Malware research involves running malware samples, typically in VMs. Because developer code-signing certificates are trivial to acquire in the Apple ecosystem, OS X malware samples are very often code signed. When malware is discovered, Apple can and often does revoke the associated certificate, and once the system learns of the revocation (through an OCSP response or a CRL) it refuses to launch anything signed with it. While this is a good thing for end users, it can be a hindrance for malware research.
Fortunately, it is easy enough to disable this security feature. Do it inside the analysis VM only: the same check protects everything else the machine runs, so it has no business being off on your day-to-day system.
- Disable OCSP and CRL checking in Keychain Access (Preferences > Certificates, set both OCSP and CRL to Off).
- Remove the CRL cache: sudo rm -rf /var/db/crls/
- Disable the ocspd LaunchDaemon, e.g. sudo rm /System/Library/LaunchDaemons/com.apple.ocspd.plist. If you're running 10.11 you will of course need to temporarily disable SIP (csrutil disable from the Recovery partition) before anything under /System can be modified.
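The three steps above as one script, added here as an example and not taken from the original post. The functions take a root prefix so the destructive parts can be rehearsed against a scratch directory before being pointed at "/" in the analysis VM. Two things are assumed rather than stated by the post: that the Keychain Access checkboxes are backed by the com.apple.security.revocation preference domain (keys OCSPStyle and CRLStyle, value None meaning Off), and that csrutil status on 10.11 reports SIP as "enabled".

```shell
#!/bin/sh
# Added example (not from the post): the three steps above as shell functions
# that take a root prefix, so the destructive parts can be rehearsed against a
# scratch directory before being pointed at "/" inside the analysis VM.
# Assumed, not stated in the post: the Keychain Access checkboxes are backed by
# the com.apple.security.revocation preference domain (keys OCSPStyle and
# CRLStyle, value "None" = Off), and 10.11's csrutil reports SIP as "enabled".
set -u

OCSPD_PLIST="System/Library/LaunchDaemons/com.apple.ocspd.plist"
CRL_CACHE="var/db/crls"

# Run a command as the logged-in user even when the script itself is under sudo,
# because the revocation preference is per user, not system-wide.
run_as_login_user() {
  if [ -n "${SUDO_USER:-}" ]; then sudo -u "$SUDO_USER" "$@"; else "$@"; fi
}

# Step 1: the same thing as setting OCSP and CRL to Off in Keychain Access.
disable_revocation_prefs() {
  run_as_login_user defaults write com.apple.security.revocation OCSPStyle -string None &&
  run_as_login_user defaults write com.apple.security.revocation CRLStyle -string None
}

# Step 2: drop the cached CRLs below the given root ("/" for the live system).
purge_crl_cache() {
  dir="${1%/}/$CRL_CACHE"
  [ -d "$dir" ] && rm -rf "$dir"
  [ ! -e "$dir" ]
}

# Step 3: remove the ocspd LaunchDaemon plist. On 10.11 that file sits under
# SIP, so refuse up front if csrutil says SIP is still on; 10.10 has no csrutil
# and the check is simply skipped.
disable_ocspd() {
  plist="${1%/}/$OCSPD_PLIST"
  if [ "$1" = "/" ] && command -v csrutil >/dev/null 2>&1 &&
     csrutil status 2>/dev/null | grep -q enabled; then
    echo "SIP is enabled: boot to Recovery, run 'csrutil disable', then retry" >&2
    return 1
  fi
  [ -f "$plist" ] && rm -f "$plist"
  [ ! -e "$plist" ]
}

# What is still in place below a root, e.g. "ocspd-plist=absent crl-cache=absent".
revocation_status() {
  root="${1%/}"
  if [ -e "$root/$OCSPD_PLIST" ]; then p=present; else p=absent; fi
  if [ -e "$root/$CRL_CACHE" ]; then c=present; else c=absent; fi
  echo "ocspd-plist=$p crl-cache=$c"
}

# Only touch the live system when explicitly asked, and only as root.
if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "usage: sudo $0 --apply" >&2; exit 1; }
  disable_revocation_prefs
  purge_crl_cache /
  disable_ocspd /
  revocation_status /
fi
```

Run it as sudo ./disable-revocation.sh --apply on the VM; without --apply it only defines the functions, so you can source it and call revocation_status / to see whether the cache and daemon plist are still present (or point the functions at a scratch tree first, as the check below does).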
The above works on 10.10. I’m not sure if all of the above is necessary, e.g. maybe it’s sufficient to just disable the OCSPD service. It could be that half of the above isn’t needed, but I don’t know which half, so just do all of it and you’ll be happily running malware in no time.
As an aside, it’s kind of fun to read the CRL:
Bonus: now you can run things signed with revoked code-signing certificates, but another potential hindrance is XProtect, Apple's built-in signature blacklist (very roughly the OS X counterpart of Windows Defender). Have a look at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist to see the file signatures for all the evil things. If something you want to run is on this blacklist, you will not be able to run it. Once again this is a beneficial protection layer for end users, but a potential hindrance for malware researchers. Fortunately this too is easy to circumvent: just delete the plist file and reboot. Two caveats: on 10.11 that path is under SIP as well, so the same csrutil disable applies, and Apple pushes updated XProtect.plist files in the background, so check that it has not quietly come back after a software update. Note also that XProtect is only consulted for files carrying the com.apple.quarantine attribute (i.e. things that arrived via a browser, mail client or similar), so a sample copied into the VM without that attribute, or one you have stripped with xattr -d com.apple.quarantine, never gets checked against the blacklist in the first place.
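Before deleting the whole file it is worth knowing which entry is actually stopping you. The script below is an added example, not from the original post: it pulls every Description and hex Pattern out of an XML XProtect.plist and reports the signatures whose bytes occur in a given file. It assumes the plist's Description / Matches / MatchType / Pattern layout with hex-string patterns (and no literal '|' in the file); the sample plist and target file inside it are constructed, not Apple's. XProtect itself also takes the LaunchServices content type and MatchAll/MatchAny groupings into account, which this deliberately ignores, so treat the output as candidates rather than a verdict.

```shell
#!/bin/sh
# Added example (not from the post): given an XML XProtect.plist and a file you
# are trying to run, print the signature names whose byte pattern occurs in the
# file, so you know which blacklist entry is in your way. Assumed, not stated in
# the post: the plist uses the Description / Matches / MatchType / Pattern
# layout with hex-string patterns and contains no literal '|'. XProtect itself
# also checks the LaunchServices content type and MatchAll/MatchAny groupings,
# which this ignores, so the output is a list of candidates, not a verdict.
# The sample plist and target file below are constructed.
set -u

# Emit "Description<TAB>HEXPATTERN" for every Pattern in the plist. The XML is
# flattened to one line and re-split at each <key> so that a key and the
# <string> holding its value land on the same line for awk.
xprotect_patterns() {
  tr -d '\n\t' < "$1" | sed 's/<key>/|/g' | tr '|' '\n' |
  awk '
    function value(s) {
      match(s, /<string>[^<]*<\/string>/)
      return substr(s, RSTART + 8, RLENGTH - 17)
    }
    /^Description<\/key>/ { desc = value($0) }
    /^Pattern<\/key>/     { printf "%s\t%s\n", desc, value($0) }
  '
}

# Exit 0 when hex string $1 contains hex pattern $2 starting at a byte boundary.
# A plain substring test would also match across nibbles (pattern "8656" inside
# the bytes 48 65 6c), which is not a real hit.
hex_contains() {
  printf '%s' "$1" | awk -v pat="$2" '
    {
      n = length(pat)
      for (i = 1; n > 0 && i + n - 1 <= length($0); i += 2)
        if (substr($0, i, n) == pat) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# Print the Description of every signature whose pattern occurs in file $2.
xprotect_hits() {
  hex=$(od -An -tx1 -v "$2" | tr -d ' \n')
  xprotect_patterns "$1" | while IFS="$(printf '\t')" read -r desc pat; do
    if hex_contains "$hex" "$(printf '%s' "$pat" | tr 'A-F' 'a-f')"; then
      echo "$desc"
    fi
  done
}

# Constructed sample: three made-up signatures and a target containing "Hello".
# Example.C's pattern occurs in the dump only at a nibble offset and must not
# be reported.
SAMPLE_PLIST=$(mktemp)
SAMPLE_BIN=$(mktemp)
trap 'rm -f "$SAMPLE_PLIST" "$SAMPLE_BIN"' EXIT
cat > "$SAMPLE_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>OSX.Example.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>48656C6C6F</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.Example.B</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>DEADBEEF</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key>
    <string>OSX.Example.C</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key>
        <string>Match</string>
        <key>Pattern</key>
        <string>8656</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
EOF
printf 'Hello, world\n' > "$SAMPLE_BIN"

if [ $# -eq 2 ]; then
  xprotect_hits "$1" "$2"                       # a real plist and sample
else
  xprotect_hits "$SAMPLE_PLIST" "$SAMPLE_BIN"   # prints OSX.Example.A
fi
```

Usage on the VM: ./xprotect-hits.sh /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist ./sample. If the plist on your system turns out to be binary rather than XML, convert a copy first with plutil -convert xml1 -o xprotect.xml XProtect.plist and point the script at the copy.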