Santa, Google’s new enterprise malware watchdog for Mac OS
Google has admitted before that it prefers to use open source products. And if they cannot find a product for their needs, they build it. Google has also released some of these products that it has built to the open source community and it released another one today. Dubbed Santa, it is a binary watchdog for MacOS.
Whitelists and Balcklists
While some consumers find Apple’s own XProtect anti-malware enough protection for their Mac, most enterprises running Apple machines don’t, including Google, which has developed its own lockdown software. Google released this product on to GitHub so that other could contribute to its development.
Santa is a very early version of a watchdog. “It consists of a kernel extension that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronizing the database with a server,” a Mac ops team member said.
The product has 2 modes, Santa’s Monitor mode and Lockdown. In Santa’s Monitor mode, everything is allowed to run except for the blacklisted binaries. And in Lockdown mode, only whitelisted binaries are allowed to run i.e. its reverse. Other features include a tool to blacklist or whitelist files based on their signing certificate, enabling admins to block or trust all binaries from a publisher, as well as an event logging tool.
The tool does contain a few bugs though. So users are recommended to use it with caution. Some of the issues include a potential race-condition and the fact it’s currently unable to ensure that only valid clients connect to the kernel extension. Google will require potential contributors to sign one of its contributor license agreements, and the company notes that Santa is not an official Google product.
You can be part of the Santa team and enhance its performance or detect some of the bugs that it may have, if you wish to do so head over to Github