Monday, November 28, 2011

How to Update Apple's Safe Downloads List (XProtect.plist Malware Definitions)

UPDATE, 23 Oct 2013: None of these tricks work in OS X Mavericks (version 10.9). If you know of a way to manually check for XProtect updates in Mavericks, please leave a comment.

Apple just released an update for its XProtect.plist malware definitions file (which Apple calls the "safe downloads list"; this is kind of a misnomer because it's actually a list of unsafe downloads). The latest update appears to block a new version of a Trojan horse that masquerades as a Flash Player update, which Apple labels OSX.FlashBack.B. I thought this would be a good opportunity to share with my readers a few ways to manually force an update to Apple's definitions.

To briefly review, Mac OS X Snow Leopard and later (including Lion) include very basic protection against malicious downloads under certain circumstances. In May 2011, after the outbreak of MacDefender malware, Apple released a security update that enabled automatic updating of Mac OS X's built-in definitions file for Snow Leopard. Automatic updating has always been built into Lion since its initial release in July 2011.

Before you update your Mac OS X anti-malware download definitions, you should first make sure you have the latest version of Mac OS X installed (10.6.8 is the final version of Snow Leopard, and 10.7.2 is the current version of Lion as of when I'm writing this). You can check for updates by going to the Apple menu in the top-left corner of your screen and selecting "Software Update...".

After installing all available OS and security updates (and restarting your computer if necessary), you have a few options on how to check for updates to Apple's malware definitions:
  • The first (and nicest) solution is to download Adam Christianson's Safe Download Version app from The Mac Observer's site (direct download link). This app automates the whole update process for you; it notifies you what version your current definitions are and their release date, lets you check for updates, and notifies you if you already have the latest version installed.
  • The second option is to update via System Preferences (which you can find by clicking on the Apple menu and selecting "System Preferences..."). In the System Preferences main window, click on Security, then click on the General tab, then uncheck and re-check the box next to "Automatically update safe downloads list" (note that you may need to click on the lock and type an administrator password first).  You won't get any feedback indicating whether the update process has completed; you'll just have to assume that it worked (this is why I prefer using Adam's Safe Download Version app mentioned above).
  • The third option is to run either of the following Terminal commands (pick one):

    sudo /usr/libexec/XProtectUpdater
    sudo launchctl start

    You can copy and paste one of those into the Terminal (which you can find by clicking on the magnifying glass in the top-right corner of your screen and starting to type the word Terminal). After running either of those commands, you won't get any feedback indicating whether the update has run; you'll just have to assume it worked—or if you want to see whether the version changed after running the command (note that it may not; Apple often goes a long time in between updates), you can copy and paste this command before and after you run one of the commands above:

    more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

    The XProtect.meta.plist file lists the date and version number of the XProtect.plist definitions file which is located in the same directory on your hard drive.

As I've mentioned previously, Apple's (un)safe downloads list is not a replacement for true antivirus software. It mostly protects against Trojans downloaded through Safari, Mail, and other applications that add the "quarantine" flag to new downloads that may contain malicious content. Aside from that, Apple's built-in protection does not currently do much; it doesn't protect against viruses (such as Microsoft Word and Excel macro viruses), rootkits, worms, Windows malware, and so forth; all of these have unfettered access to invade and brutalize your Mac unless you've installed full-fledged antivirus software. Sophos has a free home edition for personal use which I like, ClamXav is free for anyone to use (although its features are very limited; it's primarily a manual system scanner, but it includes an automatic download scanner that you can manually configure), and Intego VirusBarrier isn't free but it's produced by a company that specializes in Mac security. A few other commercial options exist for personal or small business use (be sure to get a current version if you buy from anywhere other than the developer's site), and several major antivirus vendors sell enterprise editions of their software for medium to large organizations.

If you found this article useful, please share a link to it on your favorite social networks, and don't forget to subscribe using the links below!

For more from the JoshMeister on Security, please subscribe via e-mail or RSS and follow me on Twitter or .