How to keep Mac OS X's safe downloads list up-to-date

Filed Under: Apple, Apple Safari, Featured, Malware

Mac OS XDid you know that Mac OS X includes some very basic protection against malicious downloads?

When you download an application via Safari or an attachment in Mail and then try to open it, Apple checks the file against its "safe downloads list" (sometimes called "XProtect.plist" after its file name) to ensure it doesn't contain any known Mac malware.

Mac OS X is supposed to check for updates to this malware definitions list daily, but you can force an update using one of the following techniques.

The first method is to click on the Apple menu and select "System Preferences..." and then from the main window click on Security, then click on the General tab, and then uncheck and re-check the box next to "Automatically update safe downloads list" (note that you may need to click on the lock and type an administrator password first). If you don't see this checkbox, you should make sure you're running either Lion (v10.7 or later) or the latest version of Snow Leopard (v10.6.8).

Security system preferences

Although this is the simplest solution, it doesn't give any indication of whether the update has actually completed, which is why I prefer to use the following alternative instead.

The second method is to download and install Safe Download Version, a freeware app created by Adam Christianson of The Mac Observer.

When you run Safe Download Version, it tells you the version of your currently installed definitions and their release date, lets you check for updates, and notifies you whether you already have the latest version installed or if a new update has been applied.

You can also check for updates by running XProtectUpdater via a Terminal command, as described in this article.

Although it's nice to know you have the latest version of Apple's malicious download definitions, don't let it give you a false sense of security.

Mac OS X currently only detects a limited number of specific malicious downloads from about ten different types of Mac malware. Apple's built-in protection does not defend against a wide range of threats including (but not limited to) malware copied over a network share or from an external drive, malicious JavaScript code embedded in Web pages, Microsoft Word or Excel macro viruses, malware downloaded with an application that doesn't utilize Apple's safe downloads protection, or malware that already exists on your hard drive.

Apple's download scanner also doesn't offer any protection against malware for other platforms such as Windows, so you'll have no way of knowing whether that flash drive you used at work or on a friend's PC might be carrying an infection.

To step up your own Mac's defenses, I recommend installing the free Sophos Anti-Virus for Mac Home Edition. You can see how it works compared with Apple's safe downloads protection in the video below.

(Enjoy this video? Check out more on the SophosLabs YouTube channel and subscribe if you like.)

, , , ,

You might like

8 Responses to How to keep Mac OS X's safe downloads list up-to-date

  1. Jon Fukumoto · 1408 days ago

    I have Sophos Anti-Virus on my Mac. Even though Macs don't have as much viruses and malware as Windows systems, it's still a good idea to have this program. There's no such thing as a 100% secure system, and Macs like PCs, need to be protected.

  2. BDMSTUDIOS · 1408 days ago

    Why a post about SL while LION is out?

  3. The file should be checked at startup, then daily or on wake if the system has been asleep at the scheduled time.

    You can specify a shorter interval (say 3600 seconds for an hourly check) by editing /System/Library/LaunchDaemons/

    PS, somewhat annoying that I had to retype all but the first six words of this comment after authenticating with Twitter!

  4. Mary Beth · 1407 days ago

    I will install your free Anti-Virus, but I have a question: I usually use Google Chrome as my browser instead of Safari. Am I still getting the same level of protection using Chrome?

    • Using Sophos will give you the same protection regardless of what browser you use but Apple's protection is only good when you use Safari. So use Sophos, I have and it is a great program. It does not slow down you Mac at all and is very unobtrusive.

    • Sophos Anti-Virus for Mac, HE has a built-in real-time scanner that scans all files as they are accessed. It also contains a manual scan option (to scan your entire drive, or custom parts/files/etc.) and a contextual scan integration into the Finder (right click and scan a file you're unsure of). It is also fully scriptable with AppleScript.

      XProtect only works with a "whitelist" of programs, including almost all of the available web browsers (including Safari, Chrome and Firefox), the most popular Mail apps and the most popular IM apps with file transfer capabilities, and removable media. If you use a command-line file transfer tool or something less common, for example a BitTorrent client, FTP client or a Java-based download accelerator, XProtect will not scan the files.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Joshua Long has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Computer and Information Security. Josh's research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles featuring his research and musings on malware and security on his blog, and follow him on Twitter and Google+.