Is Snow Leopard's bundled anti-malware enough?

Filed Under: Apple, Malware

Snow Leopard Creative Commons flickr photo stream Tambako the Jaguar (not much online)There has been much attention and debate raging on the internet for several days of Apple's decision to include an anti-malware tool in Mac OS X 10.6. We have blogged about some of the details from Graham Cluley and a more technical analysis from SophosLabs.

So for those of us responsible for supporting Macs in corporate environments, what does this mean for us? Not a whole lot. As security professionals, we have been aware that there are threats to OS X and we need to protect and monitor Macs no different than we protect our Windows and Linux computers.

In fact as SophosLabs blog mentions if you have a commercial anti-virus product installed on your Mac the functionality never sees the sample, as the anti-virus product intercepts it before reaching Apple's detection. To me this feels a lot like Microsoft's approach with the Malicious Software Removal Tool. It provides end-users with protection against major threats, and hopefully draws attention to the fact that OS X has deviants targeting it, no different than every other operating system.

The risk I have seen ignored by others in the discussion about malware and OS X seems to ignore a very important tale often told by our Global Sales Trainer Anthony Ross. Too frequently our technical support team and sales engineers are faced with recurring infections that no one is able to pinpoint. Like Typhoid Mary, Macs often host file shares, websites and other content frequently accessed by Windows computers. Having a comprehensive anti-virus application that not only protects the host, but others around them is essential.

I will likely have more to say on this subject as it becomes more clear how Apple intends on updating and developing this technology. Like Graham, I hope to see more colaboration with the security community. Although it only detects 2 trojans (1 of which if downloaded through BitTorrent does not actually get detected) at this point, it's clearly a great first step to provide some awareness to the average OS X user when they may be considering a dangerous action.

Update August 29, 2009: Clarification, all files downloaded by BitTorrent are not detected as Apple's integrated protection does not contain an on-access scanner, on-demand scanner or any cleanup ability. Only applications that use LSQuarantine can detect the trojans that exist in XProtect.plist that shipped in Snow Leopard.

Creative Commons flickr photo stream Tambako the Jaguar (not much online)

,

You might like

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.