[Rumour] Snow Leopard Has Hidden Antivirus Talents

By +Frank B.
in Back Page News

 Share

Recommended Posts

Grand Master

+Frank B. Subscriber²

Posted
  • Subscriber²
Posted

500x_snowav.jpg

Well, this is int-er-est-ing: Early testers have come across what looks like a new antivirus function within Snow Leopard. Or to put it another way, Macs don't need antivirus! Wait.

The new feature behaves like a cross between a traditional antivirus tool and the "Are you sure you want to open this?" warnings already present in Leopard. I doubt it's doing any real-time heuristic scanning and it's definitely not running as a visible app in the OS, but if it's checking .PKG and .DMG files for malware before you run or mount them, well, that sounds an awful lot like what your average Symantec, AVG or Kapersky product is intended to do.

The first report came from the Intego blog, (they make Mac antivirus software) and it's been corroborated by Snow Leopard testers over at the MacRumors forums. We'll try to test this one out as best we can, but it's looking like Apple may have slipped this ever-so-slightly unflattering feature into their new OS under the radar.

souricon.gif News source: Gizmodo

Does anyone else find this ironic (if true), considering what Apple's marketing department focused on in the latest 'Get a Mac' ads?

Disclaimer: This post was written on a Mac, running OS X 10.5.

Grand Master

what

Posted
Posted

Hardly ironic. They're keeping true to their word by preventing any possible malware from reaching your computer in the first place. It's essentially a re-worded confirmation box for when you run a new program, but made more focused on preventing malware to stop people mindlessly clicking 'run' when the box pops up.

Grand Master

Quillz

Posted
Posted
Maybe like UAC, or if not once again Apple allowed to bundle what it pleases in to its OS.

But basic Unix password prompts are already very similar to UAC.

As stated, this isn't really anything new at all, just your typical password prompt, but reworded to call attention to any potential malware you might be installing on your system.

Veteran

NeoTrunks

Posted
Posted

Very good move. This is a message warns the user of what they are installing. There are too many people that will give permissions to just anything these days.

Edit: Pretty much summed up by Quillz. You'd still need an account with SU privileges and would still need to type your password for something like this to work.

Experienced

pdmcmahon

Posted
Posted
Well, this is int-er-est-ing: Early testers have come across what looks like a new antivirus function within Snow Leopard. Or to put it another way, Macs don't need antivirus! Wait.

Does anyone else find this ironic (if true), considering what Apple's marketing department focused on in the latest 'Get a Mac' ads?

Disclaimer: This post was written on a Mac, running OS X 10.5.

I am running 10A432 and I see nothing resembling AV software at all.

By the way, this build is full of WIN.

Mentor

svnO.o

Posted
Posted
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

Contains just the two most active trojans, the DNS changer one and the one bundled with the pirated iWork.

Nice find. I don't use OSX but it's still interesting to know.

Grand Master

Quillz

Posted
Posted
Ah so Apple can bundle antivirus software with their OS but Microsoft can't (in Europe)

Because Apple, for whatever reason, isn't considered to have a monopoly.

Also, this isn't really anti-virus software at all. It's just a reworded standard password prompt that simply uses a blacklist, similar to a phishing filter in a web browser.

Proficient

JoeyF

Posted
Posted

I notice a lot of people are saying "It's just reworded" or "It's UAC".... Am I the only one that noticed the dialog says "It contains the OSX.RSPlug.A malware"?

It is specically saying "It contains", not "It may contain", not "There is a chance this may contain", but simply stating that it does, indeed, contain malware. If Apple just said that every thing you download specifically contains malware, that would cause all sorts of problems and backlash. It has to either be scanning or using some kind of filter/blacklist/analyzer to detect malware.

Grand Master

Quillz

Posted
Posted
I notice a lot of people are saying "It's just reworded" or "It's UAC".... Am I the only one that noticed the dialog says "It contains the OSX.RSPlug.A malware"?

It is specically saying "It contains", not "It may contain", not "There is a chance this may contain", but simply stating that it does, indeed, contain malware. If Apple just said that every thing you download specifically contains malware, that would cause all sorts of problems and backlash. It has to either be scanning or using some kind of filter/blacklist/analyzer to detect malware.

I think it's using a blacklist, and I'd imagine it's something that can and will be updated in 10.6.x builds.

