Notes on internal MacOS anti-malware tool (aka XProtect)
On August 28, 2009, Apple released Snow Leopard. One of new functions added to this version is basic anti-malware tool called “XProtect”. The name is based on the name of one .plist file which contains strings that are necessary for detection. Apple had not provided a name for the tool, so developers made it.
Latest version of XProtect.plist
How does it work
If any application that have in its Info.plist’s LSFileQuarantineEnabled set to TRUE downloads a file, extended attribute is added to the file. This attribute store information about date and application which downloaded the file. If this file is application or installer (work even when is packed) and is later executed, system see this information and prompt the user with message like this:
So, since 10.6, XProtect function hangs on this quarantine function and before this dialog is shown, it scans the file. When file is infected, instead of warning user get message like this:
In first Snow Leopard release (10.6.0) there was only two (!) virus definitions in XProtect.plist (OSX.RSPlug and OSX.Iservice). OSX.Iservice (also known as iWorkS-A) is virus packed inside pirate version of iWork ’09 and Adobe Photoshop CS4 distributed via BitTorrent network. If users BitTorrent client has not enabled LSFileQuarantineEnabled (and I have no clue if there is BitTorrent client that has it), file won’t be scanned. Same trouble may be with other P2P clients and FTP clients.
But it’s not the major problem. Major problem is, that Finder is not scanning files copied or opened from USB drives, DVDs, CDs, or network volumes. They are not scanned and user won’t get any notification if they are infected.
Another problem is with .mpkg installation files. Apple’s Installer uses two types of packages: .pkg and .mpkg. XProtect handle with .pkg, but not with .mpkg.
Since 10.6.0 was XProtect.plist updated. Now, in 10.6.7 has XProtect.plist definitions for 4 viruses: OSX.RSPlug.A, OSX.Iservice, OSX.HellRTS and OSX.OpinionSpy.