Tuesday, August 25, 2009

Breaking News: Mac OS X Snow Leopard Built-in Antivirus?

I just noticed a very intriguing post on Intego's Mac Security Blog claiming that Apple's upcoming operating system, Mac OS X v10.6 "Snow Leopard," will have built-in antivirus functionality. The following screenshot is alleged to show a system warning after downloading malware via Safari:


Intego's blog post is sparse on details, but one thing that they haven't explored is which antivirus engine Apple might be using behind the scenes. The only clue seems to be the name of the malware in the screenshot.

The name "OSX.RSPlug.A"—one of many names of a particular type of Mac-infecting malware—is used by Intego[1] and Symantec[2], while Sophos and McAfee use different names (OSX/RSPlug-A[3] and OSX/Puper.a[4], respectively).

ClamAV seems like a logical engine for Apple to choose since it's freely available and has been part of Mac OS X Server for years, but ClamAV doesn't appear to have a virus definition called OSX.RSPlug.A; it apparently only detects it as "OSX.RSPlug"[5].

Since Intego obviously didn't know about this until today, it's clear that Apple didn't license the technology from Intego. The only other company that appears to use the same malware name is Symantec. Could it be that Apple licensed Symantec's virus scanning engine? Or could Apple have developed its own custom AV engine?

Regardless of whose engine is being used, it's exciting that Apple may be including anti-virus functionality in its next-gen consumer OS (if you believe the "reports" that Intego claims to have seen).

UPDATE: Ryan Naraine from Kaspersky Lab and Threatpost says in his ZDNet column that he has "confirmed that Apple is not using the open-source ClamAV engine to handle these scans so it's likely the company has entered into an agreement with a commercial anti-virus company." This supports my theory that Apple may have licensed the technology from Symantec, maker of Norton AntiVirus. The latest I've heard through the grapevine is that Apple is indeed using a Symantec API.

UPDATE 2: The Register cites an anonymous source who claims that rather than including a full-fledged virus scanner, Apple is only checking for two specific types of malware: "Based on an analysis of a corresponding preferences file called XProtect.plist, it appears that the feature checks for only two known Mac trojans. And it only flags those files if they were downloaded from the internet using Entourage, iChat, Safari, and a handful of other applications, according to this person. Files that were downloaded using Skype and dozens of other net-facing applications aren't covered, nor are files on DVDs and thumb drives." According to MacRumors, this XProtect.plist file is located here on a drive with Snow Leopard (note that the file does not exist in Mac OS X v10.5 Leopard):

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

MacRumors identifies the second type of Mac malware as "OSX.Iservice", although it is unclear whether this is the actual name used in Snow Leopard. This malware is known variously as OSX.Iservice (Symantec)[6], Trojan.OSX.iservices.A (ClamAV), OSX.Trojan.iServices.A (Intego), OSX/iWorkS-A (Sophos), and OSX/IWService (McAfee).
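As an added illustration (not code from the original post, and not Apple's own implementation), here is a small Python check modelled on the behaviour the reports describe: a short signature list keyed by malware name, a content-type restriction, and a scan that only runs on files that arrived through a quarantine-aware download. The plist layout, key names, content types and hex byte patterns are all assumptions constructed for this example; the real XProtect.plist format was not published with the reports above.

```python
import plistlib

# Constructed XProtect-style signature list. The key names, content type and
# hex byte patterns are assumptions made for this example, not Apple's data.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict>
    <key>Description</key><string>OSX.RSPlug.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.installer-package-archive</string></dict>
    <key>Matches</key><array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>5253504c55472d53414d504c45</string>
    </dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.Iservice</string>
    <key>Matches</key><array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>49534552564943452d53414d504c45</string>
    </dict></array>
  </dict>
</array></plist>
"""

def load_signatures(plist_bytes):
    """Parse the plist into records of name, optional content type and byte patterns."""
    signatures = []
    for entry in plistlib.loads(plist_bytes):
        content_type = entry.get("LaunchServices", {}).get("LSItemContentType")
        patterns = [bytes.fromhex(m["Pattern"])
                    for m in entry.get("Matches", []) if m.get("MatchType") == "Match"]
        signatures.append({"name": entry["Description"],
                           "content_type": content_type, "patterns": patterns})
    return signatures

def scan_download(data, content_type, quarantined, signatures):
    """Names of signatures that fire: quarantined files only, content type must match, every pattern present."""
    if not quarantined:
        return []  # file did not come through a quarantine-aware app, so it is never examined
    hits = []
    for sig in signatures:
        if sig["content_type"] not in (None, content_type):
            continue  # signature is restricted to a different file type
        if sig["patterns"] and all(p in data for p in sig["patterns"]):
            hits.append(sig["name"])
    return hits
```

The `quarantined` flag stands in for the "downloaded by Safari, iChat, Entourage and a handful of others" condition; a file copied from a DVD or thumb drive would be passed with `False` and skipped, which is exactly the gap The Register's source points out.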

If Apple hasn't licensed technology from Symantec, at the very least Apple is clearly favoring Symantec's malware names.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.