple users still believe that macOS is superior when it comes to security. But reality looks more like:

https://in.mashable.com/tech/11411/sorry-mac-owners-a-new-re...

No news:

https://www.theguardian.com/technology/blog/2009/mar/20/brow...


Good point. There is a cottage industry of scams running fake Windows virus alerts.


They often show a "Mac version" of those for MacOS users. It doesn't matter much that the warning doesn't exist in the system. They're not targeting people who know that.


> "As a result, the great majority of users are oblivious of the detection and remediation of malware on their Macs, which occurs in complete secrecy."

Great! This is how consumer products should work. If I were to see "hey a thing happened but I resolved it" alerts from the 500+ currently-running processes on my computer, I'd throw it out the window.


Eehh... This is more like "you drove through a red light but luckily no one T-boned you;" a cop will rightfully pull you over to let you know "nothing happened." I'd say the driver definitely should be alerted that that PDF they opened was infected. At minimum to alert them to the fact that they should keep their guard up, and that further investigation of potential compromise could be necessary depending on your threat model.

Virus almost running on your PC is not a routine product feature that should be swept under the rug - at best it's bad security hygiene, at worst it's symptomatic of a targeted/ongoing compromise.


> I'd say the driver definitely should be alerted that that PDF they opened was infected

When you actively open an infected or malicious file you do get alerted - those are the alerts shown in TFA.


Hasty example on my part but point stands when scenario is replaced by "background virus" (i.e. detected by Remediator as an active threat, instead of being preemptively blocked when opening a file).

Could be the PDF example still too, if XProtect misses it on initial file scan, but then Remediator picks it up later. Not sure if they use different detection engines (database matching on the file vs active process heuristics)?


>At minimum to alert them to the fact that they should keep their guard up

or to not share it with others!


Or warn the person (friend, coworker, family member) who sent it that they have a malware problem!


> This is more like "you drove through a red light but luckily no one T-boned you;"

Huh? The malware getting removed is not evidence that no harm occurred. Perhaps the malware stole something of importance. If that something was just power and network (e.g., for a DDoS farm), then it's of little importance, but if that something was keystrokes, then it could be a major importance. The user not knowing is a real problem.


> a targeted/ongoing compromise.

Not to worry! Because XProtect and similar have such a narrow scope, it is unlikely to protect against targeted attacks anyway.


> Virus almost running on your PC is not a routine product feature

Maybe on macOS it is, and the only reason it isn't broadly known is because Apple is sweeping this under the rug?


It is typical apple dumbness - form over function.

The same dumbness exists on windows where it would silently remove files like keygens with its 'antivirus' making it a mandatory drill to disable it completely (no easy task too) on any new installation. Even worse you would sometimes forget that it does that and then be dumbfounded for about 30 minutes as to why the file is in the archive but not on the filesystem after its extraction.


Enjoy the data loss introduced by randomly mis-identified files not being reported then. Yes, I've had it happen before that data files (not executables) that I fully intentionally stored on my computer were recognized as malware. If I hadn't been alerted about that fact, I would probably have wondered days or weeks later where the file went, with no way of restoring it. I'd never want an operating system to automatically, without notifying me, remove files, no matter how malicious it thinks they are.


If you're using one just accept the fact that an Apple device never belongs to you.

Apple can do what it wants on their devices. You can't.

But you're generously allowed by Apple to pay money for that. Isn't that great?


[flagged]


I'm sorry for you if getting in touch with reality annoys you.

But the issue is on your side.


Meanwhile every few weeks Windows Defender interrupts me with an alert that I have no malware. That drove me up the wall before I switched to Linux. I understand why Norton Antivirus etc do this, since they have a product to sell. But why Windows Defender?

https://www.thewindowsclub.com/wp-content/uploads/2018/09/Wi...


I think Windows Defender wants you to know it's there so that you don't feel the need to install Norton, because Norton will make your computing experience worse and you might blame Windows for that.


This is pretty much it. The reason Defender / Security Essentials was invented was to reduce Microsoft's own support workload, because a substantial proportion of that is caused by other overly aggressive anti-malware programs blocking everything and blaring loudly about it.


I can't remember ever seeing those notifications? I must have turned them off years ago.


Yes! This is exactly what I mean. It's a distraction at best, and creates confusion, anxiety, and even anguish at worst.


>confusion, anxiety, and even anguish

Ever tried installing a printer?


I think this also plays to the perception that “Macs don’t get viruses” that Apple would like to maintain.


You mean Apple would brainwash their users?

No, Apple wouldn't do that. Never! Big Apple promise.


