Prepare your Mac for service or repair
Over the last few years the way that Apple and its official authorised service providers handle your Mac has changed. When you take or send in your Mac for repair or service, they no longer start it up in the way that you would, so they don’t need to log into it the way that you do. This is why there are hidden FieldService folders or volumes in /System/Volumes, as they will be used during its service. In the past, technicians often needed access to your user account, and you may have been asked to provide your password; now it’s the exact opposite.
Back up
The first and most essential step in preparing your Mac to go away, even for a brief battery replacement, is to ensure that you’ve got at least one full and complete backup on storage that will remain with you. If you use Time Machine, its backups should do fine, but you should check that they don’t exclude folders or volumes that you can’t readily restore. Open Time Machine settings and click on the Options… button to ensure that no significant data are excluded from your Mac’s final backup.
Some repairs will inevitably lead to all your documents and files being wiped. Any that requires the main logic board to be replaced is almost certain to do that, but so can other procedures that you wouldn’t expect to be as radical in effect. Technicians generally work on the assumption that you have already taken care of your own files, so if they do need to erase or replace internal storage, don’t be caught out and lose all your data.
Enable FileVault
Once you’ve backed your Mac up, if FileVault isn’t enabled, turn it on, if your Mac will cope with that. Intel Macs with a T2 chip and Apple silicon Macs don’t encrypt the contents of their internal storage when you do that, as the Data volume is always fully encrypted. All they do is use your password to protect the encryption key that’s already being used to encrypt your data. That’s more than sufficient to prevent anyone who doesn’t know your password from gaining access to anything on your Mac’s Data volume. Although it’s most unlikely that any technician might try to abuse that, FileVault ensures they can’t.
For Intel Macs without a T2 chip, enabling FileVault does require the entire contents of the Data volume to be encrypted, which can take many hours or even days. If you have sufficient advance notice, it’s still worth considering.
If your Mac has a T2 or Apple silicon chip and is going to have its internal storage, or its main logic board, replaced, then you can safely assume that you’ll be restoring it from your backup when that Mac has been repaired. For an extra touch of security, immediately before parting with it you can use the Erase All Content and Settings (EACAS) feature in System Settings > General > Transfer or Reset. That will destroy the encryption keys to its Data volume and ensure that no one will ever be able to access its contents.
Firmware password, Find My Mac
There are a couple of things that you need to do to help the technician:
- If it’s an Intel Mac and you have enabled the Firmware Password feature in Recovery Mode, disable that, or no one will be able to do anything with your Mac.
- If it has a T2 or Apple silicon chip, disable Activation Lock by turning off Find My Mac. This control is buried away in Apple Account in System Settings: click on iCloud, then in the Saved to iCloud section near the top, click on the See All button. The Find My Mac control is about seventh from the top in that list. If you can’t find it, you should be able to remove that Mac from iCloud online in iCloud.com, but that’s more draconian in effect.
Final preparations
If you’re sending your Mac in, you’ll probably receive detailed instructions as to how to prepare and package it. If you’re taking it in, then technicians normally appreciate it if you bring its power cable. Once it’s ready and shut down, give it a quick clean. That’s important if it’s being repaired under AppleCare+, when signs of neglect or abuse might count against you. Macs that have been used in smoky areas usually accumulate tar deposits that should be carefully removed from around their ports. In more serious cases a deep clean may be needed: a technician told me of an iMac that had been the perch for its owner’s parrot, and had become heavily soiled by the bird’s droppings.
When you’re taking your Mac in, remember to take evidence of its purchase in case that’s needed, and a written record of your user name and password, in case you’re asked to start it up. There’s nothing worse than struggling to remember them when under pressure.
These apply to Macs to be serviced or repaired by Apple technicians, or those of Apple Authorised Service Providers. If your Mac is being maintained by an independent repair shop, then their requirements may differ, so ask them what they need you to do.
Summary
- Back it up fully, as if the internal storage is going to be wiped or replaced.
- Enable FileVault, if feasible.
- Disable any firmware password.
- Turn Find My Mac off.
- Clean it.
- Remember any receipt or other documents, and its power cable.
XProtect ascendant: macOS security in 2024
As the threat landscape and strategies change, different parts of macOS security have been more actively developed. When Java and Flash vulnerabilities were dominant, XProtect’s metadata became vital for blocking older unpatched versions. Then in 2020, Apple grew XProtect’s Yara signatures to detect more malicious software, in 27 updates released that year. That campaign had finished by 2023, when it was only updated once each month, and all eyes were on the youthful XProtect Remediator maturing rapidly in its 18 updates. This article outlines what changed in macOS security protection during 2024, and how Apple has shifted emphasis back to XProtect, together with the importance of CDHashes and notarization.
XProtect
This has definitely been the year of XProtect, which performs on-demand checks of code that’s about to be launched, using a set of Yara rules to detect known malware. Our Macs started 2024 with version 2177, and after a record total of 29 updates for all macOS and a sudden change in version numbering, by the year’s end that has reached 5284. Even more impressive is the growth of XProtect’s Yara detection rules: at the start of 2024 there were about 195 rules taking 167 KB of text; as we pass into 2025, there are now about 328 rules in 921 KB of text. That’s 170% of the number of rules, and over five times the size.
macOS Sequoia has also brought the most substantial change to XProtect itself, in the introduction of a new medium for delivery of updates to its data, suggesting that XProtect is being forked. When macOS 15.0 was first released, XProtect could receive updates via either the old mechanism of Software Update, or through a new connection to iCloud using CloudKit. After a transition period, updates switched to iCloud only with effect from macOS 15.2.
Apple released two test updates for Sequoia only during September, one of which brought a huge increase in Yara rules in a file of 1.2 MB in size. This suggests that Sequoia’s XProtect is likely to see more frequent and larger updates now that this new mechanism has been tried and tested. How that will run alongside updates for older macOS has yet to be demonstrated, and none of this has been documented by Apple.
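As an added example (not code from the original post), the following Python script counts the rule declarations in XProtect’s Yara file and expresses growth between two snapshots the way this section does. The bundle path is the one macOS uses for XProtect’s rules; the sample rule text is constructed here so the script also runs where that file is absent.

```python
"""Count the Yara rules in an XProtect rules file and compare two snapshots.

Added example, not code from the original post. XPROTECT_YARA is the path
macOS uses for XProtect's rules; SAMPLE is constructed so the script runs offline.
"""
import re
from pathlib import Path

XPROTECT_YARA = Path(
    "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara"
)

# A rule declaration starts a line, optionally prefixed by 'private' and/or 'global'.
# 'rule\s+' keeps words such as 'rules' in prose or comments from matching.
RULE_DECL = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)
LINE_COMMENT = re.compile(r"//[^\n]*")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def strip_comments(text):
    """Drop // and /* */ comments so text inside them is never counted as a rule.
    This is approximate (a // inside a string literal is also cut), which is fine
    because declarations sit on their own lines."""
    return LINE_COMMENT.sub("", BLOCK_COMMENT.sub("", text))

def rule_names(text):
    """Return the names of all rules declared in Yara source text, in file order."""
    return RULE_DECL.findall(strip_comments(text))

def growth(old_rules, old_kb, new_rules, new_kb):
    """Express a later snapshot relative to an earlier one: rule count as a
    percentage of the old count, file size as a multiple of the old size."""
    return {"rules_pct": round(100 * new_rules / old_rules), "size_x": round(new_kb / old_kb, 1)}

# Constructed sample in XProtect's style; the names are made up, not real signatures.
SAMPLE = """
/* header comment mentioning rule counts */
private rule Macho { condition: uint32(0) == 0xfeedfacf }
rule Example_A  // trailing comment: rule
{
    strings: $s = "rule" ascii
    condition: Macho and $s
}
global rule Example_B : tag1 { condition: true }
"""

if __name__ == "__main__":
    src = XPROTECT_YARA.read_text(errors="replace") if XPROTECT_YARA.exists() else SAMPLE
    names = rule_names(src)
    print(f"{len(names)} rules, {len(src.encode()) / 1024:.0f} KB")
    # The article's start- and end-of-2024 figures: about 195 rules in 167 KB, then 328 in 921 KB.
    print(growth(195, 167, 328, 921))
```

Run against a real XProtect.yara the same counting gives the per-update growth the article tracks; the article’s rounded “170%” corresponds to the 168% this computes from its figures.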
XProtect Remediator
This runs daily or more frequent background scans looking for the presence of malicious software and remediating it whenever it can. Although most of its scans are brief, those for Adload can now take several seconds or longer. Our Macs started the year with version 122 containing 22 scanning modules. Since then there have been 18 updates, bringing new modules for Bundlore (also the subject of a campaign in XProtect), and the newer Crapyrator and Dolittle (covered by extensive rules in XProtect), while RedPine has been dropped. We end the year with version 149.
For much of the year updates have been released every two weeks, but have reduced to one update each month since the summer. It’s thought that XProtect Remediator also uses XProtect’s Yara rules for detection purposes, so it should have benefitted from all those updates as well.
XProtect Behavioural and Bastion
The most recent of the XProtect trio, this watches for code that breaks its Bastion rules of behaviour by accessing files in specific sensitive locations, and similar. Apple states in its Platform Security Guide that this isn’t used to block apps or for local detection: “In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.”
Its Bastion rules have grown from 7 to 12, adding watched locations in ~/Library and /Users/Shared and more. Apple doesn’t provide any information as to how useful this intelligence is proving.
Gatekeeper
As all those using macOS Sequoia will have discovered by now, it brings a major change to the way that Gatekeeper’s checks for notarization can be bypassed. In recent versions of macOS, this has been simple to accomplish using the Finder’s Open command, so simple that malware developers commonly coach the user through this to ensure their unsigned code is run without the defences of macOS. The new procedure requires permission to be granted explicitly in Privacy & Security settings.
This has proved controversial, with some who distribute code that isn’t notarized complaining that it’s getting in the way of users running perfectly benign software. However, it’s an important part of the transition to reliance on CDHashes known to Apple. It has already posed a problem to those distributing malicious code, for which no simple workaround has yet emerged. This has also led to a few legitimate apps being blocked, typically when they have been updated in place without fully updating their CDHashes and notarization ticket.
MRT
The old macOS Malware Removal Tool MRT has been superseded in Catalina and later by a scanner module in XProtect Remediator. MRT was last updated nearly three years ago, with version 1.93 from 29 April 2022 being the last. It hasn’t been entirely forgotten, though, and may still be installed on the latest Apple silicon Macs.
Threat
Fuller accounts of changes in the threat landscape are given by independent security researchers. Moonlock’s was published earlier this month, and I’d expect to see reviews from Patrick Wardle at the Objective-See Foundation and others in the coming days.
The year has seen a continuing increase in the number and variety of malicious products for macOS. It’s surprising how many old names like Adload and Bundlore are apparently still thriving, and the emphasis remains on stealers. Recent directed attacks have demonstrated increasing ingenuity and technical skills, and at least one managed to sneak its way through screening by Apple and became notarized, although that has since been revoked.
As ever, threats are most immediate for those who engage in high-risk activities, including downloading cracked commercial products, and dealing in cryptocurrency.
The year ahead
Given that there’s no sign yet that Apple has driven away those who develop and deploy malware, 2025 isn’t likely to be any easier. Most malware has yet to respond to the change brought in bypassing notarization requirements. While there are bound to be more attempts to get malware notarized by Apple, the chances of a notarized app being malicious are likely to remain as close to zero as possible. Greatest risks will continue for those who run unnotarized code from uncontrolled sources.
Apple has put a lot of effort into the changes it has made in XProtect, and will expect to see results in the coming months.