The Safe Mac



MacScan disappoints

Posted on February 12th, 2013 at 5:53 PM EDT

After testing many different anti-virus programs over the last few months, I found something that disturbed me greatly. MacScan, made by SecureMac, is one of only a very few Mac-only anti-malware tools. It has a long history with the Mac, having been around since the very first versions of Mac OS X. Unfortunately, it failed my tests abysmally! The question that came to mind immediately was: why?

After my first test, I contacted SecureMac for comments. They had some legitimate concerns about some of the malware in that test. Other companies had expressed concern about the same items. For most of the rest of the samples, I was told that MacScan did not detect them because they were just parts of the malware, not the whole thing as found in the wild. However, the problem with that argument was that the VirusTotal links I provided to the samples used in my test often only identified a portion of the malware, while in some cases a full installer or app was actually used in testing. In the interest of fairness, though, I reserved judgement until after my second round of testing.

In my next test, I changed my methods a bit. I removed some samples from testing, and the list of samples I published made it more evident exactly what I was testing against. In a number of cases (though not all), testing was done with the complete malicious installers, applications, plugins or scripts, as found in the wild. In this testing, most anti-virus software benefited from the larger and more thoroughly researched sample set, with a significant increase in detection rates. However, MacScan remained at around 5% detection. (The actual numbers were 4% in the first test and 6% in the second.)

A close examination of what was detected shows that, as expected, MacScan only detected the full, “in the wild” malware. However, there were also many “in the wild” samples that were missed. Some of these were things that an anti-spyware program ought to protect against but that, to be fair, MacScan’s spyware list page does not claim to detect. However, a number of the items that were missed actually were on that list.

In addition, it should be noted that many of the “partial” samples are files that may be installed in a variety of places all by themselves, and thus they are not so partial. The only difficulty is that the names of the files and their metadata (like creation and modification dates) were changed by inclusion in VirusTotal. The file content is the same. And therein lies the problem.

All anti-virus software uses what are called “signatures” for detecting known malware. A signature is a set of criteria that describe what a particular piece of malware looks like. When anti-virus software scans files, it compares them to these signatures, and if it matches a signature, it’s considered malware. Most of the time, these signatures use complex, and often dynamic, comparisons of the contents of the file. In the case of MacScan, however, the signatures are simple: creator code (Mac-specific metadata that has become obsolete), file creation date and file modification date.

If this sounds too simple to you, you’re on the right track. Even if creator codes had not been abandoned by Apple years ago, the creator codes for the vast majority of MacScan’s signatures are blank, meaning that the signatures rely almost entirely on creation and modification dates. Those dates are very easily changed through fairly normal processes, meaning that a file that is exactly identical to malware that the MacScan developers are aware of may easily be missed due to nothing more than the method by which it was copied onto the system. A hacker could even intentionally change the dates to keep MacScan from detecting their malware. In addition, other files can easily – and innocently – have the same creation or modification dates, leading to false positives.

Worse is the fact that this detection method means that MacScan cannot detect any malware that the MacScan developers haven’t seen. Most other anti-virus software can catch minor variations of malware, even if the developers haven’t actually seen it before. This is a very serious issue, as it means that each new variant of malware is completely new – and, thus, undetectable – to MacScan, while it may be picked up automatically without any additional effort by some other anti-virus software.
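The three kinds of signature discussed above behave very differently under ordinary file handling. The following is an added illustration, not code from the post or from any anti-virus product: it builds a constructed stand-in for a “known” file (a few harmless bytes, not real malware), records three signatures for it (a modification-date signature standing in for MacScan’s date-based approach, an exact content hash, and a pattern match on a characteristic byte sequence), and then checks each signature against a plain copy, a timestamp-preserving copy, a lightly modified “variant” and an innocent file that happens to share the timestamp. The file names, the sample bytes, the timestamp and the pattern are all assumptions made up for the demonstration; the creator-code field is omitted because the post notes it is blank in most MacScan signatures anyway.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for a known-bad file: harmless bytes, not real malware.
SAMPLE_BYTES = b"CONSTRUCTED SAMPLE: pretend this is a known-bad installer payload v1\n"
# Constructed "known" timestamp for the sample: 2012-01-01 00:00:00 UTC.
SAMPLE_MTIME = 1325376000
# Characteristic byte sequence shared by the sample and its variant (assumed).
SAMPLE_PATTERN = b"pretend this is a known-bad installer"


def mtime_of(path: str) -> int:
    """Metadata-based signature: the file's modification time in whole seconds."""
    return int(os.stat(path).st_mtime)


def sha256_of(path: str) -> str:
    """Exact content signature: SHA-256 of the file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def pattern_present(path: str, pattern: bytes) -> bool:
    """Generic content signature: does a characteristic byte sequence appear?"""
    with open(path, "rb") as f:
        return pattern in f.read()


def check(path: str, known_mtime: int, known_hash: str) -> tuple:
    """Return (metadata_hit, hash_hit, pattern_hit) for one file."""
    return (
        mtime_of(path) == known_mtime,
        sha256_of(path) == known_hash,
        pattern_present(path, SAMPLE_PATTERN),
    )


def write_with_mtime(path: str, data: bytes, mtime: int) -> None:
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def run_demo() -> dict:
    """Build the constructed files in a temp dir and test each signature type."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "sample.bin")
        write_with_mtime(original, SAMPLE_BYTES, SAMPLE_MTIME)
        known_mtime = mtime_of(original)
        known_hash = sha256_of(original)

        # A plain copy writes a new file whose modification time is "now".
        plain_copy = os.path.join(d, "sample_copy.bin")
        shutil.copyfile(original, plain_copy)

        # copy2 preserves timestamps, as some copy tools do.
        preserved_copy = os.path.join(d, "sample_copy2.bin")
        shutil.copy2(original, preserved_copy)

        # A minor variant: same characteristic sequence, one byte of content changed.
        variant = os.path.join(d, "sample_v2.bin")
        with open(variant, "wb") as f:
            f.write(SAMPLE_BYTES.replace(b"v1", b"v2"))

        # An innocent file that merely shares the timestamp.
        decoy = os.path.join(d, "readme.txt")
        write_with_mtime(decoy, b"CONSTRUCTED: a harmless text file\n", SAMPLE_MTIME)

        return {
            "original": check(original, known_mtime, known_hash),
            "plain_copy": check(plain_copy, known_mtime, known_hash),
            "preserved_copy": check(preserved_copy, known_mtime, known_hash),
            "variant": check(variant, known_mtime, known_hash),
            "decoy": check(decoy, known_mtime, known_hash),
        }


if __name__ == "__main__":
    for name, (meta, digest, pattern) in run_demo().items():
        print(f"{name:15s} date-signature={meta!s:5s} hash={digest!s:5s} pattern={pattern}")
```

Each result is a triple (date signature, exact hash, pattern). The plain copy shows the failure mode the post describes: identical bytes, but the date signature misses because the copy got a new modification time, while both content-based checks still match. The decoy shows the false-positive side: the date signature fires on an innocent file that neither content check flags. The variant shows why a minor change defeats both the date signature and the exact hash, while a pattern on a characteristic sequence still catches it, which is the difference between a scanner that needs to have seen every variant and one that can generalize a little.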

For these reasons, I feel compelled to recommend against using MacScan. Ultimately, SecureMac is charging people for software that does not – and cannot, in its current implementation – provide the protection that it advertises. This can result in people having a false sense of security, believing that they are safe because they scanned their hard drive with MacScan and didn’t find anything. The unfortunate reality, however, is that this kind of confidence in MacScan is misplaced. MacScan could actually facilitate infection by causing users to behave less cautiously, believing that they are protected from harm. And that’s just not cool.



14 Comments

  • aalien says:

    Very bad indeed!

    Even worse if we think that possibly there’s someone out there relying on this software.

    I would prefer not developing it rather than just keeping it as it is… The point is that this program is only for Mac malware (not even involving Windows territory)…

  • f kra says:

    Thomas,

    In another article, you suggested Sophos Anti-Virus for Mac Home Edition. Is that still your thought?

    And what about Sophos UTM Essential Firewall or Sophos UTM Home Edition?

    Thanks.

    • Thomas says:

      I have very high regard for Sophos Anti-Virus for Mac Home Edition, yes. As to the other two Sophos products, I have no first-hand experience with either, but note that they are designed to run on a dedicated network device (such as a spare computer). They are not meant to be used on your personal computer, and are in a completely different class of software altogether.

  • Simon says:

    Good Afternoon Thomas,

    I am running Avast for Mac Free Edition, but I have no idea of its effectiveness. Have you reviewed it & what were your conclusions ?

    Regards…..

  • Someone says:

    Simon, Thomas ran two different anti-virus software tests. In the most recent one, Avast did exceptionally well.

  • Someone says:

    So now that you’ve specifically written about MacKeeper, iAntivirus, and MacScan, are you going to review Norton?

  • Simon says:

    Thank you for your response, I’m glad to hear that.

  • Someone says:

    You’re welcome. But thank Thomas, not me… I’m too terrified of destroying my computer to ever, ever test AV software on it :-)

  • Simon says:

    Thank you Thomas. Is it possible for you to test a product called Protect Mac? It is not a free product, but, as with most companies these days, they offer a free trial:

    http://www.protectmac.com/

  • Simon says:

    Thanks very much for the link, and congratulations on your new website. I’m sure it will be of great value to many a reader especially as Mac Malware will only inevitably increase as time goes by.

  • Jacob says:

    Hello Thomas,

    Just recently found this site and your posts are quite interesting and understandable even for a student! These tests and avast’s performance are useful to me, as I have avast, but don’t actually run it much, since I always thought that I was pretty safe with a Mac! I guess the internet is getting more dangerous even for Apple’s heavily armored Macs… better get on my protection, thanks!

  • Someone says:

    I believe, however, that Thomas has said that an up-to-date Mac running 10.8.2 is pretty darn safe… But still, it’s good to be careful. I personally use Sophos on my Mac

  • Brittany says:

    I tried Sophos and it royally screwed up my install. So I had to do a fresh install. I won’t touch it now. I now use Avast and have had no problems with it or my computer in general. I use Avast on my home PCs (parents’ laptops) and it works well. I guess stick with what works :) I was running 10.8 or 10.8.1 at the time I installed Sophos, if it matters.


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.