{"id":49009,"date":"2016-02-22T09:16:55","date_gmt":"2016-02-22T17:16:55","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=49009"},"modified":"2019-05-17T21:49:51","modified_gmt":"2019-05-18T04:49:51","slug":"os-x-security-under-the-hood-features-that-protect-your-mac","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/os-x-security-under-the-hood-features-that-protect-your-mac\/","title":{"rendered":"OS X Security: Under the Hood Features That Protect Your Mac"},"content":{"rendered":"

\"Mac<\/p>\n

When you use your Mac for work or play, you see windows and menus for the apps you use, for settings, and more. But these user-facing features are just a small part of what powers an operating system. In addition to all of the many calculations your Mac makes so your apps can do their work, displaying text and video, there are many under the hood security features that keep you and your data safe.<\/p>\n

Over the years, Apple has added a number of robust security features to OS X<\/a>, some of which you\u2019ve heard of, and some that you might not know about. In this article, below, you will discover\u00a0the less visible security features in OS X that protect you from hackers and malicious software, and that keep your data safe.<\/p>\n

File Quarantine<\/h3>\n

In 2009, when Apple released OS X 10.6 Snow Leopard, the new operating system included a rudimentary anti-malware feature. While the official name is File Quarantine, people in the security industry tend to call it XProtect, after one of its configuration files, Xprotect.plist<\/code>. We explained how this works<\/a> back when it was released. Unlike a true anti-virus, File Quarantine looks for a limited number of very specific types of malware. And it only detects this malware if it\u2019s downloaded to a Mac via Safari or Chrome, received as an email attachment by Mail, or sent via a Messages file transfer (and a few other apps).<\/p>\n

The only thing a user sees is a banal setting in System Preferences<\/strong> > App Store<\/strong>. Make sure that Install system data files and security updates is checked to ensure that your Mac updates the File Quarantine exclusion list. If your Mac does detect something nefarious, you\u2019ll see an alert<\/a>.<\/p>\n

Gatekeeper<\/h3>\n

Added to OS X 10.7.5 and 10.8 (Lion and Mountain Lion), Gatekeeper is a technology that uses code signing<\/em> to verify the authenticity and integrity of applications you launch on your Mac. Every developer can request a certificate from Apple to \u201csign their code.\u201d This cryptographic certificate allows OS X to ensure that an app you run is not only from a registered developer, but also that it hasn\u2019t been modified.<\/p>\n

There are some limits though. As Apple explains<\/a>:<\/p>\n

\u201cDeveloper ID signature applies to apps downloaded from the Internet. Apps from other sources, such as file servers, external drives, or optical discs are exempt, unless the apps were originally downloaded from the Internet.\u201d<\/p><\/blockquote>\n

So you\u2019re protected when you download apps, but not if someone manually installs an app on your Mac, or if you copy it from an external or network drive. And this certificate system can go wrong. In November, Mac users suddenly found they could not launch apps from the Mac App Store<\/a>, because of an expired certificate.<\/p>\n

With Gatekeeper, users have three options. In System Preferences<\/strong> > Security<\/strong> > General<\/strong>, you can choose whether you want your Mac to open apps from the Mac App Store only, from the Mac App Store and registered developers, or from Anywhere, bypassing Gatekeeper entirely. It\u2019s a good idea to choose one of the first two options, though if you test applications, you\u2019ll need to pick the third.<\/p>\n

\"malware-updates\"<\/a><\/p>\n

Sandboxing<\/h3>\n

While you may think that sandboxing has something to do with playing or experimenting, it\u2019s actually a robust security feature that was added to OS X 10.5 Leopard, and reinforced with subsequent versions of OS X. Apple says sandboxing<\/a> \u201cprovides a last line of defense against the theft, corruption, or deletion of user data if an attacker successfully exploits security holes in your app.\u201d<\/p>\n

Sandboxing is a way of creating a virtual, impenetrable wall around each application or process.<\/p>\n

\"sandboxing\"<\/a><\/p>\n

Sandboxing protects Mac users from web-based malware. Since Safari is sandboxed, malware that loads in a web page won\u2019t be able to install on your Mac, or affect other apps or files. However, be wary of anything that downloads unexpectedly, and don\u2019t ever open such files; they could get past the sandbox, if you authorize their installation.<\/p>\n

