macOS Sonoma could be locked down with XProtect behavioral security

Malware illustration

Apple's XProtect is a set of rules that are used to check apps and code on a Mac for malware. Initial iterations of XProtect checked apps during Gatekeeper checks, with later updates adding a daily check and expanding the types of malware that it could detect.

A third version of the concept appeared in macOS Ventura, but acted in an observer capacity rather than actively dealing with malware issues. Now, it appears that Apple is gearing up this new version to move from observing to reacting.

According to The Eclectic Light Company's Howard Oakley, the third XProtect was spotted in macOS Ventura and referred to as the XProtect Behavior Service (XBS). The service checked for malicious behavior by apps, including attempting to access private data used by browsers and messaging apps.

So far, XBS has observed but steered clear of blocking apps for bad behavior, though it has been compiling a database of suspicious activity based on a set of Bastion rules. Those rules initially identified four behaviors, with updates on August 8 and September 1 altering them, as well as adding a fifth rule.

These Bastion rules are used to build filters, which controls access to elements such as private data in Chrome, Firefox, and Safari browsers, or communications apps like Messages, Microsoft Teams, and Slack. There are also limits to writing to a privileged helper tools directory and controlling access to socket ioctl commands.

Oakley reckons that the updates are an important milestone in the development of XBS for Mac security, but until it stops just observing, "its role is severely limited."

Apple's timing for the updates is seemingly consistent with a release of a "fully functional intervention" version of XBS for macOS Sonoma, possibly in early 2024 in macOS 14.3, "or possibly sooner," reckons Oakley.

While the possible introduction in macOS Sonoma is a good sign, those sticking to using macOS Ventura may not benefit from the change at all. As the Bastion updates are only useful for macOS versions with a syspolicyd version that supports behavioral protection, that rules out macOS editions preceding macOS Ventura, and possibly macOS Ventura itself.