SANS ISC: Apple Improving OS X Anti-Malware Feature - SANS Internet Storm Center

One of the less-discussed new features in Snow Leopard (OS X 10.6) was a built-in antivirus tool. Until now, however, it only looked for a small number of old malware samples that were hardly ever found in the wild. This changed with today's OS X security update (2011-003). The update adds the ability to automatically download new signatures, just as other anti-malware software does. In addition, signatures were added for the recent set of fake AV tools spreading for the Mac ("Mac Defender").

XProtectUpdater, the new component that downloads these updates, is configured through System Preferences according to some reports. So far, however, I have not been able to find the setting on either of the systems I installed the update on. (I will keep looking and may update this later.)

Update: Found it. The item is called "Automatically update safe downloads list" and is located in the "General" tab of the Security preference pane. I guess this is the least "malicious-sounding" name Apple could come up with. It is enabled by default.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute
ISC Handler
May 31st 2011
I guess the 1st step is realizing you have a problem (or at least that you aren't immune).

Download the update directly and then install it. It seems to clean up if you do not have MacDefender, something which would make sense for Apple to do.

You can find the following: /usr/libexec/XprotectUpdater and /usr/libexec/MRT. Seems that cleans MRT up. Tested it on all versions we have of MacDefender and it worked; it went into the contents and removed the executable.

In the control panel Apple put the option, which as you say is the least malicious sounding name...

Oh, it works, but it is not an end-all. I would like Apple to create a control panel for seat-belt; I think that would be a really big step up. Also, during system install, have the user create an Admin and a general user. I think this is a case of Apple not wanting to be in the anti-malware business but trying to deal with the problem while not killing its marketing. They can do something really different, if they are brave. Like all companies, I fear this will not be the case.