This is a very wonky comparison.

Just because the malware has been removed (or not), does not mean the problem was resolved.

If a keylogger already got your passwords and you'll never find that out then the fact it's no longer logging keystrokes is not much comfort to you as a victim.


Having one piece of detected malware means you probably have more that aren't detected and not having someone take a look at that machine or reinstall the OS means you're probably running a system with active malware.


If you're seeing 500+ alerts then you have a different problem on your hands. Personally something as relatively infrequent as malware detection should absolutely not be swept under the rug.

There's no way for a user to be able to correct her behavior or even be aware of problems without some kind of notification.


Ha, off-topic but I love that macOS properly calls it Bin when set to British English


My first thought was "why would I want to move a piece of malware to the /bin directory?"


Do they also call the M1 'micro-crisps'?


> I love that macOS properly calls it Bin when set to British English

macOS has some really exceptional internationalization.

I recently discovered that it supports Zuni. There are only a few thousand Zuni-speakers in the world.

System Settings → General → Language and Region → Preferred Languages → + → scroll..scroll..scroll → Shiwi'ma/Zuni


As far as I know this is just a convenience thing so that various apps can query the preferred language - Mac OS itself only supports about 40 or so languages for system translations and third party apps will mostly only support only a few (and one of those will invariably be English). Perhaps it does a few other quality of life things like sets reading order correctly (i.e. RTL or LTR) but your menus won't be in some language that only 2500 people speak.


> macOS has some really exceptional internationalization.

Ubuntu is pretty good on that aspect as well, that's why I prefer it for my parents compared to Windows which is spotty in a lot of places. As an example "Windows Update" isn't translated and does not mean anything in a foreign language.


After reading this I decided to scroll through the available languages and honestly can't believe it has Kernewek (Cornish), a language from the British county of Cornwall. Reading around, estimates put the number of fluent speakers at around 400 and those with basic language skills at around 5,000.


So at least 0.25% of the fluent speakers were involved in translating it, possibly more


It's System Settings -> Language and Region on my Mac (no General).

I may change my Mac to Latin for fun.


I believe macOS 10.15 and 11 have two-ish generations of different settings organization compared to 10.14 and earlier.


It makes me think of the Invincible meme, "that's the neat thing, you don't" with an asterisk.

Kidding aside if you're somewhat competent with macs and you can read, little snitch should be the first piece of software you install on any mac. It's not malware protection but it does at least make you aware of stuff wanting to do weird crap on your computer.


I ran little snitch for about a week years ago and there were hundreds of thousands of requests just from typical apple services so trying to curate that list was an exercise in futility. It's a nice GUI but not a useful tool. Plus the knowledge it takes to use LN ends up pointing you to using the more effective tcpdump+bintools and modifying your mac's packetfilter config file.


They have a curated list of rules for builtin system services now, so you don't have to bother with that (if you don't want to).

Also, I'd argue, there's still a wide gap in knowledge requirement, as well as ease of use between LS and some homebrew tcpdump based solution.


I didn't know that. Maybe I was too hasty, and this was a looooong time ago. Curated lists would be helpful.


Is Pihole a reasonably friendly tool with an easy on-ramp or is LS doing more than that?


I've only used OpenSnitch, a Linux equivalent of LS.

Pihole operates at domain/subdomain level. So it won't resolve domains that are in your blacklist.

*Snitch operates at packet level, so whilst you can block a domain, you can also block an app's access to a particular domain but allow another app access, maybe only by one user and to a specific port.

Snitch takes much more setup and will annoy you until you've worked through all the usual traffic. It reminds me of the Proxomitron back in the day (https://en.wikipedia.org/wiki/Proxomitron).


Pihole just tells you what computer made DNS queries and to where.

Littlesnitch/tcpdump/wireshark/glasswire (I think?)/opensnitch are system level tools that attempt to monitor the individual connections - which processes made them, where they were to, and tcpdump/wireshark will also show you the content of the connection.

If malware uses IP addresses or its own DNS server then Pihole will never see it.

Snort and Suricata are more likely what you're looking for as an IDS for something network wide, they analyze network wide the individual connections and can do pattern matching with known malware lists. They can't tell you what process made the request.

A pihole certainly wouldn't hurt and is very easy to use, it's not really made to be an IDS AFAIK.


> I ran little snitch for about a week years ago and there were hundreds of thousands of requests just from typical apple services so trying to curate that list was an exercise in futility.

It is difficult to set up, but it's still possible. One of the main reasons I use Little Snitch is to stop Apple from phoning home to Cupertino so much, to take some control back for myself.

