
Is ClamXav worth the Price?

  • Yes! It's easily the best OS X Virus Scanner out there.

    Votes: 12 10.3%
  • No! There are other apps that can do the same or better for less.

    Votes: 39 33.6%
  • No! I see no use for Virus scanners on OS X.

    Votes: 65 56.0%

  • Total voters
    116
ClamXAV is worse than useless or no antivirus, as it gives people a false sense of security, that the scanned file is "safe". ClamAV has a very poor track record and was created basically to scan email for Windows users using Unix-like mail servers. There is no focus on Unix/OSX threats at all. A while back when one of the first OSX Trojans appeared in pirated copies of iWork, I sought it out to test on; The Pirate Bay listing was helpfully changed to put clear warnings all over it that it was infected, leaving it up for people like me who wanted it to test. I still have it along with a collection of Windows viruses/Trojans/worms/keyloggers.
So I tested ClamXAV along with the free Sophos virus scanner, and observed VirusTotal stats on it. Basically, despite a number of signatures being submitted to them by security experts, ClamAV can't detect it or ANY Mac Trojan I know of. Its hit rate on Windows malware is amongst the worst, if not THE worst. Occasionally I went back and checked if things had changed, it never could detect it.
People get a sense that if they scanned a file, it must be safe. When I was on Windows, I fell for that once when McAfee cleared a file sent to me, but fortunately my firewall stopped it calling out once I ran it. It took a couple of hours to clean my computer. I've also been the target of an Undetectable (UD) new Trojan keylogger. I didn't fall for it, they had already tried several phishing attacks against me. When I submitted it to VirusTotal, no antivirus program detected anything. Within a day, the major ones did, and within days, almost all did. But never ClamAV.

That's why I consider ClamAV worse than no antivirus at all.
 
Interesting comment. I wonder if that'll change the minds of any of the four that have voted the first option?
 
Probably not. They have probably had it for years, and it has never caught anything, so they feel safe, ironically. And it's open source, so naturally it's better, right? I do scan some received files with the free Sophos scanner, but since my testing, never with ClamXAV. But I am under no illusion it will keep me "safe", it is merely a precaution, mostly for Windows viruses I might pass on, but nonetheless there are a couple nasty Mac Trojans, though the known ones should be blocked by XProtect. But it's not a virus scanner, and Apple's system is only a rudimentary first line of defence.
It was implemented back when organised crime, presumably the Russian mafia, retooled their driveby fake video plugins on porn sites to support Macs. There was a tit-for-tat for a while as they retooled their Trojan to avoid detection, but it seemed they eventually gave up. Flash (and Java if you're silly enough to still have the plugin enabled) are the main attack vectors alongside Trojans from email or pirate software. Bugs in PDF readers are another potential attack vector used in the past; anything that can be scripted and downloaded, esp complex software with a history of bugs, like Flash and Adobe Reader, and of course Java. And they are available on Macs and Linux as well as Windows. A good security framework won't protect you from bugs in 3rd party plugins or critical system components like OpenSSH.
Funny how critical SSH bugs were found to be on all platforms, including all Desktop systems and phones, which could allow otherwise encrypted data to be read by someone who knew of these flaws. And they had been there for years without anybody noticing. While Microsoft's code is closed source, the government has access, supposedly to audit its security for defence purposes.
As we now know from Snowden and various news reports or Wikileaks, the NSA and other national agencies will use any means necessary to hack into other countries and companies with valuable data, they all have well-resourced hacker teams with the best and brightest, whose exploits we will probably never know except when they leave residual traces, like Stuxnet, and one that has security researchers in awe at its complexity and design, only traces of which have ever been found because a few computers were unplugged from the Internet when the self-destruct code was issued. A complex modular Trojan that has its own file system hiding in the unformatted slack space at the end of every drive, undetectable and resistant to system reinstallation or even drive wipes by hiding in USB firmware or bootsectors in ways never before seen, using exploits never before documented, infiltrating in ways we don't yet understand.

