I really ought to be working towards some really urgent deadlines, but I can’t resist a quick comment on the antimalware detection feature in Snow Leopard – darn, I’m going to have to upgrade to get a proper look at it – since several AV people, including our own Aryeh Goretsky, have commented.
I have to agree that it’s a positive step for Apple to have recognized the reality of Mac-specific malware, however trivial the threat might seem by comparison to the deluge of Windows-specific malware that we see. After all, it’s not many months since Apple decided not to recommend that Mac users make use of anti-virus after all, and their support staff were telling end users that they weren’t aware of any Mac malware, while some of their advertising is still based on the "Macs are secure out of the box" fallacy. (That should guarantee me another deluge of hatemail from fanboiz…)
There is also a negative side to this, though. Back in the 1990s, I gave a presentation (actually, it was at Apple’s offices in the UK!) whose conclusion was that I didn’t really want to see an Apple equivalent of Microsoft Anti-Virus (the horrible object shipped with MS-DOS 6, many years before Microsoft started to gain real credibility in the anti-malware industry). That wasn’t because I objected to Apple scrumping in the AV industry’s orchard: at that time I was earning my crust in the medical research sector and had no stake in it.
It was, and is, because I am concerned that Apple may not take the threat seriously enough to produce and maintain a consistently effective defence. While you can argue that any defence is better than none, the likelihood is that, in the long run, mediocre protection would do more harm than good. That’s because Apple’s customer base will tend to overestimate the effectiveness of any measure Apple do take, the same way that they already overestimate the value of the free anti-malware tools already available.
There’s a historical precedent for this, too, going back at least as far as the 1990s, when macro viruses started to become a major problem in the Mac arena. Macro viruses rarely delivered a working payload on Macs, but most of them infected documents just fine if the victim was using a vulnerable version of Microsoft Office (i.e. Word 6, at that time). Most Mac users were relying on Gatekeeper and Disinfectant (the 1990s Mac anti-virus utilities, not to be confused with Apple’s later feature of the same name; Disinfectant was an excellent utility, by the way), which were totally ineffective against that particular threat, so for a while those users were the Typhoid Mary of the macro virus, spreading infected documents left, right and centre…
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Author David Harley, ESET