There are a ton of background processes on the Mac that can be blocked with no negative consequences AFAICT. Occasionally I trip myself up, but I'm willing to accept that consequence.

I've sometimes thought of publishing my Little Snitch setup, but the problem is that I'm typically 1 major macOS version behind, including now. A lot tends to change from version to version.


I've actually been having all sorts of weird issues with LittleSnitch after upgrading to Ventura.

For instance it was blocking requests from Python started by Sublime Text without prompting me about it (and there was no reject/drop rule in place that matched, it just didn't prompt), really annoying.

Anyone experienced similar problems using LS on Ventura?


There's commercial/enterprise software available which hooks into XProtect to provide more advanced reporting capabilities.

https://www.jamf.com/products/jamf-protect/

Doesn't help for the average user, but the software does exist.


We’re a macOS house that uses Jamf for management and Microsoft Defender ATP for Anti-Malware.

Defender ATP gives great reporting, but the performance impact on endpoints is obscene. During onboarding for developers we go through the Xcode Command Line Tools and Homebrew installation; if ATP has already been installed, it adds somewhere between 20 and 40 minutes to the installation time.

I’ll get some pricing for Jamf Protect and if it’s competitively priced I’ll see about moving us over. I’d much rather be using something built-in than a poorly optimised solution.


Protect is much better than ATP, both on the endpoint and the admin console. Crowdstrike is also good, with minimal resource footprint.

On my old 16” 2019 MBP, ATP used to legitimately cause a ~10C increase in “idle” temps. Not a huge fan.


As an aside, I've been pleasantly surprised by Firefox's latest privacy additions. Earlier today, while clicking around looking at monitors on various sites, I kept running into what looked like a malware alert, suggesting I was being redirected to a possibly malicious website. Turns out that was true, but it wasn't the traditional reason that you'd see in older versions of Windows, and in rare cases on macOS, where some download would hijack your browser configuration and redirect you to god knows where. Nope, it was just regular ad tracking bs, even on seemingly non-malicious links, such as those that link to Dell's product page from Macrumors. Inspect the link, and it seems to link directly to where the hover effect would have you believe. Right-click and click "copy link" however, and you'd paste into the address bar the obscured redirect url. Since I'd been using a blocker for some time on my other computer, I didn't even realize it had got this bad. Thanks Firefox for enabling this by default, and revealing standard Google search ads to be the malicious crap they are.


I suspect this UI choice is part of Apple's "macs don't get malware" brand narrative.


I would be totally fine if it would just remediate silently always... and I certainly don't care what name it gives the malware, I'm surprised they show a name at all.

If you are a security researcher, it seems like you have other tools at your disposal.


I’m curious how good/advanced this built-in malware protection is compared to some 3rd party, like Malwarebytes or similar


It feels like if Apple went far enough to make this all visible and great, they’d start getting scrutiny for being imperfect, and missing malware.

Kinda feels like they want to make a best-effort at preventing malware without making a big deal of it.


Settings > Malware Remediation > Notify on Detection?

Settings > Malware Remediation > Events

Not a complicated UI to design.

I suspect the other reply that pointed to Apple wanting to sweep Mac malware under the rug is far more likely.


My suspicion was correct after reading the screenshots:

“trash” in USA

“bin” in UK


You don't. It's proprietary software.


According to TFA, you do. Methods are listed at the end, and the author created XProCheck¹ to make it easier.

¹ https://eclecticlight.co/consolation-t2m2-and-log-utilities/


What the poster you're replying to means is, "You know what Apple allows you to know, but you don't have the source, so you can't verify that Apple isn't lying to you."


If you are so inclined, which the article author is not but many others are, you can look at the binaries and reverse them to verify things yourself.


The article seems to definitively answer that you can. But yes — if the theory is that Apple is pretending to log malware detection and remediation, one would have to disassemble the relevant parts of the OS to prove that.


But if you open an app whose developer didn't pay Apple $100/year you will be SURE to know how risky that is and that macOS blocked it for you!


This is an entirely separate system that tracks known malware and enforces a deny list policy. You're thinking of notarization and code signing, which is an allow list policy that you're allowed to circumvent. If you don't get your app signed and notarized you at least can still run it if your users are willing to trust you. It's annoying for technical users but fine for the average folk that really shouldn't be installing random FOSS tools they've never heard of before.


Why shouldn't average folk be installing random FOSS tools they've never heard of before? Some are great. It's ridiculous that anything can be installed from the Mac App Store by anyone, where there are apps aplenty trying to trick you into some horrid weekly $60 subscription to even use the "free" app, but actually useful, trusted and free FOSS apps are positioned as harmful. But hey, Apple gets their cut...


