A third XProtect was discovered in Ventura, this time observing potentially malicious behaviour such as attempts to access private data for browsers and messaging apps. This XProtect Behaviour Service (XBS) has used a set of Bastion rules embedded in the strings in syspolicyd to record behaviours in a new database, but so far has been an observer and hasn’t blocked such behaviours. Security researchers have already been able to discover its records of novel malicious code, and Chris Long has documented how to access its database, but so far syspolicyd has only watched and recorded.

Recent descriptions of Bastion rules have identified four, last updated in syspolicyd in macOS 13.5 on 24 July 2023. Those changed on 8 August, when Apple released its first update to the Bastion rules, and again a month later on 1 September, when they changed again. There’s now a fifth Bastion rule, and XBS appears to be getting ready to fly for the first time.
If you had told me in 2005 or so, when I was a fervent Mac user, that one day, macOS would come with an extensive set of antivirus and antimalware tools that ran silently in the background, checking everything you do on your computer – I’d have thought you were crazy.
But here we are.
Thom Holwerda,
Apple actively pushed the lie that Macs were impervious to malware and some users bought into it religiously when the RDF was in full force. They don’t want to call attention to it, but it turns out that Apple computers are vulnerable and their users need AV as much as anybody else.
Linux users on the other hand don’t have to worry about viruses… /sarcasm
This, again. Here is one of those ads: https://www.youtube.com/watch?v=V0feR5grSa4
Completely misleading, but technically legal.
Which is the issue here: Apple ships an AV in macOS (so far so good), but can’t tell you when it catches some bit of malware, so as not to disturb the reality marketing lie that Macs don’t get viruses. So, they just silently quarantine and delete the malware without telling the user what happened (which is bad, because getting “malware caught” warnings means whatever you just did was dangerous and you shouldn’t do it again, because no AV can catch all malware). You actually have to use third-party utilities to see the outcome of scans in a nice UI: https://eclecticlight.co/2022/12/29/checking-macos-malware-scans-endpoint-security-or-the-log/
reality marketing lie = reality-distorting marketing lie
> Linux users on the other hand don’t have to worry about viruses… /sarcasm
Well not really, at least until the year of Linux Desktop finally comes