The lackluster function only scans for malware in files downloaded with certain applications, Intego says

Sep 3, 2009 07:40 GMT

Hot on the heels of Sophos reporting vulnerabilities with the Snow Leopard upgrade, Intego has posted a security memo on “how the anti-malware function in Apple’s Snow Leopard works.” The find was reported last week by the Mac security specialist, which is now providing an in-depth look at the feature.

First things first, Intego bluntly says that, “Apple has added an anti-malware function to Mac OS X 10.6, Snow Leopard.” So far so good. However, “This function only scans for malware in files downloaded with certain applications,” the security firm asserts. “Apple's anti-malware function doesn't scan for malware when files are copied in the Finder, from CDs, DVDs, USB thumb drives or network volumes,” Intego reveals.

Moreover, users shouldn’t completely rely on this feature, Intego suggests, as it “currently only scans for two Trojan horses. Apple does not detect all variants of the most common Trojan horse [and] doesn't scan meta-package (.mpkg) installer packages.” “Apple’s anti-malware function does not repair infected files or infected Macs [and] does not offer Mac users serious protection from viruses and malware,” the advisory says.

Noting that Apple uses a ‘quarantine’ in Safari, Mail and iChat, Intego says, “This function spots when files are downloaded, received as attachments to e-mail messages, or received during chats, and sets an extended attribute (data not visible to users) on such files containing information about when a file was downloaded and with which application.” According to the company, “Apple can detect only 15 of the 17 variants of the RSPlug Trojan horse. Unfortunately, neither the RSPlug.A nor the RSPlug.C variants are detected by Snow Leopard’s antivirus function.”

Snow Leopard anti-malware function example (Credits: Intego)

“In addition, Apple's anti-malware function incorrectly identifies the variants it finds, since, in all cases, the alert displayed for any RSPlug Trojan horse variant states that the RSPlug.A variant was detected,” the security memo reads.

As far as protected apps go, Intego mentions web browsers (Internet Explorer, Firefox, OmniWeb 5, Opera, Shiira, Mozilla Navigator and Camino) and e-mail clients (Entourage, SeaMonkey and Thunderbird), as well as Apple's own Safari, Mail and iChat.

“[...] For now, applications and other executables (such as scripts) are flagged, as are installer packages. Some other file types get flagged, but Trojan horses masquerading as files that are not applications can slip through the net,” Intego concludes.
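The coverage gaps Intego describes all follow from one design point: the check is keyed off the quarantine extended attribute that only the listed download agents set, so a file that arrives any other way is never looked at, and even a quarantined file is skipped if it is a type the check ignores. The script below is an added illustration of that rule for a defender auditing a Downloads folder; it is not Intego's or Apple's code. Everything it assumes is labelled: the attribute name `com.apple.quarantine` and its `flags;hex-timestamp;agent;uuid` layout are taken from later macOS releases rather than from the article, the "flagged" and "unscanned" suffix lists are a simplification of the article's claims, and the file inventory and attribute values are constructed.

```python
"""Model of the Snow Leopard download-check coverage Intego describes.

Added example, not Intego's or Apple's code. Assumptions not taken from the
article: the attribute name com.apple.quarantine and its value layout
'flags;hex-timestamp;agent;uuid' (observed on later macOS releases); the
suffix lists are a simplified reading of the article; all sample data is
constructed.
"""
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"  # assumed attribute name

# Types the article says are flagged: applications, scripts, installer packages
# (simplified to a few common suffixes).
FLAGGED_SUFFIXES = (".app", ".pkg", ".sh", ".command")
# The article says meta-package installers are not scanned.
UNSCANNED_SUFFIXES = (".mpkg",)


def parse_quarantine(value):
    """Split a quarantine attribute value into its fields.

    Assumed layout: hex flags ; hex seconds since the Unix epoch ; agent name
    ; optional event UUID. Raises ValueError on a malformed value.
    """
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    timestamp = int(parts[1], 16)
    return {
        "flags": int(parts[0], 16),
        "timestamp": timestamp,
        "downloaded_at": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "agent": parts[2],
        "event_id": parts[3] if len(parts) > 3 and parts[3] else None,
    }


def coverage(path, xattrs):
    """Return (checked, reason) for one file, following the article's claims."""
    lower = path.lower()
    if QUARANTINE_XATTR not in xattrs:
        # Finder copies and files from discs, USB sticks or network volumes
        # never get the attribute, so the check never runs on them.
        return False, "no quarantine attribute (Finder copy, disc, USB or network volume)"
    q = parse_quarantine(xattrs[QUARANTINE_XATTR])
    when = f"{q['downloaded_at']:%Y-%m-%d %H:%M}Z"
    if lower.endswith(UNSCANNED_SUFFIXES):
        return False, f"downloaded by {q['agent']} at {when} but .mpkg packages are not scanned"
    if not lower.endswith(FLAGGED_SUFFIXES):
        return False, f"downloaded by {q['agent']} at {when} but not a flagged type (simplified rule)"
    return True, f"downloaded by {q['agent']} at {when}"


def triage(files):
    """Apply coverage() to a {path: xattrs} inventory; returns (path, checked, reason) rows."""
    return [(path, *coverage(path, xattrs)) for path, xattrs in files.items()]


# Constructed inventory: path -> extended attributes. 0x4a9e8f00 is 2 Sep 2009 UTC.
SAMPLE_FILES = {
    "/Users/demo/Downloads/Installer.pkg": {QUARANTINE_XATTR: "0081;4a9e8f00;Safari;0B7F1C2E-EXAMPLE"},
    "/Users/demo/Downloads/Installer.mpkg": {QUARANTINE_XATTR: "0081;4a9e8f00;Firefox;5D2A9B11-EXAMPLE"},
    "/Users/demo/Downloads/holiday.jpg": {QUARANTINE_XATTR: "0081;4a9e8f00;Safari;7E4C0A33-EXAMPLE"},
    "/Volumes/USBSTICK/Installer.pkg": {},
}

if __name__ == "__main__":
    for path, checked, reason in triage(SAMPLE_FILES):
        print(f"{'CHECKED' if checked else 'SKIPPED':7} {path}: {reason}")
```

Run on a real machine, the inventory would come from reading the extended attribute off each file rather than from the constructed dictionary; the point the output makes is that only one of the four sample files is ever examined, and that copying the same installer over from a USB stick removes it from the check entirely.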