Apple is updating XProtect and MRT. Is it enough? ￼
What are XProtect and MRT?
First, a quick intro to macOS security features. Macs come with a few built-in protections against malware:
Gatekeeper makes sure that an app a user is attempting to run a.) comes from a registered Apple developer ID b.) hasn’t been altered and c.) is free of known malware.
XProtect is Apple’s native malware detection tool for macOS. It works by looking for matches between “signatures” of known malware and the files on your Mac.
MRT, which stands for Malware Removal Tool, is — yes, you guessed it — how a Mac removes malware from an infected system.
Are internal Mac security tools enough?
The short answer to this question is “no” — despite what you may hear from snarky Apple fans on Twitter or Reddit.
For one thing, any computing platform, macOS included, is going to have occasional bugs. Sometimes these bugs will impact system security features, leading to exploitable vulnerabilities. For example, a Mac 0-day discovered last year let bad actors create malware that completely bypassed Gatekeeper. A flaw in the App Notarization process resulted in “Apple-approved malware”.
In addition to outright vulnerabilities, there are other limitations to a Mac’s native security features. We discuss these more fully in Is XProtect Enough to Keep You Safe, but the TL;DR version is that Apple only ever intended XProtect to be very basic protection for a Mac. As such, it offers reasonable protection…against well-known threats. But it isn’t updated as frequently as third-party Mac security tools that are backed by dedicated malware research teams proactively hunting for novel threats.
What’s changing in XProtect and MRT?
Mac developer and researcher Howard Oakley has written about what seem to be forthcoming changes to XProtect and MRT. His blog post on MRT is worth reading in full, but we’ll summarize the highlights here:
Oakley notes that in March, Apple added “what appeared to be a new app with a familiar name, XProtect.app.” This was not, he says, an actual app, but rather “a structured suite of executable tools kept in an app bundle”. Apple has been updating XProtect.app and adding new modules to it.
He says that MRT’s malware removal functionality is being rolled into a new tool called XProtect Remediator. This all-in-one Mac security suite seems to signal that Apple is taking malware on macOS more seriously. This conclusion is further supported by the other tools in the XProtect.app bundle, many of which appear to target newer and more sophisticated Mac malware variants.
In short, says Oakely, it looks like “macOS is about to change its anti-malware tools for the better”.
Will it be enough?
It’s certainly a good sign that Apple is taking malware on macOS more seriously.
To begin with, Apple executives are talking about the issue openly now. Senior VP of Software Engineering Craig Federighi admitted last year that there is “a level of malware on the Mac” that the company’s leaders “don’t find acceptable”. Meanwhile, XProtect and MRT are clearly under development, and will almost certainly improve.
But do the coming changes mean that Mac users can finally let their guard down, and run their Macs without any additional protection? That’s far less certain.
Israel Torres, SecureMac’s Principal Malware Research Engineer, points out that “Apple’s anti-malware suite is slowly evolving — but at a glacial pace compared to the threat landscape.”
The problem, Torres says, is that attackers are sure to pounce as Macs grow more prevalent in the enterprise and in government ecosystems:
If we look at the issue historically, through what Microsoft experienced, we can make some safe assumptions about what Apple will encounter in the future. We’ll see malware authors really stepping up their own game to turn a profit and exploit macOS. That will mean more and better Mac malware, including ransomware. The storm is coming.
For everyday Mac users, such a future may seem a frightening prospect. But the silver lining, notes Torres, is that third-party anti-malware companies have been preparing for this future for years now — and have the resources and focus to help keep users safe:
As macOS security and malware researchers, we keep our ears close to the ground (and “the underground”) to see what’s coming down the line — often in time to build updates, tooling, and support systems to respond to the challenges of tomorrow when we hear them trickling in today. But even beyond that, there’s a practical advantage that third-party security teams enjoy. Apple has to worry about an entire ecosystem full of Watches, iPads, iCars and everything else. Whereas we’re 100% focused on securing your Mac. It’s that simple.