Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!
Posted on February 12th, 2013 at 5:53 PM EDT
After testing many different anti-virus programs over the last few months, I found something that disturbed me greatly. MacScan, made by SecureMac, is one of only a very few Mac-only anti-malware tools. It has a long history with the Mac, having been around since the very first versions of Mac OS X. Unfortunately, it failed my tests abysmally! The question that came to mind immediately was: why?
After my first test, I contacted SecureMac for comments. They had some legitimate concerns about some of the malware in that test. Other companies had expressed concern about the same items. For most of the rest of the samples, I was told that MacScan did not detect them because they were just parts of the malware, not the whole thing as found in the wild. However, the problem with that argument was that the VirusTotal links I provided to the samples used in my test often only identified a portion of the malware, while in some cases a full installer or app was actually used in testing. In the interest of fairness, though, I reserved judgement until after my second round of testing.
In my next test, I changed my methods a bit. I removed some samples from testing, and the list of samples I published made it more evident exactly what I was testing against. In a number of cases (though not all), testing was done with the complete malicious installers, applications, plugins or scripts, as found in the wild. In this testing, most anti-virus software benefitted from the larger and more thoroughly-researched sample set, with a significant increase in detection rates. However, MacScan remained in the neighborhood of around 5% detection. (The actual numbers were 4% in the first test and 6% in the second.)
A close examination of what was detected shows that, as expected, MacScan only detected the full, “in the wild” malware. However, there were also many “in the wild” samples that were missed. Some of these were things that an anti-spyware program ought to protect against, but to be fair, MacScan’s spyware list page does not claim that it detects. However, a number of the items that were missed actually were on the list.
In addition, it should be noted that many of the “partial” samples are files that may be installed in a variety of places all by themselves, and thus they are not so partial. The only difficulty is that the name of the files and the metadata (like creation and modification dates) were changed by inclusion in VirusTotal. The file content is the same. And therein lies the problem.
All anti-virus software uses what are called “signatures” for detecting known malware. A signature is a set of criteria that describe what a particular piece of malware looks like. When anti-virus software scans files, it compares them to these signatures, and if it matches a signature, it’s considered malware. Most of the time, these signatures use complex, and often dynamic, comparisons of the contents of the file. In the case of MacScan, however, the signatures are simple: creator code (Mac-specific metadata that has become obsolete), file creation date and file modification date.
If this sounds too simple to you, you’re on the right track. Even if creator codes had not been abandoned by Apple years ago, the creator codes for the vast majority of MacScan’s signatures are blank, meaning that the signatures rely almost entirely on creation and modification dates. Those dates are very easily changed through fairly normal processes, meaning that a file that is exactly identical to malware that the MacScan developers are aware of may easily be missed due to nothing more than the method by which is was copied onto the system. A hacker could even intentionally change the dates to keep MacScan from detecting their malware. In addition, other files can easily – and innocently – have the same creation or modification dates, leading to false positives.
Worse is the fact that this detection method means that MacScan cannot detect any malware that the MacScan developers haven’t seen. Most other anti-virus software can catch minor variations of malware, even if the developers haven’t actually seen it before. This is a very serious issue, as it means that each new variant of malware is completely new – and, thus, undetectable – to MacScan, while it may be picked up automatically without any additional effort by some other anti-virus software.
For these reasons, I feel compelled to recommend against using MacScan. Ultimately, SecureMac is charging people for software that does not – and cannot, in its current implementation – provide the protection that it advertises. This can result in people having a false sense of security, believing that they are safe because they scanned their hard drive with MacScan and didn’t find anything. The unfortunate reality, however, is that this kind of confidence in MacScan is misplaced. MacScan could actually facilitate infection by causing users to behave less cautiously, believing that they are protected from harm. And that’s just not cool.