Yes, Macs can in theory get malware of various kinds, even with antivirus installed; all computers can and some of those by national agencies we might never know about. But antivirus software is an exercise in cost-benefit analysis, weighing risk to the cost and hassle of using one.
For me, the risk is low, it is not worth the system resources, hassle or money to have commercial antivirus on my Mac. I will scan occasional files, but not run one permanently in the background. That is one thing from the Windows world I don't want to revisit, as they embed themselves so deeply in a system they can cause some serious trouble, apart from bogging a system down. I think it was McAfee on Windows who accidentally issued an update that flagged a critical system file, which made Windows unbootable. Oops. Firewalls by all means, automatic scanning of email fine, but frankly for me I don't want to pay the ransom again if I can help it. It pissed me off when they decided it was just them being helpful when they started to automatically renew lapsed subscriptions without asking. And to cancel, you had to do it a month in advance, or you would be billed again. And they made it notoriously difficult to cancel. My parents-in-law get billed by two antivirus companies, one product which was supposed to be a free version, and they can't figure out how to cancel either. They're in their 70s and not tech-savvy. I'm in another state unfortunately. They still spam me years on, despite not having used Windows for a long time.
 
The site The Safe Mac has pretty good info on Mac security and a little over a year ago did a test on malware detection using available AV Packages. The article is here, and the results summary below.

[Screenshot: results summary]
 
Interesting article. Doesn't surprise me VirusBarrier was top, nor that iAntivirus is near the bottom, though quite how bad it is is surprising. Don't think I ever heard anything good about it. Didn't know McAfee had a Mac version, this sure isn't a good advertisement for them. Low 70s for ClamAV is about what I'd expect. But frankly, I haven't looked into it in a few years. I hope the day never comes when it truly becomes a necessity on Mac. I don't begrudge ppl who do use one, as long as they have some perspective on what "secure" is.
Flash is slowly dying, as media players are going all HTML5. It has its uses like games or animation, but not in the mainstream web. I remember when people wanted to build whole sites with it. Totally opaque from an SEO perspective. But I guess easier to protect copyright content.
 
@Weaselboy The only problem with some of the better software packages is that they require constant use whereas others can be used just as on-demand scanners.

I don't want Avast or any other software running in any capacity at all times or installing boot field like Avast does. I just want an app that remains dead until I launch it, update it, and scan something.
 
I just want an app that remains dead until I launch it, update it, and scan something.

Step 0: Buy DeLorean (DMC-12), install Flux Capacitor (FC-1) and travel to 1995.
Step 1: I haven't tried it but maybe you want to install to a USB flash drive? Could work or not... :cool:
 
corrected that for you. :cool:
There are currently no OS X viruses and there never have been any OS X viruses in more than 14 years after MacOS X 10.0 came to market.

For those who don't remember the Mac before MacOS X 10.0, there were 26 Mac-specific viruses up through MacOS 9.2.2. Most of those date back to System 6. In the years leading up to MacOS X, there were fewer than one new Mac-specific virus per year.
 
If it uses ClamAV code then it would be a derivative work covered by the GPL. The developer can certainly charge for the program but would still need to abide by the GPL source code requirements in the license and provide that free of charge.

https://www.clamxav.com/thirdPartySoftware.html

ClamXav comes bundled with some 3rd party software for your convenience: gfslogger and ClamAV®.

This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Please see the GNU General Public License for more details.

Both of these tools are called in binary form only and at arms length. ClamXav does not link to LibClamAV and is not a derivative work of ClamAV or gfslogger.

Source code
In line with the requirements of the GNU General Public Licence, the source code for both of these packages is available below:
ClamAV - instructions for compiling this can be found here.
gfslogger - instructions for compiling can be found within the archive

What a total scumbag.
 
