When Apple released their most recent patch for OS X, 10.6.7, they slipped in a little extra feature. This time they have updated XProtect, their basic anti-virus component, to detect one more unwanted Mac application.
Apple keeps pretty quiet about this technology, only adding identities when some piece of unwanted software is having an effect on many OS X users.
Sophos has detected this sample since October of 2010 as OSX/Spynion-A. What does this sample do that has triggered Apple to decide to block it?
Well, it is an application that attaches itself to many “free” downloads. These include fancy screensavers, backgrounds and other adornments for your Mac.
When you install these freebies you are prompted to accept an End User License Agreement (EULA). This EULA asks for your permission to spy on your browsing habits, search behavior, online shopping and many other private pieces of information.
Of course you read the EULA, right? You always do? I thought so…
But that is how most spyware and malware infects a Mac… by attaching itself to something you want. Let’s say you didn’t read the EULA and you clicked “I Agree”.
You would expect a software installer to need your permission to update your screensavers, so you enter in your administrative credentials… You may get a shiny new screensaver, but you also just signed over your life to a “market research company” with spyware that cannot be uninstalled without a Mac guru.
While it’s nice to see Apple trying to help, their protection still isn’t really enough. As we have pointed out in the past, XProtect only scans for malicious content in applications that use LSQuarantine.
The primary way XProtect helps is when you are downloading a DMG or application through Safari/Chrome/Firefox/Mail/Thunderbird. If the archive you downloaded has PremierOpinion in the install package, OS X 10.6.7 will alert you, asking if you wish to proceed.
Apple does default to the “Move to Trash” option, but if the user has already accepted a license agreement that transfers their current and future earnings to a spyware program and has entered in their Administrator password, are they likely to choose the “Move to Trash” option?
Apple’s acknowledgement of the threat is good news, but the protection provided in Snow Leopard is too limited to be of use. It’s best to run a proper anti-virus product, like the free Sophos Anti-Virus for Mac Home Edition, to look for more than the handful of malicious files Apple detects.
Additionally, XProtect does not protect you from malicious content on BitTorrent or from removable media like USB thumb drives. Having a proper on-access scanner will detect malicious Mac malware regardless of its origin, providing for a truly happy Mac.
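The coverage gap described above (a download-time check that only fires on files carrying the LSQuarantine flag, versus an on-access scanner that inspects files whatever their origin) can be made concrete. The following is an added example, not Apple's or Sophos's code: a toy model of a quarantine-gated hash check beside an always-on check, run over constructed file records with the same payload but different provenance. The definitions plist layout, the threat entry, the payload bytes and the quarantine attribute values are all constructed for this example; only the attribute name `com.apple.quarantine` is the real one that Safari and similar LSQuarantine-aware applications set on downloads.

```python
"""Added example (not the post's, Apple's or Sophos's code): contrast a
quarantine-gated download check with an on-access scan, to show why a file
that never received the LSQuarantine flag (BitTorrent, USB stick) is not
inspected by an XProtect-style check even when its hash is a known identity.

Assumptions: the plist layout, the threat entry, the payload and the file
records below are constructed; Apple's real XProtect.plist format and
identities are not reproduced here.
"""
import hashlib
import plistlib

# Constructed definitions file in the spirit of XProtect.plist: a short list
# of named threats, each identified by the SHA-256 of the offending payload.
SAMPLE_PAYLOAD = b"constructed stand-in for a PremierOpinion installer payload"
DEFINITIONS_PLIST = plistlib.dumps({
    "threats": [
        {
            "Description": "OSX.PremierOpinion (constructed entry)",
            "Identity": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
        }
    ]
})

# Real attribute name set by LSQuarantine-aware apps; the values below are constructed.
QUARANTINE_XATTR = "com.apple.quarantine"


def load_identities(plist_bytes: bytes) -> dict:
    """Parse the definitions plist into {sha256_hex: description}."""
    data = plistlib.loads(plist_bytes)
    return {t["Identity"]: t["Description"] for t in data["threats"]}


def quarantine_gated_check(file_bytes: bytes, xattrs: dict, identities: dict) -> str:
    """Model of the behaviour the post describes: only files carrying the
    quarantine attribute are hashed and compared against the identity list."""
    if QUARANTINE_XATTR not in xattrs:
        return "not-scanned"  # file never went through LSQuarantine
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "blocked:" + identities[digest] if digest in identities else "clean"


def on_access_check(file_bytes: bytes, xattrs: dict, identities: dict) -> str:
    """Model of an on-access scanner: every file is hashed regardless of origin."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "blocked:" + identities[digest] if digest in identities else "clean"


# Constructed file records: (bytes, extended attributes). Same payload, different origin.
FILES = {
    # Downloaded through Safari: the browser tagged it with the quarantine xattr
    "~/Downloads/FancyScreensaver.dmg": (
        SAMPLE_PAYLOAD, {QUARANTINE_XATTR: "0001;00000000;Safari;constructed"}),
    # Fetched with a BitTorrent client that does not set LSQuarantine
    "~/Torrents/FancyScreensaver.dmg": (SAMPLE_PAYLOAD, {}),
    # Copied from a USB thumb drive: no quarantine attribute either
    "/Volumes/THUMB/FancyScreensaver.dmg": (SAMPLE_PAYLOAD, {}),
    # Benign download for comparison
    "~/Downloads/notes.txt": (b"shopping list", {QUARANTINE_XATTR: "0001;00000000;Safari;constructed"}),
}


def compare_coverage(files=FILES, plist_bytes=DEFINITIONS_PLIST) -> dict:
    """Return {path: (gated_verdict, on_access_verdict)} for every file record."""
    identities = load_identities(plist_bytes)
    return {
        path: (quarantine_gated_check(b, x, identities), on_access_check(b, x, identities))
        for path, (b, x) in files.items()
    }


if __name__ == "__main__":
    for path, (gated, on_access) in compare_coverage().items():
        print(f"{path:40} quarantine-gated={gated:40} on-access={on_access}")
```

Running it shows the Safari download flagged by both checks, while the identical payload arriving via BitTorrent or a thumb drive is reported as `not-scanned` by the gated check and only caught by the on-access one. On a real Mac the attribute can be inspected with `xattr -p com.apple.quarantine <file>`; the point of the model is that the gate is provenance, not content.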
So essentially Microsoft Security Essentials: Mac Edition
I am coming from a Windows background, recently joining the Mac community. How does Apple's automatic XProtect feature impact Sophos AV?
In the Windows world, it's almost a cardinal sin to run two AV products on the same box. Does XProtect interfere with or impact Sophos AV (given that it is auto-installed as part of the update)?
@Matt: XProtect.plist is nothing more than a tiny file (currently under 6 KB) that lists a tiny number of Mac-specific threats (currently 6, to be exact). It's part of the CoreTypes framework. Basically all it does is enable specific applications such as Safari to determine whether a file is infected with one of these specific infections after the download completes. It does not conflict with a "real" anti-virus running on the same system.
To see the difference between Apple's limited protection compared to what Sophos AV does, and to see what happens when Sophos AV is added to a Snow Leopard system, watch this YouTube video from SophosLabs, made by Graham Cluley back in August 2009:
I saw a video, I think also posted by this site, about how downloading free Mac software can result in malware attaching itself to it. What I would like to know is why your program is free. Are you going to install malware attached to Sophos? I feel like when something is free, it never is. There is always a price you have to pay one way or another for the free program. Because nothing is free, nothing. Why is Sophos? What is the real price?
Not sure if you are trying to be funny, or insulting. The real price is free. As in beer, gratis, at zero price.
We don't even ask for your email to download it.