[Rumour] Snow Leopard Has Hidden Antivirus Talents

By +Frank B.
in Back Page News

 Share

Recommended Posts

Grand Master

+Frank B. Subscriber²

Posted
  • Subscriber²
Posted

500x_snowav.jpg

Well, this is int-er-est-ing: Early testers have come across what looks like a new antivirus function within Snow Leopard. Or to put it another way, Macs don't need antivirus! Wait.

The new feature behaves like a cross between a traditional antivirus tool and the "Are you sure you want to open this?" warnings already present in Leopard. I doubt it's doing any real-time heuristic scanning and it's definitely not running as a visible app in the OS, but if it's checking .PKG and .DMG files for malware before you run or mount them, well, that sounds an awful lot like what your average Symantec, AVG or Kapersky product is intended to do.

The first report came from the Intego blog, (they make Mac antivirus software) and it's been corroborated by Snow Leopard testers over at the MacRumors forums. We'll try to test this one out as best we can, but it's looking like Apple may have slipped this ever-so-slightly unflattering feature into their new OS under the radar.

souricon.gif News source: Gizmodo

Does anyone else find this ironic (if true), considering what Apple's marketing department focused on in the latest 'Get a Mac' ads?

Disclaimer: This post was written on a Mac, running OS X 10.5.

Link to comment
Share on other sites
Grand Master

what

Posted
Posted

Hardly ironic. They're keeping true to their word by preventing any possible malware from reaching your computer in the first place. It's essentially a re-worded confirmation box for when you run a new program, but made more focused on preventing malware to stop people mindlessly clicking 'run' when the box pops up.

Link to comment
Share on other sites
Grand Master

Hell-In-A-Handbasket

Posted
Posted

im willing to bet money that if this is true, people will still get infected because they dont pay attention

Link to comment
Share on other sites
Grand Master

Quillz

Posted
Posted
Maybe like UAC, or if not once again Apple allowed to bundle what it pleases in to its OS.

But basic Unix password prompts are already very similar to UAC.

As stated, this isn't really anything new at all, just your typical password prompt, but reworded to call attention to any potential malware you might be installing on your system.

Link to comment
Share on other sites
Veteran

NeoTrunks

Posted
Posted

Very good move. This is a message warns the user of what they are installing. There are too many people that will give permissions to just anything these days.

Edit: Pretty much summed up by Quillz. You'd still need an account with SU privileges and would still need to type your password for something like this to work.

Link to comment
Share on other sites
Experienced

pdmcmahon

Posted
Posted
Well, this is int-er-est-ing: Early testers have come across what looks like a new antivirus function within Snow Leopard. Or to put it another way, Macs don't need antivirus! Wait.

Does anyone else find this ironic (if true), considering what Apple's marketing department focused on in the latest 'Get a Mac' ads?

Disclaimer: This post was written on a Mac, running OS X 10.5.

I am running 10A432 and I see nothing resembling AV software at all.

By the way, this build is full of WIN.

Link to comment
Share on other sites
Grand Master

.Neo

Posted
Posted

Seems to me Apple just has a build-in list with known mallware and the Finder will quickly compare it with a downloaded DMG. Similar to phishing in Safari and other browsers.

Link to comment
Share on other sites
Grand Master

giga Veteran

Posted
  • Veteran
Posted

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

Contains just the two most active trojans, the DNS changer one and the one bundled with the pirated iWork.

Screen%20shot%202009-08-25%20at%209.24.13%20PM.png

Link to comment
Share on other sites
Mentor

svnO.o

Posted
Posted
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

Contains just the two most active trojans, the DNS changer one and the one bundled with the pirated iWork.

Nice find. I don't use OSX but it's still interesting to know.

Link to comment
Share on other sites
Grand Master

Quillz

Posted
Posted
Ah so Apple can bundle antivirus software with their OS but Microsoft can't (in Europe)

Because Apple, for whatever reason, isn't considered to have a monopoly.

Also, this isn't really anti-virus software at all. It's just a reworded standard password prompt that simply uses a blacklist, similar to a phishing filter in a web browser.

Link to comment
Share on other sites
Proficient

JoeyF

Posted
Posted

I notice a lot of people are saying "It's just reworded" or "It's UAC".... Am I the only one that noticed the dialog says "It contains the OSX.RSPlug.A malware"?

It is specically saying "It contains", not "It may contain", not "There is a chance this may contain", but simply stating that it does, indeed, contain malware. If Apple just said that every thing you download specifically contains malware, that would cause all sorts of problems and backlash. It has to either be scanning or using some kind of filter/blacklist/analyzer to detect malware.

Link to comment
Share on other sites
Grand Master

Quillz

Posted
Posted
I notice a lot of people are saying "It's just reworded" or "It's UAC".... Am I the only one that noticed the dialog says "It contains the OSX.RSPlug.A malware"?