MisterMe & some others (include yourself here DKZ) of longstanding Mac ownership continually refuse to admit the possibility - no matter how unlikely the scenario may be, and this sets alarm bells ringing for me ...it's deceitful.

I don't remember having written anything about the possibility of a future virus. Of course it's possible. My understanding though is that the way modern OSs are built, any of them, makes it very hard to build an actual effective virus.

If you want to spend your time and energy now on something that might happen in the future, be my guest, but I agree with others that it's entirely pointless, since if you're reading this, chances are very big that you'll be one of the first to read about it, should an actual virus hit the Mac OS eco system.
 
Yes, but like with the MAS version, how do you know you're getting ALL the updated definitions and how long until you don't?

I am sorry, Traverse, that I didn't come back to you earlier. For the time being it gets the updated definitions (the progress of downloading is visible in the lower part of the app window). For how long? I have no answer. The moment the definitions are not updated I will delete the application. Most probably I may do it even earlier. I run this software rarely, so no big deal.
 
I am sorry, Traverse, that I didn't come back to you earlier. For the time being it gets the updated definitions (the progress of downloading is visible in the lower part of the app window). For how long? I have no answer. The moment the definitions are not updated I will delete the application. Most probably I may do it even earlier. I run this software rarely, so no big deal.

I wanted to let you know that I am having problems getting updates now on my old MAS version. Excuse the bad screenshot, but I'm running at 1920x1200 right now and took it full screen to get the bottom part of the screenshot.
 

Avira offers a highly rated antivirus that is free with frequent definition updates automatically applied. I'm running it here with no problems. Maybe I already mentioned this now that I think of it. I am getting old...
 
There are currently no OS X viruses and there never have been any OS X viruses in more than 14 years after MacOS X 10.0 came to market.

For those who don't remember the Mac before MacOS X 10.0, there were 26 Mac-specific viruses up through MacOS 9.2.2. Most of those date back to System 6. In the years leading up to MacOS X, there were fewer than one new Mac-specific virus per year.

I don't remember having written anything about the possibility of a future virus. Of course it's possible. My understanding though is that the way modern OSs are built, any of them, makes it very hard to build an actual effective virus.

If you want to spend your time and energy now on something that might happen in the future, be my guest, but I agree with others that it's entirely pointless, since if you're reading this, chances are very big that you'll be one of the first to read about it, should an actual virus hit the Mac OS eco system.
I don't mean to be inflammatory, but a few days later and the above posts are instantly out-dated ...Voila

http://thehackernews.com/2015/08/mac-os-x-zero-day-exploit.html

Back on topic: I'm now using Avira and find it much less intrusive than Avast.
 
Just an FYI for those reading this thread who I'm sure would be interested in this news:

http://www.computerworld.com/articl...lic-bug-to-plant-adware-on-yosemite-macs.html

I consider it a good idea to have Adware Medic by Malwarebytes installed and run it periodically to hopefully catch issues such as the above and to be prepared to fix anything that might crop up. Once again though, this trojan could probably be largely avoided by safe surfing and care in deciding what to download and open not to mention ensuring that downloads come from trusted reputable sites.

Adware Medic is free and can be downloaded from the company's website here: https://www.malwarebytes.org/antimalware/mac/

Avira Antivirus for Mac (also free) can be had here: http://www.avira.com/en/free-antivirus-mac

I've had good experience with both of these not causing any issues or slowdowns as well as being quick in their scans. While it remains far less likely that we'd be attacked it is possible and it does happen so it certainly doesn't hurt to put up these defenses which cost zero and are both highly regarded products.
 
I don't mean to be inflammatory, but a few days later and the above posts are instantly out-dated ...Voila

http://thehackernews.com/2015/08/mac-os-x-zero-day-exploit.html

Back on topic: I'm now using Avira and find it much less intrusive than Avast.

Ya, you do. Otherwise you'd have taken your time to actually read the article, and noticed that this is just more adware, requiring user actions and not a virus.

