

July 1st, 2011

Notes on internal MacOS anti-malware tool (aka XProtect)

On August 28, 2009, Apple released Snow Leopard. One of the new functions added in this version is a basic anti-malware tool called “XProtect”. The name comes from the .plist file that contains the strings needed for detection. Apple had not given the tool a name, so developers made one up.

(Screenshot: latest version of XProtect.plist)

How does it work

If an application whose Info.plist has LSFileQuarantineEnabled set to TRUE downloads a file, an extended attribute (com.apple.quarantine) is added to the file. This attribute stores the date of the download and the application that downloaded the file. If the file is an application or installer (this works even when it is packed in an archive) and is later executed, the system sees this information and prompts the user with a message like this:

(Screenshot of the quarantine warning dialog.)

So, since 10.6, XProtect hooks into this quarantine mechanism and scans the file before this dialog is shown. When the file is infected, instead of the plain warning the user gets a message like this:

(Screenshot of the XProtect warning shown for an infected file.)
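The flow above, modelled as a small Python script. This is an added example, not Apple's code or anything from the original post. It assumes the quarantine attribute is named com.apple.quarantine and that its value is four semicolon-separated fields (flags in hex, download time as hex seconds since the Unix epoch, the downloading agent's name, a UUID); the signature list is a simplified stand-in for XProtect.plist (a Description plus a hex byte Pattern), not Apple's real schema. The sample attribute value, the marker string and the signature name are constructed. The last call shows the consequence of hanging the scan on the quarantine attribute: a file that never received the attribute is never scanned, whatever it contains.

```python
"""Model of the Snow Leopard quarantine + XProtect flow (constructed example)."""
import plistlib
from datetime import datetime, timezone

# Assumption: this is the extended attribute that quarantine-aware apps set.
QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed signature list serialised as a plist. The layout (Description +
# hex Pattern) is a simplification of XProtect.plist, not Apple's real schema.
MARKER = b"XPROTECT-TEST-MARKER"  # constructed byte pattern, not real malware
SAMPLE_DEFINITIONS = plistlib.dumps([
    {"Description": "OSX.TestSample.A", "Pattern": MARKER.hex().upper()},
])


def parse_quarantine(value):
    """Split a com.apple.quarantine value into its fields (format is assumed)."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine attribute format: %r" % value)
    flags, ts_hex, agent = parts[0], parts[1], parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return {
        "flags": int(flags, 16),
        "downloaded_at": datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        "agent": agent,
        "uuid": uuid,
    }


def load_definitions(plist_bytes):
    """Turn the plist into (description, pattern bytes) pairs."""
    return [(sig["Description"], bytes.fromhex(sig["Pattern"]))
            for sig in plistlib.loads(plist_bytes)]


def match_signatures(data, definitions):
    """Return the description of the first signature found in data, or None."""
    for description, pattern in definitions:
        if pattern in data:
            return description
    return None


def check_file(data, xattrs, definitions):
    """Decide what the user sees when a file is opened.

    xattrs: dict of extended attribute name -> value as read from the file.
    Returns one of:
      'not-scanned'        no quarantine attribute, so XProtect never runs
                           (files copied from USB, DVD or network volumes, or
                           saved by a client without LSFileQuarantineEnabled)
      'quarantine-warning' attribute present, no signature matched
      'blocked:<name>'     attribute present and a signature matched
    """
    if QUARANTINE_XATTR not in xattrs:
        return "not-scanned"
    parse_quarantine(xattrs[QUARANTINE_XATTR])  # validates the attribute
    hit = match_signatures(data, definitions)
    if hit is not None:
        return "blocked:" + hit
    return "quarantine-warning"


if __name__ == "__main__":
    defs = load_definitions(SAMPLE_DEFINITIONS)
    # Constructed attribute: flags 0x81, downloaded 2011-07-01 05:25:00 UTC by Safari.
    q = {QUARANTINE_XATTR: "0081;4e0d5a2c;Safari;00000000-0000-0000-0000-000000000000"}
    infected = b"\xca\xfe\xba\xbe" + MARKER + b"\x00" * 16
    clean = b"\xca\xfe\xba\xbe" + b"\x00" * 16
    print(parse_quarantine(q[QUARANTINE_XATTR]))
    print(check_file(infected, q, defs))   # blocked:OSX.TestSample.A
    print(check_file(clean, q, defs))      # quarantine-warning
    print(check_file(infected, {}, defs))  # not-scanned
```

On a real Mac the attribute can be inspected with `xattr -p com.apple.quarantine <file>`; the point of the model is that `check_file` returns `not-scanned` for the infected bytes as soon as the attribute is absent, which is exactly the case for files that arrive by a path other than a quarantine-aware download.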

Known problems

In the first Snow Leopard release (10.6.0) there were only two (!) definitions in XProtect.plist: OSX.RSPlug and OSX.Iservice. OSX.Iservice (also known as iWorkS-A) is malware packed inside pirated versions of iWork ’09 and Adobe Photoshop CS4 distributed over the BitTorrent network. If the user's BitTorrent client does not have LSFileQuarantineEnabled set (and I have no clue whether any BitTorrent client does), the file won't be scanned. The same problem applies to other P2P clients and to FTP clients.

But that is not the major problem. The major problem is that Finder does not scan files copied or opened from USB drives, DVDs, CDs, or network volumes. Such files never receive the quarantine attribute, so they are not scanned at all, and the user gets no notification if they are infected.

Another problem concerns .mpkg installation files. Apple's Installer uses two types of packages: .pkg and .mpkg. XProtect handles .pkg, but not .mpkg.


Updates

XProtect.plist has been updated since 10.6.0. In 10.6.7 it contains definitions for four pieces of malware: OSX.RSPlug.A, OSX.Iservice, OSX.HellRTS and OSX.OpinionSpy.

  • Mike

    Yeah, there are definitely limits to that little anti-malware program. Doesn't this prove that Macs can get viruses then? ;) Since it NEEDS even that. :D

  • Clint Millar

    Hi, I just would like to say that if Macs need XProtect, I would say that Macs should just download the free avast Mac antivirus; that way you have a trusted antivirus software company.

  • Juan Silva

    You could write about TDL-4: the ‘indestructible’ botnet. I think many want to know what Avast is doing to combat this malware.
    More information at this link:

    http://news.cnet.com/8301-13506_3-20075725-17/tdl-4-the-indestructible-botnet/

  • http://yoetama.blogspot.com yanita

    I've been using avast for a long time, maybe 2 years or more, though only the free version. Thanks, avast.

  • http://rene10 rene alvarez llanes

    Hi, I just would like to say that if Macs need XProtect, I would say that Macs should just download the free avast Mac antivirus; that way you have a trusted antivirus software company.