Google's Santa project is available on GitHub

Aug 18, 2016 12:45 GMT

Google is working on a malware detection system for macOS, which it has recently open-sourced on GitHub. The project, named Santa, is currently at version 0.9.12 and is developed by Google's Macintosh Operations Team.

As Google describes the project, this is not a full-on antivirus engine, but a simple app that whitelists and blacklists macOS processes.

Santa's GUI is nothing more than a glorified notification window that lets users know when the app has blocked a process from executing. The version Softpedia tested has no other GUI, except the popup you see pictured at the end of the article.

Santa has two modes of operation, otherwise a very simplistic app

At its core, this malware sniffer is nothing more than a userland daemon that scans new processes and blocks apps from executing based on a list of allowed/disallowed processes stored in a local SQLite database.

The project's documentation on GitHub details two operational modes: MONITOR and LOCKDOWN.

MONITOR mode uses a blocklist to tell the OS which apps it is not allowed to run. LOCKDOWN mode uses a whitelist of apps that are allowed to run, meaning any app not on that list is blocked by default.

Users and network admins can add apps to Santa's whitelist or blacklist based on their signing certificates.

"You can therefore trust/block all binaries by a given publisher that were signed with that cert across version updates," Google explains. "A binary can only be whitelisted by its certificate if its signature validates correctly, but a rule for a binary's fingerprint will override a decision for a certificate; i.e. you can whitelist a certificate while blacklisting a binary signed with that certificate, or vice-versa."
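To make the precedence described in that quote concrete, here is an added Python model of Santa-style rule evaluation. It is written for this article and is not Santa's own code: the SQLite schema, the hash values and the sample binaries are assumptions constructed for the example. It covers both modes from the documentation (MONITOR allows anything without a matching rule, LOCKDOWN blocks it), lets a binary-fingerprint rule override a certificate rule in either direction, and honours a certificate rule only when the signature validated.

```python
"""Toy model of Santa-style rule evaluation (added illustration, not Santa's source).

Everything below the page does not state is an assumption: the table layout,
the fingerprint values and the sample binaries are constructed for this example.
"""
import hashlib
import sqlite3
from dataclasses import dataclass

MONITOR = "MONITOR"    # blocklist mode: unlisted binaries run
LOCKDOWN = "LOCKDOWN"  # whitelist mode: unlisted binaries are blocked


@dataclass
class Binary:
    """Minimal stand-in for an executable the daemon is asked to judge."""
    sha256: str            # fingerprint of the file contents
    cert_sha256: str       # fingerprint of the leaf signing certificate ("" if unsigned)
    signature_valid: bool  # whether the code signature verified


def fp(data: bytes) -> str:
    """Constructed fingerprint helper so sample hashes look like real SHA-256 values."""
    return hashlib.sha256(data).hexdigest()


def open_rule_db() -> sqlite3.Connection:
    """In-memory SQLite rule store (assumed schema; Santa's real table layout is not on the page)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE rules (kind TEXT NOT NULL, hash TEXT NOT NULL, "
        "decision TEXT NOT NULL, PRIMARY KEY (kind, hash))"
    )
    return db


def add_rule(db: sqlite3.Connection, kind: str, hash_: str, decision: str) -> None:
    """Store one rule; kind is BINARY or CERTIFICATE, decision WHITELIST or BLACKLIST."""
    assert kind in ("BINARY", "CERTIFICATE")
    assert decision in ("WHITELIST", "BLACKLIST")
    db.execute("INSERT OR REPLACE INTO rules VALUES (?, ?, ?)", (kind, hash_, decision))


def lookup(db: sqlite3.Connection, kind: str, hash_: str):
    row = db.execute(
        "SELECT decision FROM rules WHERE kind = ? AND hash = ?", (kind, hash_)
    ).fetchone()
    return row[0] if row else None


def decide(db: sqlite3.Connection, mode: str, binary: Binary) -> str:
    """Return ALLOW or BLOCK following the precedence the page describes.

    1. A rule on the binary's own fingerprint wins over any certificate rule.
    2. A certificate rule is consulted only if the signature validated.
    3. With no matching rule, MONITOR allows and LOCKDOWN blocks.
    """
    binary_rule = lookup(db, "BINARY", binary.sha256)
    if binary_rule == "WHITELIST":
        return "ALLOW"
    if binary_rule == "BLACKLIST":
        return "BLOCK"
    if binary.signature_valid and binary.cert_sha256:
        cert_rule = lookup(db, "CERTIFICATE", binary.cert_sha256)
        if cert_rule == "WHITELIST":
            return "ALLOW"
        if cert_rule == "BLACKLIST":
            return "BLOCK"
    return "ALLOW" if mode == MONITOR else "BLOCK"


def demo() -> dict:
    """Constructed scenario: one trusted publisher cert, one of its builds blacklisted by hash."""
    db = open_rule_db()
    publisher = fp(b"example publisher certificate")
    samples = {
        "good": Binary(fp(b"good app v1"), publisher, True),
        "revoked": Binary(fp(b"known-bad build"), publisher, True),
        "tampered": Binary(fp(b"patched binary"), publisher, False),  # signature broken
        "unknown": Binary(fp(b"unsigned tool"), "", False),
    }
    add_rule(db, "CERTIFICATE", publisher, "WHITELIST")
    add_rule(db, "BINARY", samples["revoked"].sha256, "BLACKLIST")
    return {
        mode: {name: decide(db, mode, b) for name, b in samples.items()}
        for mode in (MONITOR, LOCKDOWN)
    }


if __name__ == "__main__":
    for mode, results in demo().items():
        print(mode, results)
```

Note that the tampered sample is allowed in MONITOR and blocked in LOCKDOWN: its certificate is whitelisted, but a broken signature means the certificate rule never applies, so the decision falls through to the mode default.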

Santa has built-in defenses to prevent tampering

Like any good security product, Santa keeps logs of the decisions it makes, and it also ships with its own protections so that malware cannot sabotage the product's processes to avoid detection.

The tampering risk is that malware modifies Santa's blocklist so that Santa itself or core macOS processes are blocked. Santa's components also validate each other through Apple's XPC service API and refuse to communicate unless their signing certificates are identical.

There's no fixed date for Santa's release. Everyone can install the product, but bear in mind that this is alpha-stage software.

Image: Santa running on macOS
Image: Google open-sources Santa macOS malware sniffer