Google releases enterprise anti-malware tool for Macs

Google has offered an early Christmas present to enterprises running Mac OS X computers, bringing its internal "Santa" anti-malware tool to the open market.

The software allows enterprises to monitor and lockdown devices in their fleet by "keeping track of binaries that are naughty and nice", Google said.

It consists of a "kernel extension (KEXT) that monitors for executions, a userland daemon that makes execution decisions based on the contents of a SQLite database, a GUI agent that notifies the user in case of a block decision and a command-line utility for managing the system and synchronising the database with a server", Google wrote on its Github page.

Google released the open-source tool, authored by one of the company's sysadmins, Russell Hancox, last week. Initially developed for use on Google's fleet of 40,000 Macs, it is now being offered to the general public for free.

The tool is designed to run in two primary modes: monitor and lockdown.

In monitor mode, all binaries except those marked as blacklisted are allowed to run, while in lockdown mode, only whitelisted binaries can be executed.

The software offers features including the ability to blacklist or whitelist files based on signing certificate, as well as an event logging tool that stores all executions processed by the userland agent.

"Santa" is an early version of the software, and is not an official Google product. The search giant warned it was still writing more tests, fixing bugs and finishing a security audit of the tool.

The Google Mac team suggested limiting its use to testing while the team irons out issues including the tool's inability to ensure only valid clients connect to the kernel extension.