Grand Master

Boz

Posted
Posted
Hardly ironic. They're keeping true to their word by preventing any possible malware from reaching your computer in the first place. It's essentially a re-worded confirmation box for when you run a new program, but made more focused on preventing malware to stop people mindlessly clicking 'run' when the box pops up.

So wait, when Apple embeds an antivirus checking in the OS it's awesome but when you can choose what antivirus you want to install on Windows than it's PC being hit with viruses and it's ridiculous. GOT IT!

This is the same thing as Microsoft Security Essentials only done Apple way, meaning it's "hush hush" and again closed up and embedded in the OS.

Smells like same crap to me if you ask.

Grand Master

Vice

Posted
Posted
Ah so Apple can bundle antivirus software with their OS but Microsoft can't (in Europe)

Let's just be clear this is not Antivirus software.

  • It does not actively scan the systems Hard Disk or Memory
  • It is not a separate application
  • It does not detect Viruses or Worms

What it does do is check the contents of a mounted disk image before it opens it and checks for two very specific files.

To call this an Antivirus is a huge stretch. It isn't even comparable to Windows Defender.

Grand Master

Boz

Posted
Posted (edited)
Let's just be clear this is not Antivirus software.

  • It does not actively scan the systems Hard Disk or Memory
  • It is not a separate application
  • It does not detect Viruses or Worms

What it does do is check the contents of a mounted disk image before it opens it and checks for two very specific files.

To call this an Antivirus is a huge stretch. It isn't even comparable to Windows Defender.

Well it is an antivirus as long as it checks the contents of the files and looks for viruses, thus the name Anti-virus. You don't have to have antivirus resident in memory in Windows either, but you apps do because they want to make sure that they prevent action even if you ran the file.

Norton AntiVirus only runs in memory on my computer to check for emails too (which will undoubtedly happen on OSX if it hasn't already). It's not differnet than AV apps on Windows checking in zip/rar archives and comparing it to the library of viruses. If anything the necessity due to Windows being highly targeted system means that the preventive measures and libraries or viruses are much wider and the heuristic methods of catching viruses have improved, something that OSX is yet to face.

Edited by Boz
Grand Master

Vice

Posted
Posted
Well it is an antivirus as long as it checks the contents of the files. You don't have to have antivirus resident in windows in Windows either, but you apps do because they want to make sure that they prevent action even if you ran the file.

Norton AntiVirus only runs in memory on my computer to check for emails too (which will undoubtedly happen on OSX if it hasn't already). It's not differnet than AV apps on Windows checking in zip/rar archives.

It doesn't even check for or remove Viruses. Since when did an Anti-Virus no longer detect or remove Viruses?

And in-fact this doesn't remove any type of file. It does a very rudimentary check and tells the user. That is it.

Grand Master

giga Veteran

Posted
  • Veteran
Posted

Possibly related..

http://developer.apple.com/releasenotes/Ma...MacOSX10_5.html

Quarantine

Applications that download files from the Internet or receive files from external sources (such as email attachments) can use the Quarantine feature to provide a first line of defense against malicious software such as Trojan horses. When an application receives an unknown file, it should add quarantine attributes to the file using new functions found in Launch Services. The attributes associate basic information with the file, such as its type, when it was received, and the URL from which it came. When the user tries to open a file that has quarantine attributes associated with it, Mac OS X inspects the file and automatically prevents known malicious files from being opened. For other files, the system asks the user what to do about the file, providing the user with information found in the quarantine attributes. If the user approves the opening of the file, the quarantine for that file is lifted.

If you are developing a web browser or email program, or if your software somehow deals with files from unknown sources, you should use the Quarantine feature as part of your program?s basic security procedures. Quarantine is part of the Launch Services API, which is itself part of the Core Services framework. For more information about the Quarantine API, see the LSQuarantine.h header file in that framework.

Grand Master

Boz

Posted
Posted
It doesn't even check for or remove Viruses. Since when did an Anti-Virus no longer detect or remove Viruses?

And in-fact this doesn't remove any type of file. It does a very rudimentary check and tells the user. That is it.

