Some Insight into Apple's Anti-Virus Signatures
Now with Apple pushing out its first daily update to combat the latest MacDefender variant, its a good time to take a closer look at "XProtect", the Snow Leopard Anti Malware engine (or to use the Apple euphemism: "safe download list").
OS X heavily relies on XML files for configuration. These "plist" files are easy to read. The same is true for the XProtect configuration, which includes the currently valid signatures. Two files are used:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
This file appears to track XProtect versions, and when they got applied.
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
This is the actual signature file. For example, one of the MacDefender entries looks like:
<dict>
<key>Description</key>
<string>OSX.MacDefender.B</string>
<key>LaunchServices</key>
<dict>
<key>LSItemContentType</key>
<string>com.apple.installer-package</string>
</dict>
<key>Matches</key>
<array>
<dict>
<key>MatchFile</key>
<dict>
<key>NSURLNameKey</key>
<string>Info.plist</string>
</dict>
<key>MatchType</key>
<string>Match</string>
<key>Pattern</key>
<string>3C6B65793E43464276B6....F737472696E673E</string>
</dict>
[ ... 3 more 'dict' sections deleted ... Also, the string is appreviated to fit ]
</array>
</dict>
xpath /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
/plist/array/dict/string
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Comments