More of this could be great for corporate machines. Currently they are often bogged down with poorly behaving third party security software, some of which causes real problems for users, which could be lessened if some of that software could be replaced with better behaving OS capabilities.
Windows Defender (or whatever it’s called) looked like it might help similarly on Windows, but I haven’t seen it being used that way. It looks to me like the third parties keep looking for new features they can advertise, knowing that corporate InfoSec will mandate support for them quickly, and that an OS-provided solution isn’t sold in the same way, so will be deemed unsuitable.
If you read the darwin-kernel mailing list archives from 10-15 years ago, some of the most ignorant questions were from AV vendors. (like: "why does my system deadlock when I stop the entire kernel waiting for a userspace helper ..") They seemed so horrifically incompetent that I resolved to never run any 3rd party AV software on any machine I control.
Scenario 1: corp buys into Apple's protection, gets rid of (most) third party software
Scenario 2: corp keeps third party software, which bangs its head against Apple's protection which prevents such god processes from accessing information, thus corp disables Apple's protection and keeps using third party software.
Scenario 3: Apple treats third-party software that "bangs its head against Apple's protection" as malware, force-disabling it; mandates all third-party software to be rewritten to just use control APIs for Apple's internal protection mechanism.
IMO this is pulling the OS closer towards a more trusted platform model that mobile devices have been afforded through years of incremental refinement of corporate MDM solutions.
>Windows Defender (or whatever it’s called) looked like it might help similarly on Windows, but I haven’t seen it being used that way.
It is more and more, but you need the expensive Microsoft 365 license to use the web portal for it for, key word, MANAGEMENT.
You want to be able to scan computers, lock them out of all network access besides the AV management, block usb/peripherals etc etc when an attack happens.
For those interested in more details on XProtect’s status on their systems, Howard Oakley (the author of this blog) also provides free utilities: https://eclecticlight.co/downloads/
I wonder why Apple finds the need to run all of this security software in the shadows with zero documentation, near zero user access to logging, and zero user access to what the system is doing. Is it just some leftover pride because a handsome actor in blue jeans said macs don’t have viruses on TV 15 years ago?
Because a serious enough malware running rampant on their platform would cause actual monetary loss for them, potentially losing their image as a safe OS?
Zero user control over technical functionality is totally Apple's MO these days. They were a lot better at this in the early OSX days, they only used to hide technical details but the user could still control them if they knew what they were doing.
But since iOS they've been slowly pushing this model to Mac. It pushed me away from the Mac platform, I only use it for work now.
“RansomWhere? is a utility with a simple goal; generically thwart OS X ransomware. It does so by identifying a commonality of essentially all ransomware; the creation of encrypted files.”
Given AV firms change hands and veer into dark patterns, forum posts like this one shouldn't recommend anything in particular as the ownership and policies can change overnight.
I do wonder whether they'll let other apps hook into the "don't access private data for X" safeguards. In this hypothetical, how many developers would choose this – over simply putting their private data behind a password?
Anyone feel more optimistic?
Good call. There have been too many awful products in that space.
(Compare/contrast: Hypervisor.framework)
E.g. https://www.bloomberg.com/news/features/2023-05-11/the-plot-...
We used to write image processing pipelines.
This is code that really needs to run fast.
We spent a huge amount of time tuning, analyzing, and re-tuning the software.
Our IT group was completely focused on office workers, and would force us to install their spyware on our test machines.
It was not a good fit.
You DON'T want to just let it run headless.
XProCheck, which allows for easier viewing of XProtect log details: https://eclecticlight.co/consolation-t2m2-and-log-utilities/
As well as SilentKnight + LockRattler for checking the status of XProtect updates and other security configuration: https://eclecticlight.co/lockrattler-systhist/
https://objective-see.org/products/ransomwhere.html
For a deep dive into this line of thinking, his post:
Towards Generic Ransomware Detection (04/20/2016) — https://objective-see.org/blog/blog_0x0F.html
Malwarebytes purchased an activity detecting product and claimed to offer this type of protection, though that marketing has become more generic now:
https://www.malwarebytes.com/cybersecurity/business/what-is-...