Skip to content
TopicTracker
From HackerNewsView original
TranslationTranslation

EDR Freeze on macOS

The article discusses a technique called "EDR Freeze" that targets macOS systems, allowing attackers to suspend or freeze Endpoint Detection and Response (EDR) security tools, thereby bypassing security monitoring and evading detection.

Background

- EDR (Endpoint Detection and Response) is security software that monitors computers for threats like malware; it's the modern successor to traditional antivirus. - "EDR Freeze" refers to a technique that temporarily suspends an EDR's ability to monitor the system, making the computer blind to malicious activity. On macOS, this is done by exploiting legitimate system tools (like `kill` or `launchctl`) or abusing authorisation frameworks (ESF, Endpoint Security Framework). - Attackers use this to bypass Apple's security layers (SIP, TCC, notarisation) and to evade detection by enterprise security suites commonly deployed on corporate Macs. - The blog details a proof-of-concept tool that automates EDR disabling on macOS, and discusses how Apple's slow evolution of its security APIs leaves gaps that defenders must monitor manually.

Related stories

  • The article criticizes the declining quality of macOS app icon design, arguing that Apple's push toward uniform squircle shapes and simplified aesthetics has made modern icons look worse than older, more distinctive designs. It notes that even third-party developers are constrained by Apple's rules, while a few apps like BBEdit and Fantastical still maintain strong icon identities.