Apple is actively conducting an internal investigation into the Mac Defender malware attack I wrote about yesterday (here and here). An internal document with a Last Modified date of Monday, May 16, 2011 notes that this is an "Issue/Investigation In Progress."
The document (shown below) provides specific instructions for support personnel to follow when dealing with a customer who has called AppleCare to request help with this specific attack.
There are two different resolution paths, depending on whether the customer says Mac Defender / Mac Security has or has notbeen installed.
According to this document, if the caller says he or she has not installed the software, the support rep should "suggest they quit the installer and delete the software immediately." That is followed by this disclaimer:
AppleCare does not provide support for removal of the malware. You should not confirm or deny whether the customer's Mac is infected or not.
If the software is already installed, support personnel are instructed to make sure all security updates have been installed using Software Update. They are then to direct the customer to the "What is Malware?" Help document using Finder. The final step is clear:
Explain that Apple does not make recommendations for specific software to assist in removing malware. The customer can be directed to the Apple Online Store and the Mac App Store for antivirus software options.
Finally, that is followed by these four bullet points.
- Do not confirm or deny that any such software has been installed.
- Do not attempt to remove or uninstall any malware software.
- Do not send any escalations or contact Tier 2 for support about removing the software, or provide impact data.
- Do not refer customers to the Apple Retail Store. The ARS does not provide any additional support for malware.
Apple has not responded to a request for comment on the ongoing Mac Defender attack or this policy.
How do Apple's competitors handle Windows malware infections?
Microsoft provides free telephone support for security issues to all customers, regardless of whether the software was purchased at retail or as part of a new PC. Microsoft Support Article 129972 (last updated May 17, 2011) contains these instructions:
How to obtain computer virus and security-related support
For United States and Canada
The computer safety team is available for computer virus and for other security-related support 24 hours a day in the United States and in Canada.
To obtain computer virus and security-related support, follow these steps:
- Before you contact a support engineer, make sure that you run updated antivirus software and updated spyware removal software on the infected computer. For more information about how to obtain a free computer safety scan, visit the following Microsoft Web site: http://www.microsoft.com/security/scanner/. For more information about antispyware software, visit the following Microsoft Web site:http://www.microsoft.com/protect/computer/spyware/as.mspx
- Call 1-866-PCSAFETY or call 1-866-727-2338 to contact security support.
For locations outside North America
To obtain computer virus and security-related support for locations outside North America, visit the following Microsoft Web site:
A page at Microsoft's Security TechCenter includes similar information for security professionals.
Dell directs customers to third-party security software partners for removal. It also offers paid malware removal services for $129 (phone) or $229 (in person). The service uses the tag line "No fix. No fee."
HP provides a similar paid service. "Virus and spyware removal" are included in the services offered with the HP PC Tune-up Service. It's available for a one-time fee of $99 or a monthly subscription fee of $10.