Well that just makes it a bad anti-virus not a non-anti virus. The fact that it checks against the library of viruses to make sure you didn't catch is the definition of anti-virus program. That's how Windows anti-virus programs work too. They check your files and archives to make sure you don't have a known virus but also include a smarter heuristic methods that help prevent from those viruses that are unknown. Of course, if you are infected on OSX I'm not sure what you are to do. Reinstall the OS?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Why Delta Chat is the best decentralized messenger you have probably never tried

      By Nas · Posted

      Oh, I did. And it's even worse than I was hoping! Besides a lot of techno-babble jargon (yes I understand 100% of it but it's still all just techno-babble) there's 2 key points that make me super-weary about even considering testing this out. -- By default, after installation, a relay is automatically set up, so you do not need to care about that. * Non-chatmail apps use email servers as a long-term message archive while chatmail clients use email servers for ephemeral instant message relay. * Supporting the full variety of classic email setups would require considerable development and maintenance efforts, and complicate making chatmail-based messaging more resilient, reliable and fast. -- Basically, the end-user device is the 'server' (relay) so there is NO ARCHIVING whatsoever because every message is necessarily ephemeral. Great for techno-paranoia (and for illicit activities preferring no tracks to cover) but terrible for everybody else. It's also ironically contradictory to engineering principles of redundancies besides the transport layers due to the explicit absence of any persistent storage. Instead of 'classic email address' retaining multi-GB messaging archives on its server, now every device must retain 100% of those storage demands. (Email messages were originally meant to be short correspondences, not the multi-MB attachments boondoggle that now exists with unlimited spam engines flooding every potential recipient.) Any device swap or reset (or loss) makes the entire message history go bye-bye forever... lest there's an off-device auto-archival "relay" mechanism that's really a separate server that holds onto all transported messages (an email server) that utilizes 'chatmail email address' identities (like an email server) and its own persistent storage archive (like an email server). But... this solution is hoping to exist alongside real-world email address identities (based on the email server relay pathway) but simply render messages in chat thread format in an ephemeral manner (with contents being encrypted, and messages auto-expiring) ... In the end, it's a chat app/experience for the Web3/P2P-at-all-costs zealots. (I have accts on all sorts of federated web3 services so I understand the technical and non-technical alike.) For any practical users, however, it's just another service to download/install, register, cross-share id cards/qr codes, but know that there's no history/archive whatsoever (by design) so no account/message recovery whatsoever... update the device, install a bummed update patch, or dare upgrade your device... all history, poof, gone. Ya gotta start everything over again like they're a brand new person.
    • You've tried DuckDuckGo and Brave Search, now get serious with SearXNG

