
> Using eslogger isn’t simple either. That tool has to be left running to gather records of events into a text file, which the user has to monitor and maintain. Using the details I published here previously, I gathered those two event types during my tests using malware samples. Each event generates a substantial quantity of JSON data which appears to be undocumented.

It's a pretty clear dump of the contents of https://developer.apple.com/documentation/endpointsecurity/e..., just like every other endpoint security event. This tool is intended for users who are familiar with the Endpoint Security framework and want quick access to an entitled binary for testing purposes.

The author needs to understand that 1. developer APIs exist and are meant for developers, and 2. the OS is never going to be designed to be introspectable to someone like him and his users, because that would be an incredibly stupid way to design an OS. If you want to peek at what is going on, use the existing APIs and package it up as an app for your users to use. Exposing raw events like the author wants is neither useful nor actionable for most users.
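As an added illustration (not code from the post or from Apple) of what that dump looks like and how a developer would package it for end users: this Python reads eslogger-style JSON lines for the two XProtect events and folds them into one plain-language notice per incident. It assumes eslogger emits one JSON object per line with the event body under event/<event name>, with field names taken from the Endpoint Security xp_malware_* structs (malware_identifier, incident_identifier, detected_path, remediated_path, success); the sample lines are constructed.

```python
import json

# Event names as given to eslogger; the per-line JSON shape and field names used below are
# assumed from the Endpoint Security xp_malware_* structs, not something the thread shows.
MALWARE_EVENTS = ("xp_malware_detected", "xp_malware_remediated")

# Constructed sample lines standing in for live eslogger output.
SAMPLE_LINES = [
    json.dumps({"event": {"xp_malware_detected": {"malware_identifier": "MACOS.EXAMPLE.A",
        "incident_identifier": "11111111-2222-3333-4444-555555555555",
        "detected_path": "/Users/test/Downloads/sample.dmg"}}}),
    json.dumps({"event": {"open": {"file": {"path": "/etc/hosts"}}}}),  # unrelated ES event
    json.dumps({"event": {"xp_malware_remediated": {"malware_identifier": "MACOS.EXAMPLE.A",
        "incident_identifier": "11111111-2222-3333-4444-555555555555", "success": True,
        "remediated_path": "/Users/test/Downloads/sample.dmg"}}}),
    "not json at all",  # stray non-JSON output must not crash the reader
]

def parse_malware_event(line):
    # Returns (event_name, body) for an XProtect event line, None for anything else.
    try:
        event = json.loads(line).get("event", {})
    except (json.JSONDecodeError, AttributeError):
        return None
    name = next((n for n in MALWARE_EVENTS if isinstance(event, dict) and n in event), None)
    return (name, event[name]) if name else None

def summarize_incidents(lines):
    # Folds detect/remediate events into one record per incident_identifier.
    incidents = {}
    for name, body in filter(None, map(parse_malware_event, lines)):
        entry = incidents.setdefault(body.get("incident_identifier"), {
            "malware_identifier": body.get("malware_identifier"),
            "path": body.get("detected_path") or body.get("remediated_path"),
            "detected": False, "remediated": None})
        if name == "xp_malware_detected":
            entry["detected"] = True
        else:
            entry["remediated"] = bool(body.get("success"))
    return incidents

def user_message(incident):
    # The plain-language notice the thread says XProtect never surfaces.
    what = f"{incident['malware_identifier']} at {incident['path']}"
    if incident["remediated"]:
        return f"macOS removed malware ({what})."
    if incident["remediated"] is False:
        return f"macOS failed to remove malware ({what}); inspect the file manually."
    return f"macOS detected malware ({what}) but has not reported removing it."
```

To run it against live events instead of the sample, feed `summarize_incidents` the lines from `sudo eslogger xp_malware_detected xp_malware_remediated` and pass each resulting incident to `user_message`.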


You seem to be missing the point of the article, which is this:

> the great majority of users are oblivious of the detection and remediation of malware on their Macs, which occurs in complete secrecy

This is a problem that Apple could solve but chooses not to. Everything the author is doing is admittedly a poor workaround for Apple's lack of user notification.


They probably also don't want to expose it to users at all because of marketing.

Anyone remember those old ads of PC vs Mac and Mac not getting viruses? Because I do...


> They probably also don't want to expose it to users at all because of marketing.

It's incredibly intellectually lazy to suggest 'marketing'.

Apple's ideology has always been that regular, everyday computer users shouldn't have to concern themselves with low-level details of system administration in order to write a book or edit a video or whatever it is they're doing.

In addition, unless they have some breakthrough, elegant or innovative way of addressing stuff, they leave it to 3rd-party developers.

It's also myopic to complain about something as low-level as malware remediation while glossing over the fact that Apple enabled end-to-end encryption for iCloud [1] and gave users who aren't system administrators or security experts the ability to protect themselves if they are the target of a state level attacker [2].

Addressing security/privacy at this level is a very Apple thing to do.

In my opinion, it should be a no-brainer: end-to-end encryption and protection from state-level attackers vs a widget that alerts me the OS zapped a malware download.

As far as malware on macOS goes, having the operating system deal with this unbeknown to the user is actually a good thing for those everyday, regular users, who would probably screw things up worse if they had to play some direct role in this.

BUT for system administrators, developers and power users, the APIs and command line tools are there for them to get into the weeds of malware remediation if they want to.

[1]: https://www.apple.com/newsroom/2022/12/apple-advances-user-s...

[2]: https://www.apple.com/newsroom/2022/07/apple-expands-commitm...


Being infected with malware is, hopefully, a rare event. I think it's reasonable to alert the user they've got it; even a non-techy user knows roughly what those are. If they know about it they may have an idea of how they got it (they may have let someone else use their laptop or maybe received an email from someone new), which can be useful so they don't get more malware.

If you really want an innovative way of doing it, try giving the user a good track record so they know exactly where that came from.


I'm glad that they don't. Otherwise I would have my 75 year old father-in-law on the phone panicking every five minutes. He insists on having his own computer and after five years of dealing with his constant issues I convinced him to move to a Mac. Now I only get the calls a couple of times a year.


> I'm glad that they don't. Otherwise I would have my 75 year old father-in-law on the phone panicking every five minutes.

Exactly! Since there’s nothing the average everyday user can do about the malware, there’s really no need to alert them.

There’s a lot of stuff in system logs that would worry non-technical users if they knew about it.


They can stop opening sites and emails that give them malware. If the person who sent it to them in the first place was a friend, they can also tell it to their friend. You don't have to be a seasoned software engineer to understand that.


Exactly!


> Addressing security/privacy at this level is a very Apple thing to do.

So the user can sleep well when Pegasus gets all his data. Charming. /s


Here they are: https://www.youtube.com/watch?v=V0feR5grSa4 (32 second spot) / https://www.youtube.com/watch?v=VEVjILqU3pU (apparently the UK version of the same commercial).


There is a difference between virus and malware no?


Colloquially? I don't think so.


When asked about that by the colloquial layman, my answer is generally:

A virus can self-execute, replicate and spread (like biological ones), while malware (laymen also refer to trojans) needs user actions and unawareness to execute.

Am I totally wrong?


Malware also broadly refers to software unwanted by and malicious to the user. So it includes pre-installed auto-executing OEM adware, spyware, and grayware (colloquially also known as bloat).


Interesting, so yeah, while the distinction between virus and trojan can hold, I guess that viruses enter the broad malware definition and thus the OP is right.


I don’t appreciate this being called “complete secrecy”. There’s literally an API to find out when it happens! If it was just logged somewhere I might agree, but this is just not true. Nobody says the system firewall runs in “complete secrecy” either, even though it doesn’t warn you when it blocks connections.

I mean, in a perfect world all of this would be perfectly exposed to users and they would know every single action their computer takes. I don’t actually disagree that putting in some effort to better surface how XProtect works could be valuable. But the current situation is generally fine and the accusations that Apple is trying to hide this stuff from you do not seem well supported.


> I don’t appreciate this being called “complete secrecy”. There’s literally an API to find out when it happens!

You still seem to be missing the point. This is about end users not developers.

This is a UI problem, not an API problem. You want to make a technical point, because you're a technical person, but you're missing the forest for the trees, because this isn't a particularly technical problem. This is a typical Apple problem of paternalism, Apple believing that Apple should take care of everything, and users shouldn't worry their pretty little heads about anything.

> I mean, in a perfect world all of this would be perfectly exposed to users and they would know every single action their computer takes.

We're not talking about "every single action", we're talking about the OS detecting malware on an end user's Mac and then... not bothering to tell them about this fact. Imagine if you went to the doctor for a physical, took some tests, the tests indicated you had an STD, and then... the doctor just gave you some drugs and didn't bother to tell you that you had an STD. That would be malpractice. You'd want to know. You'd need to know. Because one doesn't just "randomly get" either an STD or malware. How you got it (and especially who you got it from) is just as important as that you got it.

> Nobody says the system firewall runs in “complete secrecy” either even though it doesn’t warn you when it blocks connections.

1) You have to manually enable the firewall. It's disabled by default on macOS.

2) Unlike malware, you can just "randomly get" connection attempts from the internet. Attackers are probing everything. I can see that in my web server logs.

I make a simple claim: if macOS takes action to remediate malware then it ought to tell the user. Simple question: Do you agree or disagree with that claim?

All of the discussion about logging and endpoint security is because the author has determined in testing that macOS actually fails to tell the user when it remediates malware.

To follow my earlier analogy, this is like talking about how to do your own STD tests when your doctor neglects to tell you whether you got an STD. But your doctor should really tell you, and then you wouldn't need your own tests. But you seem overly focused on the tests rather than the telling.


> I make a simple claim: if macOS takes action to remediate malware then it ought to tell the user. Simple question: Do you agree or disagree with that claim?

I am fully supportive of keeping users informed of how their systems work, and I always will be. Many parts of Apple, and the software industry in general, don't care for this very much, so this is unfortunately not as universal as I would like it to be. There's a lot of places in their OS that Apple chooses to not prioritize this effort, or does a poor job.

It's important to note that "tell the user" is not actually all that simple, just like being the person who tells you your medical results doesn't just read out your blood test. Throwing up a "we detected 10 threats" notification is not relevant to most users. When a doctor sits down with you they are obligated (I believe legally?) to make sure you understand what the results mean, how confident they are of the conclusions, your risk factors that might have influenced what they found, and what your next steps are. The same applies to malware detection and remediation, except with "medicine" swapped with "computers" for things people don't really understand.

I work in this space on another platform, and the problems we regularly run into include things like:

* We aren't 100% confident that we've detected malware

* Users sometimes actually find malware to have some helpful functionality (e.g. photo filter app that uploads all your photos, not just the ones you hand it)

* Malware authors target mechanisms that we can provide feedback to users

* Saying you didn't find any malware can lead users to think there is no malware

* Users don't really know what to do with "oh we found malware and fixed it for you"

These aren't impossible problems to solve (at least, I hope they aren't…) but they definitely require some thought. I don't quite know how Apple does malware scanning; my understanding was that they do a lot of signature matches, which should help with "we are confident this is malware", but considering some of the behaviors described in the article ("macOS detected malware and didn't do anything?!") I suspect some of these are less reliable. In any case, I get the feeling that Apple has not prioritized notifying the user of this because they don't want to spend the time on it for whatever reason. They don't really want to keep it secret, hence the API for third parties to perhaps solve the problem for them, but they aren't doing it themselves. Perhaps they really should; I think it's fine to be upset about this. The specific complaint I had was that the author seemed to imply that Apple purposefully underdocumented the API and made it hard to use for normal people, when that wasn't the purpose of it at all.


Would you like Mac OS to work like your average Windows antivirus which keeps bombarding you with notifications that FIFTY THREATS HAVE BEEN DETECTED! BE AFRAID! ?


@dang

It looks like HN's URL truncation is mangling the link in the post above. I think it's meant to go to https://is.gd/hneoxB (using a URL shortener to work around the bug), but when the full URL is posted, (https://developer.apple.com/documentation/endpointsecurity/e...), it gets truncated after the first letter of the last path segment.

EDIT: For some reason, when you put the URL in parentheses, it's correctly handled once again.
