As a malware analyst or security researcher, having a powerful and dynamic analysis utility is vital to being able to effectively and efficiently identify malware. FortiAppMonitor is a freeware utility developed and released by Fortinet designed to monitor the behaviors of programs on macOS. It enables users to understand malware capabilities and quickly analyze the malicious behaviors of malware targeting macOS. Its capabilities include the following features:
1. Monitors process execution with command line arguments and process exit.
2. Monitors all common file system events, including file open, read, write, delete, and rename operations.
3. Monitors network activities, including UDP, TCP, DNS query and response, and ICMP for both IPv4 and IPv6 protocols.
4. Monitors .dylib loading events.
5. Monitors KEXT loading and unloading events.
It also provides a fine-grained filter so that users can set a filter for those event types they are interested in, as well as a powerful search functionality so users can quickly search through records based on the keywords. Users can also save all records into a JSON format file. In addition, all these FortiAppMonitor features are all accessed through an easy-to-navigate GUI design. Users can also copy one specific record on a GUI screen to the clipboard using the shortcut key “Command+C”.
This utility was initially demonstrated by FortiGuard Labs researcher Kai Lu at the Black Hat USA 2018 Arsenal entitled, “Learn How to Build Your Own Utility to Monitor Malicious Behaviors of Malware on macOS”. In this presentation, Kai presented this advanced solution for monitoring the malicious behaviors of malware in the macOS kernel. He also walked attendees through all the key technical details for the implementation of this utility. For users interested in a quick tutorial, you can download his presentation slides here.
Users are welcome to send feedback or submit bugs to firstname.lastname@example.org.
Supported OS Versions
macOS 10.11 (OS X El Capitan)
macOS 10.12 (macOS Sierra)
macOS 10.13 (macOS High Sierra)
macOS 10.14 (macOS Mojave, Beta)
Latest Version: FortiAppMonitor.app 1.0.0
Release Date: August 15, 2018
File Size: 52.1 MB
Download our latest Global Threat Landscape Report.
Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.