If malware on Mac OS is excluded from certain areas of the system, why is there an option for full scanning of all files? Is my understanding incorrect?
Quick vs Full Scanning on Mac OS
Best answer by JDeBerry
When it comes to protecting a user against harmful applications, macOS comes with a suite of technology intended to protect the system from different forms of malware. System Integrity Protection, Gatekeeper and its notarization requirements, as well as Runtime Protection do a phenomenal job of only allowing trusted applications to run. Apps downloaded from the App Store are also limited to accessing data using Apple APIs and are restricted from sensitive system data. By only downloading applications exclusively from the App Store, a user could greatly minimize their risk to the more common types of malware, which often come in the form of an application downloaded from outside Apple’s store.
When a user chooses to modify their System Preferences and allow applications downloaded from outside the App Store is when the potential risk becomes greater. If the user were to install a malicious application, although the Kernel and System files are still protected by macOS, the user’s data would still be potentially exposed. Similarly, threats to the system and your personal data come in other forms besides just applications. Malicious web content and scripts have fewer native controls or protections within macOS. These can be introduced to the system in a number of ways: email attachments, “drive-by downloads” performed by websites, etc. We have our own real-time shields that are designed to catch something like a malicious script when it executes, but searching the entire file system for this type of content allows us to catch it before it attempts to run.
Is running a Full Scan a requirement to be protected? Given our real-time shields, perhaps not, but a good security posture comes from a layered approach. Increasing the opportunities to detect and remove a threat bolsters that posture. Like anything, there are pros and cons with each design choice. Full scans take longer to complete than a quick scan would, and there may be scenarios where a quick scan may be more desirable to the user.
I hope that helps answer your question.
-Josh