Hacking Book | Free Online Hacking Learning


Google's macOS malware detection system "Santa" has been open-sourced

Posted by agaran at 2020-02-27

1、 Project introduction

Google is currently developing a malware detection system for the Mac OS platform. According to a recent report on the softmedia website, the project has been open-sourced and its code is hosted on GitHub. The project, called "Santa", was developed by Google's Macintosh R&D team; the current version is 0.9.12.

As Google describes it, Santa is not a traditional anti-virus engine: it decides whether a binary may execute on a Mac OS system by consulting a blacklist and a whitelist, nothing more. Its graphical user interface is minimal, consisting of a single, reasonably polished notification window that Santa uses to tell the user which program was prevented from executing. The version tested by softmedia's security researchers has no other user interface; the only dialog is the one shown in the figure below.

2、 A closer look at the Santa project

Santa offers two modes of operation and is otherwise a very simple application.

At its core, Santa is a kernel extension that intercepts process execution together with a user-space daemon that makes the decision: for every new process, the daemon looks the binary up in the blacklist and whitelist rules stored in a local SQLite database and allows or blocks the execution accordingly.

According to the introductory documentation hosted on GitHub, Santa has two modes of operation: monitor and lockdown.

In monitor mode, Santa reads the list of forbidden programs from the blacklist and tells the operating system which applications may not run; everything else is allowed. In lockdown mode, Santa allows only programs on the whitelist to run, so any application not explicitly whitelisted is blocked by default.

In addition, users and network administrators can judge an application by its signing certificate rather than by the hash of the individual binary, and add potentially malicious applications to Santa's blacklist on that basis.

It is worth noting that Santa has built-in measures against tampering by an attacker. Like many other good security products, Santa records every action it takes in its log. It also protects itself: a great deal of malware tries to disable the security product's scanning process in order to evade detection, and Santa's self-protection mechanism exists to prevent exactly that.

Without such protection, malware could modify Santa's blacklist and make Santa block the execution of its own core processes or those of Mac OS. Santa's components communicate over Apple's XPC API and verify one another's code signatures; if a component's signing certificate fails verification, the other components refuse to communicate with it.

Santa's features are as follows:

- multiple operation modes: Santa's default mode is monitor mode, in which every program may run except those on the blacklist; every execution is recorded in Santa's event database. In lockdown mode, only whitelisted applications are allowed to run.

- event logging: once the kernel extension (kext) is loaded, every program execution is recorded.

- certificate-based rules: besides the "fingerprint" (hash) of the program's code, Santa can whitelist or blacklist applications by their signing certificate. A certificate rule is applied only if the program's code signature verifies correctly.

- path-based rules: similar to the restrictions provided by Managed Client in OS X, but with support for regular expressions in the match conditions.
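To make the rule evaluation described above concrete (rules kept in a SQLite database, a rule on the binary's own hash taking precedence over a certificate rule, certificate rules applying only to binaries whose signature verifies, and the mode supplying the default when no rule matches), here is an added Python model of the decision. It is example code written for this page, not Santa's own code: the table layout, the function and class names, the "events" table and the sample binaries and certificate bytes are assumptions made for illustration, and Santa's real schema differs. The hash used is SHA-256, which is what Santa uses for binaries and certificates.

```python
"""Model of Santa's allow/block decision, as the article describes it.

Added example, not code from the Santa project. The SQLite table
layout, the names and the sample data are assumptions for illustration.
"""
import hashlib
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple

MONITOR, LOCKDOWN = "MONITOR", "LOCKDOWN"
ALLOW, BLOCK = "ALLOW", "BLOCK"

# Assumed schema (not Santa's): one rule per row, keyed by the SHA-256 of
# either the binary's contents or its leaf signing certificate.
SCHEMA = """
CREATE TABLE rules (
    shasum    TEXT NOT NULL,
    type      TEXT NOT NULL,   -- 'BINARY' or 'CERTIFICATE'
    state     TEXT NOT NULL,   -- 'WHITELIST' or 'BLACKLIST'
    custommsg TEXT,            -- text shown in the block dialog
    PRIMARY KEY (shasum, type)
);
CREATE TABLE events (
    path     TEXT NOT NULL,
    shasum   TEXT NOT NULL,
    decision TEXT NOT NULL,
    reason   TEXT NOT NULL
);
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Binary:
    """What the daemon knows about one exec request (constructed input)."""
    path: str
    contents: bytes
    cert_der: Optional[bytes] = None   # leaf signing cert, None if unsigned
    signature_valid: bool = True       # did the code signature verify?


class RuleDB:
    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)

    def add_rule(self, shasum: str, rule_type: str, state: str,
                 message: Optional[str] = None) -> None:
        self.conn.execute("INSERT OR REPLACE INTO rules VALUES (?, ?, ?, ?)",
                          (shasum, rule_type, state, message))

    def blacklist_path(self, binary: Binary, message: str) -> None:
        # Conceptual equivalent of `santactl rule --blacklist --path ...`:
        # hash the file at the path and store a BINARY rule under that hash.
        self.add_rule(sha256_hex(binary.contents), "BINARY", "BLACKLIST", message)

    def lookup(self, shasum: str, rule_type: str):
        return self.conn.execute(
            "SELECT state, custommsg FROM rules WHERE shasum = ? AND type = ?",
            (shasum, rule_type)).fetchone()

    def log_event(self, binary: Binary, decision: str, reason: str) -> None:
        self.conn.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
                          (binary.path, sha256_hex(binary.contents), decision, reason))

    def events(self):
        return self.conn.execute("SELECT path, decision, reason FROM events").fetchall()


def decide(db: RuleDB, binary: Binary, mode: str) -> Tuple[str, str, Optional[str]]:
    """Return (decision, reason, custom message) for one exec request."""
    # 1. A rule on the binary's own hash wins over everything else.
    rule = db.lookup(sha256_hex(binary.contents), "BINARY")
    reason = "binary rule"
    # 2. Certificate rules are consulted only when the signature verifies;
    #    otherwise a forged or damaged signature could borrow a whitelist entry.
    if rule is None and binary.cert_der is not None and binary.signature_valid:
        rule = db.lookup(sha256_hex(binary.cert_der), "CERTIFICATE")
        reason = "certificate rule"
    if rule is not None:
        state, message = rule
        decision = ALLOW if state == "WHITELIST" else BLOCK
    else:
        # 3. No matching rule: the mode supplies the default.
        decision = BLOCK if mode == LOCKDOWN else ALLOW
        reason = f"{mode.lower()} default"
        message = None
    db.log_event(binary, decision, reason)   # every execution is recorded
    return decision, reason, message


def demo():
    """Constructed sample: blacklisted yes, a whitelisted vendor cert, a forged
    signature and an unknown unsigned tool, evaluated in both modes."""
    db = RuleDB()
    vendor_cert = b"-- constructed stand-in for an Example Vendor leaf cert --"
    yes_bin = Binary("/usr/bin/yes", b"\xcf\xfa\xed\xfe yes", vendor_cert)
    vendor_tool = Binary("/Applications/Tool.app/Contents/MacOS/Tool",
                         b"\xcf\xfa\xed\xfe tool", vendor_cert)
    forged = Binary("/tmp/forged", b"\xcf\xfa\xed\xfe forged", vendor_cert,
                    signature_valid=False)
    unknown = Binary("/tmp/unknown", b"\xcf\xfa\xed\xfe unknown")

    db.blacklist_path(yes_bin, "NO")
    db.add_rule(sha256_hex(vendor_cert), "CERTIFICATE", "WHITELIST")

    results = {}
    for mode in (MONITOR, LOCKDOWN):
        for b in (yes_bin, vendor_tool, forged, unknown):
            results[(mode, b.path)] = decide(db, b, mode)
    return results, db.events()


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(key, value)
```

Note that yes is signed with the whitelisted vendor certificate but is still blocked, because the binary rule on its hash is checked first; the forged binary carries the same certificate bytes but an invalid signature, so the certificate rule is never consulted and it falls through to the mode's default, allowed in monitor mode and blocked in lockdown mode. Hashing the file rather than matching its path also means a copy of the blacklisted binary at another path is still caught, while a modified copy is not.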

3、 Installation and operation of Santa

First, open the Mac terminal and enter the following command:

git clone https://github.com/google/santa

Screenshot of the command running:

When the terminal reports that the command has completed, the Santa project directory appears in the current working directory.

Note that before running Santa you also need to satisfy its dependency on the CocoaPods library manager; see the CocoaPods website for the installation steps [portal].

After installation you can run a simple test of Santa's capabilities by adding the terminal command "yes" to Santa's blacklist. The rule database can only be modified as root, so the test command is run with sudo:

sudo santactl rule --blacklist --path /usr/bin/yes --message "NO"

If you now run "yes" in the terminal, a pop-up window appears telling you that the application has been blocked, with the custom message "NO". The dialog also lets the end user silence notifications for that application; after choosing this option, Santa will not notify the user again about blocks of the same program for 24 hours.

This is only a simple functional test; Santa's capabilities go well beyond it. Users can download and install Santa themselves and test it according to their own ideas.

4、 Run demo

5、 Summary

The current version of Santa is 0.9.12. The developers on Google's Macintosh R&D team are still carrying out functional and security testing of Santa and fixing the bugs they find. If you have the software development skills, Google's Macintosh R&D team welcomes contributions; see the Santa project's contribution guide [portal] for details.

The release date of an official version of Santa is not yet known. Anyone can download and install it, but remember that Santa is still test software and is not an official Google product.

If you have questions about Santa or run into problems during installation, ask in the "santa-dev" Google Group. The project's GitHub wiki and issues pages provide further information.

6、 Reference links

1. GitHub homepage of the Santa project: https://github.com/google/santa

2. The "santa-dev" section of Google's official forum:

3. Santa usage and configuration guide:

4. Installation and usage guide for the CocoaPods library manager: