A month after the first customers called its support lines for help, Apple responded to the Mac Defender outbreak with a security update that attempts to block new infections and remove malware that's already been installed. But the bad guys haven't been standing still. They've renamed their hostile software (Mac Shield) and produced at least 15 new versions, forcing Apple to respond with a new set of definitions every day this month.
For more details, see "Has Apple done enough to fight malware on Macs?"
Security Update 2011-003 arrives via Apple Software Update. It provides a new feature that updates anti-malware signatures daily.
The XProtect definition file is accompanied by this metadata file, which includes a version number. Apple has been delivering a new update roughly once a day, and the size of the definition file has swelled from 5K to more than 22K in that time.
Every variation of Mac Defender gets its own set of definitions in this XProtect file. Each signature in this XML file is specifically designed to identify a known malware variant, using file names and unique strings found within the file. This snippet is part of the definition for Mac Defender version K.
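To make the signature mechanism the article describes concrete, here is an added example (not code from the article, and not Apple's actual XProtect schema or parser): a small matcher over a constructed definition file in a simplified plist format, where each entry pairs a file name pattern with unique strings that must appear inside the file, plus a version check against a constructed metadata file. The entry names, key names and sample strings are all invented for illustration. It also shows why renaming the malware to "Mac Shield" forced new definitions: a signature keyed on the old file name misses the renamed variant even when the file contents are identical.

```python
import plistlib
import re

# Constructed sample definition file in a simplified format modelled on the
# behaviour the article describes (one entry per variant, each pairing a file
# name pattern with unique strings found inside the file). Not Apple's schema.
SAMPLE_DEFINITIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.K (constructed)</string>
    <key>FileNamePattern</key><string>^MacDefender.*\\.pkg$</string>
    <key>Strings</key>
    <array>
      <string>Apple Security Center</string>
      <string>macdefender-install</string>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.MacShield (constructed)</string>
    <key>FileNamePattern</key><string>^MacShield.*\\.pkg$</string>
    <key>Strings</key>
    <array>
      <string>Apple Security Center</string>
      <string>macdefender-install</string>
    </array>
  </dict>
</array>
</plist>
"""

# Constructed sample of the metadata file that carries the definition version.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Version</key><integer>12</integer>
</dict>
</plist>
"""


def load_definitions(plist_bytes: bytes) -> list[dict]:
    """Parse the definition plist into signature dicts with compiled name patterns."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        sigs.append({
            "description": entry["Description"],
            "name_re": re.compile(entry["FileNamePattern"]),
            "strings": [s.encode() for s in entry["Strings"]],
        })
    return sigs


def scan_file(file_name: str, content: bytes, sigs: list[dict]) -> list[str]:
    """Return the description of every signature the file matches.

    A signature matches only when the file name pattern matches AND every
    unique string listed for that variant is present in the file content.
    """
    hits = []
    for sig in sigs:
        if not sig["name_re"].search(file_name):
            continue
        if all(marker in content for marker in sig["strings"]):
            hits.append(sig["description"])
    return hits


def definition_version(meta_bytes: bytes) -> int:
    """Read the version number from the metadata file."""
    return int(plistlib.loads(meta_bytes)["Version"])


def update_needed(installed_version: int, published_version: int) -> bool:
    """True when the published definitions are newer than the installed ones."""
    return published_version > installed_version


if __name__ == "__main__":
    sigs = load_definitions(SAMPLE_DEFINITIONS)
    # Constructed installer body containing the two marker strings.
    body = b"\x00installer\x00Apple Security Center\x00macdefender-install\x00"
    print(scan_file("MacDefender.pkg", body, sigs))
    # Old definitions (first entry only) miss the renamed variant.
    print(scan_file("MacShield.pkg", body, sigs[:1]))
    print(scan_file("MacShield.pkg", body, sigs))
    print(update_needed(11, definition_version(SAMPLE_META)))
```

The point of the `sigs[:1]` call is the one the article makes: a definition set that matches on the old file name says nothing about a renamed copy, so every rename or repack needs a fresh entry, which is why the definition file has been growing daily.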
This version of the Mac Defender downloader was released on Friday morning, and the Friday evening signature from Apple successfully detects it. The Move To Trash option is the default.
It's hard to believe that Apple is serious about security when this dangerous setting remains the default for Safari. If you download an installer package using the default OS X browser, Safari, with its default settings, the Mac Defender installer opens automatically and waits for the victim to click Continue. Other browsers force you to download the file, extract it, and run it separately.
The Security Update 2011-003 bulletin does not mention this setting.
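As an added example of auditing the Safari setting the article criticises (not code from the article or from Apple), the following checks a Safari preference plist for the auto-open behaviour and produces a hardened copy. The key name `AutoOpenSafeDownloads` is assumed to be the one Safari stores in its `com.apple.Safari` preference domain; the sample plist is constructed, and the check treats a missing key as enabled because the article describes enabled as the default.

```python
import plistlib

# Assumed preference key for Safari's "open safe files after downloading" option.
AUTO_OPEN_KEY = "AutoOpenSafeDownloads"

# Constructed sample of a Safari preference plist with the weak default in place.
WEAK_SAFARI_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AutoOpenSafeDownloads</key><true/>
</dict>
</plist>
"""


def auto_open_enabled(prefs_bytes: bytes) -> bool:
    """True when downloaded 'safe' files will be opened automatically.

    A missing key is treated as enabled, since that is the default behaviour
    the article describes; only an explicit false counts as hardened.
    """
    return bool(plistlib.loads(prefs_bytes).get(AUTO_OPEN_KEY, True))


def harden(prefs_bytes: bytes) -> bytes:
    """Return a copy of the preferences with auto-open explicitly disabled."""
    prefs = plistlib.loads(prefs_bytes)
    prefs[AUTO_OPEN_KEY] = False
    return plistlib.dumps(prefs)


def audit(prefs_bytes: bytes) -> str:
    """One-line finding for a preference file."""
    if auto_open_enabled(prefs_bytes):
        return "WEAK: downloaded installer packages open automatically"
    return "OK: downloads are not opened automatically"


if __name__ == "__main__":
    print(audit(WEAK_SAFARI_PREFS))
    print(audit(harden(WEAK_SAFARI_PREFS)))
```

Because an empty preference file also reports WEAK, the audit catches machines that were never configured at all, which is the case the article is concerned with.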
The check box in the middle of this preferences dialog box is new, added as part of Security Update 2011-003. If you clear the box and then click it again, OS X will automatically retrieve the latest anti-malware definition file.