Inside Snow Leopard's hidden malware protection

File Quarantine is Mac users' first line of defense against malicious software

While malware has long been an almost daily annoyance for Windows PCs, Mac users have become accustomed to not worrying about malicious software. Threats arise from time to time -- in January of this year, for example, a Trojan horse made the rounds in pirated copies of Apple's iWork software -- but most Mac users these days are probably running without virus protection software.

Apple's encouraged that, too, by frequently touting the Mac's resistance to malware in its advertising materials, especially when compared to Windows. But with the release of Mac OS X Snow Leopard, Apple's finally decided to subtly step up its game when it comes to malware, much as it has done in the past with phishing in Safari. For the first time, the Mac OS contains a built-in system that detects malicious software and attempts to protect users from inadvertently damaging their computers.

How does it work?

Since Mac OS X 10.4, Apple has built a download validation system called File Quarantine into its operating system. Beginning in Leopard, this manifested most frequently as a dialog box that popped up when a user first opened a file that was downloaded from the Internet via Mail, Safari, or iChat. The warning displayed what application downloaded the file, from what site, and at what time. It gave the user the option to continue opening the file, cancel, or view the Web page from which it had been downloaded.

In Snow Leopard, Apple has enhanced File Quarantine to also check files against known malware, pulling from a list of malware definitions at /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist. At the time of this writing, the file contains only two definitions: the OSX.RSPlug.A Trojan Horse first discovered in 2007 and the OSX.iService malware embedded in the pirated iWork installer mentioned above. However, Apple told Macworld that the list of definitions can be updated via Software Update.

If you try to open an infected file, Snow Leopard will present you with a stronger warning, saying that the file may damage your computer and suggesting you move it to the trash. As with the download validation dialog, you'll have the option to continue or cancel, but if the file is on a disk image, there's a button to eject the image. If, on the other hand, the file is already on your hard drive, that button instead invites you to move it to the trash.

If you've enabled Safari's "Open 'safe' files after downloading" preference, you will automatically be prompted with the dialog when the download completes and the file opens. Unlike the more general warning, the malware warning doesn't go away after the first time you open the file -- it will continue to appear any time you open the file.

File Quarantine seems to serve mainly as a gatekeeper for files downloaded from untrusted sources: Think of it as a layer between the user and the untamed wilds of the Internet. Snow Leopard defines an expanded list of applications for which it "quarantines" downloaded files (marking that they've been downloaded from the Internet).

So if you download a file via your Web browser -- including Safari, Internet Explorer, Firefox, OmniWeb, Opera, Mozilla, Camino, and more -- or an e-mail client -- Mail, Entourage, or Thunderbird -- or receive a file via iChat, then it will be checked for malware when you open it. However, if you grab an infected file from another source, such as an FTP site, a file-sharing service like BitTorrent, or through a program that's not covered by Apple's system, you're out of luck: The system won't detect it.
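To make the two points above concrete (definitions are matched only against files that carry the quarantine marking, so the same bytes fetched by an uncovered program are never scanned), here is a small model of the open-time check. It is added example code, not Apple's implementation: the definition-list schema (Description and Pattern keys, hex pattern), the "flags;hex-timestamp;agent;uuid" layout of the quarantine attribute, and all sample data are constructed assumptions for illustration.

```python
import plistlib
from datetime import datetime, timezone

# Constructed stand-in for a definition list in property-list form. The key names
# (Description, Pattern) and the hex-string pattern are an assumed schema for this
# example, not the real XProtect.plist layout.
DEFINITIONS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
  <key>Description</key><string>EXAMPLE.Trojan.A</string>
  <key>Pattern</key><string>4558414d504c455f4d41524b4552</string>
</dict></array></plist>"""

# Constructed sample bytes standing in for a downloaded installer.
INFECTED_FILE = b"installer header ... EXAMPLE_MARKER ... trailer"
CLEAN_FILE = b"installer header ... nothing of note ... trailer"

# Constructed quarantine attribute value. Layout assumed here:
# "flags;hex-unix-timestamp;downloading-agent;uuid".
QUARANTINE_FROM_SAFARI = "0081;4a9d3a20;Safari;"


def load_definitions(plist_bytes):
    """Return [(name, pattern_bytes)] from the plist definition list."""
    return [(d["Description"], bytes.fromhex(d["Pattern"]))
            for d in plistlib.loads(plist_bytes)]


def parse_quarantine(value):
    """Decode a quarantine attribute into flags, download time and agent."""
    flags, stamp, agent = value.split(";")[:3]
    return {"flags": int(flags, 16),
            "downloaded": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
            "agent": agent}


def check_on_open(data, quarantine_value, definitions):
    """Model of the open-time check: a file without the quarantine attribute
    is never scanned, which is the gap for FTP or BitTorrent downloads."""
    if quarantine_value is None:
        return ("unchecked", None)
    info = parse_quarantine(quarantine_value)
    for name, pattern in definitions:
        if pattern in data:
            return ("malware", name)            # stronger warning, trash/eject offered
    return ("download-warning", info["agent"])  # plain "downloaded from" dialog


if __name__ == "__main__":
    defs = load_definitions(DEFINITIONS_PLIST)
    print(check_on_open(INFECTED_FILE, QUARANTINE_FROM_SAFARI, defs))
    print(check_on_open(INFECTED_FILE, None, defs))
    print(check_on_open(CLEAN_FILE, QUARANTINE_FROM_SAFARI, defs))
```

The second call shows the caveat directly: identical infected bytes without the quarantine attribute come back "unchecked".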

Most importantly, Apple's system appears to contain no way to clean malicious software off your Mac after it's been infected. For that, it seems you'll still need to turn to third-party anti-virus products.
