Yesterday we reported that Mac OS X 10.6 Snow Leopard, due for release this coming Friday, contained some form of malware and/or virus protection. Since the scope of this protective measure was not yet known – nor whether it even existed at all – I thought it would be best to write another post detailing that yes, it’s real, and yes, it’s all relatively crude.
The feature works by looking at malware definitions in the /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist file. This file currently lists only the two “most common” trojans (“least uncommon” would be more accurate, I guess), but it should be trivial for Apple to update this file to combat variants of these trojans, or even new pieces of malware altogether, if the need ever arises.
The feature builds on something introduced in Mac OS X 10.4 Tiger, which scanned files downloaded with Safari and several other applications and automatically opened them if deemed safe. This new anti-malware feature, therefore, inherits some of the key limitations of said feature.
For instance, it only works with a relatively small number of applications (Safari, Firefox, iChat, Entourage, Mail, and Thunderbird); any files downloaded with any of the other ten billion million applications capable of doing so are not scanned. In addition, files which come in through CDs or USB drives are not scanned either. As you can deduce from this, it cannot scan entire drives for malware either.
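To make the two points above concrete (a definitions file that can be swapped out without code changes, and a check that only ever runs on files arriving through a quarantine-aware application), here is a small added model in Python. It is not Apple’s code, and the plist key layout (`Definitions`, `Name`, `SHA256`) is an assumption for illustration only; the post does not describe the real XProtect.plist schema.

```python
"""Model of a definition-list malware check scoped to quarantined downloads."""
import hashlib
import plistlib

# Constructed definitions file in plist form. The key layout is an assumption
# for illustration only, NOT Apple's XProtect.plist schema. The two entries
# stand in for the "two most common trojans" mentioned in the post.
DEFINITIONS_PLIST = plistlib.dumps({
    "Definitions": [
        {"Name": "Trojan.Example.A",
         "SHA256": hashlib.sha256(b"EVIL-SAMPLE-A").hexdigest()},
        {"Name": "Trojan.Example.B",
         "SHA256": hashlib.sha256(b"EVIL-SAMPLE-B").hexdigest()},
    ]
})


def load_definitions(plist_bytes: bytes) -> dict:
    """Parse the definitions plist into {sha256_hex: name}.
    Adding a variant means shipping a new plist, not new code."""
    data = plistlib.loads(plist_bytes)
    return {entry["SHA256"]: entry["Name"] for entry in data["Definitions"]}


def check_download(content: bytes, quarantined: bool, defs: dict) -> str:
    """Return 'skipped' when the file did not arrive via a quarantine-aware
    app (other downloaders, CDs, USB drives: the gap the post describes),
    otherwise the matched definition name or 'clean'."""
    if not quarantined:
        return "skipped"
    digest = hashlib.sha256(content).hexdigest()
    return defs.get(digest, "clean")


def coverage(downloads: list, defs: dict) -> dict:
    """Tally results for a list of (content, quarantined) pairs, so the share
    of files the check never even looks at is visible."""
    tally = {"skipped": 0, "clean": 0, "detected": 0}
    for content, quarantined in downloads:
        verdict = check_download(content, quarantined, defs)
        tally["detected" if verdict not in tally else verdict] += 1
    return tally


if __name__ == "__main__":
    # Constructed sample downloads: same payload via Safari and via a
    # torrent client; only the quarantined copy is ever checked.
    defs = load_definitions(DEFINITIONS_PLIST)
    print(coverage([(b"EVIL-SAMPLE-A", True), (b"EVIL-SAMPLE-A", False),
                    (b"harmless", True)], defs))
```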
This feature seems like a quick ‘n’ dirty hack, implemented to battle the two most common trojans on the Mac. Of course, at this point in time, the Mac doesn’t really require die-hard continuous protection. Still, it’s good to know Apple is taking baby steps in combating the few pieces of malware out there.
If Apple needs to keep updating that file, it seems silly to do it that way. Why not do it as a cloud-type thing, much the way that Immunet is doing?
Why would they?
It would be much better if it could monitor and scan (if needed) all inbound files but it’s better than nothing.
I would imagine that this would evolve into a real active scanner eventually. For now it’s very rudimentary.
Would it have been so hard to include a real anti-virus/anti-malware solution instead of employing this laughably simple operation?
Doesn’t the current Mac OS X Server come with ClamAV?
I’m certainly not making the claim that Macs are currently in great danger from viruses and the like, but within reason, more layers of security are a good thing.
If you purchase AppleCare you can (or could, I’m not sure) download McAfee’s Virex for free from Apple. In a sense they always encouraged installing virus protection, and so can you if you feel it’s necessary.
Windows doesn’t (yet) come with built-in virus protection, and Windows customers are very well trained to purchase a protection suite with each PC.
Not the customers of the hundreds of computers I have to fix.
…differently. When Microsoft started implementing their own anti-malware in Windows some people applauded them, others screamed like banshees that they were trying to take over the commercial space owned by those companies who derive profit from anti-malware solutions.
I sit somewhere in the middle. I’m (again, scarily, finding myself agreeing with Thom) thinking that it’s good to see them making some effort, but I don’t think it’s quite far enough. Mounted devices – even if it was prompted – and maybe something that can use existing lists so it isn’t up to Apple to keep it current, system files and processes that are “allowed” to directly interact with system components, and any applications supplied by Apple as part of the OS. But I don’t think it should be their (Apple’s) responsibility to protect everything – and there are other organisations who already do a good job of making products to do that anyway.
At the moment I use ClamXav and ClamXav Sentry and make sure all the apps I use download to a watched folder. That system seems to work well and wouldn’t be hard for Apple to bundle with the OS. For the longer term though something more integrated that can be used in conjunction with whatever options the user wants to install would seem to be the solution. Microsoft’s implementation works pretty well.
In all fairness, Msft Defender seems to play along nicely with most other Anti-* packages, but two Anti-* packages more often than not start to fight each other off. To me it’s no monopoly issue here, just a motivation to keep the competition on the edge.
This is called picking the low fruit. If Apple can stop a large portion of the Mac OS malware with a simple list and if-then statement, that is righteous.
Thank you, someone spells it out simply. A full blown scanner is not needed to solve the only two rare trojans.
Mod up! Right you are mister.
On a related note, in Leopard there is a similar dialog when you open a file you just downloaded for the first time. Rudimentary, but hey, it gives you a warning, doesn’t it?
Perhaps they need to take a helicopter view on this one?
Edited 2009-08-27 10:39 UTC
Apple makes a very rudimentary, and possibly quite simple to thwart, anti-malware/virus feature and everyone applauds.
Where have your heads gone people?
Don’t you remember the hundred-comment-long threads about how this very same idea of including anti-malware was a forced performance-killer in Windows; that Microsoft should just learn how to code better from the beginning?
Suddenly Jobs does the same thing and it’s a great idea?
I’m disappointed in everyone in this thread. The whole point of paying more for the hardware is to feel smug about running the “superior” software stack. If I wanted to have an anti-malware program running to protect myself from the low-hanging fruit I could have saved a grand (and possibly have donated that money to Thom’s strippers of world domination fund).
You’re ranting about a situation that did not occur.
Let’s think about this. Only files downloaded from the listed apps will be scanned at all. Funny, no torrent clients or P2P software are on that list. Now, one last question… where, exactly, do most people get pirated software, and hence from where are the trojans most likely to come? The only word I can think of to describe this is: duh?
Apple provide the APIs by which this is done, and third-party applications like Firefox seem to support them. Authors of torrent clients simply need to start making use of the provided APIs.
Um, right. So now it’s the responsibility of each individual app to make sure it integrates with the OS-provided file scanning? Please.
Well that’s their fault isn’t it? Other than not scanning mounted media, every user oriented base is covered. People using torrent software or P2P to download pirated applications get what they deserve, and if they are not smart enough to know how to protect themselves in the first place they shouldn’t be using either.
Why should Apple protect pirates? Why should any company? MS has to do it because unfortunately it’s not just pirates that are affected. Anything downloaded in Windows has the potential of being some form of malware, which is a situation that MS created themselves with IE5/6 and its lack of security, as well as the fact that they don’t seem to have the balls to tell 3rd-party software NOT TO REQUIRE ADMIN RIGHTS! There should be no app that requires admin rights other than something that needs to do system-wide changes. I shouldn’t need admin rights to delete an icon from my f’ing desktop.
Anyway, rant aside, I think this is a good first step and it’s something that Apple controls completely, which is probably the way they like it.
Since Apple is already verifying .dmgs using fsck when mounting them, and the Archive Utility does some checksumming on .zips before extracting, it seems trivial to implement the XProtect function in these toolchains too.
I can only imagine this is an easy update in 10.6.x if the need arises.
I was doing some stuff on Snow Leopard and it issues a message when mounting an image – it will be interesting to see how useful it is in the future and whether people start to ignore it after a while:
http://i990.photobucket.com/albums/af23/kawaiigardiner/SnowLeopardW…
Oooh! I hope Apple removes that obscure wording from future versions. Doesn’t help at all, only scares the user.
My reaction as well; it seems that it only turns on with some images but not with others. Does the checker look for a malformed image header, and then, after it detects that, check for the two common pieces of malware? That seems to be the scenario, which unfortunately will scare the crap out of people who might have downloaded an image that was legitimate.
I dunno, but didn’t the majority of the infected cases come from pirated copies of iWork and CS downloaded from torrents? Unlike Windows where infections seem to perpetrate given any opportunity on Mac it was more of a conscious user choice.
This info source (SCforum.info) looks like a very good security forum?!
http://www.SCforum.info