
Apple confirms malware protection in Snow Leopard (Updated)

Apple has confirmed reports that Mac OS 10.6 includes File Quarantine technology to scan for malware in files downloaded by Safari, iChat and Mail. As it turns out, it's been around since 2005. Anyone else find it ironic that Apple's latest television ads knock Windows' "viruses and headaches"?
Written by Jason D. O'Grady, Contributor

Although it's not advertised on any of its Snow Leopard pages (1, 2, 3), Apple has confirmed a report by Ryan Naraine on his Zero Day blog that Mac OS 10.6 includes malware protection. As it turns out, though, it's not entirely new.

Naraine notes that Apple's new malware blocker, discovered by Intego, appears to be scanning installation packages for signs of known Mac malware.

Anti-malware Snow Leopard

In this screenshot, Snow Leopard flagged a Trojan horse called "OSX.RSPlug.A." Few details are available about how Apple is handling the package scans for signs of malicious software, but Naraine has confirmed that Apple is not using the open-source ClamAV engine to handle the scans, indicating that Apple may have licensed the technology from a commercial anti-virus company.

Yesterday, The Loop confirmed that Snow Leopard uses Apple's File Quarantine technology to check for known malware signatures in files downloaded by Safari, iChat and Mail, and that it first appeared in Mac OS X Tiger (Mac OS 10.4). When malware is found, Snow Leopard will recommend moving the file to the trash, as seen in the screenshot from Intego (above). Snow Leopard is also able to download updated malware signatures via Software Update.

It's ironic that Apple is promoting the Mac's immunity to malware at the same time as they add OS-level scanners for it.

Update: 9to5Mac (via Dancho Danchev) reports that the malware protection in Snow Leopard comes in the form of an XProtect.plist file containing five signatures, including two for the most popular Mac OS X trojan horses: OSX.RSPlug and OSX.Iservice. While just an initial step, Apple can update the signatures as new vulnerabilities are found via the software update plumbing that's built into Snow Leopard.
