Apple

Bug in Apple’s Malware Detection Settings May Lead to Mistaken Preferences

Posted on June 1st, 2011 by

Following the release of the Mac OS X security update to protect against the MacDefender fake antivirus, Intego's security researchers discovered an interesting bug with the Security preference pane. A new preferences, Automatically update safe downloads list, was added in this security update. This setting tells Mac OS X to check every 24 hours, and on each restart, for new malware definitions in addition to the few that are already available. However, if you open the Security preference pane, unlock it, and wait for more than 30 seconds, any changes you make to this setting will not stick. Do the above, quit System Preferences, then open the Security preference pane and you will see that the setting will be as it had before your last change.



In addition, a log entry is written to the Mac's Console logs:

System Preferences[1673]	*** xprotect: SMJobSetEnabled failed with: Error Domain=kSMErrorDomainLaunchd Code=2 UserInfo=0x200260100 "The operation couldn’t be completed. (kSMErrorDomainLaunchd error 2 - An operation failed in launchdadd for reasons that you probably can't do anything about. Maybe you should reboot.)"; {
    NSDescription = "An operation failed in launchdadd for reasons that you probably can't do anything about. Maybe you should reboot.";
}

You should be aware that this bug may override settings you make to this preference, and if for any reason you've left the Security preference pane opened for more than 30 seconds, you should check again to see if the change you made has stuck.

  • Anonymous

    On Mac OS X 10.6.8 server with the latest update this option is checked and greyed out so as to imply that you can not alter the option. I imagine one can side step the issue with the defaults write combo but have not tested this yet.

    • http://www.intego.com Intego

      That’s interesting. Perhaps with the server software they don’t allow you to change it.

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}