Is this actually happening? I download directly whenever possible so the dev doesn't have to pay commission to Apple and I've never had a download blocked.

EDIT: I see from the comments I wasn't adequately clear: yes, I get the notification but it's hardly a "block" as the comment I was replying to said. It is by design trivial to bypass.


The Gatekeeper checks still apply to direct downloads. If you don't get a warning (that's intentionally a little difficult to bypass), the dev still signed and notarized the binary via Apple.

https://support.apple.com/en-au/guide/security/sec5599b66df/...


You get a warning popup and the application is blocked from running if it is not signed by an Apple Developer Account ($100/yr) and countersigned (i.e., notarized) by Apple.

This is separate from the 30% App Store commission.


I edited my comment to point out that Apple made it pretty trivial to run such an app. It just calls your attention to a drive by download of an executable (though I do wonder how many people try to run such things)


You should get a pop up asking if you want to launch the app or need to go into system settings to approve it. It’s a minor speed bump and is probably for the best for non-savvy users.


If you right click then click open you can skip going into system settings.


I get various degrees of warning for reasons I don't know: "the developer cannot be identified" can be bypassed via right-click open, but some apps get a worse warning like "this app is malware" or "this app is damaged and cannot be opened". For those I need to de-quarantine them with an xattr command.

For example, try installing librewolf via homebrew.


Thanks for an example. I have literally never experienced those latter two.


No?


Yes: https://support.apple.com/en-ca/guide/mac-help/mh40616/mac

> If you try to open an app that isn’t registered with Apple by an identified developer, you get a warning dialog.


A warning dialog is different than being "blocked" as OP suggested


It's not really a "warning". It's an alert that says macOS will not open this app. You _have_ to open it via Finder and Control-click + Open or there's no way to get into the program. The first alert does not tell you how to do this, and other methods of launching (e.g. Launchpad) cannot be made to work.

So unless you know Apple's secret knock, it's functionally blocked.


> So unless you know Apple's secret knock, it's functionally blocked.

That's way over the top.

All you have to do is right click on the app and select 'open' from the pop-up menu.

And it's not like there aren't thousands of articles available via the google machine to explain how to do this.

It's just a minor speed bump to prevent unaware but vulnerable users from shooting themselves in the foot.


It's hardly a secret knock. Both the linked help article and the system help both tell you step by step what to do and I don't have an app handy to trigger the dialog, but last I looked the dialog while it didn't give you the steps there has a link directly to the system help with the instructions.


Trust me - outside of the HN technical crowd - people get very confused or scared by this and do not know how to proceed. It's a non-starter for most software aimed at the 'everyday user' crowd (I've seen the bug reports and customer complaints first hand).


Which no non-techie user will check, which means you will not be able to write software for that platform.

Unless, of course, you use a download method that won't set the quarantine bit on MacOSX. wget, for instance. Gatekeeper can go sod itself.


It is actually blocked. The program is prevented from launching. You can go into the security settings and approve it and then relaunch it (which, last I saw, the error message didn't even tell you how to do anymore), but it's not just an "approve/deny?" skippable screen.


Pro tip, right click the app and click "Open" in the menu to get a version of the dialog with an approve button. No need to go into settings.


By that same logic, non-hsts SSL certificate expiration warnings are browsers "blocking" you from visiting a website, despite the buttons that allow you to bypass it.


They are blocking you.

In Chrome, it's even more complicated. You have to click the very small "More/Advanced Settings" text which doesn't even really look like a button. After that, a button allowing you to proceed appears, but upon clicking you are given a very scary warning.


Sometimes you have to type "thisisunsafe" to bypass the block. Not in any field, just type it with the tab focused.


It's not the same. In the SSL case the browser gives you a bypass button, which is fine (if hidden). Here, there is no bypass button unless you have the secret knowledge to open the app in a certain way.

Otherwise the OS entirely refuses to open the app with no bypass button or hint as to how to get around it, while implying "security issues" and "untrustworthiness"


For certain cert errors in Chrome, there is no button/link to ignore and continue. You actually have to type "thisisunsafe" into the tab. There is no feedback when you are typing this. It will just navigate to the page you were trying to reach as soon as you finish typing.


Yeah sure. It seems we're arguing about vocabulary, not functionality


> A warning dialog is different than being "blocked" as OP suggested

You'd see how many times I've seen users blocked with the "default" dialog you get on first download when things are correctly signed and notarized ... and let's not even talk about the one you get when notarization failed or it's not signed; elderly users really don't know that they have to right-click



