Tuesday, August 25, 2009

Breaking News: Mac OS X Snow Leopard Built-in Antivirus?

I just noticed a very intriguing post on Intego's Mac Security Blog claiming that Apple's upcoming operating system, Mac OS X v10.6 "Snow Leopard," will have built-in antivirus functionality. The following screenshot is alleged to show a system warning after downloading malware via Safari:


Intego's blog post is sparse on details, but one thing that they haven't explored is which antivirus engine Apple might be using behind the scenes. The only clue seems to be the name of the malware in the screenshot.

The name "OSX.RSPlug.A"—one of many names of a particular type of Mac-infecting malware—is used by Intego[1] and Symantec[2], while Sophos and McAfee use different names (OSX/RSPlug-A[3] and OSX/Puper.a[4], respectively).

ClamAV seems like a logical engine for Apple to choose since it's freely available and has been part of Mac OS X Server for years, but ClamAV doesn't appear have a virus definition called OSX.RSPlug.A; it apparently only detects it as "OSX.RSPlug"[5].

Since Intego obviously didn't know about this until today, it's clear that Apple didn't license the technology from Intego. The only other company that appears to use the same malware name is Symantec. Could it be that Apple licensed Symantec's virus scanning engine? Or could Apple have developed its own custom AV engine?

Regardless of whose engine is being used, it's exciting that Apple may be including anti-virus functionality in its next-gen consumer OS (if you believe the "reports" that Intego claims to have seen).

UPDATE: Ryan Naraine from Kaspersky Lab and Threatpost says in his ZDNet column that he has "confirmed that Apple is not using the open-source ClamAV engine to handle these scans so it's likely the company has entered into an agreement with a commercial anti-virus company." This supports my theory that Apple may have licensed the technology from Symantec, maker of Norton AntiVirus. The latest I've heard through the grapevine is that Apple is indeed using a Symantec API.

UPDATE 2: The Register cites an anonymous source who claims that rather than including a full-fledged virus scanner, Apple is only checking for two specific types of malware: "Based on an analysis of a corresponding preferences file called XProtect.plist, it appears that the feature checks for only two known Mac trojans. And it only flags those files if they were downloaded from the internet using Entourage, iChat, Safari, and a handful of other applications, according to this person. Files that were downloaded using Skype and dozens of other net-facing applications aren't covered, nor are files on DVDs and thumb drives." According to MacRumors, this XProtect.plist file is located here on a drive with Snow Leopard (note that the file does not exist in Mac OS X v10.5 Leopard):

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

MacRumors identifies the second type of Mac malware as "OSX.Iservice", although it is unclear whether this is the actual name used in Snow Leopard. This malware is known variously as OSX.Iservice (Symantec)[6], Trojan.OSX.iservices.A (ClamAV), OSX.Trojan.iServices.A (Intego), OSX/iWorkS-A (Sophos), and OSX/IWService (McAfee).

If Apple hasn't licensed technology from Symantec, at the very least Apple is clearly favoring Symantec's malware names.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

9 comments:

  1. Since I'm running the GM seed, I'd be interested to know where this was downloaded from, for independent confirmation.

    ReplyDelete
  2. Seriously: do you really think they would include a "open" button in the eventuality it contained mailware ?

    This is a fake... And a very bad one ;)

    ReplyDelete
  3. One other possibility - Apple is using ClamAV but writing it's own signatures.

    ReplyDelete
  4. Could Apple have updated ClamAV used in v10.6 to have the definition for OSX.RSPlug.A?

    ReplyDelete
  5. How about ClamAV which is also used on OSX server 10.5?

    ReplyDelete
  6. Yea, right, an Open button? No way José!

    ReplyDelete
  7. Could they have just written a filter into the Spotlight indexer that looks for signatures in files as they're indexed, and then a little policy to silently 'index' all new files and mounted images without necessarily making an actual index? Seems like Apple already has a great technology to unobtrusively search for 'patterns' in files with Spotlight; leveraging it for antivirus would be no big thing. Also, if this is true, definition updates would just be part of point releases and updates, which seems all that's needed given the slow proliferation of Mac malware.

    ReplyDelete
  8. Just to clarify, I think that the Open button has to be an option. I could definitely see a confirmation popup in the even that one chose to open an "infected" file. But, file scanners aren't perfectly accurate, and sometimes perfectly neutral IT tools make it into the lists as Trojans despite mainstream acceptance. But you guys have a point. We are talking about the company that despite its obvious genius at times still prefers the 1-button mouse!

    ReplyDelete
  9. Why is an open button such a surprise? You can bypass quarantine in most virus programs already. There is a warning, and this appears to be mostly unintrusive, seems ok to me. Open isn't the default option, either.

    ReplyDelete

Comment moderation is enabled. (If you wish to contact Josh privately, you can leave a comment and ask that it not be published.)