Today, Intego announced a new trojan designed for the Mac dubbed “DevilRobber”.
You can read Intego’s site (or many other sites posting about this trojan), but I wanted to remind everyone that there is built-in anti-virus software called XProtect within updated versions of Snow Leopard (version 10.6.7 with Security Update 2011-003 OR greater) and Lion.
XProtect is enabled by going to System Preferences => Security => General tab and checking the “Automatically update safe downloads list” option. If you ever want to update your list, just uncheck / recheck the option.
(Notice, my settings may look different from yours as I have FileVault enabled along with other MCX settings. The safe downloads list is what’s important for this article.)
However, let’s get a little more information from XProtect.
If we run the following command “today” (11/1/2011 @ 11am Eastern), we get the following results:
$ /usr/libexec/PlistBuddy -c "print LastModification" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
> Tue, 11 Oct 2011 16:20:51 GMT
This tells us that our anti-virus dictionary file has not been updated since Oct 11th of 2011. In order to update your dictionary, you can use the above check / recheck method or:
You will notice that as of right now the XProtect meta file timestamp has not changed. I assume Apple will soon update this file to protect Mac users from DevilRobber, or any other future trojan/virus that gets created. We’re just dependent on Apple to update their dictionary, just the same as Intego / Sophos / etc. users are dependent on their paid software to update their dictionary file. Once the file is updated, you should get a similar result for MacDefender.
$ cat /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist | grep MacDefender
XProtect.plist file has been updated as of Nov 1st, 2011, and if you grep for “Devil” you will get a response of “OSX.DevilRobber.A”. Pretty quick (and automatically done) as the announcement was on Nov 1st.
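The two manual checks above (the LastModification stamp and the grep for a signature name) can be combined into one audit. This is an added example, not code from the original post; it assumes XProtect.plist is an array of dictionaries that each carry a Description string, and the 7-day staleness threshold and the embedded sample plists are constructed for illustration.

```python
import os
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

RES = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
# Constructed samples in the assumed layout of the two files (not real contents).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>LastModification</key><string>Tue, 11 Oct 2011 16:20:51 GMT</string>
</dict></plist>"""
SAMPLE_DEFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
<dict><key>Description</key><string>OSX.MacDefender.A</string></dict>
</array></plist>"""

def load(name, sample):
    """Read the real file on a Mac that has it, else the constructed sample."""
    path = os.path.join(RES, name)
    if os.path.exists(path):
        with open(path, "rb") as fh:
            return fh.read()
    return sample

def definitions_age(meta_bytes, now=None):
    """Time elapsed since the LastModification stamp in XProtect.meta.plist."""
    stamp = parsedate_to_datetime(plistlib.loads(meta_bytes)["LastModification"])
    return (now or datetime.now(timezone.utc)) - stamp

def matching_signatures(defs_bytes, needle):
    """Description values containing needle (the parsed form of the grep)."""
    return [e["Description"] for e in plistlib.loads(defs_bytes)
            if needle.lower() in e.get("Description", "").lower()]

def audit(meta_bytes, defs_bytes, threats, max_age_days=7, now=None):
    """List findings: stale definitions, and threats that have no signature."""
    findings = []
    age = definitions_age(meta_bytes, now)
    if age.days > max_age_days:  # threshold is an assumption, tune to taste
        findings.append("definitions are %d days old" % age.days)
    for threat in threats:
        if not matching_signatures(defs_bytes, threat):
            findings.append("no signature for %s" % threat)
    return findings

if __name__ == "__main__":
    meta = load("XProtect.meta.plist", SAMPLE_META)
    defs = load("XProtect.plist", SAMPLE_DEFS)
    for line in audit(meta, defs, ["MacDefender", "DevilRobber"]) or ["ok"]:
        print(line)
```

Parsing the plist avoids false matches that a plain grep can produce on pattern data, and the same script can be pushed to many Macs to report which ones have not yet picked up a new definition.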