Snow Leopard's malware protection only scans for two Trojans

The much hyped malware protection built into Apple's Snow Leopard upgrade appears to be nothing more than an XProtect.plist file containing five signatures for two of the most widespread Mac OS X trojans: OSX.RSPlug and OSX.Iservice.

Intego, the company that originally reported the new feature, has just released a comparative review of its (commercial) antivirus product next to Apple's anti-malware function. Here are some of the highlights:

  • Apple’s anti-malware function only scans files downloaded with a handful of applications (Safari, Mail, iChat, Firefox, Entourage and a few other web browsers). Even the disturbingly modest signature base is therefore bypassed whenever the malware arrives by some other route, for instance through a BitTorrent client, because such files are never checked at all.
  • Apple’s anti-malware function currently only scans for two Trojan horses, as of the initial release of Snow Leopard. Relying on such a modest set of signatures while new variants of known OS X malware families keep appearing clearly indicates that the feature was released prematurely.
  • Apple’s anti-malware function receives occasional updates via Apple’s Software Update. With malware, Mac OS X malware included, every modified variant of a known family enjoys a comfortable life cycle until a signature for it ships. In its current form, reliance on occasional Software Updates rather than regular, scheduled signature updates from an independent vendor clearly lengthens that life cycle.
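
To make the three points above concrete, here is a small added example (not Apple's code, and not the real XProtect.plist format, which it only loosely imitates): a toy signature list in plist form, a scanner that honours the "only quarantined downloads" rule, and a handful of constructed downloads. The family names, byte patterns, file names and the quarantine flag on each sample are all made up for the demo.

```python
"""Toy model of Snow Leopard's XProtect.plist signature check.

Added example for this post, not Apple's code. The plist layout is only
modelled loosely on the real XProtect.plist (a list of entries, each with a
Description and hex-encoded byte patterns under Matches); the family names,
patterns and sample "downloads" below are constructed for the demo.
"""
import plistlib


def make_signature_plist(entries):
    """Serialise [(family, pattern_bytes), ...] into a plist (constructed format)."""
    return plistlib.dumps([
        {"Description": family,
         "Matches": [{"MatchType": "Match", "Pattern": pattern.hex()}]}
        for family, pattern in entries
    ])


# Constructed signature list: one made-up family, one made-up byte pattern.
SIGNATURE_PLIST = make_signature_plist([("OSX.DemoDNSChanger.A", b"SET_DNS=")])


def load_signatures(plist_bytes):
    """Parse the plist into (family name, raw byte pattern) pairs."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        for m in entry["Matches"]:
            sigs.append((entry["Description"], bytes.fromhex(m["Pattern"])))
    return sigs


def scan_download(data, quarantined, sigs):
    """Mimic the check the post describes.

    The scan only runs on files carrying the quarantine flag that the handful
    of supported apps (Safari, Mail, iChat, ...) set on downloads. A file
    pulled down by a BitTorrent client never gets that flag, so it is never
    examined at all, whatever it contains.
    """
    if not quarantined:
        return "not scanned"
    for family, pattern in sigs:
        if pattern in data:   # exact byte match, as plain signatures do
            return family
    return "clean"


# Constructed "downloads": (label, file contents, arrived via a quarantining app?)
SAMPLES = [
    ("codec.pkg via Safari", b"#!/bin/sh\nSET_DNS=10.0.0.1\n", True),
    ("codec.pkg via BitTorrent", b"#!/bin/sh\nSET_DNS=10.0.0.1\n", False),
    # One-byte variant ('=' -> ':') is enough to defeat the exact signature.
    ("codec-v2.pkg via Safari", b"#!/bin/sh\nSET_DNS:10.0.0.1\n", True),
    ("notes.txt via Mail", b"meeting at 10\n", True),
]


def run_demo(sigs=None):
    """Return {label: verdict} for every sample download."""
    if sigs is None:
        sigs = load_signatures(SIGNATURE_PLIST)
    return {label: scan_download(data, q, sigs) for label, data, q in SAMPLES}


def with_update(extra_plist_bytes):
    """Signatures after a (hypothetical) Software Update that adds entries.

    Until such an update actually ships, the variant in SAMPLES is never
    caught, which is the life-cycle problem the post points at.
    """
    return load_signatures(SIGNATURE_PLIST) + load_signatures(extra_plist_bytes)


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:26} -> {verdict}")
    update = make_signature_plist([("OSX.DemoDNSChanger.B", b"SET_DNS:")])
    print("after update:",
          run_demo(with_update(update))["codec-v2.pkg via Safari"])
```

Running it shows the same payload flagged when it arrives via Safari, silently skipped when it arrives via BitTorrent, and a one-byte variant passing as clean until a further signature entry is added, which is exactly the window between a new variant appearing and the next Software Update.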

Related posts: New Mac OS X DNS changer spreads through social engineering; Mac OS X malware posing as fake video codec discovered; New Mac OS X email worm discovered; Trojan exploiting unpatched Mac OS X vulnerability in the wild

In its current form, Snow Leopard's anti-malware feature offers nothing but a false sense of security. What do you think? Talkback.