jman79 wrote:
Could you provide a source for first-party documentation of the Mac OS X built-in malware detection?
That's a very tall order. I'm sure that any such documentation is firmly locked up by Apple Security and I doubt that anybody here would be able to discuss it even if they knew. As you can imagine, all A-V software vendors publish very little about the actual operation of their software to prevent the bad guys from easily defeating it. Even the open source ClamAV information is somewhat limited, especially as regards bugs, limitations and deficiencies.
The key to OS X protection is in the Quarantine system which came with Leopard, IIRC, with improvements in each upgrade. Every new file brought in from outside is flagged with a date/time and where it came from. Initially it was only used to warn the user the first time it is launched/opened with that information.
The XProtect system took that a step further in that anything that contained executable code was scanned and matched against the definitions signature database. This can be either a hash identifier or a telltale hex character string (normally translated from ASCII text). The Lion and Mountain Lion XProtect systems will also disable blacklisted Java and FlashPlayer versions.
The current database contains 21 entries representing different variants of most all modern day OS X malware; most have multiple definitions for various components of that malware variant, which prevents false positives. Note that all of these definitions are targeted to find the initially delivered file since that's where the most immediate threat is. For that reason, any malware that was allowed to install or subsequently downloaded won't be detected. Since Apple was late deploying preventive measures on two occasions, they had to deploy a Malware Removal Tool (MRT) for MacDefender at the same time they rushed to add XProtect to Snow Leopard (I suspect it was already in the works for Lion and they moved it forward) and again for this year's Flashback Trojan/Backdoor when they were late to patch Java to prevent it. Quarantine (and therefore XProtect) only deal with installed files and Flashback was using Java applets in RAM, which can't be quarantined or detected. The MRT cleaned up all the common payloads left by MacDefender and Flashback before the fixes were made.
Thomas Reed's catalog of Macintosh Malware lists 30 unique types of malware, but most of these were patched long ago, either in the OS or application they infected, so are no longer a threat to anybody with an up-to-date system/application suite.
how often it updates its definitions?
It updates definitions immediately, as required, and the database is checked by all Macs running OS X 10.6.7 or above each time they boot and every twenty-four hours thereafter, unless they are asleep at the time, in which case they check at wake-up.
As somebody that checks to see if there has been an update at least once a day, I can tell you that they are currently as good and sometimes better than the commercial vendors. That wasn't always the case, but there seems to be a lot more cooperation these days. I've seen ClamAV beat them by a few hours once or twice, but most of the time they, along with the vendor blogs came out the same day.
Since new threats to OS X don't come out daily, there is no attempt to do it nearly that often. By far the majority of definitions released by commercial vendors are for Windows and cross-platform threats which don't impact OS X. XProtect does nothing to attempt to detect these, and since there is no manual scan capability, there is no reason to include definitions for most installed payloads. Another area that it doesn't deal with is e-mail content (other than attachments). It relies on junk/spam filtering both by the e-mail client application and the e-mail ISP's server to catch those. The OS X Server software comes with ClamAV to check any mail server being run on it. There is no known e-mail malware that can impact OS X when reading it. Most of these threats involve phishing or spoofed URLs which users need to be cautious of. XProtect does nothing about this and filters aren't always effective, either.
XProtect has not been used against vulnerabilities (CVEs) as they would prefer to issue a Security update to patch the vulnerability. Instead they use XProtect to counter any threat that attempts to exploit these vulnerabilities. Some commercial vendors check for files that appear to be attempting an exploit, which produce quite a few false alarms and are not removed when the vulnerability has been patched on that particular platform.
Lifehacker's Non-Alarmist's Guide to Mac Malware Protection calls the built-in malware detection service "months behind the databases provided by security firms like Sophos."
I don't recall ever seeing months behind, although there have been times when it was a week and as I said, somehow things have improved greatly. I'm guessing that Apple just wasn't tied into the right sample sources initially and it took them some time to develop the right relationships. In the MacDefender days they were coming out with updates within hours of the time the malware developer deployed a new variant.
It took Apple weeks (at least) to update the built-in software to detect Flashback
Again, I don't recall that. Only the variants before Feb 2012 are detected. The delay on the Java based variants was due to Apple's being late to update Java (which is a legitimate gripe against Apple) and their inability (even today) to detect applets that are downloaded and executed from RAM. As far as I know, no A-V software has that capability today, but some use an active watch capability to observe packets received from the Internet which could catch it, and OS X does not have such a capability. Many users were saved by Little Snitch from being completely infected by the variant that made all the headlines with perhaps 600,000 infected Macs. The download component was caught phoning home for instructions by LS so most such users were able to shut down the process before it did any real harm. Again, this was only fixed by updating Java, not by doing anything with the database.
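The Quarantine flag discussed in the reply above is stored as an extended attribute on the downloaded file. The following is an added example, not code from the thread or from Apple: it parses the `com.apple.quarantine` value (observed layout: hex flags; hex Unix timestamp; downloading agent; LaunchServices event UUID) so a responder can see when a file arrived and which application fetched it. The sample attribute string is constructed; the flag-bit meanings are left opaque because they are not documented here.

```python
import datetime
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int                         # opaque LaunchServices flag bits
    timestamp: datetime.datetime       # when the file was brought in from outside
    agent: str                         # application that downloaded it (e.g. Safari, Mail)
    event_uuid: Optional[str]          # key into the LaunchServices QuarantineEvents DB


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the semicolon-separated com.apple.quarantine attribute value."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine attribute layout: {value!r}")
    flags = int(parts[0], 16)
    # The second field is the download time as hex seconds since the Unix epoch.
    when = datetime.datetime.fromtimestamp(int(parts[1], 16), tz=datetime.timezone.utc)
    agent = parts[2]
    event_uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, when, agent, event_uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the attribute from a real file via the macOS `xattr` tool.

    Returns None when the file carries no quarantine flag (it was not brought in
    from outside, or the flag was already cleared) or when `xattr` is unavailable.
    """
    if shutil.which("xattr") is None:
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return parse_quarantine(proc.stdout)


if __name__ == "__main__":
    # Constructed sample: flags 0x0001, 2012-04-10 00:00:00 UTC, fetched by Safari.
    sample = "0001;4f837800;Safari;7C2B4E0A-1F3D-4B9A-9E2C-0D5F6A7B8C9D"
    info = parse_quarantine(sample)
    print(f"{info.agent} downloaded this file at {info.timestamp.isoformat()} "
          f"(flags=0x{info.flags:04x}, event={info.event_uuid})")
```

On a live Mac, `read_quarantine("/path/to/download.dmg")` returns the same structure for a real file, and a `None` result is itself useful: it tells you the file never passed through Quarantine, so XProtect never looked at it.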