With Apple’s Mac OS X 10.6 Snow Leopard operating system arriving on people’s doorsteps over the coming weekend, you’d think that all the new features are known by now, and there will be no more major surprises. Well, that’s not entirely true: on Intego’s Mac Security Blog, it is reported that Snow Leopard comes with anti-virus/malware functionality built-in. Update: Snow Leopard testers on MacRumors confirmed the functionality. How, exactly, it works, is not yet known, however.
The Intego blog talks about “reports we’ve seen” which state that Snow Leopard comes with anti-virus/malware functionality built-in, and also provides a screenshot of how it looks. The dialog in that screenshot appeared after a file was downloaded through Safari, and the operating system detected the RSPlug trojan.
There’s no way at this point to confirm this news, but it’s interesting nonetheless. Only today did Apple release two Get a Mac ads which played on the rather outdated mantra of “thousands of viruses” for Windows, so if Snow Leopard does come with built-in anti-virus/malware, that would be sort of funny.
Joshua Long theorised which anti-virus/malware scanner Apple chose to include with Snow Leopard; ClamAV was a logical contender, but as it turns out, ClamAV’s engine labels the above trojan differently. Intego and Symantec do label it as such, and of those, Intego obviously couldn’t be it. Could this mean Apple licensed the engine from Symantec? Or did they develop their own?
It is important to stress that there is currently very little to be worried about when it comes to the Mac and security. While several security researchers claim Mac OS X is easy to hack, large-scale infections have yet to take place. Still, proper security policies should always be enforced.
“outdated mantra of “thousands of viruses” for Windows”
Is it “outdated” because you think that it’s not true or because you tire of hearing of this problem?
“While several security researchers claim Mac OS X is easy to hack”
Perhaps, yet not a single virus has appeared on OS X.
I’m curious why you try to minimize Windows’ security problems yet embellish OS X’s.
Edited 2009-08-25 22:08 UTC
Did you not READ the final paragraph?
Yes I did Thom and yet there are still no viruses for OS X.
My question still remains.
Edited 2009-08-25 22:09 UTC
This is the final paragraph:
In what twisted beyond-the-looking-glass kind of universe can THAT be seen as “embellishing” OS X’ security problems?
And as for Windows and viruses – yes, that is very much an outdated issue ever since Vista came out – almost three years ago now. There haven’t been ANY major outbreaks since then of anything (except when people did not keep their computers up-to-date).
No viruses have appeared, yet you reference quotes from people saying that it’s easy to hack, thus reinforcing the false notion that the lack of viruses on the Mac is the result of its smaller size. By referencing them at all you are embellishing OS X’s insecurity.
Let the track record of an OS speak for its security capabilities rather than allow someone who may want to sell you a security product or minimize OS X’s increasing popularity.
“And as for Windows and viruses – yes, that is very much an outdated issue ever since Vista came out”
Oh so your position is that Vista is not susceptible to thousands of viruses? I’ll quote you… “In what twisted beyond-the-looking-glass kind of universe” do you live in?
“There haven’t been ANY major outbreaks since then of anything (except when people did not keep their computers up-to-date)”
If you are talking about the feature in Windows that minimizes the OS’s features to gain increased security then yes, you would be right.
I like to abuse poor Thom as well (sometimes in fun) but I don’t really think he was being over the top. While OS X has remained unscathed, the potential IS there because certain privileges are granted to the “admin” user, just like in Windows.
People rant about Windows security but the major reason why it is more open to problems is because of the elevated user privileges. If the system was locked down it would not be an issue… but that would raise OTHER issues with software products that apparently depend on elevated user privileges as well… I digress.
This article was about Mac OS X, not Windows. Thom should not have to make that comparison in his comments. Security vulnerabilities are security vulnerabilities.
I would rather have not read the flip comment about the new ads and the irony of the virus checking software, but hey, what can you do.
Although you are correct in saying that OS X Leopard and earlier are not up to date with regards to security features for the most part, OS X does not operate quite as the “admin” user – it is somewhere in between Windows’ free-for-all admin privileges and a more traditional Unix model. If you try to install files outside of the user’s directory tree, or other directories where the user has write privileges, you indeed will get a password prompt from sudo.
Also, you can run as non-admin and most applications, unlike Windows, won’t break if you do – but you’ll be entering your password a lot more and not much additional real security will be there as a result. (See Vista’s UAC for an example of why more is not better with regards to security prompts.)
I don’t disagree… I think OS X is definitely more secure and less prone in that regard.
I do wish a solution was available to lessen raised priv dependencies on Windows. It never had to be that way once NT arrived – or so I believe. If an application really required privileged access to a system resource, that could be accomplished without granting general, elevated privileges.
I don’t know… it is a bit of a mess now and would probably be a pain to change the way things are done now, for developers of huge products that have come to depend on that legacy weakness…
Developers’ poor programming practices being a pain for them to correct, rather than relying on ongoing insecurity through design, doesn’t really justify not correcting true privilege separation in Windows. The decision to back off from better security practices because AV companies complained loudly enough was disappointing. I’d much rather have an awkward quarter while third-party and MS internal developers fixed their broken programs than rely on poor privilege management. I include MS developers in that last bit due to the “do as we say, not as we do” approach of being able to temporarily disable UAC while asking non-MS developers not to make use of the feature.
The few applications that do not work properly as a non-admin can usually be made to work by changing security settings on the folders/files they are trying to work with.
I work every day, all day, in a non-admin account on Windows and there is no real difference between that and any other OS I have ever used.
Well, you have to say that Vista and 7 have made it a hell of a lot easier. It was far more difficult to do in XP because switching to administrative privileges was generally a pain and couldn’t be done for certain things.
At least I get a nice prompt in Explorer now when I copy a file to a place that needs administrative privileges, and you can easily fire up admin tools with admin privileges. I just wish Linux distributors would start doing the same and making sudo better and easier to administrate in applications.
I’ve had no grief from ksudo though I’ve not had to change from the defaults provided by Mandriva. My preference actually goes the other way, I wish Windows temporary elevation was as flexible as sudo where I can specify what user on what machine can elevate what commands, provide user groups or even provide aliases for commands.
Still, I select rpmdrake and up pops the KDE prompt for the admin password. No real grief there; for me anyhow.
To really make that work and easy to administrate you need a GUI for that ;-).
For Windows, you would need a GUI app or maybe a registry merge. I can use the same sudo config file across multiple servers and workstations or even distributions, which makes it much more pleasant to work with. I’ve not dug into how config with ksudo and gnome’s equivalent do it, but that’s probably more a matter of checking my Mandriva box to see if it has default entries for the draketools.
I’m sure there is also a graphical visudo-type frontend out there, though. I’m mostly working with Debian these days and with good habits developed on headless servers and ssh, no synaptic or unnecessary GUI config utils go into my workstations either. I’m not everybody or the average user, though.
He pointed out the vulnerability to targeted remote intrusion. That doesn’t mean he was also implying vulnerability to the more automated, “scattershot” security risks (e-mail viruses, infected websites, etc). They’re certainly related, but they’re not interchangeable.
Okay, let’s take an example from outside the computer world: the amount of break-ins in (most) rural areas is substantially less than in urban areas, even when measured per-capita.
Based on that, would you say it’s reasonable to conclude that people in rural areas are just fundamentally more law-abiding? Or would you consider that to be an oversimplification because it ignores other factors like population density, the social dynamics of rural vs. urban populations, etc?
Okay Thom, I would hardly consider Windows viruses to be an outdated issue. I do a lot of IT work and I’ve seen a significant increase lately in malware infestations. While these may not have been viruses, per se, they are extremely invasive and disruptive and require work to remove. Not for the lay person. Frankly, I think you’re delusional if you actually believe Windows Vista+ are somehow safe from infestation.
Vista was hated for its UAC, but Vista has proved to be less prone to virus attacks. I am handling about 120-130 laptops in my office, all of them running Vista, and there have only been a few (minor) virus attack complaints; also the Vista 64-bit version has proved to be even better. Vista has been my favorite Microsoft OS till now: adding network devices is easy, it is much more secure than Windows XP, and Vista is any day more stable than Windows XP. I am not a Microsoft fanboi, I use Linux at the office and Mac at home, but there is no denying that Vista (and Windows 7, as I have heard) are a step in the right direction for Microsoft.
Huh??
http://www.sophos.com/security/analyses/viruses-and-spyware/osxleap…
http://www.macworld.com/article/53737/2006/11/macarena.html
There are viruses for OS X. Please don’t let the facts stand in your way.
@DrillSgt
Re: Leap-A and Macarena
At first, they were a virus… Then classified as a worm. Then, a Trojan horse. Regardless of the definition, they are both malware.
Although they were among the first for the Mac, neither of them can be classified as a virus, as they are not self-replicating.
I would suggest that you not get the definition of a virus from a software development company who might want to simply sell you their software.
Edited 2009-08-25 22:52 UTC
You’re really arguing semantics here. Whatever you choose to call it, would you want the stuff on your machine? I sure wouldn’t.
If a close friend or family member were going to buy a Mac, I would tell them that just because it’s a Mac does not mean that it’s not vulnerable to viruses and malware. Regardless of how true (or not) that is, I’d rather people I care about to stay security-conscious, no matter what platform they’re on.
Better to be safe than sorry, I always say.
Edited 2009-08-26 03:31 UTC
Because downloading something, by choice, installing it, and giving it your password, twice, is somehow as bad as a virus and not a trojan?
No security in the world can protect people that thoughtless.
There are no viruses on Mac that auto-install and self-spread to other machines. The situation is in no way comparable to the Windows world, where I am scraping rootkits and malware off of Windows machines (including Vista) all day long.
Cut the bullshit, fanboi. That last statement was the biggest pile of shit I have heard in a long time. Seriously, all malware comes from users accepting installations of “Britney Spears nude video” or other crap. And if you have UAC enabled, like any sane person that doesn’t read Mac fanboi crap does, Windows will do pretty much the same as you said, and don’t give me that bullshit “Oh I need to type a password” crap like you Mac fanbois always do. It just shows that Apple is finally accepting facts and doing something to offer active defense.
When you’ve got a way of potentially walking into many systems then self-spreading becomes less necessary for malware, but to think that a Mac is not capable of doing that is naive. Some of the demonstrated ways into a Mac have been trivially easy because of the assumptions that can be made once you get there. Take a look at the Mac and you find an alarming number of programs and services that simply run setuid.
I think a lot of people are going to be in for a shock.
Edited 2009-08-26 15:40 UTC
It has certainly been proved that there are some humdinger exploits in OS X out there just waiting to be exploited, unlike Windows or Linux. OS X just needs to become more attractive for malware writers on a large scale.
That sentence there is the usual cast-iron denial you get from nutcase OS X supporters.
My family copy is estimated to ship on the 2nd. I can’t help but wonder what it will be like. I had hoped to hear more about wonderful (or at least very consistent) performance because of all the work done with what sounds like pervasive threading, etc. But who knows what else might be in there (but how did this remain a “secret?”)
There are some other security features Apple hardly talks about. At WWDC they announced Safari for Snow Leopard will have sandboxing of plug-ins, like Chrome. Also, a number of exploit prevention measures have been implemented, such as improved ASLR, “stack-smashing” type preventions for areas of memory besides the stack, and so on. Of course, most of these are available to people running Chrome and Vista already, but they should make hackathons much less embarrassing for Apple in the future.
Edited 2009-08-25 22:49 UTC
I guess their decision is to keep those sorts of details far from the end user and just tell them, “improved security”. If you’ve seen an ordinary person roll their eyes when they start hearing technical details you can understand why Apple doesn’t make the specifics of their security features on their marketing blurb.
WWDC was, technically speaking, a developers’ conference. Apple, other than commenting on the stability improvement (which incidentally is a security improvement) in Safari due to the plugin sandboxing, was *silent* on the security improvements in 10.6, and in fact has been totally silent in all of their marketing and announcements about Snow Leopard security until this week, when it got put into a corner of the “64 bits” sub-site where you read “details” of the 64-bit technology. They, in contrast, have been far from reticent about OpenCL, Grand Central, and 64-bit addressing. No, there’s more to it than simply user-friendliness in what is, after all, a technological-improvements release.
“Joshua Long theorised which anti-virus/malware scanner Apple chose to include with Snow Leopard; ClamAV was a logical contender, but as it turns out, ClamAV’s engine labels the above trojan differently. Intego and Symantec do label it as such, and of those, Intego obviously couldn’t be it. Could this mean Apple licensed the engine from McAfee? Or did they develop their own?”
From this sentence it would appear you meant to say Symantec instead of McAfee. Where did the McAfee reference come from? Does it label this the same as the screenshot?
Though I like their new beta I have been playing with. http://www.mcafee.com/us/enterprise/downloads/beta/beta_mcafee/msm/…
Edited 2009-08-25 22:50 UTC
For those interested, I would guess that it is not an anti-virus as on Windows. Instead, it is probably implemented in the core services, as part of CoreTypes. In other words, the library detecting file types (a little bit like “file” in Unix). Right now, it probably only includes RSPlug and Iservice, as they are the two most widespread pieces of malware for the Mac. We’ll see on Friday.
Exactly, I have to agree: it just detects the two known trojans when you try to mount a DMG – it’s not a background scanner, and it’s asinine (and shows a deep lack of technical understanding) for the pundits to think that from this screenshot.
Hmmm. That does seem to make some sense. I can’t wait to get my copy!
This is not the first Mac OS X version to bundle anti-virus. Mac OS X Server has bundled ClamAV for a long time. Granted, mainly for the built-in mail server, but the local system could be scanned with it as well.
I wonder if Apple also replaced ClamAV with this solution in the mail server. I hope so. ClamAV is very bad at finding malware.
However, instead of licensing a commercial AV solution, I personally would have preferred it if Apple made a few people work full-time on ClamAV. Other OSes would then benefit from it as well. Apple’s decision is understandable, though. For them OS X security is more important than improving a bad OS-agnostic solution.
Well, I would say it’s neither ClamAV nor a commercial scanner. If one is developing an operating system, as Apple is, there are far more efficient ways of detecting malware than to license a commercial scanner, trust me. It will probably be a very lightweight library, part of CoreServices.
They contracted Symantec people to include the Audit(1) service in Panther; they pushed it out to BSD, but they always say, “written by Symantec under contract by Apple” in so many words in the documentation for this. I suspect it was Symantec.
Careful with those words. I thought for a minute that they inadvertently had malware on the installation DVDs.
Then, I read that Snow Leopard had an anti-virus scanner. I thought surely that they would scan for viruses instead of anti-viruses.
“I thought surely that they would scan for viruses instead of anti-viruses. ;-)”
Norton bloatware is more of a threat to my system than most viruses. There’s surely a market for anti-virus scanning software.
Reminds me of a girl I used to work with. She handed me a burnt CD of Norton’s and asked “Can you install this virus on my computer?”
Does anyone else out there think Apple has included this feature, not so they can block real malware, but so when Rixstep discovers the next OS X security flaw and writes a proof-of-concept exploit, Apple can block it from running and therefore leave people in the dark about the flaw?
Maybe that was her pickup line?
Indeed, but is it bloatware or crashware? The last time I had Norton Utilities on my Mac (Mac OS 8.x?) was when they introduced CrashGuard, which crashed my system more than any other software.
Does this not harm McAfee and Symantec on the Mac platform? And before anyone says, “Apple doesn’t have a monopoly”, they do have a monopoly on Mac OS systems (and Mac OS computers, for that matter), and anti-malware software is designed for particular systems. You can’t argue, “Well, Apple doesn’t have a monopoly. Symantec can always sell their anti-virus software on other systems.” That argument makes no sense for anti-virus software; there is no market for Macintosh anti-malware software on other operating systems.
My question is rhetorical, because we all know the EC will allow this, since Apple is one of their blessed children.
McAfee and Symantec’s marketing on the Mac platform hurts them already – NAV and McAfee have the well-deserved reputation of being even more shit on Mac OS, of dying on OS updates, of hogging the machine, of being late on library updates, and they sell the “hundreds of viruses” fear by making people think Mac OS classic viruses can still affect OS X, which is an entirely different system.
WTF are you talking about? Apple is NOT a monopoly, especially not in the PC market.
Almost every jurisdiction in the world treats monopolies differently.
Actually that’s an interesting question MollyC is asking: how will this affect Symantec and McAfee? And what will the EU think or do about this?
1. Just like there’s AVG Free for Windows, there is also a free tool available for Mac OS which I find rather charming (and which I use), called iAntiVirus. This may also affect their sales negatively.
2. Though virus definitions are OS-specific (which is your point in bold), I must remind you that the suites of Symantec and McAfee do also scan for the existence of viruses and malware that could affect Windows (e.g., to prevent you from sending infected emails).
3. If the speculations about involvement of either Symantec or McAfee were right, this may mean the question of which will have the main anti-virus share on the Mac OS platform would already have been settled, as technology from one of these parties is readily implemented.
4. Your rhetorical assertion that the EU protects Apple is ridiculous and misses ground altogether, especially in this case. Just like BOTH Microsoft and Apple have included a firewall in their OS, they are also both entitled to including anti-malware functionality. Personally, I even expect Apple to put in a fairly simple system and leave the market open for among others Symantec, McAfee and iAntiVirus.
There are two or three trojans for Mac OS. Symantec’s and McAfee’s Mac business is purely Fear, Uncertainty & Doubt. They sell a false sense of security and that’s all. They scan for Windows viruses too, an area Apple would never cover, so I don’t see this simple DMG detection in Snow Leopard affecting their bottom line.
My feeling is that third-party scanners are the parasitic program to be added in after the fact. I’d much rather have a platform whose developers respond to viruses as “proof of concept” and correct the fault they exploit. I can accept an OS developer-provided applet as part of that, provided it demonstrates a better effective rate than third-party add-ons or can be superseded by those add-ons if they prove better.
Still, it’s more about correcting the vulnerability rather than getting into the addiction of relying on third party parasitic industries with “it’s not our fault” thinking. I would have more easily accepted Windows properly designed requiring AV companies to write better software rather than backing off and allowing the kernel hooks to be added back in. I can accept osX shipping with included IDS also.
The rest of my platforms provide a long list of IDS available from the repositories so no reason to fault the first two for the same attribute provided it stands up under testing.
lol, Apple has a “monopoly” in making Macintosh computers in the same way that Blizzard has a monopoly in making World of Warcraft.
Really?:
http://www.edri.org/edrigram/number5.18/ec-apple-prices
http://www.edri.org/edrigram/number5.7/ituned-free-drm
Not many, but they had some issues with the commission. The antitrust office is quite an active one, and I don’t think it has many friends.
Anyway, it’s common to hear people blaming the EC and I can’t understand why (yes I do, but won’t say). As a European I feel happy they kick anyone’s ass whenever it’s necessary. In fact, the biggest benefit of being part of the EU is the tremendous work done on consumer protection laws — from food and drug regulations, mobile prices, getting microsofty behaving….
… and the antitrust commiseration doing its job
A lot of baddies on the Windows platform seem to disable Msft Defender as the first thing they do. Possibly because it’s free and the first thing people install, so it’s well worth it. One could argue that this makes Defender useless, but in my book this makes Defender a superb indicator of whether there is a problem with a machine.
I wonder if Apple Wormspray, or whatever they will call theirs, will be as waterproof a tool to determine if a Macintosh is infected?
I’ve had one virus 13 years ago on a PC and none on my Macs. I am glad Apple decided to be proactive and not pretend like there aren’t any problems to make their ads less ironic.
Reminds me of how there are now worms that disable McAfee and Symantec anti-virus software before wreaking havoc. It is a symptom of having security as an add-on rather than it being integrated right into the operating system itself. I have a feeling that the way Apple does it is by having it integrated right into the way it handles the file, so that it isn’t possible for something to disable it without bringing down the whole OS – which would undermine a silent infection occurring behind the scenes.
Assuming that is indeed the case, it does carry a big downside: keeping the “list” of bad files up-to-date. Apple has a history of keeping things lingering around.
Windows Defender gets updated regularly in the background (in 7 at least, where Defender is an integral part of the OS), separate from the normal update cycle. Apple will have to do the same for this functionality to not only BE effective, but REMAIN effective.
Of course, this isn’t an issue now, as said. There simply aren’t any serious threats out there for the Mac OS right now.
I would hope they have realized by now (which their ads suggest) that one of their selling points is the (relatively) trouble free user experience on a Mac and put some resources into this.
A friend complained his machine (windows) was slow a while back. I did a netstat and saw some 100 connections to various smtp-servers. If he were on a Mac and the scenario was the same, I’m not quite sure he’d be the first in line to get another Mac.
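The two points raised in the comments above, that the feature is probably a small known-bad list consulted when a file is opened or a DMG mounted rather than a background scanner, and that such a list is only useful while it is kept current, can be shown with a toy checker. This is an added example written for this thread, not Apple’s code and not a description of how Snow Leopard actually works; the two “definitions”, the sample payloads they are derived from, the update date and the 30-day freshness threshold are all constructed placeholders. It also goes one step beyond the thread by carrying two signature styles side by side, a whole-file hash and a byte pattern, to show why a one-byte change defeats the first but not the second.

```python
"""Toy 'check on open' malware list: signatures plus a freshness check.
Example code for illustration only; nothing here is real malware or Apple's code."""
import hashlib
from datetime import date

# Constructed sample payloads. The "known-bad" entries below are derived
# from these bytes so the example is self-contained and runs offline.
SAMPLE_A = b"CONSTRUCTED-SAMPLE-A: fake installer payload\n"
SAMPLE_B = b"CONSTRUCTED-SAMPLE-B: fake disk image contents\n"

# Two signature styles a lightweight file-type-style checker might carry:
#   exact   -> SHA-256 of the whole file (cheap; any byte change defeats it)
#   pattern -> a byte substring (survives padding/renaming; higher false-positive risk)
DEFINITIONS = [
    {"name": "OSX.Sample.A (constructed)", "kind": "exact",
     "value": hashlib.sha256(SAMPLE_A).hexdigest()},
    {"name": "OSX.Sample.B (constructed)", "kind": "pattern",
     "value": b"CONSTRUCTED-SAMPLE-B"},
]
DEFINITIONS_DATE = date(2009, 8, 28)   # constructed "last updated" stamp
MAX_AGE_DAYS = 30                      # constructed policy threshold


def match_definition(data: bytes):
    """Return the name of the first matching definition, or None."""
    digest = hashlib.sha256(data).hexdigest()
    for d in DEFINITIONS:
        if d["kind"] == "exact" and d["value"] == digest:
            return d["name"]
        if d["kind"] == "pattern" and d["value"] in data:
            return d["name"]
    return None


def definitions_stale(today: date) -> bool:
    """True when the list is older than the policy allows; the commenter's point
    that a built-in list must be refreshed to REMAIN effective."""
    return (today - DEFINITIONS_DATE).days > MAX_AGE_DAYS


def check_download(data: bytes, today: date) -> dict:
    """Decide what a 'this file may harm your computer' dialog would do."""
    name = match_definition(data)
    return {
        "verdict": "block" if name else "allow",
        "name": name,
        "definitions_stale": definitions_stale(today),
    }


if __name__ == "__main__":
    today = date(2009, 8, 28)
    cases = [
        ("sample A, byte-exact", SAMPLE_A),
        ("sample A plus one padding byte", SAMPLE_A + b"\x00"),  # hash no longer matches
        ("sample B with a prefix", b"xx" + SAMPLE_B),            # pattern still matches
        ("unrelated file", b"hello, world\n"),
    ]
    for label, blob in cases:
        print(f"{label:32s} -> {check_download(blob, today)}")
```

The padded copy of sample A slips past the hash entry, which is the usual argument for keeping a few byte patterns alongside exact hashes even in a deliberately small list; the staleness flag is returned with every verdict so a caller can surface “definitions out of date” rather than silently reporting “allow”.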
The title implies that the MacOS will include malware.