Enhancing macOS security with behavior monitoring
June 11, 2025
As attackers grow more sophisticated, detection strategies have to keep pace. Static, signature-based malware detection remains useful, but it is not sufficient on its own: a sample that has never been seen, or whose payload is obfuscated, has no signature to match. Combined with dynamic detection such as behavior monitoring, an environment is far better equipped to block new and evolving threats.
Behavior monitoring observes how software behaves in real time, detecting and analyzing potential threats based on the actions of the applications, daemons, and files on the system rather than on what their binaries look like on disk. It is a cornerstone of Microsoft Defender’s cloud-based protection strategy: many of Defender’s most advanced protection capabilities rely on behavior monitoring’s cloud models not only to detect but also to respond to complex and evolving threats.
Today, we’re excited to announce that behavior monitoring is now generally available on macOS and is rolling out broadly over the next few weeks. As on Windows and Linux, behavior monitoring for macOS extends Defender for Endpoint’s protection beyond static signatures to track the relationships between processes. This significantly improves early detection of suspicious or malicious activity by spotting unusual process interactions and patterns.
What does this mean for customers?
By extending this technology to macOS, customers get a consistent level of protection across all of their devices. Behavior monitoring also introduces a rich new stream of process and file system telemetry that lays the groundwork for new protections against threats targeting macOS users. In the future, it will be possible to build custom logic on the process and file system events that behavior monitoring supports, giving you a more dynamic and tailored way to secure your endpoints.
Real-world example of behavior monitoring
To see why this matters, consider the Atomic macOS Stealer (AMOS), a macOS information stealer engineered to harvest sensitive data from infected systems. It targets a broad spectrum of data, including Keychain passwords, system information, files from the Desktop and Documents folders, the macOS user password, browser data (such as cookies and saved login credentials), and cryptocurrency wallets. To evade detection, AMOS obfuscates its payloads (for example with XOR encoding), which makes them hard to identify through static analysis alone. Detecting it reliably therefore requires dynamic analysis and behavior-based detection rather than signatures alone.
Behavior monitoring alerts are displayed in the Microsoft Defender XDR portal alongside all other alerts, enabling effective investigation.
The following image in the Microsoft Defender XDR portal shows that Defender detected and terminated a suspicious action using behavior monitoring on macOS.
The following image is an alert in the Microsoft Defender XDR portal that shows that a suspicious action was blocked using behavior monitoring technology.
To use behavior monitoring and blocking in Defender for Endpoint on Mac, devices need Microsoft Defender for Endpoint version 101.25032.0006 or later.
Availability
Our macOS behavior monitoring and blocking capabilities are available on the following major macOS versions currently supported by Microsoft Defender for Endpoint:
- macOS Ventura (13)
- macOS Sonoma (14)
- macOS Sequoia (15)
Behavior monitoring is being rolled out automatically following our safe deployment practices (SDP) on the schedule below.

| Channel | Starting Date | App Version |
|---|---|---|
| External | 3/31/2025 | > 101.25042.0002 |
| Production | 5/19/2025 | > 101.25032.0006 |
Once fully deployed, behavior monitoring will be enabled by default on all devices. You can confirm whether a device has it enabled by checking the output of mdatp health --details features in a terminal.
If your device has not yet been enabled automatically, you can enable it manually.
Enabling Behavior Monitoring
For customers that need to change behavior monitoring settings, use Intune or a third-party MDM for enterprise deployments, or, for a trial deployment, set it locally with sudo mdatp config behavior-monitoring --value enabled (use --value disabled to turn it off). Support for behavior monitoring in Defender for Endpoint’s security settings management experience is expected this summer.
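The two checks above (is the Defender version new enough, and does the health output already report behavior monitoring as enabled) are easy to script for a fleet trial. The following is an added example written for this article, not Microsoft's own tooling. It assumes that mdatp health --details features prints one key : value line per feature, with string values in double quotes and the key named behavior_monitoring, and that mdatp health --field app_version prints the client version; the health output embedded in the script is constructed for the example, not captured from a real device. When mdatp is not installed the script only evaluates the constructed sample and never calls sudo.

```shell
#!/bin/sh
# Added example (not Microsoft's code): decide whether a Mac needs behavior
# monitoring enabled locally, and enable it if so.
#
# Assumptions: `mdatp health --details features` prints `key : value` lines
# with string values in double quotes, and the key is `behavior_monitoring`.
# The sample output below is CONSTRUCTED for this example.

MIN_VERSION="101.25032.0006"   # minimum version named in the announcement

SAMPLE_HEALTH_DISABLED='real_time_protection_enabled              : true
behavior_monitoring                        : "disabled"
behavior_monitoring_configuration_source   : "local"
network_protection_status                  : "stopped"'

SAMPLE_HEALTH_ENABLED='behavior_monitoring                        : "enabled"
behavior_monitoring_configuration_source   : "mdm"'

SAMPLE_VERSION="101.25042.0002"

# Print the value of the behavior_monitoring key from health output passed as $1.
# The anchored match skips longer keys such as behavior_monitoring_configuration_source.
bm_state() {
  printf '%s\n' "$1" | awk -F: '
    $1 ~ /^behavior_monitoring[[:space:]]*$/ { gsub(/[ "]/, "", $2); print $2; exit }'
}

# Return 0 when dotted version $1 >= $2, comparing each component numerically
# (101.25032.0006 is read as 101 / 25032 / 6, so "0006" does not sort as text).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# Given a version string and health output, print one of
# "too-old", "already-enabled" or "enable".
decide() {
  ver=$1; health=$2
  if ! version_ge "$ver" "$MIN_VERSION"; then
    echo too-old
  elif [ "$(bm_state "$health")" = "enabled" ]; then
    echo already-enabled
  else
    echo enable
  fi
}

main() {
  if command -v mdatp >/dev/null 2>&1; then
    ver=$(mdatp health --field app_version | tr -d '"')
    health=$(mdatp health --details features)
    live=1
  else
    echo "mdatp not installed; evaluating the constructed sample instead" >&2
    ver=$SAMPLE_VERSION; health=$SAMPLE_HEALTH_DISABLED; live=0
  fi
  action=$(decide "$ver" "$health")
  echo "app_version=$ver behavior_monitoring=$(bm_state "$health") action=$action"
  if [ "$action" = "enable" ] && [ "$live" = 1 ]; then
    # Local override for a trial only; in production push the setting via MDM,
    # otherwise a later MDM profile will silently win over this change.
    sudo mdatp config behavior-monitoring --value enabled
  fi
}

main "$@"
```

Run it as sh check-bm.sh on a managed Mac; the one-line summary is easy to collect from a fleet before deciding whether an MDM profile is needed. The version comparison is deliberately numeric per component because a plain string comparison would misorder builds such as 101.25042.0002 and 101.25032.0006 once the leading zeros differ.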
Additional resources for securing macOS with behavior monitoring
The following resources can help you optimize your macOS security and behavior monitoring settings:
- Refer to the following article for more details about configurations related to behavior monitoring.
- Monitor the What’s new in Microsoft Defender for Endpoint on Mac page for upcoming announcements.
- Read this blog to learn more about how behavior monitoring works on Linux.
We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft Defender XDR portal.
Learn more
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.