Does Sophos actually detect any Mac viruses or threats?

Prior to OS X there were a few actual Mac viruses [8 if I remember].

These would only be found in old Mac files and software.

Does Sophos detect them?

I have a library of old Mac software which is updated periodically and need this ability.

Post OS X there was reportedly one trojan [reported by an AV company but never seen by anyone else I know].

Does Sophos detect it?

Does Sophos detect when Facebook, Google or some other anti-social network starts following me around the net and collecting data about me?

And does Sophos detect any threats that actually currently affect me as a Mac-only user?

By this I don't mean theoretical future possible threats.

So far it seems to only detect PC stuff.

  • grahamperrin wrote:

    Agile wrote:

    … our engine does detect malicious iFrames, JavaScripts, Flash, and other "web bugs" of a malicious nature.  To get more control over your web browsing, you would need a third party tool or purchase our Web Appliance. …


    This is a really interesting topic

    (kudos given :-)

    I'm curious. If neither edition of Sophos Anti-Virus for Mac OS X scans network traffic to the browser, then how are those web bugs detected by the engine?

    My limited understanding is that SAV for Mac scans only what's on disk.

    Does the engine hook into browser APIs, or system APIs, to detect threats without writes to disk? Something like that? 

    AFAIR on my Mac there was one threat in a cached WebHistory file, which sparked my curiosity but beyond that, this sort of stuff is fairly mysterious to me. 

    It'd be good to see a user-friendly explanation in one of the Sophos blogs. Not giving away the crown jewels of Sophos ;) just enough to cast light on a grey area …

    Many thanks


    As far as I know (and I'm definitely not an expert on the SAV internals), you are essentially correct in your assumption; there is no browser API hooking, etc. going on in the product.

    However, network scanning for an endpoint isn't all that necessary; if you want something that scans network activity, you do that further upstream, not on the target endpoint system.  After all, on the system there are only two places data can reside: in memory, or on disk.  "Network monitoring" becomes a red herring, because what you're really monitoring is where the data goes after the endpoint has received it... which is either into memory or onto disk.

    Those web bugs almost always start by causing the browser to download something... an HTML file, a Flash ad, a Java applet or similar, which gets cached on disk and then read into memory.  With on-access scanning, these get detected as soon as the system attempts to access the malicious code.  With on-demand scanning, the temporary cache files that have been left behind (for example in the Java cache directory) get scanned.

    I'll reiterate: network traffic doesn't go to the browser -- it goes to the OS, which opens up a filehandle the browser can read from.

    For the more technically minded, open up a terminal and type lsof (ell ess oh eff - or LiSt Open Files) -- you'll see all the open filehandles, which point not only to data files stored on local media, but also filehandles connected to network ports, pipes to other local processes, and lots of other goodies.  Note that while running this command will not harm your computer in any way, jumping to conclusions as to what the contents of the results are and taking the wrong action based on those conclusions can lead to Bad Things.

    While in some situations data can be read directly off a network port into memory without touching your hard disk, for such data to be executed (barring buffer overflows) it needs to be read as explicitly executable from disk.  Memory protection on OS X is fairly robust, so the final landing site of almost all malicious code will be on permanent storage, prior to execution -- and of course both on-access and on-demand scans will detect it there.

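The on-demand scan of cached files that the reply above describes, as an added example that is not part of the original thread and not Sophos code. It builds a throwaway cache directory, drops in the industry-standard EICAR anti-virus test file (the usual way to confirm that a scanner is actually running on a machine), and walks the tree applying EICAR's own matching rule: the 68-byte string must be the first 68 bytes of the file, only whitespace may follow, and the file may be at most 128 bytes. The sub-folder names (`WebKitCache`, `java`), the file names and the function names are assumptions made for the demo; the constructed file with the string buried mid-file is there to show the edge case that must not match.

```python
"""On-demand scan of a browser-style cache directory for the EICAR test file.

Added example, not Sophos code. The cache layout and file names below are
constructed for the demo; the detection rule is the one published by EICAR
for the standard anti-virus test file.
"""
import os
import tempfile
from pathlib import Path

# The 68-byte EICAR test string. Harmless, but every mainstream AV engine
# flags it, which is what makes it useful for checking that on-access or
# on-demand scanning is actually working on a machine.
EICAR = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
).encode("ascii")

MAX_EICAR_FILE_SIZE = 128


def is_eicar_file(data: bytes) -> bool:
    """EICAR's rule: the 68 bytes must be the first 68 bytes of the file,
    anything after them must be whitespace, and the whole file must be at
    most 128 bytes. A file that merely contains the string somewhere in
    the middle does not qualify."""
    if len(data) > MAX_EICAR_FILE_SIZE or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n") == b""


def scan_tree(root):
    """On-demand scan: walk every regular file under root and return the
    paths that match, sorted. Symlinks are skipped, not followed."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            with open(path, "rb") as fh:
                # Reading one byte past the limit is enough to reject
                # oversized files without loading them whole.
                head = fh.read(MAX_EICAR_FILE_SIZE + 1)
            if is_eicar_file(head):
                hits.append(str(path))
    return sorted(hits)


def build_demo_cache(root):
    """Construct a fake browser cache (assumed layout): one clean HTML file,
    one EICAR file posing as a cached ad, one EICAR file with a trailing
    newline (still matches), and one file where the string is buried
    mid-file (must NOT match). Returns the paths that should be detected."""
    root = Path(root)
    (root / "WebKitCache").mkdir(parents=True)
    (root / "java").mkdir()
    (root / "WebKitCache" / "index.html").write_bytes(b"<html><body>ok</body></html>")
    (root / "WebKitCache" / "ad.swf").write_bytes(EICAR)
    (root / "java" / "applet.tmp").write_bytes(EICAR + b"\n")
    (root / "java" / "notes.txt").write_bytes(b"seen: " + EICAR)
    return [str(root / "WebKitCache" / "ad.swf"),
            str(root / "java" / "applet.tmp")]


def run_demo():
    """Build the cache, scan it, and report whether the hits match the
    two files that should be detected."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = sorted(build_demo_cache(tmp))
        hits = scan_tree(tmp)
        return hits == expected, hits


if __name__ == "__main__":
    ok, hits = run_demo()
    print("detections:", *hits, sep="\n  ")
    print("matches expectation:", ok)
```

If you run this on a Mac that has an on-access scanner enabled, expect the scanner to react the moment `ad.swf` is written, before the on-demand walk even starts; that is exactly the disk-landing behaviour the reply describes, and it is the quickest practical answer to "does it detect anything".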
