Mac security glossary with plain-English definitions for 25+ security terms including XProtect, Gatekeeper, FileVault, SIP, TCC, LaunchAgent, LaunchDaemon, YARA rules, zero-day vulnerabilities, rootkits, keyloggers, adware, spyware, Trojans, ransomware, phishing, code signing, notarization, sandboxing, Full Disk Access, kernel extensions, system extensions, and endpoint detection. Each term includes how CoreLock helps protect against related threats.
Security Reference
Every security term you need to know, explained in plain English. No jargon, no technical degrees required.
XProtect: Apple's built-in malware detection system that runs silently in the background. It checks apps against a list of known malware signatures when you open them for the first time. XProtect updates automatically but only catches known threats — it cannot detect brand-new or modified malware.
Gatekeeper: A macOS security feature that verifies apps are signed by identified developers and notarized by Apple before allowing them to run. If an app fails these checks, macOS blocks it from opening. Gatekeeper prevents most unsigned malware, but users can bypass it manually.
FileVault: Apple's full-disk encryption technology that encrypts the entire contents of your Mac's startup disk. When enabled, your data is unreadable without your login password, even if someone removes the drive. FileVault uses XTS-AES-128 encryption.
SIP: A macOS security technology that restricts what the root user account can do. SIP prevents processes from modifying protected system files and folders, even with administrator access. Disabling SIP significantly weakens your Mac's security.
TCC: The macOS framework that manages app permissions for sensitive resources like your camera, microphone, screen recording, contacts, and files. TCC is what creates the permission prompts you see when apps request access.
LaunchAgent: A background program that starts automatically when you log into your Mac. LaunchAgents run in the context of your user account and are stored in ~/Library/LaunchAgents. Legitimate apps use them for updates and background tasks, but malware also uses them to persist after restarts.
LaunchDaemon: Similar to a LaunchAgent but runs at system level with root privileges, regardless of which user is logged in. LaunchDaemons are stored in /Library/LaunchDaemons and start at boot time. They have higher privileges than LaunchAgents.
YARA rules: A pattern-matching language used by security researchers to identify and classify malware. YARA rules describe text or binary patterns that match known malware families. They are widely used in threat hunting and incident response.
Entropy analysis: A technique that measures the randomness of data in a file. High entropy often indicates encryption or compression — common in packed malware, ransomware payloads, and obfuscated code. Normal text files have low entropy.
Zero-day vulnerability: A software security flaw that is unknown to the vendor and has no available patch. 'Zero-day' refers to the fact that developers have had zero days to fix it. These are the most dangerous vulnerabilities because there is no defense until a patch is released.
Rootkit: Malware designed to hide deep inside your operating system, making it invisible to normal detection methods. Rootkits can intercept system calls, hide files and processes, and maintain persistent access. They are extremely difficult to remove.
Keylogger: Software that secretly records everything you type, including passwords, credit card numbers, and private messages. Keyloggers can be standalone malware or bundled with other threats. They often transmit captured data to remote servers.
Adware: Software that displays unwanted advertisements on your computer, often through pop-ups, browser redirects, or injected ads on web pages. While not always malicious, adware degrades performance and may track your browsing habits.
Spyware: Software that secretly monitors your computer activity and sends information to third parties. Spyware can capture screenshots, log keystrokes, access your webcam, and track your location. It often comes bundled with free software downloads.
Trojan: Malware disguised as legitimate software. Unlike viruses, Trojans don't replicate themselves — they rely on tricking you into installing them. Once installed, they can steal data, install additional malware, or give attackers remote access to your system.
Ransomware: Malware that encrypts your files and demands payment (usually cryptocurrency) to decrypt them. Ransomware can spread through email attachments, compromised websites, or network vulnerabilities. Even paying the ransom doesn't guarantee file recovery.
Phishing: A social engineering attack where attackers impersonate trusted entities (banks, tech companies, coworkers) to trick you into revealing sensitive information like passwords or credit card numbers. Phishing typically occurs via email, text messages, or fake websites.
Code signing: A process where developers cryptographically sign their apps using a certificate issued by Apple. Code signing verifies the developer's identity and ensures the app hasn't been tampered with after it was signed. Unsigned apps trigger Gatekeeper warnings.
Notarization: An Apple process where apps distributed outside the Mac App Store are submitted to Apple for automated security checks. Notarized apps have been scanned by Apple for malicious components. CoreLock itself is Apple Notarized.
Sandboxing: A security mechanism that isolates an app from the rest of your system. Sandboxed apps can only access specific files and resources they've been granted permission to use. All Mac App Store apps are sandboxed, but apps downloaded from the web may not be.
Full Disk Access: A macOS permission that grants an app access to all files on your disk, including Mail, Messages, Safari data, and Time Machine backups. This is one of the most powerful permissions an app can have. Only grant it to apps you fully trust.
Accessibility: A macOS permission that allows an app to control your computer, observe input, and interact with other apps. Originally designed for assistive technology, it's now used by password managers, automation tools, and, unfortunately, some malware.
Kernel extension (kext): A loadable module that extends the macOS kernel's functionality. Kernel extensions run with the highest privileges and can access any part of the system. Apple has been deprecating kexts in favor of safer System Extensions since macOS Catalina.
System extension: Apple's modern replacement for kernel extensions. System extensions run in user space (not the kernel) with limited privileges, making them safer. They're used for network filtering, endpoint security, and driver functionality.
Endpoint detection (EDR): A category of security tools that continuously monitor endpoints (computers, phones) for suspicious activity. EDR solutions collect system data, detect threats, and provide response capabilities. CoreLock is a consumer-friendly EDR for Mac.
CoreLock scans for every threat in this glossary — and explains what it finds in plain English.