Other issues in this category (32)
Big Sur, kexts, and all the rest
Thursday, December 24, 2020
Today we will continue discussing the topic of how an anti-virus works in macOS operating systems.
To do its job, an anti-virus needs to be kept informed about changes in the controlled system, in particular about file downloading and program launch. To be precise: this means the download of any file and the launch of any program, no exceptions. No other program in the system should be able to somehow intercept this information before the anti-virus receives it and filters it — for example, by removing malware activity data.
Before the macOS Big Sur operating system appeared, this task was carried out in the same manner as in Windows — by downloading drivers that, in the macOS, are called "system extensions" (formerly "kernel extensions" or "kexts") — an extension of the system kernel. This means that the operating system saw the anti-virus as an extension of its capabilities.
However, if driver loading is enabled, they can be loaded by programs, even "unfriendly" ones. After all, once they have downloaded the drivers and have access to the operating system’s kernel, such programs can do whatever they want in your PC, everything from intercepting confidential information to removing that information completely.
After the release of macOS High Sierra 10.13 in 2017, the operating system began to automatically block third-party drivers — the user was shown the notification "The system extension was blocked", and thus they needed to allow the drivers to operate manually
Until the drivers were allowed to work, the anti-virus component did not work. To allow the download of system extensions , the user had to go to the Apple menu (), select System settings and open the section Protection and security. And, if necessary, the user had to disable the protection (by clicking on the icon and entering the user name and password). And they had to click on the Allow button next to the message from Doctor Web about the system software being blocked.
In March, 2020 — after the release of macOS Catalina 10.15.4 — the operating system started warning users that the applications that use system extensions are "incompatible with the future macOS version". This OS is macOS Big Sur.
It limited the use of drivers (completely in the version for ARM64, partly for Intel CPUs), requiring all developers to use a special programming interface (API) that is designed to provide the same functionality as the drivers.
Thus, an anti-virus switched from being a system application to being a custom application that has access to certain system kernel functionality.
Because of these innovations, Doctor Web's specialists had to completely rewrite the SpIDer Gate and SpIDer Guard modules by revamping the entire traffic interception scheme.
The Anti-virus Times recommends
Currently, whether an API can be used is determined by Apple. It is assumed that no applications, other than those that have been authorised, will be able to use it. Will this solve the security problem? Time will tell whether attackers will be able to access the API, but we can say right now that at least one loophole remains. These are vulnerabilities that can be in any software, and that can be exploited by cybercriminals. In this regard, we urge users to not forget to update their software — at least when it comes to installing security updates.