Snow Leopard malware protection system: What does XProtect do?

With today's release of the new version of OS X (Snow Leopard, OS X 10.6), Apple have added some malware protection. XProtect (we are calling it this because that is the name of its detection data file) provides a level of protection against variants of OSX/iWorks-A (OSX.Iservices) and OSX/Jahlav-C (OSX.RSPlug.A).

Users who upgrade to Snow Leopard (OS X 10.6) and who encounter the Trojans while browsing for:

and who are not running a Mac-specific security product (e.g. Sophos Anti-Virus for OS X) may receive a pleasant surprise:

As opposed to the message from Sophos:

When files are downloaded through the following applications:

  • Entourage
  • Safari
  • Mail
  • Firefox
  • Thunderbird
  • iChat
  • and other programs that use LSQuarantine

then the files are tagged with the LSQuarantine extended attribute. When the downloaded file is run (automatically or manually), Launch Services handles the launch, and because the attribute is present Launch Services in turn triggers the XProtect scan of the file.

Unfortunately, if variants of these threats find their way onto your system via an application that does not set the extended attribute, for example:

  • Skype
  • Adium
  • BitTorrent
  • and Finder (via USB keys, network share, etc …)

then XProtect is never triggered and these threats can run unfettered. Notably, OSX/iWorks-A was distributed through infected torrents, so in practice it would not have been blocked by XProtect at all.
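The gate described above is worth seeing in code, because it is a check on metadata, not on content: Launch Services hands a file to XProtect only if the quarantine attribute is present, so the same Trojan arriving via BitTorrent or a USB key is never looked at. The following is an added example, not Sophos or Apple code. It assumes the attribute name com.apple.quarantine (the attribute LSQuarantine writes on OS X, not named in the post above), a value layout of flags;timestamp;agent;identifier as seen on real downloads, and sample files whose attribute values are constructed for the example. The functions parse_quarantine, xprotect_would_scan, triage, read_quarantine and tag_for_scan are names chosen here; read_quarantine and tag_for_scan shell out to the real xattr tool and so only do anything on a Mac.

```python
"""Model of the XProtect trigger: Launch Services only scans a file
that carries the LSQuarantine extended attribute.

Added example, not code from Sophos or Apple.  Assumptions: the
attribute is named com.apple.quarantine (what LSQuarantine writes on
OS X); its value is "<flags hex>;<unix time hex>;<agent>;<identifier>";
the sample files below are constructed, not real downloads.
"""
import shutil
import subprocess
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Split a quarantine attribute value into its fields.

    The trailing identifier has changed layout across OS X releases,
    so only the first three fields are required; anything shorter is
    reported as an error rather than silently accepted.
    """
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine value: %r" % value)
    flags, stamp, agent = parts[:3]
    stamp_int = int(stamp, 16)
    return {
        "flags": int(flags, 16),
        "timestamp": stamp_int,
        "downloaded": datetime.fromtimestamp(stamp_int, tz=timezone.utc),
        "agent": agent,
        "identifier": ";".join(parts[3:]),
    }


def xprotect_would_scan(xattrs):
    """The gate itself: XProtect runs only when the attribute is present.

    Nothing about the file's content is consulted, which is exactly why
    Skype, Adium, BitTorrent and Finder copies slip past it.
    """
    return QUARANTINE_ATTR in xattrs


# Constructed sample: the same installer arriving four different ways.
# Only the Safari copy was tagged by LSQuarantine.
SAMPLE_FILES = {
    "installer.dmg via Safari": {
        QUARANTINE_ATTR: "0081;4a9bb3c4;Safari;0B2A2C8C-5B3E-4E2F-9A0E-1F2E3D4C5B6A",
    },
    "installer.dmg via BitTorrent": {},
    "installer.dmg via Skype transfer": {},
    "installer.dmg copied from USB key in Finder": {},
}


def triage(files):
    """Map each file name to True (XProtect gets a look) or False (bypass)."""
    return {name: xprotect_would_scan(attrs) for name, attrs in files.items()}


def read_quarantine(path):
    """Read the attribute from a real file with the xattr tool (Mac only).

    Returns the parsed fields, or None when the file is untagged.
    """
    if shutil.which("xattr") is None:
        raise RuntimeError("xattr tool not found; run this on OS X")
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout.strip())


def tag_for_scan(path, agent):
    """Tag a file that arrived through a non-LSQuarantine app (Mac only).

    Assumption: any well-formed value works, since presence of the
    attribute is what makes Launch Services run the check.  The flags
    value 0081 is copied from an ordinary browser download.
    """
    stamp = "%x" % int(datetime.now(tz=timezone.utc).timestamp())
    value = "0081;%s;%s;" % (stamp, agent)
    subprocess.run(["xattr", "-w", QUARANTINE_ATTR, value, path], check=True)
    return value


if __name__ == "__main__":
    for name, scanned in triage(SAMPLE_FILES).items():
        print("%-45s %s" % (name, "scanned" if scanned else "BYPASSES XProtect"))
    tagged = parse_quarantine(SAMPLE_FILES["installer.dmg via Safari"][QUARANTINE_ATTR])
    print("Safari copy downloaded %s by %s" % (tagged["downloaded"], tagged["agent"]))
```

On a Mac, `xattr -p com.apple.quarantine somefile` is the quick manual version of `read_quarantine`; a file that arrived over Skype or a USB key simply has no such attribute, and `tag_for_scan` adds one so that the first launch goes through Launch Services' check. That closes the gap for a file you already know about, which is not a substitute for an on-access scanner that examines content regardless of how the file got there.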

Users who have Sophos Anti-Virus installed with the on-access scanner enabled will never see this new XProtect functionality – the malware is detected by Sophos long before Launch Services gets the chance to check it.

XProtect seems a natural progression of the functionality Apple added in 10.5, which warned the user before running installers or applications that had been downloaded from the Internet or another untrusted source.

Thanks to Michael Shannon, Researcher, SophosLabs UK and Ben Jupp, Senior Mac Specialist, Sophos Global.