Better Mac Testing? How OS security can make AV testing harder

As Mac malware increases in prevalence, testing security software that supplements OS X internal security gets more important and more difficult.

As Mac malware increases in prevalence, testing security software that supplements OS X internal security gets more important and more difficult.

Anti-malware testing on the Windows platform remains highly controversial, even after almost two decades of regular and frequent testing using millions of malware samples. While Macs have fewer threats there are fewer prior tests on which to base test methodology, so establishing sound mainstream testing is trickier than your might think, not least because so few people have experience of it. But as both Macs and Mac malware increase in prevalence, the importance of testing software that’s intended to supplement the internal security of OS X increases, too. OK. That’s what it says in the abstract for our recent Virus Bulletin paper, but that’s because it happens to be what we think. :)

Of course, we encourage you to read the paper – Mac Hacking: the Way to Better Testing? But this is the first article in a blog series, based on the presentation rather than directly on the paper, giving a more concise summary of our views.

Windows versus OS X: infection rates

We’re not about to give an airing to the usual fanboi ‘Windoze bad, OS X impregnable’’ stuff. But compared to the hundreds of thousands of Windows-targeting samples ESET’s lab sees on a daily basis, the total number of unique OS X samples is tiny. We were going to count them before we presented the paper, but forgot to bring the magnifying glass.

Surely Mac testing, with that tiny potential sample population must be less contentious, with few threat families and generally lower infection rates?That tiny population makes finding a statistically meaningful number of samples less difficult for a tester with a comprehensive, up-to-date collection. Testing with all known Mac malware may be almost as quick – for a static test, at least – as using a smaller percentage of the most prevalent samples or families.

tell me apple

So what features and scenarios make Mac testing so much trickier? Apple’s intensive work on enhancing OS X security with internal detection of known malware has inadvertently driven testers back towards the static testing model from which Windows testing has moved on. How could Mac anti-malware testing be made easier and more similar to real-world scenarios? Can a test be less realistic and ‘real world’ yet more fair and accurate?

Windows testing has moved on from static testing – at least, the better testers have. But there are testing scenarios that are more-or-less unique to Macs and OS X, and offer unique challenges.

In recent years, the handful of threats has not just increased in number, but has in at least one case affected dramatic numbers of users.In fact, the percentage increase in the number of threats over the last year or two has been dramatic but that is in part because the starting figure was so low.

OS X has seen a steady trickle of generic malware with the occasional Flash Flood to keep the stats above water. Flashback to the Future, you might say. In 2012, OSX/Flashback pushed the number of infected machines way, way up to 600,000 – 700,000 or 2.1%, depending on whose blog and marketing literature you read. At any rate, an impressive number considering the Mac’s market share compared to Windows, and that figure is not just an outlier.

From the outset, many profit-motivated threats for OS X have been “multi-platform” or were created by the same gangs that have long been attacking Windows users. The most consistent recent growth area in Mac malware, however, has been targeted attacks, not generic, untargeted malware.

targeted attack 2

OS X almost seems to attract more (proportionally speaking) in the way of APTs, mostly targeting Non-Governmental Organizations (NGOs), presumably for political reasons]. Statistics may also be misleading because in some cases, once samples are shared Apple embeds some form of countermeasure into the OS itself.

Securing the OS

Apple and Microsoft demonstrate comparable performance over time on vulnerability patching, and proactive defensive technologies like application sandboxing. While historically, Apple has been low-key in its discussion of OS X malware, increasing volumes of Mac threat has seen Apple move towards a closer but not particularly public relationship with the anti-malware industry as well as generic, technical countermeasures. However, its inclusion of its own anti-malware components in OS X have introduced unexpected complexities into the product-testing arena, considering the simplicity of the components.


Apple started to include signature detection within the operating system with Xprotect. Unlike Windows Defender, it cannot be directly compared to a full-blown commercial anti-virus/anti-malware product, but it is enough like an AV scanner to raise concerns about whether it can meet Mac users’ expectations.

XProtect.plist is intended to help detect malware purely reactively. The detections are quite specific, don’t cover all known threats and types of threat, and there is no heuristic or generic detection to help detect new malware or variants. However, it effectively stymies dynamic testing on systems where the sample is known and detection has been added to XProtect.plist.

XProtect.meta.plist has recently been used to take a higher-level approach to preventing potential malware attacks, primarily by preventing older browser plugins (namely Java and Flash) from working.

Some people are seeing what may be differences in Mavericks as regards the implementation of XProtect, but the core functionality seems to be the same.


Gatekeeper is OS X’s approximate (and less strenuously enforced) equivalent to the walled garden of iOS and the App Store.

protect 2

It has three basic settings:

  • Install and run only apps from the Mac App Store
  • Also install and run apps that have a Developer ID
  • Install and run apps from anywhere.

Control-clicking allows you to override your chosen default setting, so the decision remains with the user (and Mavericks offers an additional option for bypassing it). Gatekeeper can be helpful when a threat relies solely on social engineering to get you to infect your system but if the malicious app is signed and appears legitimate, or exploits a vulnerability not (yet) patched in order to install silently, it is ineffective. Both Gatekeeper and XProtect will ignore a file copied from fixed media or via applications that aren’t on its select list of applications to monitor, or if it’s one of the file-types OS X considers safe. And neither monitors files on egress.

There is a risk that signature protection built into the OS might do more harm than good: in this case because Apple’s customer-base will tend to overestimate the effectiveness of any measure Apple do take, the same way that they already overestimate the value of the free anti-malware tools already available, irrespective of platform. In fact, not all threats detected by anti-malware ever get added to XProtect: malware that is less ‘dangerous’ or prevalent may never be included, which is unfortunate if you’re one of its few victims (whatever you may understand by ‘few’). Bear in that many recent Mac threats are highly targeted, aimed at activists among particular ethnic groups and NGOs.

In the next article in this series we’ll look at the tester’s dilemma: static testing in a dynamic threatscape.

David Harley & Lysa Myers
ESET North America

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center