
Anyone using Clean my mac 2 on OS X Mavericks? Is it worth it?

Just popped into Clean my mac 2: Anyone using it? Is it worth installing it?

Thanks in advance for reply.

PS: fairly new user on Mac/Apple products! But love them...lol

iMac (21.5-inch, Late 2012), OS X Mavericks (10.9.1)

Posted on Feb 8, 2014 2:38 AM

Question marked as Top-ranking reply

Posted on Feb 8, 2014 2:43 AM

Albyone wrote:

Just popped into Clean my mac 2 :... Is it worth installing it?

In a word... NO... See this discussion...

https://discussions.apple.com/message/10893864#10893864

In General... 3rd Party AV Software and Cleaning Utilities... tend to cause More Issues than they claim to fix...

They're Not Required...

Mac OS X tends to look after itself.

102 replies

Feb 12, 2014 3:27 PM in response to R C-R

To be fair to Apple about this, rushing out an XProtect malware signature update before adequately testing its potential for triggering false positives would almost certainly do more harm than good.


It wouldn't be too hard to write a signature that would identify exactly the copy of CoinThief that I sent them, and wouldn't be likely to suffer from false positives. The only problem with that is that it would possibly miss variants, and I believe there are four different variants of this app. IMHO, it would be better to write a too-specific rule right now, which would protect some people now, and then revise and update the signature as additional samples were obtained. As it is, by not publishing anything, some people out there may be getting infected when that could have been prevented.

Feb 12, 2014 7:47 PM in response to thomas_r.

thomas_r. wrote:

It wouldn't be too hard to write a signature that would identify exactly the copy of CoinThief that I sent them, and wouldn't be likely to suffer from false positives.

But realistically how much good would that do? How many users will actually be exposed to an exact copy of what you obtained & sent Apple?


I'm sure you are aware of the limitations of trying to detect malware based on whole file signatures, if that is what you are suggesting. That is relatively easy to defeat, for instance by encoding the malevolent payload for distribution along with random, do-nothing garbage code.


That's why (as I understand it, anyway) AV companies invest in developing proprietary algorithms that look for relatively small, difficult to obscure, characteristic code segments for their signature definitions. With a well designed detection engine, this approach can not only detect the payload in the garbage, it can often detect significantly different variants of the same malware or sometimes even different strains that were made with the same malware creation kit. Of course, the downside of this approach is that by using smaller code segments, false positives are more likely, which is why it is necessary to test the signature against a database.


For obvious reasons, nobody makes the details of how all this works public, but my point is that one submission of one variant is not necessarily enough for Apple or anybody else to write an effective anti-malware signature.

Feb 12, 2014 9:20 PM in response to thomas_r.

thomas_r. wrote:

I provided Apple's product security team with a copy of CoinThief on Monday at 8:36 am (EST). Here we are on Wednesday afternoon at almost 3:00 pm (EST) - almost three full work days later (okay, forgot time difference between EST and PST) - and still no definition for CoinThief in XProtect.

It's there now. Looks to have been posted shortly after 12:43 EST. Software Update was aware of it at 13:43 EST according to my install.log, but has not gotten around to download it yet. Version 2045 for Mav/ML.


Message was edited by: MadMacs0


Forgot to mention what's in it:

OSX.Abk.A

OSX.CoinThief.A

OSX.CoinThief.B


Any ideas on the first one?

Feb 13, 2014 12:11 AM in response to R C-R

R C-R wrote:

You probably know more about this than I do but as I understand it, XProtect uses a relatively simple, signature-only based malware detection mechanism. That may make it difficult for Apple to create signatures sufficiently unique to avoid that, at least not without extensive testing against a huge database of benevolent software OS X users might have on their systems.

Actually, it's a fairly advanced signature-only system. Most that I am familiar with only look for hash values or a string match. Apple's system combines this with file types, file names (not the ones that can be changed, just those that have to be a certain name, such as "info.plist") as well as the content type (e.g. installer pkg, application-bundle). That goes a long way toward eliminating false positives and speeding up scans.


Although I tend to agree that signature based malware detection is getting old in tooth, I have yet to see any proof that alternative approaches are ready to take over. Other than Little Snitch catching the biggest Flashback outbreak, all the other detections I've seen here in the ASC have been signature based.
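The two posts above contrast three detection styles: a whole-file hash (defeated by any change to the file), a short characteristic byte segment (survives padding, but more prone to false positives), and a segment match tightened with the fixed file-name and content-type constraints MadMacs0 describes. The following is an added illustration, not Apple's XProtect code or anything from the thread; the "files", the marker bytes and the signature names are all constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample "files". PAYLOAD_MARKER stands in for a small,
# hard-to-obscure code segment; none of this is a real malware sample.
PAYLOAD_MARKER = b"CONSTRUCTED-CHARACTERISTIC-SEGMENT"
ORIGINAL = b"header\n" + PAYLOAD_MARKER + b"\nfooter\n"
# Same payload, wrapped in do-nothing padding: the whole-file hash changes.
PADDED = b"junk-prefix\n" + ORIGINAL + b"\x00" * 32 + b"# do-nothing padding\n"
# A benign file that happens to contain a short, common token.
BENIGN = b"<key>Comment</key><string>A SEGMENT of notes</string>\n"


@dataclass
class Signature:
    name: str
    sha1: Optional[str] = None           # whole-file hash: exact copy only
    pattern: Optional[bytes] = None      # short characteristic byte sequence
    required_name: Optional[str] = None  # a file name that cannot change (e.g. Info.plist)
    required_kind: Optional[str] = None  # content type, e.g. "pkg" or "app-bundle"


@dataclass
class FileSample:
    name: str
    kind: str
    data: bytes


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def matches(sig: Signature, f: FileSample) -> bool:
    """True when every constraint the signature carries is satisfied."""
    if sig.required_name is not None and f.name != sig.required_name:
        return False
    if sig.required_kind is not None and f.kind != sig.required_kind:
        return False
    if sig.sha1 is not None and sha1_hex(f.data) != sig.sha1:
        return False
    if sig.pattern is not None and sig.pattern not in f.data:
        return False
    # A signature with no content test at all never fires.
    return sig.sha1 is not None or sig.pattern is not None


def scan(files: List[FileSample], sigs: List[Signature]) -> Dict[str, List[str]]:
    """Map each file name to the names of the signatures that fired on it."""
    return {f.name: [s.name for s in sigs if matches(s, f)] for f in files}


def demo() -> Dict[str, List[str]]:
    files = [
        FileSample("original.pkg", "pkg", ORIGINAL),
        FileSample("padded.pkg", "pkg", PADDED),
        FileSample("Info.plist", "app-bundle", BENIGN),
    ]
    sigs = [
        Signature("whole-file-hash", sha1=sha1_hex(ORIGINAL)),
        Signature("characteristic-segment", pattern=PAYLOAD_MARKER),
        # Too short a segment: also hits the benign plist (false positive).
        Signature("loose", pattern=b"SEGMENT"),
        # Same loose segment, but only inside installer packages.
        Signature("loose+kind", pattern=b"SEGMENT", required_kind="pkg"),
    ]
    return scan(files, sigs)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

Running it shows the hash signature firing only on the exact copy, the segment signature firing on both the original and the padded variant, the over-short "loose" segment also flagging the benign plist, and the content-type constraint removing that false positive.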

Feb 13, 2014 3:15 AM in response to MadMacs0

MadMacs0 wrote:

It's there now. Looks to have been posted shortly after 12:43 EST. Software Update was aware of it at 13:43 EST according to my install.log, but has not gotten around to download it yet. Version 2045 for Mav/ML.

So far, there is no sign of anything containing the string "2045" in my install.log. The last check was run at about 5:30 AM EST today, Feb 13. The last item downloaded was on Feb 9. It was something called "ChineseWordlistUpdate.pkg" & its version or ID string or whatever that is called was 031-2660.


FWIW, I had been seeing the 031-2660 item listed in install.log since Jan 27. However, there was no attempt to download it until the day after I enabled System Preferences > App Store > "Install system data files and security updates" (as per my earlier reply to you on page 4 of this topic).


This at least hints that the App Store preference settings might have something to do with when these files get downloaded, but if this is a bug or by design I have no idea.


Something else odd about this on my system: In the App Store preference, at the bottom of the window I see the text, "Software updates are available" & a button labeled "Show Updates." However, when I click the button & the App Store application opens to the "Updates" section, I see "No Updates Available" at the top of the window.


Each time I click the button I get 20 or so new entries in system.log (now including one mentioning a single update found with an ID of 031-3414) but nothing is downloaded. And still no mention of anything with the "2045" string in it.
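The check R C-R is doing by hand here is two-fold: read the version XProtect actually has installed, and look through install.log for any mention of the expected version or update ID. The script below is an added example (not from the thread or from Apple) that does both against constructed stand-ins for the two files. On OS X Mavericks the metadata file lives at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist and the log at /var/log/install.log; the log line wording below is invented for the demo and is not a verbatim install.log format, and the "Version" key is the one that file carries (verify on your own system).

```python
import plistlib
import re
from typing import Dict, List, Optional

# Constructed stand-in for XProtect.meta.plist: only the Version key matters here.
SAMPLE_META_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Version</key>
    <integer>2045</integer>
</dict>
</plist>
"""

# Constructed log lines echoing the IDs mentioned in the thread; the wording
# is illustrative, not a real install.log excerpt.
SAMPLE_INSTALL_LOG = """\
Feb  9 07:12:03 imac softwareupdated[210]: Downloaded ChineseWordlistUpdate.pkg (031-2660)
Feb 13 13:43:10 imac softwareupdated[210]: Found update XProtectPlistConfigData 2045
Feb 13 13:43:11 imac softwareupdated[210]: Found update 031-3414
"""


def installed_xprotect_version(meta_plist: bytes) -> Optional[int]:
    """Return the integer Version from XProtect.meta.plist, or None if absent."""
    data = plistlib.loads(meta_plist)
    version = data.get("Version")
    return int(version) if version is not None else None


def log_lines_mentioning(log_text: str, token: str) -> List[str]:
    """Log lines containing token as a whole number/ID (so '2045' does not match '12045')."""
    pattern = re.compile(r"(?<!\d)" + re.escape(token) + r"(?!\d)")
    return [line for line in log_text.splitlines() if pattern.search(line)]


def xprotect_status(meta_plist: bytes, log_text: str, expected_version: int) -> Dict[str, object]:
    """Compare the installed XProtect version with the one you expect and
    report whether the log has noticed that version at all."""
    installed = installed_xprotect_version(meta_plist)
    mentions = log_lines_mentioning(log_text, str(expected_version))
    return {
        "installed": installed,
        "expected": expected_version,
        "up_to_date": installed is not None and installed >= expected_version,
        "log_mentions": mentions,
    }


if __name__ == "__main__":
    # On a real Mac, replace the constants with the contents of the two files:
    #   open(".../XProtect.meta.plist", "rb").read() and open("/var/log/install.log").read()
    status = xprotect_status(SAMPLE_META_PLIST, SAMPLE_INSTALL_LOG, 2045)
    print(f"installed {status['installed']}, expected {status['expected']}, "
          f"up to date: {status['up_to_date']}")
    for line in status["log_mentions"]:
        print("  log:", line)
```

The whole-number match in log_lines_mentioning is the one detail worth keeping when you grep by hand: a bare search for "2045" will also match process IDs or longer update identifiers that merely contain those digits.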

Feb 13, 2014 3:51 AM in response to MadMacs0

MadMacs0 wrote:

Actually, it's a fairly advanced signature-only system. Most that I am familiar with only look for hash values or a string match. Apple's system combines this with file types, file names (not the ones that can be changed, just those that have to be a certain name, such as "info.plist") as well as the content type (e.g. installer pkg, application-bundle). That goes a long way toward eliminating false positives and speeding up scans.

Thanks. It is good to know Apple is using more than just a simple hash value or string match. I assume this is at least partially why it takes a while for it to develop & release new signatures.


Now, if I could just figure out why I'm not seeing these things being downloaded & installed on my system, I would not be as tempted to reinstall Sophos again. 😟


I don't know much about the details of how that app works but when I was using it, its malware detection files were updated frequently & reliably. Plus, they claim that at least some of them were capable of detecting certain new malware variants without the need to update those files, so maybe they are also using some advanced form of signature detection, although I have no idea of what it might be.


Regardless of that, I do believe in the theory that the best security is multi-layered, & since Sophos never created any problems for me worse than verbose log entries, maybe I should reinstall it anyway....

Feb 13, 2014 5:32 AM in response to andyBall_uk

Now this is strange. On my 10.6, when I first checked this morning, the latest update was still the 12/5 (only for the meta.plist Flash blocking). I then force updated, which did show a new time stamp for today, but when I check, the latest is still for OSX.Leverage.a. Nothing for the bitcoin thing. If there had been nothing to update, I would have expected to see "not an increase in version."


Glad that I'm keeping all my bitcoins under the mattress.


Thomas: I should have said "relatively new."

Feb 13, 2014 6:27 AM in response to thomas_r.

thomas_r. wrote:

Well, I was going to try testing my copy of CoinThief against the new definitions, just to see... but I cannot for the life of me convince my Mac OS X test system to update XProtect! 😢

Can I assume your test system is running Mavericks, probably 10.9.1 like my iMac is? As I have been saying throughout this & the Lounge discussions, the only way I got the XProtect plist files to update was by manually downloading & running the package file (the one with the minimum Flash version update in it).


Before I did that, my XProtect plist files had not seen a single update of any kind since November 2013, when I first installed Mavericks on this iMac.
