A decade or more ago, it would have been unthinkable: Microsoft developing an anti-malware platform for macOS.
But that’s exactly what Microsoft announced on Thursday. The company launched a limited preview of Microsoft Defender Advanced Threat Protection (ATP) for macOS, a move it says will help protect customers running non-Windows machines.
With that move comes a name change as well to de-emphasize Windows. The software will now be known as Microsoft Defender ATP. It’s compatible with the last three releases of macOS: Mojave, High Sierra and Sierra. According to a blog post, Microsoft plans to expand Defender ATP to other platforms, too.
One of the main advantages is that administrators will see security alerts for their Mac machines within Defender’s portal, which can show alert process trees and contextual information about a threat.
“We’ve been working closely with industry partners to enable Windows Defender Advanced Threat Protection (ATP) customers to protect their non-Windows devices while keeping a centralized ‘single pane of glass’ experience,” the company writes in a blog post.
Microsoft’s Expanded Security Tools
The software includes what Microsoft calls “next-generation antimalware protection,” a broad term used by many security vendors that typically refers to machine learning techniques that can flag files as likely to be malicious without comparing them against known samples.
The move to macOS comes as Microsoft has increasingly been building out its tools to both prevent breaches and make it easier for post-breach investigations.
In February, Microsoft extended the endpoint detection and response (EDR) capabilities in Defender from Windows 10 only to Windows 7 and 8.1 as well. Although Microsoft would like all of its customers on Windows 10, it says it wanted customers to “achieve the best security possible while transitioning.” Mainstream support for Windows 7 is scheduled to end next January.
EDR is kind of like a flight recorder for endpoints. If a breach occurs, it allows security pros to go back and see step by step how an infection occurred, which can help for both remediation and defense (see The Lowdown on EDR Security Software: Do You Need It?).
From a detection standpoint, Defender is a great antivirus product, says Jake Williams, a former operator with the National Security Agency’s Tailored Access Operations unit and founder of Rendition Infosec, a security consultancy in Atlanta.
But “my only issue with it is that it lacks some enterprise management features (particularly reporting). ATP is starting to fix that though, so in a few years it could be a major player,” Williams says.
Apple: Not Immune to Malware
In the early 2000s, Apple used security as a marketing advantage, particularly when Windows was suffering tough times in the days of worms, drive-by exploits and aggressive adware. But the gap has largely closed: Microsoft’s Trustworthy Computing initiative and dramatic improvements in later versions of Windows made the OS much harder to exploit.
And while malware writers still tend to focus on Windows, there have been examples of ransomware for macOS and many pestering adware programs, although those usually rely on tricking users into installing them rather than on software exploits.
Still, there’s much more malware for Mac than people realize, writes Thomas Reed, director of Mac and Mobile at the security vendor Malwarebytes.
“Since I have access to the threat telemetry we’re collecting from Malwarebytes for Mac detections, I can say lots,” Reed wrote on Twitter on March 18, 2019. “I can only speak about numbers of files detected, because the telemetry’s anonymized very heavily, but there are a lot… like, tens of thousands per month.”
AV on Mac: A Good Idea
macOS ships with a couple of built-in security tools: Gatekeeper and XProtect. XProtect is its antivirus engine, which relies on signature updates to detect malware.
Gatekeeper checks whether an application carries a digital signature indicating that it comes from Apple’s App Store or that it was signed with an approved developer certificate. If it doesn’t have one, Gatekeeper can block installation, although users can override its ruling.
A variety of security vendors, including Symantec, AVG, BitDefender, Kaspersky Lab, Malwarebytes and Trend Micro, offer security suites for Mac.
It’s probably a good idea to use a third-party security tool, says Patrick Wardle, a Mac security expert and founder of Digita Security, which develops advanced security tools for Mac. Wardle, a former NSA hacker, has also developed and released a variety of free security tools for Mac on his Objective-See website.
“I’m a firm believer that macOS users should install additional (3rd-party) security tools,” Wardle says. “Various built-in security mechanisms of macOS are somewhat trivial to bypass. Apple’s rather deceptive marketing has made Mac users overconfident in the security of their devices. This means malware can (and does) often find a way onto macOS systems. 3rd-party security and AV products can help.”
Wardle says Microsoft has done a “lovely job with Defender on Windows,” but it remains to be seen how that will translate to different malware techniques, families and payloads crafted for macOS.