Apple now requires that all apps sold in the Mac App Store be sandboxed, leading to problems with some apps and their features<\/a>. Sandboxing can limit the way many apps interact with the operating system and with other apps.<\/p>\n

For this reason, many developers that sell system utilities do so directly, rather than through the Mac App Store. This is the case, for example, with most of Intego\u2019s software<\/a>, which needs to be able to access many files on your Mac. You can\u2019t successfully run an anti-virus that can\u2019t check all the files on a computer.<\/p>\n

Sandboxing is entirely under the hood, there are no user options or alerts.\u00a0An app is sandboxed or it isn\u2019t.<\/p>\n

Journaled File System<\/h3>\n

Security isn\u2019t just about protecting you from bad guys, it\u2019s also about ensuring the integrity of your data. One of the unsung security features in OS X is the HFS+ file system with journaling.<\/p>\n

The original HFS (Hierarchical File System) dates back to the release of Apple\u2019s first hard drive for the Macintosh in 1985. Replacing the previously used Macintosh File System, Apple kept HFS until 1998, when Mac OS 8.1 saw the introduction of the improved HFS+. But the real change came with the Server version of OS X 10.2.2 Jaguar, when HFS+ with journaling became optional, and 10.3 Panther, when it was turned on by default.<\/p>\n

The file system is the low-level software, installed on a disk or other type of media, that catalogs and indexes the files on your computer. Without a file system, you can\u2019t copy, move, or delete files. But when disk errors occur, or when a computer crashers, the file system\u2019s catalog can get corrupted, and you may lose files. The data is still on your disk, but the file system can no longer find it.<\/p>\n

Journaling uses a sort of log that keeps a record of changes before they are finalized. In the event of a crash, the disk can read the journal to ensure that no files are lost. As Apple explains<\/a>:<\/p>\n

\u201cJournaling is a feature that helps protect the file system against power outages or hardware component failures, reducing the need for directory repairs.\u201d<\/p><\/blockquote>\n

Do you remember having\u00a0to regularly run disk repair software back in the day?\u00a0Well, when Apple added journaling to its file system, this was no longer essential. (I can\u2019t remember the last time I\u2019ve lost files or data because of disk corruption or power outages.) Of course, hard disks can still fail, so you make sure you have backups.<\/p>\n

System Integrity Protection<\/h3>\n

One of the newest security features is System Integrity Protection, or \u201cRootless.\u201d On every Mac, there are a number of user accounts, including one called root<\/em>, which is the \u201csuperuser,\u201d the One Account to Rule Them All. The root user can do anything: access and modify or delete any file, change permissions for any user, and essentially screw things up if he or she makes a typo when futzing around in the operating system. Even a normal administrator can \u201cplay root\u201d for a while, prefacing commands run in Terminal with the sudo<\/em>, or \u201csuperuser do\u201d command.<\/p>\n

System Integrity Protection, introduced with OS X 10.11 El Capitan, prevents even this root user from accessing certain files. As Apple explains<\/a>, \u201cSystem Integrity Protection restricts the root account and limits the actions that the root user can perform on protected parts of OS X.\u201d The goal of this is not to prevent any individual human user from accessing files, but rather to block malware that can \u201cget root,\u201d or obtain root access, and altering or damaging system files.<\/p>\n

This doesn\u2019t mean that these files are entirely off limit. As one would expect, certain tools can make changes to protected files. Apple elaborates on this, saying:<\/p>\n

\u201cSystem Integrity Protection is designed to allow modifications of these protected parts only by processes that are signed by Apple and have special entitlements to write to system files, like Apple software updates and Apple installers.\u201d<\/p><\/blockquote>\n

There is, of course, a way to turn off System Integrity Protection and get full root access, and those system administrators who want to work without a net may want to find out how to to this. It\u2019s not hard to do<\/a>, but be aware of the risk it entails.<\/p>\n

Computer security is complex, and there are many other under-the-hood features that keep OS X secure. Many of these features are added to Safari, since the web browser is one of the leading vectors of attack in our Internet age. The most important thing you can do to keep your Mac secure is to ensure\u00a0your operating system and apps are up-to-date, so you benefit from all the latest security features and fixes.<\/p>\n","protected":false},"excerpt":{"rendered":"

Macs include many under the hood features that keep OS X secure. This article offers a look at the less visible security features in OS X that protect your data.<\/p>\n","protected":false},"author":46,"featured_media":50293,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[7,151,13],"tags":[174,168,319,303],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n