It is specically saying "It contains", not "It may contain", not "There is a chance this may contain", but simply stating that it does, indeed, contain malware. If Apple just said that every thing you download specifically contains malware, that would cause all sorts of problems and backlash. It has to either be scanning or using some kind of filter/blacklist/analyzer to detect malware.

I think it's using a blacklist, and I'd imagine it's something that can and will be updated in 10.6.x builds.

Link to comment
Share on other sites
Grand Master

Boz

Posted
Posted
Hardly ironic. They're keeping true to their word by preventing any possible malware from reaching your computer in the first place. It's essentially a re-worded confirmation box for when you run a new program, but made more focused on preventing malware to stop people mindlessly clicking 'run' when the box pops up.

So wait, when Apple embeds an antivirus checking in the OS it's awesome but when you can choose what antivirus you want to install on Windows than it's PC being hit with viruses and it's ridiculous. GOT IT!

This is the same thing as Microsoft Security Essentials only done Apple way, meaning it's "hush hush" and again closed up and embedded in the OS.

Smells like same crap to me if you ask.

Link to comment
Share on other sites
Grand Master

Vice

Posted
Posted
Ah so Apple can bundle antivirus software with their OS but Microsoft can't (in Europe)

Let's just be clear this is not Antivirus software.

  • It does not actively scan the systems Hard Disk or Memory
  • It is not a separate application
  • It does not detect Viruses or Worms

What it does do is check the contents of a mounted disk image before it opens it and checks for two very specific files.

To call this an Antivirus is a huge stretch. It isn't even comparable to Windows Defender.

Link to comment
Share on other sites
Grand Master

Boz

Posted
Posted (edited)
Let's just be clear this is not Antivirus software.

  • It does not actively scan the systems Hard Disk or Memory
  • It is not a separate application
  • It does not detect Viruses or Worms

What it does do is check the contents of a mounted disk image before it opens it and checks for two very specific files.

To call this an Antivirus is a huge stretch. It isn't even comparable to Windows Defender.

Well it is an antivirus as long as it checks the contents of the files and looks for viruses, thus the name Anti-virus. You don't have to have antivirus resident in memory in Windows either, but you apps do because they want to make sure that they prevent action even if you ran the file.

Norton AntiVirus only runs in memory on my computer to check for emails too (which will undoubtedly happen on OSX if it hasn't already). It's not differnet than AV apps on Windows checking in zip/rar archives and comparing it to the library of viruses. If anything the necessity due to Windows being highly targeted system means that the preventive measures and libraries or viruses are much wider and the heuristic methods of catching viruses have improved, something that OSX is yet to face.

Edited by Boz
Link to comment
Share on other sites
Grand Master

Vice

Posted
Posted
Well it is an antivirus as long as it checks the contents of the files. You don't have to have antivirus resident in windows in Windows either, but you apps do because they want to make sure that they prevent action even if you ran the file.

Norton AntiVirus only runs in memory on my computer to check for emails too (which will undoubtedly happen on OSX if it hasn't already). It's not differnet than AV apps on Windows checking in zip/rar archives.

It doesn't even check for or remove Viruses. Since when did an Anti-Virus no longer detect or remove Viruses?

And in-fact this doesn't remove any type of file. It does a very rudimentary check and tells the user. That is it.

Link to comment
Share on other sites
Grand Master

giga Veteran

Posted
  • Veteran
Posted

Possibly related..

http://developer.apple.com/releasenotes/Ma...MacOSX10_5.html

Quarantine

Applications that download files from the Internet or receive files from external sources (such as email attachments) can use the Quarantine feature to provide a first line of defense against malicious software such as Trojan horses. When an application receives an unknown file, it should add quarantine attributes to the file using new functions found in Launch Services. The attributes associate basic information with the file, such as its type, when it was received, and the URL from which it came. When the user tries to open a file that has quarantine attributes associated with it, Mac OS X inspects the file and automatically prevents known malicious files from being opened. For other files, the system asks the user what to do about the file, providing the user with information found in the quarantine attributes. If the user approves the opening of the file, the quarantine for that file is lifted.

If you are developing a web browser or email program, or if your software somehow deals with files from unknown sources, you should use the Quarantine feature as part of your program?s basic security procedures. Quarantine is part of the Launch Services API, which is itself part of the Core Services framework. For more information about the Quarantine API, see the LSQuarantine.h header file in that framework.

Link to comment
Share on other sites
Grand Master

Boz

Posted
Posted
It doesn't even check for or remove Viruses. Since when did an Anti-Virus no longer detect or remove Viruses?

And in-fact this doesn't remove any type of file. It does a very rudimentary check and tells the user. That is it.

Well that just makes it a bad anti-virus not a non-anti virus. The fact that it checks against the library of viruses to make sure you didn't catch is the definition of anti-virus program. That's how Windows anti-virus programs work too. They check your files and archives to make sure you don't have a known virus but also include a smarter heuristic methods that help prevent from those viruses that are unknown. Of course, if you are infected on OSX I'm not sure what you are to do. Reinstall the OS?

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.