Eriq wrote: Thanks for the answer Agile. I still don't know however, if Sophos antivirus for Mac detects iexplore.exe (the malware). Also, when I read the EULA before downloading I got another question. Can I install Sophos to scan my computer at home and then uninstall it in the same day? Also, it says it's for home and sometimes I buy things for my job on my home computer. There is also academic research on the computer. Does this mean I can't install it or?
In answer to your first question: Sophos detects many pieces of malware that use the iexplore.exe name -- there is no guarantee that it will detect all of them, however.
Regarding install and uninstall: yes, you can install and uninstall as often as you want.
As far as home use: if your computer is primarily used for "home" purposes, you are free to use the free version of the software. If you are running a home business, or the computer, while being in your home, is the one you use primarily for academic research (e.g. a laptop which travels to college for the purpose of presenting lectures etc.), then you should probably consult your lawyer or the lawyer who handles such things for your organisation. I'm not a lawyer, so I can't provide any of this as legal advice -- but generally people know instinctively if they're using something for home use, or for some use primarily to the benefit of some organisation other than recreational use for your family. There are always edge cases.
Edit2: does Sophos keep track/save what files I scan so others can see them too? Also, if I get a Windows malware on a Mac computer, can the virus/malware infect/spread to other files on my Mac that could then send the malware to a Windows computer, or would it just be nonfunctioning and not do anything but exist on the Mac unless moved to a Windows computer?
Long answer: The Mac product has the ability to send checksums of your detected files to Sophos if you have Live Protection enabled. This could, in theory, mean that Sophos could track what files you have by finding a file matching the checksum of your submission, and then matching it against your IP address or the unique ID number of your Sophos installation. However, Sophos does not require personal information to download the product, so there's nothing to identify you as an individual, other than the checksums you submit cross-referenced with the unique ID of your particular installation.
Short answer: no, not really, and Sophos doesn't have things in place to silently enable this with a change of the EULA.
Answer 2: It depends. Two of the major sets of files we see on Macs that flag up through Live Protection feedback are malicious fake videos and trojanised cracks/keygens for Windows software. We obviously have no way to tie these to the individuals storing this malware, but can see how widespread it is across the installed userbase. Most malicious software is targeted at a specific system, and will only run on that system. However, malware that checks for multiple exploits could target multiple systems (OS X Intel, OS X PPC, Windows, Java VM, Ubuntu Linux, etc.) -- most of the malware fitting this description, however, is server-side: SQL exploits, web server attacks, etc. As such, if you detect Windows malware on your Mac, it is likely benign unless *run* on a Windows PC -- copying it to a Windows PC is generally not enough to cause a problem.
Now where this gets tricky is with the two major sets of files I mentioned above: the fake codec or fake video malware often comes down via torrents, and shows up on a Mac as a WMV file that complains you don't have the correct codec to play the video. This will not run at all on a Mac, so the video is totally useless. However, bittorrent works by sharing in both directions -- so if a Mac user downloads or seeds such a malicious file via bittorrent, they will likely be uploading it to a Windows PC. On Windows, if this file is opened, it will download and execute malware in the background, compromising the Windows PC.
The second set of files is generally a problem for people who use a Mac, but decide for some reason that they need to use a single piece of Windows software, but don't want to deal with the DRM (because they didn't pay for the software, or they don't want to keep the DVD inserted, or some other reason). So, they run Windows in a virtual machine or dual-booted on their Mac, and download cracks and license key generators to side-step the restrictions put in place by the software developer. Unfortunately, malware authors have discovered that this is a good way to slip malware onto the system, and often make these key generators and software patchers do more than advertised -- they inject malware as well, usually adding the Windows PC to a botnet, or a bitcoin mining net, or just opening a remote access tunnel for the attacker to do what they want on the computer.
Now, it doesn't matter if you're using a virtual machine, DarWINE (runs Windows software in OS X), or dual booting -- if this software is run, it will likely run the malicious payload as well as the intended function. This means that as long as the Windows software is running on your Mac, the system is operating in a compromised state. If some of this malware has a USB stick infector included, then that stick will spread the malware to any Windows PC or Windows PC Virtual Machine it comes in contact with.
Something else to note is that you often get downloaded Java, Flash or JavaScript (embedded in HTML, a PDF, or some Office document) detected as a Windows Trojan by Sophos products -- but the malware could theoretically function just as well on OS X if this platform is considered by the attacker or the attack itself is of a generic enough nature (doesn't do anything platform-specific).
Does this answer your questions?
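Two points in the reply above lend themselves to a worked illustration: a cloud lookup such as Live Protection needs only a one-way checksum plus an installation id, never the file itself, and a file flagged as Windows malware on a Mac is inert there unless something on the host can actually execute it. The following Python script is an added example written for this thread; it is not Sophos code, and the telemetry record layout, the status names and the sample byte strings are constructed assumptions (the PE, ELF, Mach-O and ASF header constants are the standard documented magic values). It classifies each sample by header, builds a hash-only lookup record, matches it against a constructed blocklist and reports whether the detection could run on the given host.

```python
import hashlib
import struct
from typing import Dict, List, Optional

# Documented header magics; the table is constructed for this example and not exhaustive.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit Mach-O, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit Mach-O
    b"\xca\xfe\xba\xbe",                        # universal (fat) binary
}
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # .wmv / .asf container

# Which host can actually trigger a payload in each format. Per the post, the
# fake-codec .wmv trick only fires when opened on Windows; it is dead weight on a Mac.
RUNS_ON = {
    "windows-pe": {"windows"},
    "linux-elf": {"linux"},
    "macos-macho": {"macos"},
    "media-asf": {"windows"},
}


def identify_format(data: bytes) -> str:
    """Classify a blob by its header so we know which platform could run it."""
    if data[:2] == b"MZ":
        # Windows PE: e_lfanew at offset 0x3c points at the 'PE\0\0' signature
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "windows-pe"
        return "dos-mz"
    if data[:4] == b"\x7fELF":
        return "linux-elf"
    if data[:4] in MACHO_MAGICS:
        return "macos-macho"
    if data[:16] == ASF_HEADER_GUID:
        return "media-asf"
    return "unknown"


def telemetry_record(data: bytes, install_id: str) -> Dict[str, object]:
    """Minimal lookup record (assumed layout): one-way hash + install id, never the content."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "install_id": install_id}


def cloud_lookup(record: Dict[str, object], known_bad: Dict[str, str]) -> Optional[str]:
    """Server side of a hash lookup: all it learns is whether this hash is already known."""
    return known_bad.get(str(record["sha256"]))


def triage(samples: Dict[str, bytes], known_bad: Dict[str, str],
           host: str, install_id: str) -> List[Dict[str, object]]:
    """Hash, look up and classify each sample relative to the host it was found on."""
    results = []
    for name, data in samples.items():
        fmt = identify_format(data)
        rec = telemetry_record(data, install_id)
        verdict = cloud_lookup(rec, known_bad)
        if verdict is None:
            status = "clean-or-unknown"
        elif host in RUNS_ON.get(fmt, set()):
            status = "malicious-active-on-host"
        else:
            # Inert here, but still harmful if seeded via torrent or run in a Windows VM/Wine.
            status = "malicious-inert-on-host"
        results.append({"file": name, "format": fmt, "sha256": rec["sha256"],
                        "verdict": verdict, "status": status})
    return results


# Constructed sample files: a minimal valid PE header, a 64-bit Mach-O header, an ASF header.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
FAKE_MACHO = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
FAKE_WMV = ASF_HEADER_GUID + b"\x00" * 16
SAMPLES = {"iexplore.exe": FAKE_PE, "tool": FAKE_MACHO, "movie.wmv": FAKE_WMV}

# Constructed blocklist keyed by SHA-256; the names are placeholders, not real detection ids.
KNOWN_BAD = {
    hashlib.sha256(FAKE_PE).hexdigest(): "example-trojan",
    hashlib.sha256(FAKE_WMV).hexdigest(): "example-fake-codec",
}

if __name__ == "__main__":
    for row in triage(SAMPLES, KNOWN_BAD, host="macos", install_id="install-0001"):
        print(f'{row["file"]:14} {row["format"]:12} {row["status"]:26} {row["sha256"][:16]}...')
```

The record sent upstream carries no filename and no content, which is the property the reply relies on: the server can tell that a given installation holds a file with a known hash, but cannot recover the file from the hash. Running the same triage with host="windows" flips the PE and the fake-codec video to active, which is the case the reply warns about for VMs, dual boot and torrent seeding.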