Why Viruses Have Trouble Penetrating the Mac

Archived on Wed Mar 16 14:59:36 2005

It may or may not surprise you, but there are no OS X viruses (or worms or trojans), partly due to the implementation of OS X and its almost-inaccessible Root. Dr. Smoke, who gave me some advice on this subject, gives a clear explanation of how the problem should be viewed at the X Lab pages at www.thexlab.com/faqs/malspyware.html.

Most Mac users never need Root access. We use Administrator privileges, and if Root is needed for installation of an application or for alterations to the system -- what a virus would need to do -- a user must enter a password. This physically and consciously acknowledges an event (and its consequences).

Microsoft Macros

Mac naysayers would have us believe there are no viruses because there are so few Macs (this also applies to Linux and Unix platforms), although that could change with the Mac mini.

If the number of viruses for Windows keeps on growing (as of January this year, there were a total of 68,736 viruses detected, according to Symantec), the Mac may come in for some attention. There is no point spending all your time virus-writing, however, if viruses will not work.

The only problem on OS X is from macros with Microsoft (Nasdaq: MSFT) products and from mail attachments. These do not harm the Mac environment but may damage a Windows computer if sent. As a normal precaution, I do not open attachments, and trash them instantly.

This immunity may not last. There have been experiments: last year one (one!) widely reported Unix-based package was found, but it had no method of self-propagation and no delivery system.

I almost long for the days (and simplicity) of the locally written Victor Charlie (for DOS) which examined checksums to seek out unauthorized changes. A virus signature -- the common method of virus-detection these days -- may arrive days after the event.

Signature Checkers

There is a Unix-based system integrity checker, called Tripwire, which I installed. I would not suggest installing this unless you are really comfortable working at the command line. This is one that screams out for a GUI version.

What we have left, if we are going to prepare, are the signature checkers. McAfee Virex has been around for a long time -- I used a copy in System 8 -- and can be found as part of the .Mac subscription. It was withdrawn by Apple (Nasdaq: AAPL) in late 2004 for a brief time after a conflict was discovered, but it is now available again with .Mac and it is also on sale. Some users still report problems, however.

Norton Anti-virus for Mac 9.0 is also in the market and has a good following. A number of OS X users have also installed the products of Intego, which include VirusBarrier and NetBarrier.

A further commercial product is that of Sophos, which has a link to evaluate a copy of its application. This one is aimed at larger enterprises.

Mark Allan from the UK had been using an open-source application called ClamAV but he tired of the command line so, bless him, took it upon himself to develop ClamXav, a free virus checker (using signatures). Version 0.9.0f for OS X is a 2.8 MB download with a simple install process.

A panel allows you to update the signatures (you can also set this to update automatically) and a file browser gives you choices of which directories or files to scan. Preferences are available for some fine tuning: General, Internet and Schedule.

Quarantine Folder

The software has the ability to move infected files to a quarantine folder where they can be isolated. Items that can be scanned include mailboxes. Mark includes a warning that, for these, the isolation method should not be used. The mailbox needs to retain its integrity.

I ran ClamXav three or four times, first on a small selection of files, then some larger directories and also mailboxes. Half a dozen Word files that I had not used in about three years were shown as having Macro viruses. As I do not use Word, these had not come to light earlier (nor had they spread). ClamXav does not repair infected files: I opened them in TextEdit, copied the text information and dumped the originals. Problem solved.

Mark's Web site has some useful information on this utility and makes it clear that, although free, a donation might be appropriate. There is a "nag" screen for this that comes up occasionally.

For what it does, ClamXav is rightly getting some good reports from the online Mac community. It is never too early to lay the foundations for a warning system.


http://www.macnewsworld.com/story/41185.html