If you want to worry about something, worry about this.

http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/
 
Ya, you do. Otherwise you'd have taken your time to actually read the article, and noticed that this is just more adware, requiring user actions and not a virus.

If you want to worry about something, worry about this.

http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/

I had read about this recently elsewhere myself. I was glad to read in your quoted article that some vulnerabilities have already been patched. Hopefully the remaining known ones will be soon as well. Just the same, patching after the fact of exposure isn't going to cut it by any means. It's just a matter of time before a significant incident drives an industry change. If this is anything like other known problems of the past (pick one) we'll have to get burned badly before there is a substantial response unfortunately. I hope I am wrong here but you see this kind of thing happen over and over all over the place (not just the tech world) and it does not exactly inspire confidence in people being smart enough to do what needs to be done before the fire starts.
 
Ya, you do. Otherwise you'd have taken your time to actually read the article, and noticed that this is just more adware, requiring user actions and not a virus.

If you want to worry about something, worry about this.

http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/
Really? What percentage of Windows viruses require some user interaction to execute their code? and what makes it a requisite that Mac malware needs to passively activate before it's considered a viable threat?

Your link only serves to strengthen my point and weaken your claim that anti-virus software isn't necessary on OS-X.

Thank You.
 
Really? What percentage of Windows viruses require some user interaction to execute their code?

Well, none. Seeing as then they wouldn't be viruses.

Your link only serves to strengthen my point and weaken your claim that anti-virus software isn't necessary on OS-X.

Yes, I am aware, that you probably think that. But there is still no real world threat involved, so it's just a continuation of the ongoing issue, just more scary.
 

Actually, the article you linked points out a scenario that an antivirus product could potentially mitigate where delivery to the target could go as follows:

"An attacker could first remotely compromise the boot flash firmware on a MacBook by delivering the attack code via a phishing email and malicious web site."

The code the malicious web site could attempt to execute on the system could be intercepted. Thus, an antivirus product could be beneficial in this scenario. This does not solve all problems nor prevent all attacks and it doesn't work at all until a given attack becomes known and coded for but it could still be useful and is certainly better than not having this defense up at all.
 
See, that's what I didn't want: Sentry. As of right now, I don't feel the need to have something continuously scanning or running. I only ever visit the same set of websites, I don't torrent, I've disabled Safari's open safe files option.

You're the prime type of user to get owned when say, the Macrumors forum (or one of the other sites you frequent) gets hacked and starts hosting malicious javascript that exploits your browser and owns your system.

The point is, you can't trust any site. Even "trusted" sites, if they get hacked (as this place has been before if I'm not mistaken - as have plenty of other high profile sites) - they can potentially host malicious content (javascript, malicious HTML that exploits browser bugs, etc.) that users like you will not scan and blindly trust until the compromise becomes known.
 
You're the prime type of user to get owned when say, the Macrumors forum (or one of the other sites you frequent) gets hacked and starts hosting malicious javascript that exploits your browser and owns your system.

The point is, you can't trust any site. Even "trusted" sites, if they get hacked (as this place has been before if I'm not mistaken - as have plenty of other high profile sites) - they can potentially host malicious content (javascript, malicious HTML that exploits browser bugs, etc.) that users like you will not scan and blindly trust until the compromise becomes known.

But unless I install an infected application, how exactly will I be owned? There are proof-of-concept viruses and worms, but right now there are only Trojans.

True, if a virus suddenly comes to life that can silently break through any browser or OS' security, I'll be vulnerable, but so will you. The current OS X virus protection packages will be ineffectual at stopping zero-day exploits because they don't know what to look for. They're better on Windows because there is a long history of viruses and an understanding of how they work.

I'm not opposed to AV programs, but they seem more trouble than they're worth at the moment.
 
@Dirtyharry50

I don't think even an AV package will protect against a firmware attack. That is something that will need to be patched on the root level by Apple.
 