mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-12-22 21:01:34 -05:00
add xprotect info
This commit is contained in:
parent
a0ae942229
commit
d583d90627
@ -48,4 +48,12 @@ You will see `flags=0x10000(runtime)` if it's enabled.
|
||||
|
||||
[Gatekeeper](https://support.apple.com/guide/security/gatekeeper-and-runtime-protection-sec5599b66df/web) stops you from running apps that aren't notarized. Notarization is a process by which app developers submit their app to Apple to scan for malware and ensure it meets certain requirements. Among these are that it is signed with a key provided by Apple to the developer and that the Hardened Runtime is enabled. It's also scanned for malware. Gatekeeper also prevents the loading of unwanted plugins with benign apps by opening apps from randomized, read-only locations.
|
||||
|
||||
While the Gatekeeper warning can be easily bypassed by control + clicking on the app and clicking open, it's useful since it presents an unavoidable warning when you try to run an app for the first time that's not downloaded from the App Store.
|
||||
While the Gatekeeper warning can be easily bypassed by control + clicking on the app and clicking open, it's useful since it presents an unavoidable warning when you try to run an app for the first time that's not downloaded from the App Store.
|
||||
|
||||
## XProtect
|
||||
|
||||
XProtect is the built-in antivirus software in macOS. Like all AV, it's a last line of defense after all others have been bypassed.
|
||||
|
||||
XProtect uses of YARA signatures and is updated frequently, independent of OS updates. This is one of the many reasons you should be cautious about blocking connections to Apple servers; many of them serve a security purpose, so make sure you know what you're blocking. It can also detect unknown malware using heuristics. When it detects unkown malware, it will send information about that software to Apple so that they can update the signatures in XProtect.
|
||||
|
||||
Apple also issues revocations for notarization tickets, these are detected with online OCSP checks. Blocking these checks will make you more vulnerable to malicious apps.
|
Loading…
Reference in New Issue
Block a user