
does sophos actually detect any mac viri or threats?

prior to osx there were a few actual mac viruses [8 if i remember]

these would only be found in old mac files and software

does sophos detect them?

i have a library of old mac software which is updated periodically and need this ability

post osx there was reportedly one trojan [reported by an av company but never seen by anyone else i know]

does sophos detect it

does sophos detect when facebook, google or some other anti-social network starts following me around the net and collecting data about me?

and does sophos detect any threats that actually currently affect me as a mac only user

by this i don't mean theoretical future possible threats

so far it seems to only detect pc stuff

  • To answer your questions:

    Prior to OS X, there were 16 well known Mac virus families, plus rogue Applescripts, Word macro viruses, trojan applications, etc.

    MacHomeAV detects these, plus other less-known families and variants.  To verify, run MiniVmac or Basilisk II with a classic OS, and run Disinfectant and Gatekeeper over your library, and compare the results to what you get with MacHomeAV.

    Since the advent of OS X, there have been a number of malware families, most notably DNSChanger, RSPlug and the recent Boonana.  There are also a number of other OS X-specific and cross-platform pieces of malware that Sophos detects.

    Sophos also detects malware targeting Microsoft Windows, UNIX, and various other platforms, as we use the same detection engine across our entire product line, and detect for all platforms on all platforms.

    Sophos does not capture personal information about you, and so is unable to determine if other parties are doing so.  However, our engine does detect malicious iFrames, JavaScripts, Flash, and other "web bugs" of a malicious nature.  To get more control over your web browsing, you would need a third party tool or purchase our Web Appliance.

    To answer your final question, yes -- Sophos detects the malware families I mentioned above that are currently affecting OS X users worldwide. 

    Examples (from the past 4 weeks):

    You will notice that the results include forum posts from people who have been infected with the mentioned malware.

    Likely the reason it seems to only detect PC stuff is that there is so much more PC stuff to detect.  Also note that PC malware can affect you as a Mac user; just because your computer didn't get affected by it doesn't mean that you can't pass on infected files to people you know who are PC users.


  • Agile wrote:

    … our engine does detect malicious iFrames, JavaScripts, Flash, and other "web bugs" of a malicious nature.  To get more control over your web browsing, you would need a third party tool or purchase our Web Appliance. …


    This is a really interesting topic

    (kudos given :-)

    I'm curious. If neither edition of Sophos Anti-Virus for Mac OS X scans network traffic to the browser, then how are those web bugs detected by the engine?

    My limited understanding is that SAV for Mac scans only what's on disk.

    Does the engine hook into browser APIs, or system APIs, to detect threats without writes to disk? Something like that? 

    AFAIR on my Mac there was one threat in a cached WebHistory file, which sparked my curiosity but beyond that, this sort of stuff is fairly mysterious to me. 

    It'd be good to see a user-friendly explanation in one of the Sophos blogs. Not giving away the crown jewels of Sophos ;) just enough to cast light on a grey area …

    Many thanks


  • grahamperrin wrote:

    Agile wrote:

    … our engine does detect malicious iFrames, JavaScripts, Flash, and other "web bugs" of a malicious nature.  To get more control over your web browsing, you would need a third party tool or purchase our Web Appliance. …


    This is a really interesting topic

    (kudos given :-)

    I'm curious. If neither edition of Sophos Anti-Virus for Mac OS X scans network traffic to the browser, then how are those web bugs detected by the engine?

    My limited understanding is that SAV for Mac scans only what's on disk.

    Does the engine hook into browser APIs, or system APIs, to detect threats without writes to disk? Something like that? 

    AFAIR on my Mac there was one threat in a cached WebHistory file, which sparked my curiosity but beyond that, this sort of stuff is fairly mysterious to me. 

    It'd be good to see a user-friendly explanation in one of the Sophos blogs. Not giving away the crown jewels of Sophos ;) just enough to cast light on a grey area …

    Many thanks


    As far as I know (and I'm definitely not an expert on the SAV internals), you are essentially correct in your assumption; there is no browser API hooking, etc. going on in the product.

    However, network scanning for an endpoint isn't all that necessary; if you want something that scans network activity, you do that further upstream, not on the target endpoint system.  After all, on the system there are only two places data can reside: in memory, or on disk.  "Network monitoring" becomes a red herring, because what you're really monitoring is where the data goes after the endpoint has received it... which is either into memory or onto disk.

    Those web bugs almost always start by causing the browser to download something... an HTML file, a Flash ad, a Java applet or similar, which gets cached on disk and then read into memory.  With on-access scanning, these get detected as soon as the system attempts to access the malicious code.  With on-demand scanning, the temporary cache files that have been left behind (for example in the Java cache directory) get scanned.

    I'll reiterate: network traffic doesn't go to the browser -- it goes to the OS, which opens up a filehandle the browser can read from.

    For the more technically minded, open up a terminal and type lsof (ell ess oh eff - or LiSt Open Files) -- you'll see all the open filehandles, which point not only to data files stored on local media, but also filehandles connected to network ports, pipes to other local processes, and lots of other goodies.  Note that while running this command will not harm your computer in any way, jumping to conclusions as to what the contents of the results are and taking the wrong action based on those conclusions can lead to Bad Things.

    While in some situations data can be read directly off a network port into memory without touching your hard disk, for such data to be executed (barring buffer overflows) it needs to be read as explicitly executable from disk.  Memory protection on OS X is fairly robust, so the final landing site of almost all malicious code will be on permanent storage, prior to execution -- and of course both on-access and on-demand scans will detect it there.

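An added illustration of the on-demand scan of cache directories that Agile describes above. This is example code written for this page, not code from the thread or from any Sophos product: it walks a constructed browser/Java cache tree, matches each file against a small signature set (a byte pattern and a SHA-256 hash, both constructed and harmless), and skips files it cannot read, which real caches often contain.

```python
"""Minimal on-demand scanner over a cache tree (added example, not product code)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Constructed, harmless stand-ins for "known bad" cached content.
TEST_PATTERN = b"CONSTRUCTED-TEST-PATTERN-NOT-MALWARE"
TEST_APPLET = b"PK\x03\x04 constructed stand-in for a cached applet (not real)"

# Two signature styles: a byte pattern found anywhere in a file, and an exact file hash.
PATTERN_SIGNATURES = {"Test/Pattern-A": TEST_PATTERN}
HASH_SIGNATURES = {hashlib.sha256(TEST_APPLET).hexdigest(): "Test/Hash-B"}


def scan_file(path: Path) -> list[str]:
    """Return the signature names matching one file; unreadable files yield []."""
    try:
        data = path.read_bytes()
    except OSError:
        # Locked or permission-restricted cache entries are reported as no hit
        # rather than aborting the whole scan.
        return []
    hits = [name for name, pattern in PATTERN_SIGNATURES.items() if pattern in data]
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    return hits


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Walk the cache tree and report files with hits, keyed by path relative to root."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_cache() -> Path:
    """Create a constructed cache tree: a clean page, a page embedding the
    test pattern inside an iframe, and a stand-in cached applet."""
    root = Path(tempfile.mkdtemp(prefix="cache-demo-"))
    (root / "WebKit").mkdir()
    (root / "Java" / "cache").mkdir(parents=True)
    (root / "WebKit" / "index.html").write_bytes(b"<html><body>nothing here</body></html>")
    (root / "WebKit" / "ad.html").write_bytes(b"<html><iframe>" + TEST_PATTERN + b"</iframe></html>")
    (root / "Java" / "cache" / "applet.jar").write_bytes(TEST_APPLET)
    return root


def demo() -> dict[str, list[str]]:
    """Build the sample cache and scan it; returns {relative_path: [signature names]}."""
    return scan_directory(build_sample_cache())


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

The point of the example is the one Agile makes: whatever the browser fetched has to land somewhere, and the cache on disk is where an on-demand scan finds it after the fact. A real engine uses far richer signatures and chunked reads, but the walk-and-match loop is the same shape.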

  • Agile wrote:

    As far as I know … no browser API hooking, etc. going on in the product.

    … on the system there are only two places data can reside: in memory, or on disk.  "Network monitoring" becomes a red herring, because what you're really monitoring is where the data goes after the endpoint has received it... which is either into memory or onto disk.

    Those web bugs almost always start by causing the browser to download … cached on disk and then read into memory.  With on-access scanning, these get detected as soon as the system attempts to access the malicious code. With on-demand scanning, the temporary cache files that have been left behind (for example in the Java cache directory) get scanned.

    I'll reiterate: network traffic doesn't go to the browser -- it goes to the OS, which opens up a filehandle the browser can read from.

    … Memory protection on OS X is fairly robust, so the final landing site of almost all malicious code will be on permanent storage, prior to execution -- and of course both on-access and on-demand scans will detect it there.


    That's great, thanks. Much clearer now. 

    Most reassuring (for users such as us, gaining protection from products that focus on permanent storage) is "the final landing site of almost all malicious code will be on permanent storage, prior to execution".

    Incidentally the expression network traffic to the browser came from SophosLabs in response to a question about the HTTP data stream. Origins of that conversation probably included Adobe Responds... Sort Of and http://www.diigo.com/bookmark/http%3A%2F%2Fwww.sophos.com%2Fblogs%2Fsophoslabs%2Fv%2Fpost%2F7407?tab=comment&uname=grahamperrin

    Defocusing from SAV Home Edition, re: some upstream stuff I'm slowly kicking the ball around at http://discussions.apple.com/message.jspa?messageID=12545569#12545569 in a topic Complements to Safari 'fraudulent sites' warnings and Google Safe Browsing. (Inevitably, much advice re: on-disk creeps into a topic that's explicitly focused on "through-the-web threats that do not necessarily involve writes to disk".)
