MDE for macOS currently includes preventive antivirus capabilities and reporting via the Microsoft Defender Security Center. This document covers the latest Public Preview build of MDE.
Defender for Endpoint endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
Onboarded macOS devices can be selected under the Devices tab. The following examples use a device named venzos-Mac. For the purposes of this document, a device was enrolled into an isolated test tenant and intentionally infected with malware.
Figure 1 Overview of mac device
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident.
In the above example, you will see that there is one open incident, two active alerts and a low exposure level.
The video below is a demo I once made for a client to show what the end-user experience looks like when Defender detects something.
macOS endpoints
There does not appear to be any difference in MDE functionality between devices enrolled in Apple Business Manager and devices that are not, e.g. BYOD devices. Because the current MDE build still loads a kernel extension (kext) rather than a system extension, M1/Apple silicon devices are not officially supported: the platform security setting on M1 devices blocks the loading of all third-party kexts, and it is turned on by default. To allow kexts, the Reduced Security option must be enabled in the device's Startup Security Utility, which lowers the boot-time security posture of the whole device. Although MDE can be installed on M1 devices this way, real-time scanning cannot be used; on-demand scans (quick, full, custom) do work.
Although MDE for macOS endpoints has many of the same functions as on Windows, not all features are available, e.g. initiating an automated investigation, collecting an investigation package or starting a Live Response session.
Figure 2 Missing features
Real-time protection triggers a scan whenever the agent receives a definition update from Microsoft. Currently there is no way to control or schedule this other than disabling real-time scanning altogether. Instead, Microsoft recommends running a scheduled scan via the runMDATPQuickScan.sh script. The script executes mdatp scan quick and writes its output to /var/log/mdatpscheduledscan.log.
Figure 3 Log output from scheduled quick scan
Executing a quick scan manually (or through the scheduled scan script) is not system-wide. Microsoft's macOS MDE research team identifies the statistically riskiest locations, and the quick scan covers only those; ~/Downloads is one example. It also means that the list of quick-scan locations can change later. We have asked Microsoft for clarification on which other directories are considered "risky". In the meantime, their general advice is to use a custom scan if you want to scan directories that you define. This limitation also applies to Sentinel hunting queries.
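As an added example (not the page's own script, and not Microsoft's runMDATPQuickScan.sh), the shell functions below generate a scheduled-scan script together with the launchd daemon that runs it. Like Microsoft's script it runs mdatp scan quick and appends to the same log, but it then follows up with mdatp scan custom --path over directories you choose, so the scheduled job is not limited to the quick-scan locations described above. Assumptions of this example: the mdatp binary at /usr/local/bin/mdatp, the launchd label com.example.mdatp.schedscan, the example directories and a 02:30 daily schedule.

```shell
#!/bin/sh
# Added example (not from the original post or from Microsoft): build a
# scheduled-scan script and a launchd daemon for Defender for Endpoint on macOS.
# Only the documented CLI is used (mdatp scan quick, mdatp scan custom --path);
# the label, paths and directory list are this example's assumptions.

# write_scan_script OUT LOGFILE DIR...
# Writes OUT: a script that runs the quick scan (Microsoft's risky-location
# list) and then a custom scan over every DIR the admin wants covered.
write_scan_script() {
  out=$1; logfile=$2; shift 2
  {
    printf '#!/bin/sh\n'
    printf 'LOG="%s"\n' "$logfile"
    printf 'MDATP=/usr/local/bin/mdatp\n'   # assumed install location of the CLI
    printf 'echo "$(date) starting quick scan" >> "$LOG"\n'
    printf '"$MDATP" scan quick >> "$LOG" 2>&1\n'
    for d in "$@"; do
      printf 'echo "$(date) starting custom scan of %s" >> "$LOG"\n' "$d"
      printf '"$MDATP" scan custom --path "%s" >> "$LOG" 2>&1\n' "$d"
    done
    printf 'echo "$(date) scheduled scan finished" >> "$LOG"\n'
  } > "$out"
  chmod 755 "$out"
}

# write_launchd_plist OUT SCRIPT HOUR MINUTE
# Writes OUT: a LaunchDaemon that runs SCRIPT as root daily at HOUR:MINUTE.
write_launchd_plist() {
  out=$1; script=$2; hour=$3; minute=$4
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.mdatp.schedscan</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$script</string>
    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>$hour</integer>
        <key>Minute</key>
        <integer>$minute</integer>
    </dict>
    <key>RunAtLoad</key>
    <false/>
</dict>
</plist>
EOF
}

# Usage on the endpoint, as root (paths are assumptions of this example):
#   write_scan_script "/Library/Application Support/Microsoft/schedscan.sh" \
#       /var/log/mdatpscheduledscan.log /Users/Shared /opt
#   write_launchd_plist /Library/LaunchDaemons/com.example.mdatp.schedscan.plist \
#       "/Library/Application Support/Microsoft/schedscan.sh" 2 30
#   launchctl load /Library/LaunchDaemons/com.example.mdatp.schedscan.plist
```

The custom-scan list is the part worth maintaining: it is the only place where you, rather than Microsoft's changing quick-scan list, decide what gets covered. Keep the log file under /var/log so it is picked up by whatever log collection you already have on the Macs.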
Microsoft Defender for Endpoint on macOS preferences are managed via .plist files that can be deployed through Intune or Jamf. Any preference deployed through a configuration profile will supersede local preferences.
Preferences that can be configured are:
- Antivirus engine preferences
- Supported exclusion types
- Cloud-delivered protection
- Endpoint detection and response
- User interface
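As an added example of the preference categories listed above (not the page's own profile and not a Microsoft sample), the function below renders a com.microsoft.wdav payload suitable for an Intune custom profile or a Jamf configuration profile, and a guard function refuses exclusions that would blind the scanner. The key names follow Microsoft's documented macOS preference schema as I know it and should be checked against the current documentation before deployment; the exclusion path, the GROUP tag value and the rejected-path list are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Microsoft): render a
# com.microsoft.wdav preference payload for Intune/Jamf. Key names follow the
# documented schema as I know it; verify against current docs. The exclusion
# path, tag and the list of refused paths are this example's assumptions.

# is_safe_exclusion PATH
# Refuses exclusions that would blind the scanner: relative paths, the
# filesystem root, a whole home directory, ~/Downloads (a quick-scan
# location), /tmp and /Applications. The list is this example's judgement.
is_safe_exclusion() {
  p=$1
  case "$p" in
    /) return 1 ;;
    */) p=${p%/} ;;
  esac
  case "$p" in
    /*) ;;
    *) return 1 ;;            # relative path: ambiguous, refuse
  esac
  case "$p" in
    /Users|/tmp|/private/tmp|/Applications) return 1 ;;
    /Users/*/Downloads|/Users/*/Downloads/*) return 1 ;;
    /Users/*)
      rest=${p#/Users/}
      case "$rest" in */*) ;; *) return 1 ;; esac   # whole home directory
      ;;
  esac
  return 0
}

# render_wdav_prefs EXCLUDED_DIR TAG
# Emits the payload on stdout; real-time protection on, passive mode off,
# exactly one directory exclusion, cloud protection on, one device tag.
render_wdav_prefs() {
  excluded_dir=$1
  tag=$2
  if ! is_safe_exclusion "$excluded_dir"; then
    echo "refusing unsafe exclusion: $excluded_dir" >&2
    return 1
  fi
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>antivirusEngine</key>
    <dict>
        <key>enableRealTimeProtection</key>
        <true/>
        <key>passiveMode</key>
        <false/>
        <key>exclusions</key>
        <array>
            <dict>
                <key>\$type</key>
                <string>excludedPath</string>
                <key>isDirectory</key>
                <true/>
                <key>path</key>
                <string>$excluded_dir</string>
            </dict>
        </array>
    </dict>
    <key>cloudService</key>
    <dict>
        <key>enabled</key>
        <true/>
        <key>automaticSampleSubmission</key>
        <true/>
    </dict>
    <key>edr</key>
    <dict>
        <key>tags</key>
        <array>
            <dict>
                <key>key</key>
                <string>GROUP</string>
                <key>value</key>
                <string>$tag</string>
            </dict>
        </array>
    </dict>
    <key>userInterface</key>
    <dict>
        <key>hideStatusMenuIcon</key>
        <false/>
    </dict>
</dict>
</plist>
EOF
}

# Usage (assumed path):  render_wdav_prefs /opt/build Finance > wdav-prefs.plist
```

Deploy the payload with the preference domain com.microsoft.wdav. Because profile-delivered settings supersede local ones, check the result on a device with mdatp health (managed values are marked as such) and mdatp exclusion list rather than trusting the profile alone.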
Incidents
MDE applies correlation analytics and aggregates all related alerts and investigations into one "Incident" entity. MDE generates an "attack story" to help analysts understand and deal with threats. In this example you can see that we used both active malware and a "dummy". The dummy contained no malicious code, only the hash of real malware. MDE automatically prevented both.
Figure 4 Detected threats under incidents
Selecting the Malware incident on one endpoint displays further analysis and details, with the same functions as on Windows endpoints.
Figure 5 Evidence summary
Device alerts
Alerts are security-related events collected from the organization's endpoints and flagged by the MDE service.
Figure 6 Alerts
Figure 7 Alert diagnostics
Figure 10 Impacted processes
Security recommendations
Security recommendations have the same function on macOS as on Windows, i.e. baseline security suggestions.
Figure 11 General security recommendations
Software Inventory
MDE supports investigating macOS software. Selecting Safari shows the same details as would be present for Windows software.
Figure 12 Software inventory - Safari for Mac
This example is a vulnerability found in Safari (v.14.1) and cataloged as CVE-2021-23841.
Figure 13 Software analysis
By navigating to security recommendations, you will be presented with more details such as which specific devices have the vulnerable version of Safari installed.
Figure 14 Security recommendation for Safari vulnerability
Although MDE can detect vulnerable software, it cannot remediate it itself. Rather, you may choose to create a ticket with your endpoint management team (Jamf, etc.) to push an update out.
Or you could choose to create an exception: