missing com.apple.mrt.plist

Just realized it's missing. Have looked in /System/Library/LaunchDaemons. Shouldn't this have been installed with 10.6.8? (I installed from the combo.) Have searched the entire drive using EasyFind, but nowhere to be found.

Late 2009 iMac 21.5-OTHER, Mac OS X (10.6.8), iMac G3/400 10.4.11

Posted on Oct 7, 2011 8:40 AM

8 replies

Oct 7, 2011 5:54 PM in response to Linc Davis

So I shouldn't expect to see it. Thanks, but this part I'm not quite understanding: "The idea is that you only need to scan your files once for malware, because after that you'll detect it when it's downloaded."


I thought the mrt scans and removes and the XProtect provides definitions for the mrt. Maybe I'm not understanding the relationship between the mrt and the XProtect.


Let me see if I'm getting this. The XProtect only provides alerts (this I already know) -- i.e. doesn't remove anything -- on downloads containing known malware and the mrt would have scanned only once because it was meant only for the MacDefender Trojan which is all it was established to remove? And that mrt.plist file is only present the one time it scans? After that it's deleted because there's no use for it; there's no more malware removal.

Oct 7, 2011 6:10 PM in response to WZZZ

The MRT checks for installed malware -- originally MacDefender. I don't know whether it updates its recognition database first. Then it's deleted. One shot, then gone. At that point you have no known malware installed. XProtect checks only quarantined files for malware installers. Its recognition database is updated daily.


If this system worked perfectly, which of course it doesn't, and if you only acquired new files by downloading them from the network with an application that sets the quarantine attribute (some do, some don't), then in theory you'd be protected from present and future infection.

Oct 7, 2011 8:47 PM in response to Linc Davis

So, according to what you say, the MRT should be removing the Flashback or the Revir.A Trojans, if either is installed (the XProtect should, in theory, at least, warn if either is present as an installer in a downloaded file -- I know its definitions have been updated to include both.)


From what I've been reading in several threads here where the Flashback has been discussed, and I could be wrong, I've been getting the impression from those who were infected the MRT isn't doing much of anything.


One would think the MRT would update its database from the newly arrived XProtect definitions and then go into action, at least if those definitions matched the installed files. If not from those XProtect definition updates, how else could it be getting updated? I'm not aware of any other way.


In any case, my initial question is solved. Thanks.

Oct 8, 2011 5:51 AM in response to WZZZ

Lingering question:


The MRT checks for installed malware -- originally MacDefender. I don't know whether it updates its recognition database first. Then it's deleted. One shot, then gone.

Do I have this right? Means it will never run again, even if known malware has been installed? So during the MacDefender episode it only ran once (just after the update to 10.6.8) to scan for and, if found, clean out one iteration of MacDefender and was gone? The MRT process and LaunchDaemon would never be seen again, regardless?


Thereafter, even if another of the many known versions of MacDefender had been installed -- providing a user disregarded an alert from XProtect -- it did zilch?


If this is the case, seems to me this was a very lame Malware Removal Tool.

Oct 8, 2011 12:48 PM in response to WZZZ

When files are downloaded through the following applications:

  • Entourage
  • Safari
  • Mail
  • Firefox
  • Thunderbird
  • iChat
  • and other programs that use LSQuarantine

then the files are tagged with an extended attribute called com.apple.quarantine. When the downloaded file is run (automatically or manually), this triggers the use of Launch Services. Launch Services then triggers the XProtect scan of the file.

Unfortunately, if variants of these threats find their way on to your system via an application that doesn't set the com.apple.quarantine extended attribute, for example via:

  • Skype
  • Adium
  • BitTorrent
  • and Finder (via USB keys, network share, etc ...)

XProtect is never triggered and thus these threats can run unfettered. However OSX/iWorks-A was distributed through infected torrents and so wouldn't be blocked by XProtect.

Users who have Sophos Anti-Virus installed with the on-access scanner enabled will never see this new XProtect functionality - the malware is detected by Sophos long before Launch Services gets to search for it.


http://nakedsecurity.sophos.com/2009/08/28/apples-integrated-antimalware-feature-xprotect/


http://www.cultofmac.com/15475/everything-you-wanted-to-know-about-apples-new-anti-virus-spotter/
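
As an added example (not part of the thread and not Apple's code), the Python sketch below parses the com.apple.quarantine value described in the post above and lists the files that carry no usable tag and so would never reach the XProtect check. The field layout (hex flags; hex Unix timestamp; agent name; trailing data), the helper names and the sample listing are assumptions constructed for illustration; `xattr -p` is the macOS command-line tool.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"

def parse_quarantine(value):
    """Split 'flags;hex_time;agent;extra' (assumed layout) into a dict.
    Returns None when the attribute is absent or malformed."""
    if not value:
        return None
    parts = value.strip().split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except ValueError:
        return None
    return {"flags": flags, "time": stamp, "agent": parts[2],
            "extra": ";".join(parts[3:])}

def read_quarantine(path):
    """Read the raw attribute with the macOS `xattr` tool; None if unset."""
    try:
        out = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return None  # not running on macOS: no xattr tool available
    return out.stdout.strip() if out.returncode == 0 else None

def untagged(listing):
    """listing maps path -> raw attribute value (or None).
    Returns the paths with no usable quarantine tag, i.e. the files
    that would be opened without Launch Services invoking XProtect."""
    return sorted(p for p, raw in listing.items()
                  if parse_quarantine(raw) is None)

# Constructed sample: two files saved by quarantine-aware applications,
# two that arrived through channels that do not set the attribute.
SAMPLE = {
    "Downloads/installer.dmg": "0000;4e8f2c10;Safari;|com.apple.Safari",
    "Downloads/attachment.zip": "0000;4e8f3000;Mail;|com.apple.mail",
    "Downloads/from_usb.pkg": None,
    "Downloads/chat_transfer.zip": None,
}

if __name__ == "__main__":
    for path in untagged(SAMPLE):
        print("no quarantine tag:", path)
```

On a Mac, building the listing with `read_quarantine` over a downloads folder gives the same report for real files.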