      By zikalify · Posted

      You've tried DuckDuckGo and Brave Search, now get serious with SearXNG by Paul Hill Over the last decade, it has become quite trendy to dump Google Search in favor of privacy-preserving alternatives such as DuckDuckGo, Startpage, and Brave Search. These search engines have done a very good job at highlighting dodgy practices by Google, such as adjusting search results based on what it thinks you’ll like (filter bubble) and stalking you around the web to advertise to you. While these search engines are good starting points when compared to non-private services like Google, there are still quite a few issues with them. For example, both DuckDuckGo and Brave Search require running non-free JavaScript in your web browser, which is comparable to running proprietary software on your computer, meaning you can be sure about what it’s actually doing in the background. Another issue is that these search engines are hosted on the respective companies’ servers, and you are using a service that you don’t control. Finally, DuckDuckGo, while offering privacy features, relies heavily on Microsoft’s infrastructure for its results and, in the past, has permitted Microsoft tracking scripts. If you are looking for a more private search solution than DuckDuckGo, Brave Search, and Startpage, then I recommend taking a look at SearXNG. It is a privacy-respecting metasearch engine that can be used via different public instances, which is useful for mobile users, or you can install it on your computer or server and run it locally with maximum control. Unlike Google, Bing, or Brave Search, which crawl the web and have their own search indexes, SearXNG is a metasearch engine, meaning it taps other search engines, stripping your identifying data, such as IP address, user agent, and cookies, in the process. Your search query is sent to the other search engines you enable before aggregating the results. SearXNG has deployment flexibility. If you are a casual user or a mobile user and don’t want to run SearXNG locally, you can use a public instance that is hosted by someone else. The main problem with this is that you are putting trust in the maintainer of the instance regarding stuff like logs that they may keep; good hosts should have a privacy policy explaining their policies. If you are trying to use SearXNG, you can also install the software on your device and then head to 127.0.0.1:8080 in your browser and search from there. While you don’t have to worry about a third-party admin like the public instances, search engines could ultimately block your IP address if they frown on you pulling in their search results locally. If you want to run it locally, it’s a good idea to use proxies or VPNs to hide your actual IP. You don’t have to worry about this with a public instance, as search engines never see your IP address. The main privacy benefit of using SearXNG is that it isolates your identity from the underlying engines that it’s capable of searching, such as Google and Bing. These search engines will only see requests coming from a generic server, so they can’t profile you and create a bubble filter that influences what results you see. This also ensures that your search engine doesn’t turn into an echo chamber that prevents you from reading alternative points of view. As a free software project, you are allowed to inspect SearXNG to make sure there are no negative features bundled inside. This sets it apart from the privacy search engines mentioned earlier because you can’t check their source code. As a meta search engine, you are not restricted to getting results from one source. Due to the fact that it scrapes content from other websites, your SearXNG instance will periodically get blocked from different providers, so it’s good to select a range of sources as a backup. While enabling all of the services will give you great results, this can make searching slower. I am personally happy with slower searches for the best results, but you can always check which providers are slowing down your search from the search results page and disable them to speed things up. If you want decent results quickly, enable the main search providers such as Google, Brave, DuckDuckGo, Qwant, Bing, and Yahoo. This way, you get wide coverage without the latency. On the Engines tab in Preferences, do note that there are different tabs, such as General, Images, and Videos, with their own providers that can be toggled and are not covered by "Enable all" while on the General tab, so be sure to dig into each. Just a note, if you want to enable everything, press "Enable all" in one tab, then hit save at the bottom of the page, then do the next tab, and so on. If you press "Enable all", then do that in each tab, and then save, nothing will stick. When I had just some of the search engines enabled, I searched “define nefarious” and results came back with the definition of “define” - obviously that was a sucky result. However, when I had everything enabled, it found dictionary pages for the word “nefarious” and even had an inline definition on the sidebar, which is quite nice too - that was delivered by WolframAlpha for anyone wondering! Probably the worst thing about this meta search engine is that the engines you select are saved with a cookie, so you must enable them on every new device you use SearXNG on, including if you decide to go into incognito mode with your web browser. Honestly, I would say this is the most annoying aspect, and perhaps if your browser lets you choose a separate private browsing search engine, then it would be best to use DuckDuckGo for this portion of your browsing. Another weakness of SearXNG is the random blocking of it by search providers. When you are on the results page, expand the “Response time” box, and it will show things like “Suspended: too many requests” or “access denied”. This is why it is good to enable several providers so that there is always a fallback to get results from. I won’t pretend SearXNG will be for everyone, however, if you enable all of the providers and put up with the slower response time, the results can be really amazing. Even if you don’t want to use it as your daily driver, keeping a bookmark handy that links to it is a good idea if you ever feel like doing a deep dive into a niche topic where other search engines are just failing to bring up any good result, due to the amount of sources it looks on. If you’re interested in radical user control over the software you use, installing SearXNG locally can also be a good idea, but be prepared to be temporarily blocked from sites if you trigger bot sensors without a VPN. Personally, I’ve opted to use a public instance, rather than install it myself. If you want to use it via a public instance, head over to searx.space to find a provider. Let us know in the comments if you have used SearXNG or its predecessor, Searx. What do you think about the quality of the results?
    • Windows 11 is getting redesigned taskbar settings in new build

      By Captain_Eric · Posted

      Dear Neowin, If it is not too much trouble, can you start using the new-ish designations for Insider Preview? "Experimental" is different than "former Dev" as it can apply to different models, eg 26H1 or 26H2 etc, right? No need to seed confusion IMHO. And, please "finally" update your graphics. OK?
    • Why Delta Chat is the best decentralized messenger you have probably never tried

      By zikalify · Posted

      Did you see their FAQ, its quite good. Have a look in the Advanced section. https://delta.chat/en/help
    • Apple MacBook Neo is a blessing for Windows users, here's why

      By Pandadriver · Posted

      Just install Linux Mint that is a real blessing and many times cheaper because you can continue using your old Windows computer/laptop with the latest Linux updates.

  • Recent Achievements

    • Week One Done
      Woland13 earned a badge
      Week One Done
    • One Month Later
      Woland13 earned a badge
      One Month Later
    • One Year In
      bernmeister earned a badge
      One Year In
    • Week One Done
      Scoobystu earned a badge
      Week One Done
    • Week One Done
      tuben earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      502
    2. 2
      +Edouard
      226
    3. 3
      PsYcHoKiLLa
      158
    4. 4
      Steven P.
      75
    5. 5
      FloatingFatMan
      71
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!