Apple Improving OS X Anti-Malware Feature

Published: 2011-05-31
Last Updated: 2011-05-31 22:34:45 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

One of the not-much-talked-about new features in Snow Leopard aka OS 10.6 was a build in anti virus tool. However, up to now, the tool only looked for a small number of old malware samples, hardly ever found in the wild. This changed with today's OS X security update (2011-003). This latest update includes the ability to automatically download new signatures, just like for other anti malware software. In addition, signatures got added for the recent set of fake AV tools spreading for the Mac ("Mac Defender").

XProtectUpdater, the new component downloading these updates, it configured using the system preferences according to some reports. But so far, I have not been able to find the configuration in either of the systems I installed the update on. (I will keep looking and maybe will update this later)

 Update: Found it. The item is called "Automatically update safe downloads list". It can be found in the "General" tab of the security settings. I guess this is the least "malicious sounding" naming Apple could come up with. It is enabled by default.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: anti virus apple os x
3 comment(s)


I guess the 1st step is realizing you have a problem (or at least that you aren't immune).
Download the update directly and then install it. It seems to cleanup if you do not have MacDefender, something which would make sense for apple to do.

You can find the following
/usr/libexec/XprotectUpdater and /usr/libexec/MRT. Seems that cleans MRT up. Tested it on all versions we have of MacDefender and it worked, went into the contents and removed the executable.

In the control panel Apple put the option, which as you say is the least malicious sounding name...
Oh, it works but not a end all. I would like apple to create a control panel for seat-belt, that I think would be a really big step up. Also during system install have the user create a Admin and general user. I think this is a case of Apple not wanting to be in the anti malware business but trying to deal with the problem, while not killing its marketing. They can do something really different, if they are brave. Like all companies, I fear this will not be the case.

Diary Archives