190 Replies. Latest reply: Aug 17, 2012 7:46 AM by chepin
  • 75. Re: Heads Up/Warning Mac Defender
    MadMacs0 Level 4 (3,735 points)

    Hard to say.  There are like 150 servers used by clamav.net to distribute database updates around the world.  The updater process does its best to figure out the closest one to your location to make it easier to connect and for network balancing.  Normally it will try five different mirrors before giving up, but there could be other network issues involved.  I've never seen the entire network go down, but individual servers go down or out of date all the time.  If it hasn't cleared up in an hour or two, come over to http://markallan.co.uk/BB/viewforum.php?f=1 and we can work it out over there.  Meanwhile take a look at your update log for additional clues.



  • 76. Re: Heads Up/Warning Mac Defender
    MacJoseph Level 3 (595 points)



    Thanks will do that.



  • 77. Re: Heads Up/Warning Mac Defender
    crm92 Level 1 (0 points)


    I am having trouble with this program that downloaded from Google. Mine is not called MacDefender, but MacProtector. I tried downloading ClamXav and it asks for updates which it can't get because they are supposedly being interrupted. Since this program downloaded my other internet server, Google Chrome is starting on its own and is taking me to web pages which I didn't want to visit. I don't know what to do, I am worried. I hope you can help me.

  • 78. Re: Heads Up/Warning Mac Defender
    MadMacs0 Level 4 (3,735 points)

    If it's like MacDefender there is nothing to worry about until you give those people your credit card number.


    For help with ClamXav come over to the forum and somebody will help you with that.  There's a link to it in my reply at the top of this page.


    Again, if this program is the same as MacDefender then to disable it reboot with the shift key held down into safe mode.  Find MacProtector (probably in your Applications folder), drag it to the trash, empty the trash and reboot in the regular manner.


    So yesterday they started using MacSecurity and you are telling me that today it's called MacProtector?!  I don't see how we can possibly keep up if they change it every day.  At any rate, my guess is that none of the AV software folks will be able to find this new variety of MacDefender, so we need your help to get it to the folks that can take care of that.  We need to find the file that initially downloaded to your computer.  It's probably in your download folder and may still be called "BestMacAntivirus2011.mpkg.zip" or something similar.  I need you to upload it to VirusTotal and check to see if it is identified by "clamav".  If it's not then please upload it to clamav and we can get started on updating the database.

  • 79. Re: Heads Up/Warning Mac Defender
    MadMacs0 Level 4 (3,735 points)

    That file in your download folder might now be called "Archive3.zip".  If you see anything else in your download folder that doesn't sound familiar, upload that, as well.  Best to keep your download folder clear of old files so that you will quickly see anything there that shouldn't be.

  • 80. Re: Heads Up/Warning Mac Defender
    R C-R Level 6 (14,175 points)

    ds store wrote:

    Eric Brian wrote:

    Sophos also offers their antivirus for free for Mac home users:



    Always on anti-virus is still unnecessary on a Mac and often conflicts with OS X changes.


    Just some common sense is needed and a little more attention by Apple in preventing drive by downloads.


    Whether or not always-on AV scanning software is necessary or desirable is something every user should decide for themselves, based on their expertise & familiarity with the OS. There are no known viruses in the wild that affect OS X, but there are many other kinds of malware that can affect OS X users.


    This is especially true of trojans like MacDefender (& a new variant called MacProtector) because they trick users into installing their payloads by pretending to be something they are not. Apple can't prevent this, short of building the same kind of definition-based AV detection into the OS that stand-alone AV apps provide.


    Apple has in fact done exactly that in recent updates to Snow Leopard; however, because OS updates are released infrequently & so far Apple has included just a few older trojan variant definitions, this offers no protection for emerging ones.


    That is the primary benefit of third party AV apps: their catalogs of malware definitions are usually much more extensive & updated far more frequently, for some products within hours of the discovery of a new threat. For example, the Sophos definitions were updated to detect MacProtector less than 24 hours after it appeared. By default, the free Sophos home edition software is set to check for updates every hour, so its users would be exposed to so-called zero day attacks for less than a day.


    FWIW, I have been using the free Sophos product since last November. It has not interfered with any OS update in any way.


    Also note that common sense alone won't prevent these newer attacks from being downloaded. The MacProtector variant downloads before the web page is rendered. Users still have to be tricked into installing it, but just visiting the bogus site that hosts it will place a copy of its deceptively named zip archive in the downloads folder.

  • 81. Re: Heads Up/Warning Mac Defender
    jsd2 Level 5 (6,200 points)

    R C-R wrote:

    The MacProtector variant downloads before the web page is rendered. Users still have to be tricked into installing it, but just visiting the bogus site that hosts it will place a copy of its deceptively named zip archive in the downloads folder.


    In this instance I found this to be true for Safari, but not for Firefox.


    As a test yesterday I created a new standard user account and from there tried using plain-vanilla browser environments to access a website I knew was infected with MacSecurity malware.  For Safari v5.05 my only change from the initial default preferences was to first uncheck the box for "Open 'safe' files after downloading." For Firefox 3.6.17 I made no changes to the default preferences at all, and I didn't install any extra add-ons.


    On visiting the infected website, I got the same phony flashing display with both browsers. Safari proceeded to download the malware Zip file automatically, with no further input from me. Firefox did not download anything and instead asked me if I wanted to save the zip file:


    [Screenshot: Screen shot 2011-05-06a at 2.14.11 PM.png]

    I haven't tested other browsers.

  • 82. Re: Heads Up/Warning Mac Defender
    edinburghlad Level 1 (0 points)

    Hi Joseph,


    I have tried to put the MacDefender into my Trash but it will not let me as MacDefender is still running. Any ideas how to close it down?


    I am a bit of a dunce when it comes to IT so an idiot's guide would be appreciated.



  • 83. Re: Heads Up/Warning Mac Defender
    R C-R Level 6 (14,175 points)

    Several posts in this & related topics mention ways to shut down (quit) MacDefender. This post (by MacJoseph on page two of this topic if the link isn't working for you) mentions one way using Activity Monitor.

  • 84. Re: Heads Up/Warning Mac Defender
    OBRA3 Level 1 (0 points)

    Definitely got hit by google images too.  Ended up downloading the anti-malware.zip.  Of course I had the open "safe" files checked in safari prefs and the file was nice enough to open itself and open the installer.  I was of course very unhappy at this point as my computer houses a lot of sensitive information.  I closed the installer out and then ran my security software on the zip file- which houses MacProtector.mkpg.  It immediately picked up on the MacDefender trojan and cleaned it. 


    Definitely take the steps in the above posts.  Personally, I tried Clam but it was a little too basic and went with VirusBarrier X6 Dual Protection (provides Panda Antivirus if you're running a virtualized Windows machine) from Intego software- wasn't a big fan of Norton either- total bloatware. So far I haven't experienced any slowdowns and it does its job.  It may be overkill for some people but I'm happy as it warns me if there's anyone sniffing for open ports etc- and I can schedule full scans so they happen in the middle of the night.


    I also went through and ritualistically cleaned out all my cookies.  Bleh- and am also scanning the computers on my network.  Ugh. 


    Biggest thing I learned- un-click the "open safe files" check box. 


    Other lessons for folks:


    1.  Unless you requested something to download and something downloads- don't trust it.  EVER.

    2.  Mac viruses/trojans are on the rise.  Get used to it and forget the "I'm ok cuz I have a Mac." 

    I've been a mac user since 91 and it's only been in the last year or two that I've taken to buying anti-virus software.

    3.  Don't open e-mail attachments/links in e-mails- A. from strangers B. from people you know if it seems out of the ordinary.  Even then if it's from your friends check and hover (in some e-mail clients) over the link and see if it goes where it says it goes.

    4.  Use a service like google mail- they're pretty good about weeding out trojan/virus e-mails- but even then some still get through.  Default to lesson 3.

    5.  Don't ever click on e-mail links from your "bank" or the "irs".  Go to the website directly by typing it in your browser.

    6.  You have not won the lottery in the UK or have a rich uncle who passed away in some far off land. 

    7.  Just be careful with your google/yahoo/bing searches. 

    8.  Update your software on a regular basis- OS X, Microsoft, Adobe.  (they have updaters included with their software).


    Best of luck out there - and don't be scammed.

  • 85. Re: Heads Up/Warning Mac Defender
    jayv. Level 4 (1,230 points)



    I'm researching the MAC Defender issues and would love to get my hands on it, I need a website where I can download it because two days of googling and visiting some very shady websites.... I still got nothing.

    Any help greatly appreciated.



  • 86. Re: Heads Up/Warning Mac Defender
    R C-R Level 6 (14,175 points)

    OBRA3 wrote:

    Biggest thing I learned- un-click the "open safe files" check box.

    It doesn't matter much if that option is checked in Safari or not. Either way, the malware still ends up in the designated Downloads folder, & until it is installed with an intentional click of Installer.app's "Install" button, it can't do anything more insidious than taking up a tiny amount of HD space.


    Personally, I think I might rather have the Installer app launch to let me know right then & there that something I didn't ask for had just been downloaded instead of discovering it later in the Downloads folder & wondering where it came from or maybe confusing it with something I did intentionally download.


    Regardless, the most important thing to learn from this is not to install anything that you are not completely sure of. A quick search of the web should give you a good idea about the app's legitimacy -- if it doesn't, or anything looks fishy about what you do find then don't install it.

  • 87. Re: Heads Up/Warning Mac Defender
    OBRA3 Level 1 (0 points)

    Yup- that is true.  It won't auto install but it still prevents the installer from opening on its own in the first place.


    I always have the downloads open all the time so I did see that something did download.


    And agreed- don't install.  

  • 88. Re: Heads Up/Warning Mac Defender
    MadMacs0 Level 4 (3,735 points)

    Sorry, but all my sources have gone quiet and I haven't seen any reports of new infection today.  I'm sure they will show up again soon.  Maybe taking the day off (Mother's Day, Sunday, ...)?

  • 89. Re: Heads Up/Warning Mac Defender
    R C-R Level 6 (14,175 points)

    It is pretty much the nature of the rogue web pages that pop into existence via SEO (search engine optimization) poisoning attacks to disappear again not long after they are identified as such. The few I've seen don't even have DNS names, just numeric IP addresses -- another indication that they are not a part of a legitimate web site.
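
The indicator mentioned in the post above (download pages reachable only by a numeric IP address, with no DNS name) can be checked mechanically. This is an added example, not part of the original thread: it flags archive or installer downloads whose origin URL has a numeric host. The function names, the extension list and the sample records are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed set of archive/installer extensions worth a second look.
ARCHIVE_EXTENSIONS = (".zip", ".mpkg", ".pkg", ".dmg")


def host_is_numeric(url):
    """True when the URL's host is an IP address rather than a DNS name."""
    host = urlsplit(url).hostname  # drops userinfo, port and IPv6 brackets
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # dotted IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    # A bare decimal integer is also accepted by browsers as an IPv4 host.
    return host.isascii() and host.isdigit() and int(host) < 2**32


def flag_downloads(records):
    """Return names of archive/installer downloads that came from a numeric host."""
    return [
        name
        for name, origin in records
        if name.lower().endswith(ARCHIVE_EXTENSIONS) and host_is_numeric(origin)
    ]


# Constructed sample records (file name, origin URL); the addresses are from
# the reserved documentation ranges, not real hosts.
SAMPLE_DOWNLOADS = [
    ("report.pdf", "https://www.example.com/files/report.pdf"),
    ("Archive3.zip", "http://192.0.2.10/dl/Archive3.zip"),
    ("update.dmg", "https://downloads.example.org/update.dmg"),
    ("anti-malware.zip", "http://[2001:db8::5]:8080/anti-malware.zip"),
    ("setup.pkg", "http://3221225994/setup.pkg"),
    ("notes.zip", "https://192.0.2.10.example.net/notes.zip"),
    ("photo.jpg", "http://198.51.100.7/photo.jpg"),
]

if __name__ == "__main__":
    for name in flag_downloads(SAMPLE_DOWNLOADS):
        print("review before opening:", name)
```

A numeric host is only a hint that a download deserves a closer look; a name that merely starts with digits, such as `192.0.2.10.example.net`, is still a DNS name and is not flagged.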
