Yes. Read the link in post #5.

Come on, software is better than common sense and you can shut down another part of your brain with that. I take software over common sense, especially since it is overrated.


Uih, I figured out your avatar. It took me only two years. Or I have already figured it out and forgot again.
 
I've never had a trojan or any of those things on my Mac, and I think AV software is for Windows users :D So what if my Mac is carrying a virus? It won't affect me, and it's up to the Windows users that interact with me to have their own AV software to stop it.
 
Come on, software is better than common sense and you can shut down another part of your brain with that.
LOL! So with enough software, you can shut down your whole brain? Wait, I think some may have already done that! :D
I've never had a trojan or any of those things on my Mac, and I think AV software is for Windows users :D So what if my Mac is carrying a virus? It won't affect me, and it's up to the Windows users that interact with me to have their own AV software to stop it.
I couldn't agree more!
 
I've never had a trojan or any of those things on my Mac, and I think AV software is for Windows users :D So what if my Mac is carrying a virus? It won't affect me, and it's up to the Windows users that interact with me to have their own AV software to stop it.

What if that Windows malware on your system uses a Java downloader?

The Java downloader component is cross platform. The Java downloader component in Boonana allowed it to deliver payloads to Windows, Linux, and Mac. Boonana required authentication because privilege escalation exploits are rare in OS X, but these types of exploits are not completely non-existent.

Windows malware that uses a Java downloader could be converted to being cross platform by the malware dev changing the contents at the dl location to include payloads for Mac. Given that priv esc is rare in OS X, these would most likely require authentication as well. But, the Java downloader does use some resources when it runs in the background.

So, leaving Windows malware on your machine may not be the best idea if you want to optimize your security.
 
What if that Windows malware on your system uses a Java downloader?
If they followed your Mac Security Suggestion #11, as I have, it doesn't matter.
Boonana required authentication because privilege escalation exploits are rare in OS X, but these types of exploits are not completely non-existent.
Can you give an example of one such privilege escalation exploit in the wild that didn't require authentication?
So, leaving Windows on your machine may not be the best idea if you want to optimize your security.
I don't think he was referring to having Windows on his Mac, but rather having files that may be infected with Windows malware.
 
Can you give an example of one such privilege escalation exploit in the wild that didn't require authentication?

The whole point of privilege escalation, specifically a subtype of privilege escalation called privilege elevation, is to bypass the need for authentication.

Mac OS X (and Linux) users are lucky because the code where these exploits exist (kernel and system binaries) has far fewer bugs than that of Windows. Also, different levels of Mac OS X (and Linux) are much better isolated from each other. A big problem in Windows is the registry (see Stuxnet).

I can't give an example of priv esc being strung together with remote code execution to produce a client-side virus or worm in Mac OS X. I can provide examples of local privilege escalation that did not require authentication prior to being patched in OS X. Here is a list.

This is an example of a server-side remote root that could have been used to create a worm if the researcher that found it was less morally inclined.

Mac OS X has far fewer of these types of exploits than both Linux and Windows.
 
So being that there are trojans and other malware... is there some popular trojan/malware scanner you can run just to make sure system is clean?

On windows Spybot Search and Destroy is good and removed adware, malware, trojans, etc. that can be picked up just by going to a site that had advertisements... if there is some equivalent on Mac... that would be quite useful.
 
This is an example of a server-side remote root that could have been used to create a worm if the researcher that found it was less morally inclined.
I'm not going to pretend to understand all of that, but since that page refers to "Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit", which was Panther or earlier, can it be correctly inferred that such an exploit would not work with more current Mac OS X (Tiger, Leopard or Snow Leopard)?
 
Anti-Virus software usually protects your computer from having rogue processes take control of your system regardless of whether it's a new one or not. Maybe you should educate yourself.

Also, just because something is "common sense" to you doesn't mean it is to someone else. We don't all spend hours a day on the computer and have 14000 posts on a message board.

You are woefully incorrect on this. This is how the AV vendors position themselves, but it's a falsehood. AV works by creating "signatures" of known virus patterns. If they haven't captured a sample of the virus in their labs previously, the odds that any AV software will identify it are less than 5%. PCMag did a good write-up this past summer where they subjected all the popular AV to exactly this test. None -- as in 0.0 -- of them successfully identified the previously unknown viruses.
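To make the point about signatures concrete, here is an added illustration (written for this thread, not code from any AV vendor or from the poster above): a minimal scanner that uses the two common kinds of signature, a file hash and a byte pattern, both derived from one "known" sample. The samples, signature names and the URL inside them are constructed placeholders, not real malware. Running it shows why an exact copy and a trivially rebuilt copy are caught, while a variant with a new download host and an unrelated new family are not, which is exactly the gap the PCMag test exposed.

```python
"""Signature-based scanning and its blind spot: an added, constructed example."""
import hashlib
from typing import Optional, Tuple, Dict

# Constructed "known" sample that a lab has captured. The header bytes, the
# marker string and example.invalid host are all made up for illustration.
KNOWN_SAMPLE = (
    b"MZ\x90\x00"
    + b"download-and-run:http://example.invalid/payload"
    + b"\x00" * 8
)

# Signature type 1: exact file hash of the captured sample.
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A",
}

# Signature type 2: a byte pattern lifted from the captured sample.
PATTERN_SIGNATURES: Dict[bytes, str] = {
    b"download-and-run:http://example.invalid/payload": "Trojan.Constructed.A",
}


def scan(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (signature_kind, name) for the first matching signature, else None.

    None means 'clean' to a signature scanner, even when the file is a new
    piece of malware the lab has never seen.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return ("hash", HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return ("pattern", name)
    return None


# Constructed test corpus: what a lab sees the week after writing the signatures.
SAMPLES: Dict[str, bytes] = {
    # Byte-for-byte the captured file: both signatures match.
    "exact copy": KNOWN_SAMPLE,
    # Same program rebuilt with different trailing padding: hash differs,
    # pattern still present.
    "rebuilt, padding differs": KNOWN_SAMPLE[:-8] + b"\x00" * 7 + b"\x01",
    # Same family pointed at a different host: hash and pattern both miss.
    "same family, new host": KNOWN_SAMPLE.replace(b"example.invalid", b"example.test"),
    # A family the lab has never captured: nothing to match against.
    "unrelated new family": b"MZ\x90\x00" + b"keylog:/tmp/k.log" + b"\x00" * 8,
}


def scan_corpus(samples: Dict[str, bytes]) -> Dict[str, Optional[Tuple[str, str]]]:
    """Scan every sample and report which signature (if any) fired."""
    return {label: scan(data) for label, data in samples.items()}


def detection_rate(samples: Dict[str, bytes]) -> float:
    """Fraction of samples a pure signature scanner flags."""
    results = scan_corpus(samples)
    return sum(1 for hit in results.values() if hit) / len(results)


if __name__ == "__main__":
    for label, hit in scan_corpus(SAMPLES).items():
        print(f"{label:28s} -> {hit if hit else 'clean (missed)'}")
    print(f"detection rate on this corpus: {detection_rate(SAMPLES):.0%}")
```

The two misses are the whole story: a signature, whether a hash or a byte pattern, can only describe something already in the lab's collection. That is why signature AV is a useful layer for known, widespread families and a poor one for anything new, and why the controls discussed elsewhere in this thread (not running untrusted code, keeping privileged surfaces small, patching) matter more than the scanner.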
 
Thanks GGJ. I love it when you set the record straight. This forum is a much better place with you here.
 
I'm not going to pretend to understand all of that, but since that page refers to "Mac OS X <= 10.3.3 AppleFileServer Remote Root Overflow Exploit", which was Panther or earlier, can it be correctly inferred that such an exploit would not work with more current Mac OS X (Tiger, Leopard or Snow Leopard)?

Apple is really diligent in finding these types of exploits and patching them. If you watch Apple's security releases, two thirds of these types of vulnerabilities (privilege escalation) are credited as being found by Apple rather than an external researcher.

Usually these exploits are patched prior to being released to the public. Once patched, they are then added to exploit databases. Researchers sell these exploits to companies, such as ZDI, that further research the exploit for security products they sell and release the details of the exploit to the vendor to be patched. Some researchers report potentially exploitable vulnerabilities directly to Apple for no monetary reward.

An exploit is not malware. It is a piece that can be used to create malware. So, those items I linked to are not malware but are examples of exploits that could have been used to create malware.

All those examples are already patched but at one time represented legitimate holes in the system. Such holes will always exist but occur at a much lower rate in Mac OS X. This is most likely due to those levels of OS X being open source so that its security can be audited by anyone with the know-how that downloads the source code.

Proprietary code, of which Windows is mostly constituted, relies on security through obscurity because the source code is not freely available to be audited by users.
 
All those examples are already patched but at one time represented legitimate holes in the system.
That was my assumption, as well, that those could no longer pose any threat. Of course we know that, as secure as Mac OS X may be, no OS is immune to malware.
 
To put how few of these exploits Mac OS X has into context.

This is how many UAC bypass vulnerabilities Windows 7 had to patch in just February 2011. This image is from this Microsoft Security Bulletin.
 

[Attachment: Screen shot 2011-03-01 at 2.02.16 PM.png]
Best AV for Macs. Now free. I say "best" because it seems to leave your machine relatively alone. Its background scanner has very nice shell tools as well. I have to use it in the enterprise. And the rep mentioned Apple corporate use it too. Sounded good to me. Been using for 2.5 years. Not sure how prevalent in Cupertino it is. Could have been sales hype. But I have had no issues. The others I had to test have been uninstalled as they caused too many other issues for a 0.0000009% chance of infection. Better off getting Little Snitch as you will most likely be hacked than infected.
http://www.sophos.com/products/free...medium=Cross-link&utm_campaign=M-CL-Sitepromo
 
Best AV for Macs. Now free. I say "best" because it seems to leave your machine relatively alone. Its background scanner has very nice shell tools as well. I have to use it in the enterprise. And the rep mentioned Apple corporate use it too. Sounded good to me. Been using for 2.5 years. Not sure how prevalent in Cupertino it is. Could have been sales hype. But I have had no issues. The others I had to test have been uninstalled as they caused too many other issues for a 0.0000009% chance of infection. Better off getting Little Snitch as you will most likely be hacked than infected.
http://www.sophos.com/products/free...medium=Cross-link&utm_campaign=M-CL-Sitepromo

The problem with Sophos and other AV software that runs with elevated privileges is that an exploit found in the AV software would be a remote root exploit given that AV software receives remote input and the software runs with elevated privileges.

For example, McAfee Linuxshield Remote Root.

Use ClamXav or VirusBarrier Express. These two Mac AV applications do not run with elevated privileges.
 
I have had nothing but problems with Intego stuff. I will never use them again. One of my companies bought a year and we used it 3 months. Support was awful for the enterprise. I can't use Clam because it is free with no support. Just the way it is. Sophos was the best at that point. Never had a great deal of faith in Clam's live scanner functions. But an exploit directly through your AV app's code would be sadly hilarious.
 
I have had nothing but problems with Intego stuff. I will never use them again. One of my companies bought a year and we used it 3 months. Support was awful for the enterprise. I can't use Clam because it is free with no support. Just the way it is. Sophos was the best at that point. Never had a great deal of faith in Clam's live scanner functions. But an exploit directly through your AV app's code would be sadly hilarious.

VirusBarrier Express does not have on-access scanning so it does not seem problematic like their other offerings. Obviously, business best practices require some level of on-access scanning.

The interesting thing about Clamav is that it is included in Mac OS X Server by default to scan email. Mac OS X Lion is a hybrid client/server release, so home users may begin to have Clamav installed in their system by default as well.

I wonder if any of the beta testers noticed if Clamav is included by default?

Clamav, in general, is biased towards malware threats spread via email given its most common usage (Linux servers - email service), so I am not surprised it is often not approved for use in a business setting for non-server use. True, the on-access scanning of ClamXav can't monitor as many entry points. But most AV software is not very good at detecting drive-by downloads anyway.
 
If they followed your Mac Security Suggestion #11, as I have, it doesn't matter.

Java downloader components also get on your system via files, such as documents, received via email. Viewing the file would initiate the launch of the Java downloader just like clicking the video in your web browser. Turning off Java in Safari will not prevent this from occurring. So, hardening Safari is not complete protection from Java downloaders.
 
Java downloader components also get on your system via files, such as documents, received via email. Viewing the file would initiate the launch of the Java downloader just like clicking the video in your web browser.
Any example of this happening in real world on Mac OS X?
 
Any example of this happening in real world on Mac OS X?

Obviously, I am referring to a hypothetical scenario that could occur. Just because it hasn't, doesn't mean it can't. Boonana is an example of this occurring via another common vector.
 
Well, there are just a few viruses, but there are mostly trojans for the Mac operating system, and you can still carry Windows viruses, so it would probably be a good idea to use anti-virus. :D
 
I use an antivirus on my MacBook Pro for two reasons:

1) Because it just makes me feel a little more comfortable (I was a Windows user for 11 years up until 2 weeks ago, and old habits die hard).

2) Because I can!

>.<
 
Well, there are just a few viruses, but there are mostly trojans for the Mac operating system, and you can still carry Windows viruses, so it would probably be a good idea to use anti-virus. :D
There are exactly zero viruses that run on Mac OS X, not "just a few". Read the Mac Virus/Malware Info link I posted earlier. Windows users should be running their own anti-virus, to protect them from malware, no matter what the source, rather than depending on a Mac user to protect them.
 