Do I need SIP with Malwarebytes Premium?

My iMac running Catalina 10.15.4 began bogging down the other day and one of the remedies I tried was to disable SIP using csrutil disable within Terminal. It seems snappier now, but I can't honestly confirm that's what it was, as I ran Disk First Aid and tried a number of other remedies. Now that it is time to potentially turn it back on, after reading it occurred to me: why do I have it? From my research it is a VERY rudimentary form of protection and one that should probably be handled by Malwarebytes Premium regardless? Is there a point to expending the memory for both Malwarebytes and SIP if they are only duplicating each other's efforts?


I feel certain that Malwarebytes won't do anything to protect you from the kind of damage that can be done with SIP disabled. It's designed to ignore anything placed in SIP-protected places, since checking there would be a waste of time.

I don't know who would ever recommend disabling SIP to improve performance. Any process attempting to do things to areas protected by SIP would have to be either malicious or mistakenly coded. SIP does require you to take a few extra steps to allow some applications to properly install or run, but that's a small price to pay for the protection it provides to your System and other critical file areas.

I have no idea what you mean by "expending the memory" as SIP doesn't require any additional memory.

I can't emphasize enough that you need to leave SIP enabled at all times, especially since it appears you aren't thoroughly familiar with why it's used.


Excellent! Can you direct me to where I can see that Malwarebytes was "designed to ignore anything placed in SIP-protected places since checking there would be a waste of time"?

My research has come up with the following "some people believe that SIP plays a role in preventing malware from infecting Macs. Unfortunately, that’s not the case. Even before SIP, only some malware made changes to the files that are now protected by SIP. Malware can infect a Mac quite easily without doing that, and without even needing root permissions. This means SIP does nothing to prevent malware from invisibly infecting your Mac if you make the mistake of opening the wrong app."

I could be mistaken but my understanding is that Malwarebytes DOES prevent malware from infecting my Mac. Admittedly the same entry states that SIP is an "excellent security measure, ensuring that the system files cannot be tampered with" without alluding to why that would be if it does nothing to prevent malware from infecting my Mac. Please help me understand what I am paying for with Malwarebytes Premium if it is not protecting me from making the mistake of opening the wrong app? It would seem to me, reading between the lines that SIP actually offers more protection not from outside attacks but from within, by not allowing the user to make changes outside of the home folder even with Sudo or Root (yes I know what that is).

Even if Malwarebytes does nothing to cover any lapses left by disabling SIP, I would get the same level of protection as I had with OS X versions before El Capitan. As far as memory is concerned, the reason I had honed in on it in the first place is that it was showing as hogging about 10% of my memory in Activity Monitor, but that may have been XProtectService, which is another seemingly, if not ineffective, certainly obsolete tool with regard to Malwarebytes.

But admittedly, if it turns out that SIP doesn't duplicate efforts and does not take any memory, I am certainly not averse to turning it back on, as the benefits would seem to outweigh the risks.


Malware used to attack Macs before SIP was known to modify applications (such as Safari) and occasionally system components to redirect their functions or disable security features, as well as to store some of their files in areas currently protected by SIP. Now that these areas of infection have been taken away, malware developers must be more inventive in finding ways to accomplish their mission without their installation being obvious to the user.

I can’t point you to anything regarding Malwarebytes and SIP. I just know from a decade of collaboration with its original developer that Malwarebytes only looks in places where current malware is known to be installed or downloaded, thereby saving a great deal of the time that many other anti-malware scanners use in examining every readable file and comparing it against a database of millions of signatures. Since malware can no longer be downloaded or installed in SIP-protected areas, there would be no reason to look there.

The premium features in Malwarebytes for Mac do their best to identify installers as soon as they are downloaded in order to prevent you from accidentally infecting your Mac. SIP won’t do anything like that, but other security features of macOS (quarantine, Gatekeeper and XProtect) do attempt to do that, though to date they have not kept up with all the infections that are currently in use, especially the most prolific, which are adware infections. Here are a couple of blogs that talk to some of that:

https://blog.malwarebytes.com/mac/2019/12/mac-threat-detections-on-the-rise-in-2019/

https://blog.malwarebytes.com/mac/2020/02/mac-adware-is-more-sophisticated-dangerous-than-traditional-mac-malware/


First, I would agree with Al that turning off SIP is not a valid means for improving performance, and that disables a very significant security feature of your system. I strongly advise against turning off SIP.

That said, if we saw malware dropping files in SIP-protected locations on systems where SIP is turned off, we would scan for and detect those files. We don't see that. It's not that we're ignoring these locations because they're protected by SIP... it's that we don't see malware installing things there, because it can't on the vast majority of Mac systems.

However, if some malware were able to find a SIP bypass vulnerability and exploit that to install files in SIP-protected locations on systems where SIP is enabled, neither we nor any other antivirus vendor would be able to remove those files without guiding the user through manual intervention.

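The advice in the posts above amounts to "turn SIP back on and confirm it is on". The script below is an added example, not code from this thread, from Apple, or from Malwarebytes: it parses the text printed by csrutil status so you can verify the state after running csrutil enable from Recovery, and it shows which directories actually carry the kernel "restricted" flag that SIP enforces (ls -lO displays it). The list of SIP roots is my assumption of the commonly documented set; the parsing functions take text as input so they run on any POSIX shell, and only the final block, guarded on Darwin, calls the real tools.

```shell
#!/bin/sh
# Added example (not from the thread, not Apple's or Malwarebytes' code):
# confirm SIP is back on after `csrutil enable`, and show which paths carry
# the kernel "restricted" flag that SIP enforces. The functions take text as
# input so they can be exercised on any POSIX shell; the Darwin-only section
# at the bottom feeds them real csrutil/ls output.

# sip_state_from_status TEXT
# Parses the text printed by `csrutil status`. Exit 0 = enabled (including
# the "enabled (Custom Configuration)" form), 1 = disabled, 2 = unrecognised.
sip_state_from_status() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  return 0 ;;
        *"System Integrity Protection status: disabled"*) return 1 ;;
        *) return 2 ;;
    esac
}

# restricted_names
# Reads `ls -ldO` lines on stdin and prints the names whose flags column
# (field 5 in BSD ls -lO output, "-" when no flags are set) includes
# "restricted". Paths containing spaces are not handled; the SIP roots have none.
restricted_names() {
    awk '$5 ~ /restricted/ { print $NF }'
}

# sip_roots
# Directories SIP protects on a stock install (assumption: the commonly
# documented list). /usr/local is deliberately left writable by Apple, so it
# is not included and should not show up as restricted.
sip_roots() {
    printf '%s\n' /System /usr /bin /sbin
}

# Darwin-only driver: report SIP state and which roots are actually flagged.
if [ "$(uname)" = Darwin ]; then
    status=$(csrutil status 2>&1)
    sip_state_from_status "$status" && rc=0 || rc=$?
    case $rc in
        0) echo "SIP: enabled" ;;
        1) echo "SIP: DISABLED - boot to Recovery and run 'csrutil enable'" ;;
        *) echo "SIP: could not parse: $status" ;;
    esac
    echo "roots carrying the restricted flag:"
    sip_roots | xargs ls -ldO 2>/dev/null | restricted_names
fi
```

On a healthy Catalina install the driver prints "SIP: enabled" followed by /System, /usr, /bin and /sbin; a root missing from that list after a reboot is a sign SIP is still off or the flag has been stripped.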

My main OS is 10.13.6 High Sierra, but I occasionally run 10.14.6 from dosdude1 on my older non-Metal machines, which requires SIP to be disabled for its patches to run on unsupported Macs. As an FYI, I would encourage anyone running with SIP, disabled or not, to install Patrick Wardle's BlockBlock, which will prevent anything newly persistently installed, which it would seem will cover a great deal of potential malware.

EDIT: the link to BlockBlock above is now to v1.0.0, "Supported OS: macOS 10.15+". I have v0.9.9.4, so I am uncertain whether this new version will run on either 10.13 or 10.14. Will be testing to see. Will report back.


Nope, downloaded and tried: the new BlockBlock v1.0.0 will not run on anything below 10.15. And I'm not finding the older v0.9.9.4, except on one of the possibly dicey download sites. Hoping it might reappear at Objective-See at some point. I would think that the vast majority of Mac users are being left out, at least those that are informed that older 32-bit applications will not run on 10.15.

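For readers on 10.13 or 10.14 who cannot run the current BlockBlock, the script below is an added example, not BlockBlock's code and not from this thread: a read-only audit of the launchd persistence locations that a tool like BlockBlock watches. It lists property lists modified within the last N minutes and flags any whose executable sits in a user-writable location such as a home directory or a temp folder, which is where adware droppers that cannot touch SIP-protected areas tend to land. The directory list and the "user-writable" prefixes are my assumed heuristics; the plist parser handles XML plists only (binary ones would need plutil -convert xml1 first). The functions take explicit arguments so they can be run against a constructed directory on any POSIX system; only the final block, guarded on Darwin, walks the real locations.

```shell
#!/bin/sh
# Added example (not from the thread, not BlockBlock's code): read-only audit
# of launchd persistence directories. Lists plists modified in the last N
# minutes and flags programs living in user-writable paths.

# launchd_program PLIST
# Prints the executable a launchd plist starts: the <string> following
# <key>Program</key>, or the first <string> inside <key>ProgramArguments</key>.
# Assumes an XML plist (binary plists need `plutil -convert xml1` first).
launchd_program() {
    awk '
        /<key>Program<\/key>/ || /<key>ProgramArguments<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
    ' "$1"
}

# classify_program PATH
# "user-writable" when the executable sits somewhere an unprivileged user or a
# downloaded app can write (assumed heuristic list), "unknown" when the plist
# yielded no program, otherwise "system".
classify_program() {
    case "$1" in
        "") echo unknown ;;
        /Users/*|/tmp/*|/private/tmp/*|/var/folders/*|/private/var/folders/*) echo user-writable ;;
        *) echo system ;;
    esac
}

# audit_launchd_dir DIR [MINUTES]
# One tab-separated line per recently modified plist: verdict, plist, program.
# Anything not classified "system" is prefixed SUSPECT for easy grepping.
audit_launchd_dir() {
    dir=$1
    minutes=${2:-1440}   # default: last 24 hours
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.plist' -mmin "-$minutes" | sort |
    while IFS= read -r plist; do
        prog=$(launchd_program "$plist")
        verdict=$(classify_program "$prog")
        if [ "$verdict" != system ]; then
            verdict="SUSPECT($verdict)"
        fi
        printf '%s\t%s\t%s\n' "$verdict" "$plist" "$prog"
    done
}

# Darwin-only driver over the standard persistence directories (assumed list).
if [ "$(uname)" = Darwin ]; then
    for d in /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"; do
        audit_launchd_dir "$d" 1440
    done
fi
```

Run it right after installing or removing software and again a day later; a SUSPECT line pointing into ~/Library or /var/folders that you did not put there is exactly the kind of persistence the thread is talking about, and unlike SIP-protected paths it is something the user, or Malwarebytes, can remove directly.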
