Security tools are a necessary evil in the face of a growing Mac malware threat. Fortunately you can protect yourself and restore peace of mind with the right tools, like Objecive-See‘s bounty of freebies.
The project is the brainchild of Patrick Wardle, a security researcher who created a range of tools to secure his own computer. He’s since released them all for free, and maintains a repository of known Mac malware for research and educational purposes.
Let’s take a look at the lineup and how you can use these tools to better protect your Mac.
1. Do Not Disturb
What It Does: Get alerts about physical access attacks on your MacBook.
If you travel with your MacBook or your workplace favors a “bring your own device” approach, physical access attacks might be your laptop’s biggest threat. Many of us leave our laptops unattended to grab a coffee without thinking about the very real threat posed by malicious USB devices and other users.
Do Not Disturb installs a persistent launch process which logs all known “lid open” events, with the option of sending alerts or executing custom actions. It works best when paired with the companion iOS app, allowing you to take evasive action like snapping a shot of the culprit using your webcam, or shutting down your Mac remotely.
Once you’ve installed the app you can view a log of physical access events, no iOS counterpart app required. There are also preferences for running the app “invisibly” using passive logging (no visible alerts) and by hiding the menu bar icon.
Download: Do Not Disturb
What It Does: Scan your Mac for signs of persistent malware.
More than a basic malware scanner, KnockKnock looks for signs of persistent malware—malicious code that installs itself repeatedly. This usually happens when your computer restarts. KnockKnock integrates with online detection tool VirusTotal, so known malware receives a red highlight on detection.
While VirusTotal integration is nice, the app also reports other persistently installed applications. Most of your results will be benign, but it gives you the opportunity to look down the list and see if you spot anything unusual. The app detects many different types of persistent installers, including plugins, browser extensions, launch and login items, and kernel extensions.
What It Does: Like a security-focused version of Apple’s Activity Monitor task manager.
TaskExplorer is very similar to the Activity Monitor app supplied with your Mac, except with VirusTotal integration. That means the app flags any known malicious currently running processes. You can send anything you don’t recognize to VirusTotal’s servers for analysis.
The app can quickly view the signing status of any running processes, view loaded dynamic libraries, network connection details, and files currently in use by a given task. It’s similar to KnockKnock, but the emphasis here is on processes that have already launched, rather than the code responsible for their execution.
What It Does: Looks for and attempts to block malware installers.
While KnockKnock looks for the installers responsible for malware, BlockBlock attempts to deny the installation altogether. It does this by running constantly in the background, monitoring common persistence locations, and displaying an alert when it detects something suspicious.
As you might expect, BlockBlock integrates with VirusTotal. It flags known malware, but many of BlockBlock’s detections are legitimate apps performing routine operations. BlockBlock gives you the option of blocking any detected installations. The app also reports if the installer is signed by Apple, by a third party, or completely unsigned.
What It Does: Monitors for newly created encrypted files in a bid to prevent ransomware attacks.
Ransomware is a specific type of malware that locks you out of your data, usually demanding some sort of payment for the safe return of your files. A hallmark of this particular malware design is the creation of encrypted files by suspicious processes.
RansomWhere? monitors your system for known signs of ransomware, blocking the process and prompting you to either allow or terminate a possible threat. The app flags untrusted processes that rapidly create encrypted files, while explicitly trusting Apple-signed software and software installed prior to downloading the app.
Like other Objective-See apps, RansomWhere? doesn’t specifically look for malware but actions indicative of malware. It’s possible the app will flag legitimate processes, though the developer has tried to keep the number of false positives to a minimum.
What It Does: Alerts you when your microphone or camera activates.
One of the simplest Objective-See apps, OverSight alerts you when your Mac’s microphone or webcam turn on. There are known examples of Mac malware that attempt to record or even stream users, which is why so many users cover their webcams as a precautionary measure.
OverSight monitors and reports webcam or microphone events. The alert includes the name of the process and the process identifier, along with a prompt to Allow or Block the request. You can also whitelist safe applications so that you don’t have to approve them all the time.
Most interestingly, the app attempts to detect secondary processes that try to piggyback on legitimate webcam or microphone requests. It’s not infallible, but it’s better than nothing.
What It Does: Lists currently loaded kernel extensions.
Kernel extensions (known as “kexts”) are given highest privileges in macOS, so it’s important that you don’t have any untrustworthy modules running. KextViewr displays all currently loaded kexts along with their signing status, path to installed files, and perhaps most importantly, results from any hashes cross-referenced with VirusTotal.
You can filter these processes using the following hashtags: #apple, #nonapple, #signed, #unsigned, and #flagged. There’s not much more to it than that!
8. What’s Your Sign
What It Does: Check an app’s signing status to determine its trustworthiness.
Not all unsigned apps are dangerous. Many open source projects and freebies are unsigned, since the developers lack the funding to get a developer license. With that in mind, a signed app is more trustworthy (from a security standpoint) than an unsigned one.
What’s Your Sign adds a new right-click context option called Signing Info. Click it and you’ll find out if the app is Apple-signed, third party-signed, or not signed at all. That’s all there is to it.
Download: What’s Your Sign
More Useful Objective-See Tools for Mac Users
In addition to the tools here, Objective-See has a few other tools certain users may be interested in:
- Lockdown: Written for El Capitan to provide a way to quickly limit a Mac’s exposed “surface area” by locking down known-exploitable services. Currently does not work with High Sierra.
- Ostiarius: Another app for El Capitan meant to close a security hole that allowed malware to bypass Gatekeeper. As of macOS Sierra or later, Apple has fixed this issue and Ostiarius is no longer required (it may be useful if you can’t upgrade your Mac past El Capitan, though).
- dylib Hijack Scanner: Objective-See’s first tool, last updated for El Capitan. Similar functionality is part of TaskExplorer above.
Security tools can help you prevent and detect malware infection, but a dash of common sense can do wonders for avoiding infection too. Always be suspicious of processes asking for your admin password, unsigned apps that require Gatekeeper circumvention, and leave system integrity protection enabled at all times.