Malware + Security & Privacy

With the MacDefender (and MacProtect, MacSecurity and MacGuard) fake antiviruses targeting Mac users, and being quite effective in tricking them into installing the software and giving up credit card numbers, Apple has released a security update for Mac OS X 10.6 Snow Leopard to block this malware. The update is in three parts:

File Quarantine: The OSX.MacDefender.A definition has been added to the malware check within File Quarantine. Information on File Quarantine is available in this Knowledge Base article.

File Quarantine: The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the “Automatically update safe downloads list” checkbox in Security Preferences. Additional information is available in this Knowledge Base article. This option is turned on automatically, and only users with administrative accounts can disable it.

Malware removal: The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed. Additional information is available in this Knowledge Base article.

We’ll have more information later when we’ve been able to test this system with the many variants we have. One thing to point out, however, is that only users of Mac OS X 10.6 are protected; the malware check in the file quarantine system does not exist in older versions of Mac OS X.

This security update is 2.1 MB, and, interestingly, it does not require a restart after installation.

UPDATE: Intego has confirmed that Apple’s update detects all existing variants of the MacDefender fake antivirus. However, it does not currently detect a variant released shortly after Apple’s security update.