Anti-malware on macOS 🙄

Andropov

Site Champ
Posts
620
Reaction score
776
Location
Spain
Opening a discussion here since my employer is going to require having an anti-malware tool installed on all company devices and I'm interested in knowing what others think about this practice in general. I've been reading through the marketing materials of the chosen anti-malware provider and I can't shake the feeling that it's a huge pile of BS, that doesn't add anything worthwhile. It just seems absurd to me that a third party can keep up with macOS malware better than Apple can. If it works as advertised, why wouldn't Apple just do the same thing and ship it as part of macOS?

In fact, it seems like for the most part, macOS' XProtect does exactly this. And no matter how deep I dive into their marketing materials (or technical blog!) I see zero mentions of how it improves on Apple's XProtect. Their product (like all other businesses in this segment) is either not benchmarked against anything, or benchmarked against other third party competitors. Do they have a track record of responding to threats and exploits faster than Apple? No idea. If they do, they don't advertise it. It's all meaningless security-related words.

Idk. I'm definitely not a security expert. But the lack of evidence gives me snake oil salesman vibes. As if all they do is provide a credible way for companies to check a box in a legal document. What do you think?
 

dada_dave

Elite Member
Posts
2,164
Reaction score
2,148
Like you, I’m not an expert on this topic, but my understanding is that it’s been a while since third party anti-malware tools have provided meaningfully better protection than the standard built-in tools from Apple or Google or Microsoft. And further that one is at greater risk of performance penalties for little gain or even worse spamware from downloading them. But I could be wrong.
 

Andropov

And further that one is at greater risk of performance penalties for little gain or even worse spamware from downloading them. But I could be wrong.
Yeah, this worries me too. Sampling every running process must have an impact on performance.

On top of the performance concerns, I wonder if it actually makes the system more exposed to threats. After all, it's a closed-source system extension that is actively retrieving information about all running processes, including those with sensitive information. Endpoint security system extensions get a special entitlement that allows them to retrieve information of system events that regular processes (even those with root access) can't retrieve.

How's that information being handled afterwards? I know that at least some data is sent over the internet. How do users know that no sensitive data is being sent over the network? Even if I were to trust that the data was handled securely on their end, what guarantees do they have that data is being sent securely? It's unlikely that the anti-malware is written by people dumb enough to send that information in plain text over the internet, but what about more subtle security issues?
 

Andropov

Can you surreptitiously disable it, so that you can say yeah, I have it on my computer (but it is not causing any actual problems) ?
Hard to say without knowing what the software is tracking exactly. I could probably have it on the computer but with the system extension disabled. But I don't think that's something I'd want to do, after all they have the right to require installing it. It's just that, as this is not a field I'm an expert on, I wondered if at least there would be some benefits to having this installed.
 

Nycturne

Elite Member
Posts
1,139
Reaction score
1,488
Hard to say without knowing what the software is tracking exactly. I could probably have it on the computer but with the system extension disabled. But I don't think that's something I'd want to do, after all they have the right to require installing it. It's just that, as this is not a field I'm an expert on, I wondered if at least there would be some benefits to having this installed.

Depends. Endpoint clients can do some things to block malicious activity, and we don’t exactly have good data on what XProtect will actually do in these situations. MS Defender in particular has features that effectively cripple the ability to browse to web pages that are actively serving malware, which Apple tends not to do. A big chunk of the reason why someone would install third party in the first place is more about auditing and tracing from the IT side to keep bosses happy, which XProtect absolutely does not do.

In regard to how data is handled, it depends a lot on which solution is in use. MS Defender likes to do things locally if at all possible, primarily reporting state and scanning hits to the IT admins.

As for performance, it depends. While not a perfect analogy, telemetry has a lot of the same issues. We want to instrument our code so that we can catch errors, but at the same time, handling telemetry is overhead. However, if you can “fire and forget” events, the overhead can be very small on systems with multiple cores/processors, especially if you have simple, structured content like Event Tracing for Windows demands. For the endpoint security subsystem in macOS, if the events are more “fire and forget” then overhead will be noticeably lower than if the endpoint client is actively doing work to authorize or block certain actions. And it depends on how much effort is put into making sure authorization of activity is fast.

We have seen performance of our 16GB MBPs from 2019 drop over the last couple years, but it’s hard to say if it was just MS Defender as its feature set expanded, or if it was the lack of RAM in these machines. We were seeing more and more red in Activity Monitor until we finally replaced them, so there were just too many variables in play.

Can you surreptitiously disable it, so that you can say yeah, I have it on my computer (but it is not causing any actual problems) ?

Depends. If it’s integrated into the device management solution, they can disable access to corporate resources based on if it is active or not. At least where I work, if I disable MS Defender, it puts the machine “out of compliance” and blocks access to corporate resources until I re-enable it.

EDIT: Have I said “it depends” enough here yet?
 

Roller

Elite Member
Posts
1,443
Reaction score
2,813
Hard to say without knowing what the software is tracking exactly. I could probably have it on the computer but with the system extension disabled. But I don't think that's something I'd want to do, after all they have the right to require installing it. It's just that, as this is not a field I'm an expert on, I wondered if at least there would be some benefits to having this installed.
In my work, I don't know if the information security group would be able to tell if I disabled their required software or if they would do some type of audit, but I don't think they'd take kindly to me doing it.
 

Andropov

MS Defender in particular has features that effectively cripple the ability to browse to web pages that are actively serving malware, which Apple tends not to do.
I think that's a good thing, it's a slippery slope, depending on which websites are blocked. I've built some legitimate pieces of software (i.e. a backtracer) for which the most useful resources were on websites related to hacking, jailbreaking... Not sure if they'd have been blocked, but it'd have seriously impacted my ability to do the work.

A big chunk of the reason why someone would install third party in the first place is more about auditing and tracing from the IT side to keep bosses happy, which XProtect absolutely does not do.
This is the only thing that sounded like a legitimate reason to have this software installed. Ironically, this wasn't mentioned at all! Even though (if the software ends up being not too intrusive) it's the one thing I could find that was (maybe) worth the hassle. Still not sure how useful this will be in practice. What does one do once a system reports a hit? How many false positives will there be? Idk, I have the feeling that it's going to be mostly noise, unless there's a real breach of company data, in which case I doubt it's going to provide anywhere near enough information. I wish Apple provided this kind of information from XProtect though, maybe that'd be enough to avoid the need to install this software.

In regard to how data is handled, it depends a lot on which solution is in use. MS Defender likes to do things locally if at all possible, primarily reporting state and scanning hits to the IT admins.
This software in particular features "Cloud AI detection" heavily, so I'm not holding my breath for a mostly on-device detection. It states that it works offline as well though, so who knows. I'll set up a proxy to see what data is being sent exactly, out of curiosity.

Depends. If it’s integrated into the device management solution, they can disable access to corporate resources based on if it is active or not. At least where I work, if I disable MS Defender, it puts the machine “out of compliance” and blocks access to corporate resources until I re-enable it.
Is this what Microsoft calls Conditional Access? God I find Microsoft's naming scheme for their products so confusing.

In my work, I don't know if the information security group would be able to tell if I disabled their required software or if they would do some type of audit, but I don't think they'd take kindly to me doing it.
Precisely. I wouldn't risk it either.
 

MEJHarrison

Site Champ
Posts
928
Reaction score
1,830
Location
Beaverton, OR
I don't know much about security stuff, but I do know about personal vs business devices. If I'm using their hardware and they want something installed, that's fine (plus they'll just install it anyway). When it's my hardware, I'm the one in control. Thankfully I've not been put in the situation you're in. But I used to have access to my email and calendar on my phone. Then they said "if you want to do that, you need to install this profile that gives us access to your device". My reply was basically "🖕🖕" and now I don't have access to my work email and calendar on my phone. 🤷‍♂️

If they said I had to do that to my Mac, I'd probably request that they provide me alternative hardware since I'm not interested in handing over that level of control. I like logging in from my Mac to work. But I'd give that option up if they started telling me what I can and can't have installed on MY computer. That's my personal line in the sand. My stuff is my stuff, not theirs. If they don't like my stuff, then they need to be prepared to give me an alternative. I'm under no obligations to modify MY hardware to make them happy. And they have no right to demand that of me.

That's my take.
 

Andropov

I don't know much about security stuff, but I do know about personal vs business devices. If I'm using their hardware and they want something installed, that's fine (plus they'll just install it anyway). When it's my hardware, I'm the one in control. Thankfully I've not been put in the situation you're in. But I used to have access to my email and calendar on my phone. Then they said "if you want to do that, you need to install this profile that gives us access to your device". My reply was basically "🖕🖕" and now I don't have access to my work email and calendar on my phone. 🤷‍♂️

If they said I had to do that to my Mac, I'd probably request that they provide me alternative hardware since I'm not interested in handing over that level of control. I like logging in from my Mac to work. But I'd give that option up if they started telling me what I can and can't have installed on MY computer. That's my personal line in the sand. My stuff is my stuff, not theirs. If they don't like my stuff, then they need to be prepared to give me an alternative. I'm under no obligations to modify MY hardware to make them happy. And they have no right to demand that of me.

That's my take.
Oh I fully agree. In my case, it's their device, so it's not like I'm worried about privacy concerns about my data in particular. I'll be fine, I have another MacBook. It's more like... is this a useful policy and I'm missing something? Or is this a bureaucracy-imposed policy?

Your post reminded me that there are people who bring their own device. I wonder what'll happen to them.
 

Roller

I don't know much about security stuff, but I do know about personal vs business devices. If I'm using their hardware and they want something installed, that's fine (plus they'll just install it anyway). When it's my hardware, I'm the one in control. Thankfully I've not been put in the situation you're in. But I used to have access to my email and calendar on my phone. Then they said "if you want to do that, you need to install this profile that gives us access to your device". My reply was basically "🖕🖕" and now I don't have access to my work email and calendar on my phone. 🤷‍♂️

If they said I had to do that to my Mac, I'd probably request that they provide me alternative hardware since I'm not interested in handing over that level of control. I like logging in from my Mac to work. But I'd give that option up if they started telling me what I can and can't have installed on MY computer. That's my personal line in the sand. My stuff is my stuff, not theirs. If they don't like my stuff, then they need to be prepared to give me an alternative. I'm under no obligations to modify MY hardware to make them happy. And they have no right to demand that of me.

That's my take.
At my workplace, personally-owned devices aren't permitted on the corporate network. Phones are a notable exception, though mobile device management software is mandatory to access email and other resources, regardless of location.

It's muddier for employees who are working remotely using their own equipment. There are guidelines for what to do and what not to do, but people aren't required to install security software or hardware. However, if that were required to use one's personal equipment, I think the employer could tell the employee to comply or work onsite, or they could provide a computer.
 

MEJHarrison

I'm sitting at home, on my Mac. From there I VMware Horizon to get to my work computers. Then from my work computer, I use Remote Desktop to get to my developer machine. But it works really well. Going in on a permanent basis is no longer an option. We're no longer renting the space I used to be in. I'm sure they could find a place elsewhere for me to sit, but the goal is to move out of that building altogether. So if they get concerned about security, I'd request one of the devices they give to others in the company (since outside of IS, not everyone has fancy computers at home to use).

It's more like... is this a useful policy and I'm missing something? Or is this a bureaucracy-imposed policy?

I find myself asking that question almost weekly. I'm fine either way. I just like knowing if I'm doing something useful for our customers or something useful for the company (bureaucratic bs). Just this week we had a major deployment to production. We had everything covered. Then we reached out to the project manager and said "is this message ok to put up to let users know that some features will be down". She kicked that up the chain to the director of my department. He kicked it over to the Marketing department. And then a whole afternoon was wasted in email hell with big wigs from all over the company. It's been a day and a half now with no tickets. So a bunch of people got excited about nothing. And I'm on cloud 9 since this was considerably more complex than our normal web deployments and we nailed it.

They're paying my salary, so if they want me spending my afternoon soothing executives instead of doing my job, that's on them. Seems like a waste of money to me, but happy bosses make for a better day. I'm just a paid monkey and will do whatever dance they ask of me. In a few years, we'll get new management and they'll have me do a completely different dance. But at least I get to do it at home in my pajamas. (y)
 

Nycturne

Oh I fully agree. In my case, it's their device, so it's not like I'm worried about privacy concerns about my data in particular. I'll be fine, I have another MacBook. It's more like... is this a useful policy and I'm missing something? Or is this a bureaucracy-imposed policy?

It's both. Is the Mac a common target? No. But are they part of the resources that need securing in a mixed-compute environment? Yes. Keep in mind XProtect only really helps you with Mac malware trying to run on that Mac.

At the end of the day, the folks higher up in my experience want:
- The ability to protect business data through as many attack vectors as possible.
- The ability to measure compliance.

XProtect provides neither, despite it being just fine for a personal device.

And if you are in a mixed-compute environment, which is very likely these days, then the Mac users won't get a pass on compliance.

One thing to keep in mind is that a lot of these sorts of policies are not aimed at the technically savvy. While engineering has to put up with them, it's not about you. Yes, it does involve some security theater, but at the same time, the damage a single failure presents is generally enough to make companies paranoid.

Your post reminded me that there are people who bring their own device. I wonder what'll happen to them.

It depends. Apple supports two different types of MDM on Mac and iOS, company owned and personally owned. Company owned allows a lot more control, but personally owned still allows for a lot of "well, if you don't comply with policy, we just cut you off from business data", while still giving the owner control of the machine. Up until recently, all our Mac engineering devices were treated as BYOD.

This is the only thing that sounded like a legitimate reason to have this software installed. Ironically, this wasn't mentioned at all! Even though (if the software ends up being not too intrusive) it's the one thing I could find that was (maybe) worth the hassle. Still not sure how useful this will be in practice.

Ensuring compliance is considered an axiom when it comes to IT. Has been for decades. If you've been in the Mac side of things for a while, then it's not too surprising that you haven't hit this yet, but when I started my career it was no different on Windows XP/Vista/7. Switching to an Apple-facing team got me out of that world for a bit, but now that there's more MDM stuff happening on Mac, it feels a lot like those years again.

With the level of security threats out there, and how companies that pour massive budgets into security get pwned anyways, I'm not surprised to be honest.

What does one do once a system reports a hit? How many false positives will there be? Idk, I have the feeling that it's going to be mostly noise, unless there's a real breach of company data, in which case I doubt it's going to provide anywhere near enough information. I wish Apple provided this kind of information from XProtect though, maybe that'd be enough to avoid the need to install this software.

Again, it depends. These policies are supposed to be set by IT, enforced by the software. For malware, it's generally sufficient to quarantine things and move on. If there's a real risk, or a history of non-compliance/risk, IT will reach out.

In my case, there apparently was a recent case of certain platforms hosting malware being risky enough that they got added to the block list for a period of time. Because I don't have ad blockers installed on my corporate machine, I got a good day or so of "We blocked XXXXX" from Defender as push notifications on my Mac. The funny thing is, nothing I actually wanted to see got blocked, and I had to go see what was going on to realize it was ad networks being used for pushing malware again.

Was this malware aimed at Macs? Not likely, but in a mixed environment, I get that block lists and the like will be the superset of threats to the platforms in use.

This software in particular features "Cloud AI detection" heavily, so I'm not holding my breath for a mostly on-device detection. It states that it works offline as well though, so who knows. I'll set up a proxy to see what data is being sent exactly, out of curiosity.

Again, depends. For stuff like this, you can still do things like: quarantine on local possible detection (heuristics which have been common for a while), send up a copy of the file to the cloud, and then decide what to do with the quarantined file based on the server side analysis of the file. So it's not like your machine must wait on a remote server in order to decide what to do with a file.

Is this what Microsoft calls Conditional Access? God I find Microsoft's naming scheme for their products so confusing.

It's one aspect of it. Individual services and apps can provide some rather fine-grained control on top of more broad conditions like this.

Microsoft's penchant for naming things has never been terribly good.
 

Andropov

It's both. Is the Mac a common target? No. But are they part of the resources that need securing in a mixed-compute environment? Yes. Keep in mind XProtect only really helps you with Mac malware trying to run on that Mac.

At the end of the day, the folks higher up in my experience want:
- The ability to protect business data through as many attack vectors as possible.
- The ability to measure compliance.

What does ability to measure compliance mean in this context?

One thing to keep in mind is that a lot of these sorts of policies are not aimed at the technically savvy. While engineering has to put up with them, it's not about you. Yes, it does involve some security theater, but at the same time, the damage a single failure presents is generally enough to make companies paranoid.
That is very true, and a point I had missed. My counterpoint here is that noisy security software can result in less technically savvy people getting used to ignoring warnings and alerts and typing passwords in a thousand different places, which paves the way for phishing. Which IMHO is an orders-of-magnitude easier way in than malware that exploits macOS.

One of my first employers was more paranoid about security (not unreasonably so, as even their analytics data would be valuable information for competitors). We needed to connect through a VPN, and both the VPN password and the password for our Single Sign-On (used for many company services) were rotated every couple of months. I know this is now widely considered a bad security practice (it was already a bad security practice back then...), but it serves as a prime example for my point: even I ended up *very close* to just writing the passwords on a post-it and putting it in my desk. Neither the VPN password dialog nor the SSO login page worked with a password manager, and the friction of having to go to Keychain Access -> Search for the password -> Unlock -> Copy to clipboard -> Paste dozens of times a day was extremely annoying. I'm sure many people either relied on weak passwords or had them stored insecurely.

With the level of security threats out there, and how companies that pour massive budgets into security get pwned anyways, I'm not surprised to be honest.
True, but I'm under the impression that many of the policies that are commonly enforced are not backed by evidence of their effectiveness. Like the example above of rotating passwords frequently. All policies, particularly those that are annoying to deal with, should be evidence based. No evidence, no policy.

Again, depends. For stuff like this, you can still do things like: quarantine on local possible detection (heuristics which have been common for a while), send up a copy of the file to the cloud, and then decide what to do with the quarantined file based on the server side analysis of the file. So it's not like your machine must wait on a remote server in order to decide what to do with a file.
I'm very curious to know how those heuristics work in practice, and whether some of the software I've written triggers it. Will my program that computes the ASLR slide for all dylibs get flagged? That's something very common in all sorts of malware, and uncommon in legitimate apps. My backtracker? It suspends other running threads and inspects the state of their registers. Both things look suspicious, I'm kinda curious to see if the anti-malware tool will flag them.

It's one aspect of it. Individual services and apps can provide some rather fine-grained control on top of more broad conditions like this.

Microsoft's penchant for naming things has never been terribly good.
Ah, I have a funny story about Conditional Access. Microsoft's library for authentication (MSAL) on Apple platforms (which is the recommended way to authenticate a Microsoft account everywhere in their documentation) is not supported on Catalyst because they somehow can't get Conditional Access working. It works on iOS, and it works on macOS, but they have stated that having it work on Catalyst is an unsolvable problem. Can't be done. And even though only a minuscule fraction of all Microsoft accounts have Conditional Access enabled for anything, they explicitly removed support for Catalyst so no one can use their authentication library on Catalyst, regardless of whether they have Conditional Access requirements or not. What a bizarre situation.
 

Nycturne

What does ability to measure compliance mean in this context?

Say I have 1000 employees with 2000 devices (work machine and a smart device of some kind). I want to know how many don’t meet the policy requirements, how long it takes for machines to come back into compliance when they fall out, etc. In some cases, I might even care about who doesn’t meet the requirements (nag e-mails or the like for chronic issues).

This says nothing about the quality of the policies, but rather the ability to tell if they are actually being enforced or not.

That is very true, and a point I had missed. My counterpoint here is that noisy security software can result in less technically savvy people getting used to ignoring warnings and alerts and typing passwords in a thousand different places, which paves the way for phishing. Which IMHO is an orders-of-magnitude easier way in than malware that exploits macOS.

Why do you assume that the end user is the one that needs to see noise? It is my IT department that gets to deal with that particular headache. The only time I’m aware the software is even installed is when stuff is actively being blocked. And that’s been something like 3 days over 3 years.

So I think the impact depends a lot on the quality of the tools being used. I know the Symantecs and McAfees of the world have a well-deserved reputation, but it doesn’t have to be that way. If your stuff is getting noisy, maybe give the word on how there are less disruptive options out there?

In terms of noise I get, it more has to do with patches not getting applied to machines quickly enough, especially ones that have access to production systems. Stuff like Defender is absolutely nothing compared to that noise.

One of my first employers was more paranoid about security (not unreasonably so, as even their analytics data would be valuable information for competitors). We needed to connect through a VPN, and both the VPN password and the password for our Single Sign-On (used for many company services) were rotated every couple of months. I know this is now widely considered a bad security practice (it was already a bad security practice back then...), but it serves as a prime example for my point: even I ended up *very close* to just writing the passwords on a post-it and putting it in my desk. Neither the VPN password dialog nor the SSO login page worked with a password manager, and the friction of having to go to Keychain Access -> Search for the password -> Unlock -> Copy to clipboard -> Paste dozens of times a day was extremely annoying. I'm sure many people either relied on weak passwords or had them stored insecurely.


True, but I'm under the impression that many of the policies that are commonly enforced are not backed by evidence of their effectiveness. Like the example above of rotating passwords frequently. All policies, particularly those that are annoying to deal with, should be evidence based. No evidence, no policy.

This seems like a failure of the employer rather than the tools available, no? I don’t disagree with the issues there, but they seem somewhat out of scope of malware scanners?

That said, our team is actively dealing with a push away from passwords entirely for service credentials, rather than demand more frequent rotations.

I'm very curious to know how those heuristics work in practice, and whether some of the software I've written triggers it. Will my program that computes the ASLR slide for all dylibs get flagged? That's something very common in all sorts of malware, and uncommon in legitimate apps. My backtracker? It suspends other running threads and inspects the state of their registers. Both things look suspicious, I'm kinda curious to see if the anti-malware tool will flag them.

That’s not something I’ve spent time on. But it depends on what the heuristics are actually looking for (theme of the week, I swear).

Ah, I have a funny story about Conditional Access. Microsoft's library for authentication (MSAL) on Apple platforms (which is the recommended way to authenticate a Microsoft account everywhere in their documentation) is not supported on Catalyst because they somehow can't get Conditional Access working. It works on iOS, and it works on macOS, but they have stated that having it work on Catalyst is an unsolvable problem. Can't be done. And even though only a minuscule fraction of all Microsoft accounts have Conditional Access enabled for anything, they explicitly removed support for Catalyst so no one can use their authentication library on Catalyst, regardless of whether they have Conditional Access requirements or not. What a bizarre situation.

Ooof, I just saw your comment on the GitHub issue.

About all I’ll say is that once you are getting into more complex aspects of the platforms, Catalyst does start to fall short. Precisely because it isn’t able to act like a Mac app at lower levels. I don’t have any visibility into why Conditional Access is a deal breaker here.
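The "measure compliance" point above (how many devices are out of policy, how long they take to come back, who is chronically out) and the earlier "out of compliance blocks corporate resources" behaviour, as an added example that is not from the thread or any vendor's product. The check-in record format, the sample fleet and the function names are all constructed assumptions for illustration.

```python
"""Compliance measurement over constructed endpoint check-in records.

Assumed data model (not any MDM vendor's API): each check-in says
whether a device met policy (e.g. endpoint agent running) at that time.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CheckIn:
    device: str
    owner: str
    at: datetime
    compliant: bool


# Constructed sample fleet: three devices, roughly hourly check-ins.
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [
    CheckIn("mac-001", "alice", T0, True),
    CheckIn("mac-001", "alice", T0 + timedelta(hours=1), False),  # agent disabled
    CheckIn("mac-001", "alice", T0 + timedelta(hours=3), True),   # back after 2h
    CheckIn("mac-002", "bob", T0, False),
    CheckIn("mac-002", "bob", T0 + timedelta(hours=1), False),
    CheckIn("mac-002", "bob", T0 + timedelta(hours=2), True),     # back after 2h
    CheckIn("mac-002", "bob", T0 + timedelta(hours=5), False),
    CheckIn("mac-002", "bob", T0 + timedelta(hours=6), True),     # back after 1h
    CheckIn("mac-002", "bob", T0 + timedelta(hours=7), False),    # out again (open)
    CheckIn("phone-003", "carol", T0, True),
    CheckIn("phone-003", "carol", T0 + timedelta(hours=4), True),
]


def latest_state(records):
    """Most recent check-in per device -> compliance flag."""
    latest = {}
    for r in sorted(records, key=lambda r: r.at):
        latest[r.device] = r
    return {dev: r.compliant for dev, r in latest.items()}


def compliance_rate(records):
    """Fraction of known devices whose latest check-in met policy."""
    state = latest_state(records)
    return sum(state.values()) / len(state)


def remediation_times(records):
    """Per device, the duration of each closed non-compliance episode
    (first failing check-in until the next passing one). Episodes that
    are still open are not counted."""
    by_device = defaultdict(list)
    for r in sorted(records, key=lambda r: r.at):
        by_device[r.device].append(r)
    episodes = defaultdict(list)
    for dev, rows in by_device.items():
        fell_out = None
        for r in rows:
            if not r.compliant and fell_out is None:
                fell_out = r.at
            elif r.compliant and fell_out is not None:
                episodes[dev].append(r.at - fell_out)
                fell_out = None
    return dict(episodes)


def mean_time_to_compliance(records):
    """Average time a device spends out of policy before it comes back."""
    durations = [d for ds in remediation_times(records).values() for d in ds]
    if not durations:
        return timedelta(0)
    return sum(durations, timedelta(0)) / len(durations)


def chronic_offenders(records, min_episodes=2):
    """Owners with repeated closed episodes, the 'nag e-mail' candidates."""
    owner_of = {r.device: r.owner for r in records}
    episodes = remediation_times(records)
    return sorted({owner_of[d] for d, ds in episodes.items() if len(ds) >= min_episodes})


def access_decision(records, device):
    """Conditional-access style gate: corporate resources are blocked while
    the device's latest check-in is non-compliant (or the device is unknown)."""
    state = latest_state(records)
    if device not in state:
        return "blocked: unknown device"
    return "allowed" if state[device] else "blocked: out of compliance"


if __name__ == "__main__":
    print(f"compliance rate: {compliance_rate(SAMPLE):.0%}")
    print(f"mean time to compliance: {mean_time_to_compliance(SAMPLE)}")
    print(f"chronic offenders: {chronic_offenders(SAMPLE)}")
    for dev in ("mac-001", "mac-002", "mac-999"):
        print(dev, "->", access_decision(SAMPLE, dev))
```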
 

Andropov

Why do you assume that the end user is the one that needs to see noise? It is my IT department that gets to deal with that particular headache. The only time I’m aware the software is even installed is when stuff is actively being blocked. And that’s been something like 3 days over 3 years.
Oh, that might be a preconception I had. Hence why I opened this thread 😬 This discussion is actually me reevaluating some of the opinions I had on this stuff. And in this case in particular, well, if it’s not noisy to the user, then it’s fine by me (as long as there’s no impactful performance degradation). I thought these kinds of tools were going to add notifications / popups and the like, but tbh the only contact I’ve had with anti-malware is with Windows antivirus targeted at home use. Maybe (hopefully) things are different and we barely notice the tool is there.

This seems like a failure of the employer rather than the tools available, no? I don’t disagree with the issues there, but they seem somewhat out of scope of malware scanners?
Yes, it was more of an example of how security practices can be applied without adequate evaluation or specific goals in mind. My point was that adding this anti-malware, while looking superficially like a security improvement for the company, might do nothing for the actual threats the company is likely to face. And then I was making a comparison to how a previous employer rotating passwords every month did nothing to improve security but also seemed (superficially) like something that would improve security, despite likely achieving the opposite.

Not saying that it’s the case for sure, just that it’s possible for this to be mostly ineffective.

Ooof, I just saw your comment on the GitHub issue.

About all I’ll say is that once you are getting into more complex aspects of the platforms, Catalyst does start to fall short. Precisely because it isn’t able to act like a Mac app at lower levels. I don’t have any visibility into why Conditional Access is a deal breaker here.
For my use case it wasn’t a huge issue. I was just hoping to get rid of a few #ifs that were scattered through the codebase, but we weren’t even going to use any Microsoft sign in on the macOS app.

I get that Catalyst falls short in some places, but since the SDK works on iOS, macOS (Designed for iPad) and macOS, claiming that it can’t work on macOS (Catalyst) is bizarre. And while it wasn’t a big deal for my use case, there were people on that GitHub thread saying that a different Microsoft SDK (some sort of cross platform thing IIRC) *only* worked on Catalyst, so the lack of Catalyst support was a huge issue for them. Plus if I actually needed to roll Microsoft sign in on macOS, I wouldn’t be happy about not being able to do so and having to recreate a custom solution.

Nycturne

Elite Member
Posts
1,139
Reaction score
1,488
Oh, that might be a preconception I had. Hence why I opened this thread 😬 This discussion is actually me reevaluating some of the opinions I had on this stuff. And in this case in particular, well, if it’s not noisy to the user, then it’s fine by me (as long as there’s no impactful performance degradation). I thought these kinds of tools were going to add notifications / popups and the like, but tbh the only contact I’ve had with anti-malware is with Windows antivirus targeted for home use. Maybe (hopefully) things are different and we barely notice the tool is there.

I'll just say, there are noisy malware scanners out there. So it really does depend on what exactly your IT department wants to roll out.

Until MS Defender was available for Mac, there was a short stint where Symantec was required, and I can't say I miss it.

Yes, it was more of an example of how security practices can be applied without adequate evaluation or specific goals in mind. My point was that adding this anti-malware, while looking superficially like a security improvement for the company, might do nothing for the actual threats the company is likely to face. And then I was making a comparison to how a previous employer rotating passwords every month did nothing to improve security but also seemed (superficially) like something that would improve security, despite likely achieving the opposite.

Not saying that it’s the case for sure, just that it’s possible for this to be mostly ineffective.

Yeah, so my general take is that pushing scanners onto Macs for corporate isn't doing much to protect that specific Mac that XProtect can't. However, it does help put management's mind at ease by trying to remove those Macs as entry points for other malware that can make it onto file shares, into code repositories, etc., and being able to see "the green" of a dashboard that shows 100% compliance.

I get that Catalyst falls short in some places, but since the SDK works on iOS, macOS (Designed for iPad) and macOS, claiming that it can’t work on macOS (Catalyst) is bizarre. And while it wasn’t a big deal for my use case, there were people on that GitHub thread saying that a different Microsoft SDK (some sort of cross platform thing IIRC) *only* worked on Catalyst, so the lack of Catalyst support was a huge issue for them. Plus if I actually needed to roll Microsoft sign in on macOS, I wouldn’t be happy about not being able to do so and having to recreate a custom solution.

Well, it's more a case that Catalyst is limited by what iOS can do for the most part. So if I want to interact with some system component, there will be things that macOS can do that Catalyst might not let you do, or doesn't map appropriately on macOS. I'm not super involved with auth on iOS/Mac at the moment, so I don't really have any insight as to what these specific differences are.

The auth portion should generally work fine in Catalyst, but I suspect a security architect is involved with the decision if it's not just "it's low priority". I also wouldn't be surprised if there's feedback aimed at Apple to unblock that has gone unfulfilled. I have a couple of issues that have been open with them for about 4 years now.

The only thing worse than corporate bureaucracy is two corporate bureaucracies.

Andropov

Site Champ
Posts
620
Reaction score
776
Location
Spain
Yeah, so my general take is that pushing scanners onto Macs for corporate isn't doing much to protect that specific Mac that XProtect can't. However, it does help put management's mind at ease by trying to remove those Macs as entry points for other malware that can make it onto file shares, into code repositories, etc., and being able to see "the green" of a dashboard that shows 100% compliance.
Are you thinking of any specific way a Mac could act as an entry point for malware if it can't be infected itself? I can only think of trivial things like not detecting malware for other platforms in mail attachments and things like that.

Well, it's more a case that Catalyst is limited by what iOS can do for the most part. So if I want to interact with some system component, there will be things that macOS can do that Catalyst might not let you do, or doesn't map appropriately on macOS. I'm not super involved with auth on iOS/Mac at the moment, so I don't really have any insight as to what these specific differences are.

The auth portion should generally work fine in Catalyst, but I suspect a security architect is involved with the decision if it's not just "it's low priority". I also wouldn't be surprised if there's feedback aimed at Apple to unblock that has gone unfulfilled. I have a couple of issues that have been open with them for about 4 years now.

The only thing worse than corporate bureaucracy is two corporate bureaucracies.
Yes, from what I gathered from that GitHub thread, the issue was that the iOS Keychain API is less featured than the macOS Keychain API. So it's possible that they're waiting on Apple to extend the iOS Keychain API to cover features only present on macOS. But if the "macOS style" Keychain API is required, this doesn't explain how the SDK works on iOS.

I suspect that what many people will do is something that was already mentioned in the thread: people will end up not using their SDK, opting to roll their own code for authentication, which will no doubt be less secure and less informed about edge cases than Microsoft's SDK. So they kind of shot themselves in the foot here. And from experience, there's a ton of edge cases when dealing with Microsoft accounts / authentication (that isn't documented anywhere), so the end result will be poorer integration with Microsoft products.

Nycturne

Elite Member
Posts
1,139
Reaction score
1,488
But if the "macOS style" Keychain API is required, this doesn't explain how the SDK works on iOS.

The security model is different, so the sort of attack surface you have to be aware of is larger on macOS than iOS. Particularly because macOS has a single login keychain rather than the more sandboxed keychains of iOS.

Again, I’m not close enough to this to know for sure what the exact issues are.

Are you thinking of any specific way a Mac could act as an entry point for malware if it can't be infected itself? I can only think of trivial things like not detecting malware for other platforms in mail attachments and things like that.

Nothing specific that I haven’t already touched on, other than the device is an endpoint where *a* person acts as the boundary between the outside world and corporate data. The corporate network is the system to be protected in this context. Your specific machine is just a piece of the puzzle, and forms part of the surface that can be used to attack, and may contain some useful tidbits to either exfiltrate or use to attack deeper into the corporate system.

I think the thing I’d want to impress is that in my neck of the woods, we have thousands of folks with access to corporate data. It takes just one mistake by one person to potentially undo the whole thing.

Sometimes it’s not even about protecting a specific chink in the armor, but making sure other layers deeper in aren’t vulnerable.

Considering some of the *interesting* ways Microsoft got attacked lately, it’s increasingly to the point where if you want a good detailed explanation of how these things tie in, talk to a security researcher. Attacks are getting increasingly sophisticated.

people will end up not using their SDK, opting to roll their own code for authentication, which will no doubt be less secure and less informed about edge cases than Microsoft's SDK. So they kind of shot themselves in the foot here.

For sure. I’d rather have an SDK with features disabled than no SDK.

And from experience, there's a ton of edge cases when dealing with Microsoft accounts / authentication (that isn't documented anywhere), so the end result will be poorer integration with Microsoft products.

For sure. My current project is a consumer of the MSAL library, and so we’ve been in the weeds a bit on this. We just don’t support Catalyst, just iOS and Android.

Andropov

Site Champ
Posts
620
Reaction score
776
Location
Spain
The security model is different, so the sort of attack surface you have to be aware of is larger on macOS than iOS. Particularly because macOS has a single login keychain rather than the more sandboxed keychains of iOS.

Again, I’m not close enough to this to know for sure what the exact issues are.
Yes, but since Apple allows running iOS apps on the Mac unmodified, that can of worms is already open. Apps that run using the "Designed for iPad" destination will run on the Mac, with MSAL, using the iOS-style keychain.

Considering some of the *interesting* ways Microsoft got attacked lately, it’s increasingly to the point where if you want a good detailed explanation of how these things tie in, talk to a security researcher. Attacks are getting increasingly sophisticated.
Not a super in-depth book, but since I had a few long commutes this weekend, I started reading Patrick Wardle's The Art of Mac Malware: The Guide to Analyzing Malicious Software (I had bought it already a few months back). It was an interesting read; sometimes I'm still amazed by all the stuff macOS and iOS have available because of the BSD roots that are almost never talked about in iOS/macOS development. Too bad other more in-depth books referenced (like Jonathan Levin's macOS and iOS Internals) are unavailable for purchase outside the US 🫠

For sure. My current project is a consumer of the MSAL library, and so we’ve been in the weeds a bit on this. We just don’t support Catalyst, just iOS and Android.
Ah, same boat then. My sympathies. :)