Thursday, September 30, 2010

MacScan 2.7 Product Review

Since early 2002 (about a year after the initial release of Mac OS X), SecureMac has made an anti-spyware application for Mac called MacScan.  I've been curious about the product ever since I became interested in computer security several years ago, and I finally had the opportunity to try MacScan recently.

Earlier this month, on September 20th, SecureMac tweeted from their @macscan Twitter account that the software was being released for free for one day only in celebration of Pirate Day (hopefully a few of you saw my retweet). I took the opportunity to grab a copy of MacScan so I could finally test it myself.

MacScan is marketed as a product that "detects, isolates, and removes spyware" for the Macintosh platform.  Mac users often believe (no doubt encouraged by Apple's marketing) that there isn't any malicious software for the Mac, or that the Mac is not susceptible to hacker exploits, but unfortunately, such is not the case.  (I've discussed this occasionally, Graham Cluley from antivirus vendor Sophos has reiterated this several times recently, and Mac antivirus maker Intego frequently blogs about Apple and third-party security vulnerabilities and Mac malware.)

MacScan detects a number of different types of potentially harmful Mac OS X and Mac Classic software such as Trojan horses, keystroke loggers, tracking cookies, and remote administration programs—mainly things that could be considered "spyware," or software used to spy on user behavior.  However, it is not a full-fledged antivirus product; for example, it is not designed to detect things such as viruses (e.g. Microsoft Office macro viruses, classic Mac OS viruses, etc.) or any malicious software that isn't Mac-native (e.g. UNIX or Windows malware), etc.

Another feature found in commercial antivirus software that's not present in MacScan 2.7 is automatic on-download or on-access scanning of files.  You can manually scan files or folders, or you can schedule scans, but the current version of MacScan doesn't run in the background and automatically scan files as soon as you download them.  Thus, if you unknowingly download something malicious, by the next time you scan your system it may already have become infected.  Also, based on my testing, there doesn't seem to be any heuristic detection of unknown malware, which commercial antivirus software usually provides.  These issues could potentially be problematic for users who rely solely on MacScan for protecting their systems rather than using MacScan along with antivirus software.

But I digress; MacScan is not—and does not claim to be—a complete antivirus suite.  So how well does it detect the things it's designed to?

Since I had a copy of Lose/Lose on hand (see my article about it), I tested to make sure MacScan could detect it, and it did.  I also tested whether MacScan could detect Vine Server 3.0 (the latest version of the VNC server software formerly known as OSXvnc, which MacScan is supposed to detect), and it did.  On a hunch, I tested whether MacScan would detect a number of previous versions of Vine Server and OSXvnc (which are freely available on SourceForge), and I got mixed results.  Of the 17 different versions of the software to date, only 6 versions were detected by MacScan, and the other 11 versions were not detected at all.  I reported this to SecureMac, and to their credit MacScan's definitions were updated in less than 36 hours (the advisory about the new detections is currently visible on their spyware list).  I retested this morning with the latest definitions, and I confirmed that all 17 versions of OSXvnc and VineServer were detected.

What about tracking cookies?  The MacScan site says that the software detects "over 8800 blacklisted tracking cookies."  Since I nearly always browse with third-party cookies disabled (which theoretically should prevent a lot of tracking cookies from being saved), I didn't expect MacScan to find much, and it didn't.  MacScan only detected a single cookie, from www.googleadservices.com.  Out of curiosity, I opened the database where this cookie was found (~/Library/Cookies/Cookies.plist) and looked through it myself.  I found 360 tracking and advertising cookies.  Of those, 267 were from Google Analytics (a very popular service for tracking the number of visitors to a site and other non-personally identifiable information; apparently Google Analytics works by having sites set first-party instead of third-party cookies).  Since MacScan had detected a cookie from Google Ad Services, one might expect it to detect cookies from Google Analytics as well, but that didn't happen in this case.  The remaining 93 ad/tracking cookies were from a number of other sites and services, many of which are listed on hpHosts, Web of Trust, and other databases.  SecureMac doesn't specify which 8800 sites' cookies are blacklisted, but based on my very limited testing, their list has some room for improvement.

I also discovered a much more serious detection issue that SecureMac is planning to fix in the next release of the software, MacScan 3.0.  At a later date (after giving SecureMac a reasonable amount of time to fix the issue) I will disclose the details here on this site, so stay tuned for that.

Although the foregoing may not sound extremely positive, I wouldn't rule out MacScan entirely.  No antivirus or anti-spyware suite has perfect detection; I'm often disappointed by detection rates of new malware, even in commercial antivirus suites from companies with millions of dollars to spend on research and development.

For another thing, MacScan is less expensive than most antivirus suites and doesn't require a yearly subscription. When used in combination with a free antivirus such as ClamXav (donationware; detects Mac and non-Mac viruses) or PC Tools iAntiVirus (free for personal use; only detects Mac viruses), MacScan may help suit your needs at a better price.  Of course, MacScan can also be used alongside commercial antivirus suites, which don't usually detect things like tracking cookies.

Furthermore, MacScan is undergoing a major overhaul for the upcoming version 3 which will address several of the issues I've mentioned above.  Expect the main scanning engine to be improved, new features including drag-and-drop scanning, and perhaps most importantly the addition of a background scanning engine.  This complete redesign should make MacScan much more robust and better capable of defending Macs against Trojans and privacy invasions.  If you would like to volunteer to help SecureMac test the upcoming release, you can sign up to become a beta tester for MacScan 3.

MacScan can be purchased for $29.99 for a single user license, or $49.99 for a three-user family pack (enter a quantity of 3 or more and use the coupon code FAMILYPACK).


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.

Tuesday, September 7, 2010

Save $100 Instantly on MacTech Conference Registration

I'm going to be attending MacTech Conference from November 3-5, 2010 in Los Angeles. It's not specifically a security-oriented event—MacTech Conference is for all IT professionals and developers, and it's a great way to meet and learn from peers and experts in the field. There will be lots of fun times as well, including private access to the Griffith Observatory one night and another night at Jillian's (including bowling, billiards, Guitar Hero, and more). Meals are included!

My friends and readers can get $100 off MacTech Conference registration by signing up through this link:

http://bit.ly/mactechconf

You can also read this article from my personal blog or browse the conference site to learn more, but be sure to use the exact link above to register to make sure to get your $100 off. Register by October 29, 2010 to get the discount.

I hope to see you there! Also, feel free to share the discount link with anyone else who might be interested in attending the conference.

UPDATE, 27 Oct 2010 @ 01:19 PDT: The discount deadline has been extended to October 29th.