While some consumers find Apple's XProtect anti-malware enough protection for their Mac, most enterprises running Apple machines don't, including Google, which has developed its own lockdown software.
Dubbed Santa, the software developed by Google's Macintosh Operations Apple Team "keeps track of binaries that are naughty and nice".
Google released the tool on GitHub last week as an open source project that others can contribute to. The OS X security tool is just one of many the team has open sourced in the past that are used to manage the company's fleet of over 40,000 Macs worldwide. As Google's Mac ops team outlined last year, it has a preference for open source tools and, if it can't find one that suits, the team builds its own. Some of the tools built by Google include Simian, its in-house software deployment system for Macs, and Cauliflower Vest, a key recovery system designed for FileVault.
Santa is an early version of a binary whitelisting and blacklisting system for Mac OS X, which offers enterprises a way to monitor and lock down devices in the fleet.
"It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server," a Mac ops team member said.
In Santa's Monitor mode, everything is allowed to run except for blacklisted binaries, which are logged and recorded in the database. Lockdown mode, on the other hand, only allows whitelisted binaries to run.
Other features include a tool to blacklist or whitelist files based on their signing certificate, enabling admins to block or trust all binaries from a publisher, as well as an event logging tool.
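The two modes and the certificate rules described above can be modelled as a small decision function over a SQLite rules table. This is an added illustration, not Santa's code: the schema, the function names and the choice to check a binary rule before a certificate rule are all assumptions made for the sketch.

```python
import hashlib
import sqlite3

MONITOR, LOCKDOWN = "monitor", "lockdown"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def open_db():
    # Hypothetical schema for illustration; not Santa's real database layout.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rules (kind TEXT, ident TEXT, state TEXT,"
               " PRIMARY KEY (kind, ident))")
    db.execute("CREATE TABLE events (binary_sha256 TEXT, cert_sha256 TEXT,"
               " decision TEXT, reason TEXT)")
    return db

def add_rule(db, kind, ident, state):
    # kind: 'binary' or 'certificate'; state: 'whitelist' or 'blacklist'
    db.execute("INSERT OR REPLACE INTO rules VALUES (?, ?, ?)",
               (kind, ident, state))

def decide(db, mode, binary_bytes, cert_sha256=None):
    """Return (decision, reason) for one execution; record denials as events."""
    bin_hash = sha256_hex(binary_bytes)
    state, reason = None, "no matching rule"
    # Assumption: a rule on the exact binary wins over a rule on its publisher.
    for kind, ident in (("binary", bin_hash), ("certificate", cert_sha256)):
        if ident is None:
            continue  # unsigned binary: no certificate to look up
        row = db.execute("SELECT state FROM rules WHERE kind=? AND ident=?",
                         (kind, ident)).fetchone()
        if row:
            state, reason = row[0], kind + " rule"
            break
    if state == "blacklist":
        decision = "deny"    # blocked in both modes
    elif state == "whitelist" or mode == MONITOR:
        decision = "allow"   # Monitor mode lets unknown binaries run
    else:
        decision = "deny"    # Lockdown mode: only whitelisted binaries run
    if decision == "deny":
        db.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
                   (bin_hash, cert_sha256, decision, reason))
    return decision, reason

if __name__ == "__main__":
    db = open_db()
    publisher = "c" * 64  # constructed certificate fingerprint
    add_rule(db, "certificate", publisher, "whitelist")
    print(decide(db, LOCKDOWN, b"constructed signed tool", publisher))
    print(decide(db, LOCKDOWN, b"constructed unknown tool"))
```
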
The Google Mac team notes that Santa contains a number of bugs, so Mac admins should probably limit its use to testing for now. Some of the issues include a potential race condition and the fact that it's currently unable to ensure that only valid clients connect to the kernel extension.
Google will require potential contributors to sign one of its contributor license agreements, and the company notes that Santa is not an official Google product.