R C-R wrote:
I chose it over ClamXav in part because the latter is sometimes a bit slow to be updated (including for the 'drive-by' variants of Flashback).
That has certainly been true in the past, but at some point during the MacDefender outbreak it improved a great deal. I have documented a few examples of variants which were updated in the clamav database before either Sophos or Apple. Part of the explanation seems to be a broader willingness to share samples via services like VirusTotal and a willingness for the signature coders at clamav to take on OS X signature writing with the same priority they have previously reserved for Windows malware.
ClamXav also is somewhat limited in its "always on" capability: that feature (called Sentry) was introduced in the new 2.0 version (& still missing from the Mac Apple Store Version) & must be set up to scan specific folders to do anything.
Not that it matters, but Sentry came along way before v2 and has been part of ClamXav from the time I first started using it. I don't see it ever being included in the AppStore version as long as Apple rules remain as strict as they are, in fact I suspect the Sandbox requirement has made that even more difficult. The fact that you must set it up is considered to be a feature by the author who insisted that ClamXav do nothing that wasn't specifically requested by the user. Makes things more difficult in the beginning, but at least you know everything it's doing which is not true of other A-V software.
There is also a potential issue with ClamXav if you try to scan the entire HD; for this reason its maker recommends that you not do that.
True, but it's been fixed for most users and for others there is a work-around.
- don't use two AV programs on your system; they are likely to conflict.
Actually, as long as you only use one of them for real-time scanning, my experience has been they get along just fine these days. I currently have four installed, but all are used only in manual mode, except during testing. There are also conflicts between the four or so apps that all use the same clamav scan engine, but install it differently.
R C-R wrote:
That has certainly been true in the past, but at some point during the MacDefender outbreak it improved a great deal. I have documented a few examples of variants which were updated in the clamav database before either Sophos or Apple.
Are you talking about actual detection capabilities or database updates? As I understand it, they are not quite the same thing, since some A-V software uses a combination of techniques to detect malware, not all of which are based on updated definitions. That's one of the reasons VirusTotal says not to use it to compare one A-V product to another -- since VirusTotal uses just the basic "detection engine" for its automated tests the results may be different from what the complete product does in actual use.
Not that it matters, but Sentry came along way before v2 and has been part of ClamXav from the time I first started using it.
Thanks. I did not know that.
The fact that you must set it up is considered to be a feature by the author who insisted that ClamXav do nothing that wasn't specifically requested by the user. Makes things more difficult in the beginning, but at least you know everything it's doing which is not true of other A-V software.
Also good to know. Personally, I want "always on" scanning to look everywhere it can for signs of malware, with the option to opt out of scanning specific places of my choosing (kind of like the privacy pane in Time Machine), & that is how Sophos works, but I can see that some users might want it to be opt in only, even if that is potentially less thorough or harder to set up.
Choice is good.
True, but it's been fixed for most users and for others there is a work-around.
For the sake of completeness, I should also mention that there is a somewhat similar issue with Sophos version 8 & Lion. It doesn't result in an endless loop but it does slow down the scanning speed for users that encounter it & currently requires a workaround to eliminate it.
R C-R wrote:
...I have documented a few examples of variants which were updated in the clamav database before either Sophos or Apple.
Are you talking about actual detection capabilities or database updates? As I understand it, they are not quite the same thing, since some A-V software uses a combination of techniques to detect malware, not all of which are based on updated definitions.
I was referring to database updates by all three.
Apple has no other techniques. ClamXav's are modest. The only one I have dug into is the Heuristics.phishing process. At least they document theirs to some extent. I have no idea what Sophos does, for as you said they only talk in vague terms about it. I would have to say that they are less than the ones used by VirusBarrier judging by the number of background processes involved, most of which cannot be easily disabled. What I can observe is that I've never observed any A-V detections on my Mac, in this forum or in any of several e-mail lists I'm subscribed to that would indicate anything other than a signature detection, with one possible exception. If you count Little Snitch as anti-malware software, then it did alert the community to the existence of the Flashback "K" variant several days before anybody published of its existence let alone get their databases updated. I really don't think any of the current crop of A-V software on the Mac side of the house has anywhere near the sophistication necessary to do the job of finding suspicious activity.
That being said, it is paramount that A-V break away from signature based detections for all but legacy malware. The bad guys can now change signatures daily, if not more often and will soon be able to deliver a different signature to each and every infected user (that's already happening on the PC side of the house). I've attended a couple of webinars on the subject, but so far there's a lot of talk, but nothing seems to be coming of it.
The bad guys can now change signatures daily, if not more often and will soon be able to deliver a different signature to each and every infected user (that's already happening on the PC side of the house).
It is my understanding (which could be wrong) that malware definitions in A-V software these days are typically not CRC or similar whole-file "signatures" but one or more binary sequences of variable length that appear in the malware. They are generated partially by hand & checked against a database of software sequences that appear in legitimate software to make (reasonably) sure that they won't produce false positives.
The idea is that even if the bad guys change large parts of their code, there may still be a set of segments common to multiple variants, for example in an algorithm that decodes an obscured segment of the payload or something characteristic of use of a specific crime kit. So it is sort of a "spy vs. spy" thing: the bad guys (including the crime kit authors) have to change whatever code sequences the A-V guys come up with to avoid detection & the A-V guys then have to add new binary sequences based on the changes.
I read an academic paper about this that focused mostly on ways of improving the definition creation process, in part by trying to come up with algorithms that could identify unique code sequences when fed a large number of legitimate & malicious samples. I didn't understand a lot of it but I got the impression the techniques were similar to those used in latent semantic analysis. It is (if I got that part right) sort of a heuristic technique, but it doesn't take place in the end product, so it would not show up as a background process on a user's computer.
I also don't know if this has been put to practical use or not. (The paper was several years old when I read it.) About all I know for sure is that Sophos claimed it was detecting at least one of the later, Java exploiting Flashback variants with the same techniques/definitions that detected some of the earlier ones (IOW, without an update specifically for the new one), for whatever that is worth. Plus, A-V companies typically name malware variants based on the definitions they create that detect them. That varies from company to company, not just in name but also, like apparently for Sophos, in how many variants a particular definition can detect.
Admittedly, there is a lot of guesswork in this but that seems unavoidable. A-V companies aren't ever intentionally going to reveal enough about how their products work to help the bad guys figure out how to defeat them. The bad guys certainly aren't going to make public the details of how their stuff works. The claims of the crime kit authors can't be trusted completely even by the criminals that buy their work. There is secrecy & probably considerable deception, misinformation, & misdirection almost anywhere one looks.
I don't know what to do about this, other than adopting a multi-level security strategy. I keep my systems updated with the latest security patches from Apple, am as careful as I can be about what I install, & all that. I run Little Snitch & Sophos. I know that all this still isn't a perfect defense, but nothing is.
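To make the whole-file-hash versus byte-sequence distinction in the post above concrete, here is an added Python illustration (my own, not code from any poster or from any A-V product). It uses constructed, harmless byte strings standing in for three variants of one family and for a clean corpus; the selection rule (longest sequence shared by all variants and absent from every clean file) is an assumption for illustration, not a real vendor's algorithm.

```python
import hashlib

# Constructed stand-in for a decoder routine shared by all variants (not real malware).
DECODER = b"\x8b\x45\x08\x31\xc8\x83\xc0\x01\x89\x45\x08"
# Constructed "variants": same decoder, different padding and payload bytes.
VARIANTS = [
    b"\x55\x89\xe5" + DECODER + b"\xc9\xc3" + b"payload-A",
    b"\x90\x90\x55\x89\xe5" + DECODER + b"\x90\xc9\xc3" + b"payload-B",
    b"\x55\x89\xe5\x90" + DECODER + b"\xc9\xc3\xcc" + b"payload-C",
]
# Constructed "clean" corpus: the signature must not appear in any of these.
# The first entry deliberately shares a 6-byte run with DECODER.
BENIGN = [
    b"\x55\x89\xe5\x8b\x45\x08\x83\xc0\x01\x89\x45\x08\xc9\xc3",
    b"hello world\x00\x90\x90",
]

def whole_file_hashes(samples):
    """CRC-style approach: one hash per known file."""
    return {hashlib.sha256(s).hexdigest() for s in samples}

def matches_hash(sample, hashes):
    return hashlib.sha256(sample).hexdigest() in hashes

def common_substrings(samples, min_len):
    """All byte sequences of at least min_len present in every sample."""
    base = samples[0]
    found = set()
    for i in range(len(base)):
        for j in range(i + min_len, len(base) + 1):
            seq = base[i:j]
            if all(seq in s for s in samples[1:]):
                found.add(seq)
    return found

def derive_signature(samples, benign, min_len=6):
    """Longest sequence shared by all samples that never occurs in the clean corpus."""
    candidates = [c for c in common_substrings(samples, min_len)
                  if not any(c in b for b in benign)]
    return max(candidates, key=len) if candidates else None

def scan(sample, signature):
    """Sequence-based detection: does the signature occur anywhere in the file?"""
    return signature is not None and signature in sample

if __name__ == "__main__":
    sig = derive_signature(VARIANTS, BENIGN)
    new_variant = b"\x55\x89\xe5" + DECODER + b"\xc9\xc3" + b"payload-D"  # constructed
    print("hash match:", matches_hash(new_variant, whole_file_hashes(VARIANTS)))
    print("sequence match:", scan(new_variant, sig))
```

The new variant changes only its payload bytes, so the whole-file hash misses it while the shared decoder sequence still catches it, and the 6-byte run that also occurs in the clean file is rejected as a candidate.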
I run none of those. However, once every couple of months I repair the disk with Disk Utility and check the directories with DiskWarrior. Every six months or so, I check them again with TechTools Pro 6. I don't sleep desktop computers or their HDs, just their displays, and run 24/7 except when I switch boot volumes or install updates/upgrades.
I use Onyx to clean caches only when I have an issue that points to a corrupted cache. I do not use it for any periodic or routine "maintenance" -- the OS doesn't need it.
The one thing I do that could be considered routine maintenance is to run Disk Utility's Verify Disk or Repair Disk on every hard drive that was powered up when a power failure occurs (a relatively frequent event in thunderstorm season in Texas). I do this ASAP after the power comes back on.
That's because sudden power interruption is a major cause of file system corruption & the sooner you catch & correct it, the less damage it does.
Thanks for everybody's info on this. I have been a little worried about not having A-V since removing Sophos due to using too much of my CPU and serious overheating. I haven't been able to use ClamXav always-on scanning either, because of too much demand on my CPU. I have a mid-2011 11" MacBook Air with 256 SSD, 1.8 GHz Intel Core i7 and 4 GB 1333 MHz DDR3 - it normally is very speedy handling multiple applications. Now I still don't know what to do, but at least I know that people who understand these things aren't sure what to do either! I am surprised at the assertion that there have been no Mac viruses outside of the Flashback trojan - I have read otherwise, but perhaps I have misunderstood.
I haven't been able to use ClamXav always-on scanning either, because of too much demand on my CPU. I have a mid-2011 11" MacBook Air with 256 SSD, 1.8 GHz Intel Core i7 and 4 GB 1333 MHz DDR3 - it normally is very speedy handling multiple applications.
Using any A-V software to do a complete scan is not normally something you want to have going on in the background while trying to do other tasks. It's almost always best done while nothing else is going on. Once a month is probably more than adequate for most users.
ClamXav is highly configurable, and I'm not certain how you are trying to use it, but I encourage you to visit the ClamXav Forum for fast and efficient information from other users about any issues you may be having.
I am surprised at the assertion that there have been no Mac viruses outside of the Flashback trojan - I have read otherwise, but perhaps I have misunderstood.
I'm not certain who said that, but they were incorrect on two fronts.
- A Trojan is not technically a virus in that it doesn't infect and spread all by itself. Rather, it requires user action to accomplish one or both. There was a period of time in the Spring where it was able to infect by simply visiting a web site with Java left on in the browser, which is the closest thing to a virus seen on the Mac in a very long time. Apple was able to stop it, but it's alleged that over 600,000 Macs were already infected by that time.
- Thomas Reed has documented over 30 examples of Mac Malware in his Macintosh Malware Guide (and Catalog). The point is, none of them can currently impact a fully up-to-date OS X 10.6.8 and above, as far as anyone knows.
As far as Java goes, I see people recommending to disable it, but there are certain things I do that seem to require it. It's included in Mac OS Lion, isn't it? Why would they include it if it's unnecessary and dangerous, as some people assert?
Actually, it is not included with the standard Lion and Mountain Lion installations, but can be optionally installed if needed. It's not really "dangerous" right now, but it does have many documented vulnerabilities that a determined malware developer could exploit in the future. That's why people recommend it be disabled.
There are two places that Java is used.
- There are a handful of applications that need Java to run. So far, there have not been any known exploits developed for that.
- Flashback and a few other lesser bits of malware that are still floating around exploit browser plugins for Java, which can be separately disabled. That's what most of us suggest be disabled except when you find yourself needing to use a web site that requires it, but only for the time you spend on the site. Again, there are currently no known exploits of the latest updates to Java, just known vulnerabilities that could be exploited with little or no notice to the average user.
Bottom line: If you don't need Java, don't install it. If you only need it for an app or two, then disable it in your browsers. If you need it for a specific, trusted web site, only enable it for the time you spend there.
As far as Java goes, I see people recommending to disable it, but there are certain things I do that seem to require it.