Apple sneaks malware protection into Snow Leopard

Coverage goes only so far

Apple is dipping yet another toe into the anti-malware pond with a feature in the latest beta version of its forthcoming Snow Leopard operating system.

The protection was quietly added earlier this month to Snow Leopard 10A432, the most recent build of the new version of Mac OS X that is due for release this Friday, according to someone who has tested the feature and asked not to be identified because pre-release versions of Snow Leopard come with non-disclosure clauses. A separate Snow Leopard tester said the functionality is included in 10A421a, an even earlier build.

The feature causes users who try to install applications known to be malicious to receive a pop-up window warning that the file will damage the computer and should be moved to the Trash.

At the moment, though, the feature offers fairly limited protection. Based on an analysis of a corresponding preferences file called XProtect.plist, it appears that the feature checks for only two known Mac trojans. And it only flags those files if they were downloaded from the internet using Entourage, iChat, Safari, and a handful of other applications, according to this person. Files that were downloaded using Skype and dozens of other net-facing applications aren't covered, nor are files on DVDs and thumb drives.

The revelations come as Apple has issued a fresh round of commercials that portray the Mac as a haven free of malware threats. "I want [a computer] that just works without thousands of viruses and a ton of headaches," a prospective customer complains in this spot. An Apple spokeswoman didn't return a phone call seeking comment.

The protection appears to build off one added to the Tiger version of Mac OS X that automatically opens some files after downloading. That feature scans files downloaded with Safari and several other applications and automatically opens them if they are deemed safe. The safety checks in this feature are much more limited than those used in full-fledged anti-virus software, said Dino Dai Zovi, co-author of The Mac Hacker's Handbook.

So it's not surprising to find this latest addition lacking in many respects as well. According to the person who has seen the latest beta, it checks only for the RSPlug and iServices trojans. While those are two of the most active threats confronting Mac users, the number of malware programs actively targeting the OS is most likely measured in the hundreds, security experts said.

And as we said, users who try to install one of those two trojans will receive a warning only if the file was downloaded from the internet with a small number of applications, which in addition to Entourage, iChat, and Safari, also includes Mail, Firefox, and Thunderbird, according to the person who's seen the feature. The protection also appears to be lacking any means to scan an entire hard drive for malicious files.

But it wouldn't be difficult to beef up the offering. Updating the XProtect.plist file could be easily done the next time Apple issues an update. It's unclear how easy it would be to make other applications work with the feature. Dai Zovi speculates they use an application programming interface supplied by Apple engineers.

It still remains to be seen what Apple's intentions are. To offer more comprehensive protection, the company would have to update the definitions a couple of times a week to stay abreast of variations that are regularly pumped into the ecosystem. It's questionable whether Mac aficionados would have the patience to download updates that often.

"This is something that's not in the Mac users' culture," said Dai Zovi, who has not yet tested Snow Leopard. "What would be awesome is if the user could plug in their own anti-virus like Clam for a minimally obtrusive anti-virus thing."

Intego, which provides anti-virus software for the Mac, offers a bare bones write up of the new feature here. ®

This story was updated to include the observations of a separate Snow Leopard tester.

A screenshot of the Snow Leopard malware warning
