Fake MacDefender / Mac Security.
ALL SAFE HERE.
Edited by deleted (Thu 19-May-11 20:34:31)
Gullible people will install anything. Doesn't matter what computer they own.
Although I see Ed Bott is really determined to make a name for himself.
Yup.
Quite ironic given his blog seems to be mostly about fixing up Windows to get it to run properly.
Ooh-Err..
Subject line duly changed. Thanks for the update John.
If the malware has been installed, we recommend the following actions:
- Do not provide your credit card information under any circumstances.
Now it doesn't require an Administrator password. It looks like OS X is beginning to catch up with Windows.
Now it doesn't require an Administrator password. It looks like OS X is beginning to catch up with Windows.
Good lord. You really don't mind making yourself look retarded. Seriously, don't you dare play the "getting personal" card - that really was a spectacularly dimwitted thing to post. Trolling, pure and simple.
Let's see what an actual security expert says:
Miller noted that Microsoft recently pointed out that 1 in 14 downloads on Windows are malicious. And the fact that there is just one piece of Mac malware being widely discussed illustrates how rare malware still is on the Mac platform, he said.... "Mac malware is still relatively rare, but is getting worse," Miller said. "At some point soon, the scales will tip to installing antivirus, but at this point, I don't think it's worth it yet for most people."
I'm merely repeating what an article in Ars Technica reported. I made no comment of my own about it.
You really don't mind making yourself look retarded.
Why do you always have to resort to these pathetic insults? Are you so unable to take part in rational discussion? You really shouldn't take it so personally that there is now malware in the wild for OS X.
Let's see what an actual security expert says: Mac malware is still relatively rare, but is getting worse.
Comparisons with Windows are irrelevant; we're talking about OS X here, not Windows. The fact is that, as the "actual security expert" says, malware is now a reality on OS X and is only going to get worse. Welcome to the real world.
Now, can we please try to keep the discussion on a sensible level and avoid the childish insults please.
Mac Malware was always a reality, there just was very little of it about. Anyone that can programme a computer can produce an application that pretends to be anything and because people are naive they may install it.
It's up to people to be very careful what they download and what they install, and it's up to Apple to help prevent people from doing this by educating them and stopping the worst effects of malware in OS X.
This is not like a virus, where people unknowingly in most cases contract a virus from an email or web site; this needs to have the user install or at least download and run the programme. There is a huge difference.
The security software industry is busting for a mac virus or malware. They make millions or even billions each year from the mess Microsoft has created and the market is saturated, they need new markets....
Security Update 2011-003 now available via software Update, see http://support.apple.com/kb/HT4657
Quick install, no restart
It also adds an extra item under SysPrefs => Security on the General tab:
Automatically update safe downloads list
Checked by default.
The author of the above post is a thinkbroadband moderator but it does not constitute an official statement on behalf of thinkbroadband.
This is not a good thing, surely, Bill?
-------x-------x-------x-------x-------x-------x-------x-------x-------x-------x
If a thing ain't broke --- DON'T FIX IT
Experienced in making a mess of things 
2 x MacBook Pro on OSX 10.6.4 ,Belkin N Wireless Router , [ sssh - and a PC wired lappy using XP Pro ] all on Virginmedia 20meg
I'm not sure... there's some more information about it here:
http://support.apple.com/kb/HT4651
I've left it checked for the moment, if it gets in my way I'll uncheck it.
I believe the safe list is just a text file - can't imagine it getting in the way of anything. Haven't checked but I imagine updates to whatever engine is used will still come via Software Update.
I can think of no compelling reason to uncheck it.
Comparisons with Windows are irrelevant;
Yet, oddly, you felt the need to make one.
I imagine updates to whatever engine is used will still come via Software Update.
The support document I linked to suggests that it's just for Safari, iChat, Mail etc, not any of the virus scanners, and the implication is that it's automatic and daily whereas Software Update can be configured. Not that it matters much.
I can think of no compelling reason to uncheck it.
Nor can I really, I just don't like computers doing something without asking first.
The support document I linked to suggests that it's just for Safari, iChat, Mail etc, not any of the virus scanners
Well, yeah - it's checking for Trojans and that tends to be where they come via. A text file will have the defs and needs routine updating (a tweak of MacDefender would be easy enough to add, say).
Whatever bit of OSX does the processing will need less regular patching, as new *approaches* to malware are discovered.
Bill - you are the same as me - I prefer to see what's there before I actually download/install it.
Mousing over it shows << checks daily for updates to the safe downloads malware detection signature list and installs new signatures if they are available >>
Looks as if it should be OK - but does anyone have any real knowledge of it?
-------x-------x-------x-------x-------x-------x-------x-------x-------x-------x
If a thing ain't broke --- DON'T FIX IT
Experienced in making a mess of things 
2 x MacBook Pro on OSX 10.6.4 ,Belkin N Wireless Router , [ sssh - and a PC wired lappy using XP Pro ] all on Virginmedia 20meg
You realise this list has been in OSX since Leopard?
The only change is that it gets updated as needed, rather than when Apple gets round to it.
Bill - you are the same as me - I prefer to see what's there before I actually download/install it.
To be fair it's usually a matter of "when" rather than "what" - I don't think I've ever declined an update, for example 1.
But I've delayed quite a few until a more convenient time, especially those that require a restart!
1 eta- not for the OS anyway, I've declined a few for 3rd party applications if they weren't useful to me.
Edited by billford (Wed 01-Jun-11 10:42:10)
There's a long way to go before it catches up with Windows.
I believe much of the problem is due to people logging in with an admin account. That's pretty dumb on any OS.
I don't think Apple marketing has ever claimed OSX was impossible to write a virus for, they just listed the amount of viruses known for each platform. On Windows it was in the tens of thousands.
I guess the criminals have realised that Mac owners have more money to steal.
No I didn't. Your "actual security expert" did.
Link. Good grief, a malware author modifies his product to evade detection... what is the world coming to
Exactly.
What will be more interesting is to see how quickly Apple respond. That's the game nowadays.
"Quickly" is a comparative term... what would you use for your reference?
Microsoft would be a good reference point. Or any of the big anti-virus firms. The one that we used to use at work (F-Secure) typically took about 12 hours maximum to publish a data fix for a new piece of malware - we used to update the central definition file from them every two hours.
Still not quick enough - I've seen new malware reach our systems before the definitions were updated, but other more generic features of the software were sufficient to block them.
No I didn't. Your "actual security expert" did.
Read your own posts, muppet:
http://forums.thinkbroadband.com/mac/t/4005566-re-fa...
"Quickly" is a comparative term... what would you use for your reference?
How about "by now" (patch out - will be picked up in next safe download check (or last one, depending on when yours runs)).
Seems quick enough to me, though some may beg to differ.
Any idea how you can check when/whether an update has been collected? Software Update shows nothing, and I can't see anything in the system log.
Nothing obvious. I think Apple's policy is to be non-drama-queeny about it.
A process called xProtect runs and phones Apple Towers, but the only reason I know is Little Snitch alerting me. If the check box is checked, it is automatic. Basically, as long as you are on the Net you will be up-to-date within 24 hours max.
After a bit I will just tell LS to let it through, but I like to watch stuff for a few iterations before I do that (that approach also showed just how often Google s/w phones home!).
Thanks
I found an entry for xProtect in the system log at just before 9am, but unfortunately it was an "Unable to connect" error- it had chosen to phone home whilst I was re-booting the router
Sod's Law rules...
I'll have another look tomorrow.
it had chosen to phone home whilst I was re-booting the router
Ha ha! Typical.
And this, if you wish to force an update:
http://www.tuaw.com/2011/06/03/force-your-mac-to-upd...
(As far as I can see, a simple uncheck and re-check forces it.)
Mine says it last updated at 00:13:07 GMT today, and it's at version 3.
A process called xProtect runs and phones Apple Towers, but the only reason I know is Little Snitch alerting me. If the check box is checked, it is automatic. Basically, as long as you are on the Net you will be up-to-date within 24 hours max.
Can you see xProtect running in Activity Monitor? or from a 'ps ax' in the terminal as I can't see any such process (...and yes I have installed the update).
BT -> Zen -> F2S -> Bulldog -> Be* -> BT Infinity
Far too many computers, 1 Wife, 3 Maine Coons and too many horses 
(As far as I can see, a simple uncheck and re-check forces it.)
Yes, so will a re-start.
I discovered one thing- if the computer is in sleep mode when update time comes around, it won't try again when it wakes up.
Could be a nuisance if you somehow get the update time set to the wee small hours!
XProtect operates by modifying the file type detection process, deep in the file system itself. See http://ithreats.net/2010/06/19/about-mac-os-x-v10-6-...
Basically, each file that is written by the OS is checked to see if it meets certain criteria. If it does, its metadata is tagged with a corresponding file type. Most file types are just those that relate files to specific applications, but the XProtect extension adds tags for files that should be quarantined.
Note the comment at the end of the above post. Since XProtect is only triggered by a file save action, it will not detect a pre-existing copy of a malware file, already running on your system. Apple may have moved forward on this since the post was written a year ago, since they need to deal with users with MacDefender already installed. But that may use a different process from XProtect itself.
So you won't see a separate process running, because it's done by the file I/O kernel itself.
XProtectUpdater is the process that calls home and gets the new version of the protection system signatures. It is called by launchctl - the Apple replacement for cron - and the entry that controls it is at /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist, which runs /usr/libexec/XProtectUpdater when it is first installed, and then every 86400 seconds thereafter, (24 hours). So it is launched on a schedule, updates the signature file, and then shuts down again.
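
The launchd job described in the post above can be checked programmatically, for instance to confirm the signature updater has not been disabled or repointed. This is an added example, not part of the original thread and not Apple's code: the plist is a constructed sample built from the post's description, and `audit_updater_job`, `EXPECTED_PROGRAM` and `MAX_INTERVAL` are hypothetical names.

```python
import plistlib

# Constructed sample modelled on the job described in the post above;
# it is not a copy of Apple's actual file.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.apple.xprotectupdater</string>
    <key>ProgramArguments</key>
    <array><string>/usr/libexec/XProtectUpdater</string></array>
    <key>RunAtLoad</key><true/>
    <key>StartInterval</key><integer>86400</integer>
</dict>
</plist>
"""

EXPECTED_PROGRAM = "/usr/libexec/XProtectUpdater"  # path quoted in the post
MAX_INTERVAL = 86400  # seconds; the 24-hour schedule quoted in the post


def audit_updater_job(plist_bytes):
    """Return (summary, findings) for a launchd job definition (hypothetical helper)."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    interval = job.get("StartInterval")
    summary = {
        "label": job.get("Label"),
        "program": args[0],
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "interval_hours": interval / 3600 if interval else None,
    }
    findings = []
    if job.get("Disabled", False):
        findings.append("job is disabled: signatures will not refresh")
    if args[0] != EXPECTED_PROGRAM:
        findings.append("unexpected program: %s" % args[0])
    if interval is None:
        findings.append("no StartInterval: runs only at load")
    elif interval > MAX_INTERVAL:
        findings.append("interval %ds exceeds 24 hours" % interval)
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_updater_job(SAMPLE_PLIST)
    print(summary)
    print(findings or "no findings")
```

On a real system the bytes would be read from the plist path named in the post instead of the embedded sample.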
I discovered one thing- if the computer is in sleep mode when update time comes around, it won't try again when it wakes up.
Could be a nuisance if you somehow get the update time set to the wee small hours!
I'm surprised. Normally, a process controlled by launchctl will run the next time it can if the computer is asleep at the scheduled time. That's how all the other routine maintenance processes operate to rotate logs etc.
I'm surprised.
I was too, but that's what (didn't) happen this morning, or tonight when I got back home.
It's only one instance so maybe something else interfered, but it might be worth keeping an eye on.
Ta, I was curious as I can see no mention of xProtect in the system log file and it had not updated itself today. I did the check/uncheck in the system prefs to prod it. The iMac is left on so I would have expected it to get the update.
BT -> Zen -> F2S -> Bulldog -> Be* -> BT Infinity
Far too many computers, 1 Wife, 3 Maine Coons and too many horses 