Inside Snow Leopard's Hidden Malware Protection
While malware has long been an almost daily annoyance for Windows PCs, Mac users have become accustomed to not worrying about malicious software. Threats arise from time to time--in January of this year, for example, a Trojan horse made the rounds in pirated copies of Apple's iWork software--but most Mac users these days are probably running without virus protection software.
Apple's encouraged that, too, by frequently touting the Mac's resistance to malware in its advertising materials, especially when compared to Windows. But with the release of Mac OS X Snow Leopard, Apple's finally decided to subtly step up its game when it comes to malware, much as it has done in the past with phishing in Safari. For the first time, the Mac OS contains a built-in system that detects malicious software and attempts to protect users from inadvertently damaging their computers.
How does it work?
Since Mac OS X 10.4, Apple has built a download validation system called File Quarantine into its operating system. Beginning in Leopard, this manifested most frequently as a dialog box that popped up when a user first opened a file that was downloaded from the Internet via Mail, Safari, or iChat. The warning displayed what application downloaded the file, from what site, and at what time. It gave the user the option to continue opening the file, cancel, or view the Web page from which it had been downloaded.
In Snow Leopard, Apple has enhanced File Quarantine to also check files against known malware, pulling from a list of malware definitions at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist. At the time of this writing, the file contains only two definitions: the OSX.RSPlug.A Trojan Horse first discovered in 2007 and the OSX.iService malware embedded in the pirated iWork installer mentioned above. However, Apple told Macworld that the list of definitions can be updated via Software Update.
If you try to open an infected file, Snow Leopard will present you with a stronger warning, saying that the file may damage your computer and suggesting you move it to the trash. As with the download validation dialog, you'll have the option to continue or cancel, but if the file is on a disk image, there's a button to eject the image--if, on the other hand, the file is already on your hard drive, that button instead invites you to move it to the trash. If you've enabled Safari's "Open 'safe' files after downloading" preference, you will automatically be prompted with the dialog when the download completes and the file opens. Unlike the more general warning, the malware warning doesn't go away after the first time you open the file--it will continue to appear any time you open the file.
File Quarantine seems to serve mainly as a gatekeeper for files downloaded from untrusted sources: think of it as a layer between the user and the untamed wilds of the Internet. Snow Leopard defines an expanded list of applications for which it "quarantines" downloaded files (marking that they've been downloaded from the Internet). So if you download a file via your Web browser--including Safari, Internet Explorer, Firefox, OmniWeb, Opera, Mozilla, Camino, and more--or an e-mail client--Mail, Entourage, or Thunderbird--or receive a file via iChat, then it will be checked for malware when you open it. However, if you grab an infected file from another source, such as an FTP site, a file-sharing service like BitTorrent, or through a program that's not covered by Apple's system, you're out of luck: the system won't detect it.
Most importantly, Apple's system appears to contain no way to clean malicious software off your Mac after it's been infected. For that, it seems you'll still need to turn to third-party anti-virus products.
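To make the definitions mechanism concrete, here is an added example in Python; it is not Apple's code and not part of the original article. It loads a small, constructed definitions file in the same general spirit as the XProtect.plist described above (an array of named definitions, each carrying byte patterns to look for) and checks a file's contents against it. The plist layout, the key names, and the marker strings used as patterns are assumptions made for this example, not a transcription of Apple's file; only the two definition names come from the article. The behaviour worth noticing is the one the article warns about: a file is flagged only if it matches a listed definition, and anything not on the list passes untouched.

```python
"""Minimal definitions-based scanner (added example, not Apple's code).

SAMPLE_DEFINITIONS_PLIST is CONSTRUCTED for this example. Its layout is an
assumption about how a definitions list might look, not a copy of Apple's
XProtect.plist, and the Pattern values are the hex of harmless marker strings
("RSPLUG-SAMPLE" and "ISERVICE-SAMPLE"), not real malware bytes.
"""
import plistlib
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_DEFINITIONS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.RSPlug.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>5253504c55472d53414d504c45</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.iService</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>49534552564943452d53414d504c45</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


@dataclass(frozen=True)
class Definition:
    name: str
    patterns: List[bytes]  # every pattern must be present for a hit


def load_definitions(plist_data: bytes) -> List[Definition]:
    """Parse the plist into Definition objects, decoding hex patterns to bytes."""
    entries = plistlib.loads(plist_data)
    definitions = []
    for entry in entries:
        patterns = [
            bytes.fromhex(match["Pattern"])
            for match in entry.get("Matches", [])
            if match.get("MatchType") == "Match"
        ]
        definitions.append(Definition(entry["Description"], patterns))
    return definitions


def scan_bytes(data: bytes, definitions: List[Definition]) -> Optional[str]:
    """Return the name of the first matching definition, or None.

    None means "not on the list", which is exactly why a definitions-based
    check is only as good as its most recent update.
    """
    for definition in definitions:
        if definition.patterns and all(p in data for p in definition.patterns):
            return definition.name
    return None


def scan_file(path: str, definitions: List[Definition]) -> Optional[str]:
    """Convenience wrapper: read a file and scan its contents."""
    with open(path, "rb") as handle:
        return scan_bytes(handle.read(), definitions)


if __name__ == "__main__":
    defs = load_definitions(SAMPLE_DEFINITIONS_PLIST)
    print(scan_bytes(b"header RSPLUG-SAMPLE trailer", defs))  # OSX.RSPlug.A
    print(scan_bytes(b"a perfectly ordinary installer", defs))  # None
```

Loading the list once and then scanning individual files is the natural shape for this: the definitions change only when an update arrives, while the scan runs every time a quarantined file is opened.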
Does it work?
In our tests, the malware system successfully detected the OSX.RSPlug Trojan upon trying to open a file infected with it. The dialog box appeared regardless of whether the file was located on a disk image or the computer's hard disk, as long as it was a file that had been downloaded onto that computer via one of the applications that Apple's system checks.
Since Apple uses the com.apple.quarantine extended attribute--that's metadata stored on the file--to record the information about malware, that information can actually travel from Mac to Mac. However, it depends on how exactly the file is transmitted. If it's copied via OS X's file system--to a flash drive, for example, or via the Finder's built-in file sharing--then the malware mark will stay emblazoned on it like Hester Prynne's big red A. However, if you transfer it through another method--say, via FTP--that metadata will be lost. (There is one exception: Zipping the file using OS X's built-in compression tools will keep the quarantine attribute present even if you transfer it via FTP.)
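Because the whole mechanism hinges on the com.apple.quarantine extended attribute, the practical check after moving a file around is simply whether the attribute is still there and what it says. The following is an added example in Python, not code from the article or from Apple. It decodes the attribute value and reads it off a file. The field layout it assumes (hex flags, a hex download timestamp in seconds since the Unix epoch, the name of the downloading application, and an optional event identifier, separated by semicolons) is an informally documented convention, not something the article states, and the sample values are constructed.

```python
"""Decode the com.apple.quarantine extended attribute (added example).

Assumed value layout (informal convention, an assumption in this example):
    <flags hex>;<download time, hex seconds since Unix epoch>;<agent name>;<event id>
The last field is empty or absent on some releases, so it is optional here.
"""
import os
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass(frozen=True)
class QuarantineInfo:
    flags: int
    downloaded_at: datetime
    agent: str          # application that downloaded the file, e.g. Safari
    event_id: Optional[str]


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split a raw attribute value into its fields.

    Raises ValueError for anything other than three or four ';'-separated
    fields with hex flags and a hex timestamp, so a malformed attribute is
    rejected instead of being silently misread.
    """
    parts = value.strip().split(";")
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected field count in quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    event_id = parts[3] if len(parts) == 4 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, agent, event_id)


def is_valid_quarantine(value: str) -> bool:
    """True if the value parses as a quarantine attribute."""
    try:
        parse_quarantine(value)
    except ValueError:
        return False
    return True


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the decoded attribute for *path*, or None if it carries none.

    None is what you get for a file that arrived by a route the article says
    loses the mark (FTP, for instance). Python's os.getxattr exists on Linux
    but not on macOS, so on macOS this shells out to the xattr(1) tool.
    """
    if hasattr(os, "getxattr"):
        try:
            raw = os.getxattr(path, QUARANTINE_XATTR).decode("utf-8", "replace")
        except OSError:  # missing file or missing attribute
            return None
    else:
        try:
            proc = subprocess.run(
                ["xattr", "-p", QUARANTINE_XATTR, path],
                capture_output=True, text=True, check=True,
            )
        except (OSError, subprocess.CalledProcessError):
            return None
        raw = proc.stdout
    if not raw.strip():
        return None
    return parse_quarantine(raw)


if __name__ == "__main__":
    # Constructed sample value: flags 0x0081, downloaded 2009-09-01 UTC by Safari.
    sample = "0081;4a9d2c40;Safari;"
    info = parse_quarantine(sample)
    print(info.agent, info.downloaded_at.isoformat(), hex(info.flags))
```

Running `read_quarantine` against the same file before and after a transfer is a quick way to confirm the article's observation: a Finder copy or a zip archive keeps the attribute, while a transfer that carries only the file's data does not.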
Of course, malware protection is only as good as its definitions. It's unknown how often Apple plans to update the virus definitions in Snow Leopard: it could be bundled into Security Updates and point releases as security patches currently are, on an ad hoc basis as new threats arise, or even as a more regular set of updates delivered through Software Update. Apple has taken criticism in the past for its lack of rapid response on the security front, so it remains to be seen how it will handle this new system.
What does it all mean?
So now that OS X has built-in malware protection, what does that mean for Mac users? Well, here are a few things it doesn't mean.
It doesn't mean that scads of malware will be magically appearing for Mac OS X in a downpour of diluvial proportions. Yes, Apple's integration of an anti-malware system serves as a tacit admission that Mac OS X is far from immune to malicious software, but it's more of a responsible precaution than a reaction to an encroaching tide of evil software.
It also doesn't mean that Mac users can go about downloading files willy-nilly, with no regard to safety. As always, there are certain precautions that every computer user should take, regardless of platform: download files from trusted sources; don't open e-mail attachments from unknown senders; make sure you have strong passwords for your accounts. Malware prevention software can keep you from being caught unaware, but it doesn't give you carte blanche to be irresponsible, any more than a car alarm means you should go out of your way to park your car in a dangerous neighborhood.
And it doesn't mean that third-party anti-virus software makers like Symantec and Intego are going out of business. That's often a concern when Apple jumps into an established software field, but as the company told Macworld, "The feature isn't intended to replace or supplant anti-virus software, but affords a measure of protection against the handful of known Trojan horse applications that exist for the Mac today." Snow Leopard's protection is more of a preventative than a cure for malware.
In sum, this is a good thing for most Mac users, especially those who have long eschewed anti-virus software: we now have an additional level of protection that we didn't have before. It's not bulletproof, and it's not perfect, but the next time you look a gift horse in the mouth, at least you'll know if it's full of Greek warriors.