OFFICIAL SECURITY BLOG


Preliminary anti-virus testing comments

Published January 22nd, 2014 at 1:06 PM EDT , modified January 25th, 2014 at 9:44 AM EDT

I have been working on another round of testing of anti-virus apps. The last time I did this was one year ago, in January of 2013, so I decided it was probably time to repeat it. I have finished all the scanning, but still have a pile of work in front of me to get all the data tabulated. Still, this experience has been frustrating enough that I want to make some preliminary comments, before I have the full results in-hand.

I set out to test 24 different anti-virus apps, installing them each in a separate VM as I did last time. By the end of the process of downloading, installing and scanning with all these apps, I was thoroughly frustrated. The vendors of some of these “anti-virus” apps had best be glad that I’m not in their physical presence, as they would get a loud and lengthy dressing-down. At the moment, I’m ready to chew nails and spit bullets!

What is making me angriest at the moment are those apps that are essentially complete frauds. I get very upset when people are tricked into spending money on an app that they believe is protecting them, and it turns out that they would have been just as well protected if they had spent their money on something like a solitaire game instead! There’s a class of malware that behaves this way, after all…

As last time, MacScan was an utter failure, detecting only four of the nearly two hundred samples I threw at it. Two others, which I did not test last time, performed abysmally as well. Magician, an app that seems to be an imitation of the infamous MacKeeper, detected only one antique sample, while MaxSecureAntivirus detected absolutely none of them! (Links to these apps are purposefully not provided.) These apps live up to the prejudice that many people have against anti-virus apps, and contaminate the entire anti-virus community with their uselessness.

Other apps suffered from different problems. Bitdefender (the version from the Bitdefender web site, not the one from the App Store) would not start a scan at all… the buttons simply did not respond to clicks. Norton absolutely destroyed the performance of the system it was running in, and wouldn’t scan while disconnected from the network. (It kept insisting that it must update its definitions before scanning, despite the fact that, as far as the system it was running on was concerned, it had just been updated manually only minutes before.) Thus, I was unable to complete testing of either of these programs.

Less serious, but still a source of enormous frustration for me, is the issue of user interface. Some of these apps have truly atrocious user interfaces. Only six of them actually allowed me to save data on the details of what was detected… the others all simply displayed lists of infected files. In some cases, those lists showed woefully inadequate information, refusing to even give information on where the files resided or what malware they were identified as! The only way to save these bare dregs of information was through a series of screenshots (snap a picture, scroll down, snap a picture, scroll down, and so on). I am truly dreading the task of sifting through and organizing such low-quality data!

In all, this process has left an extremely bad taste in my mouth. I’m sure that some of these apps did a superb job of detecting the malware I threw at them, but until the data is tabulated, that’s impossible to see. All I’m really seeing at the moment is the bad and the ugly. The good – what little I suspect there will be of it – will come in the official results within a few days or so.

Updates

January 25, 2014 @ 9:39 am EST: Minor update, MacScan actually detected four of the samples, not two. Two of the samples it missed were inadvertently included as compressed archives, which caused them to be missed. This has been corrected, and those items re-scanned with all the anti-virus apps. Magician and MaxSecureAntivirus detection counts did not change.

Results will probably be posted on Monday.


21 Comments

  • Chris says:

    Wow. Disappointing. Please keep up the good work, however, as many of us look to you for advice and support!

  • bentkitty100 says:

    Wow, seriously? Not good 🙁

  • Doug says:

    I’ve installed and scanned with 4:
    Kaspersky – Tested well, nice interface
    Trend for Mac – pretty much like its PC brother, fails to find much of anything
    Webroot – decent for PUA/PUP, but not enough samples to say.
    Sophos Free – interface could use a face lift, but caught almost all of the same as above for free; it’s always my second opinion scanner.

  • Jay says:

    I had never even heard of MaxSecure before, shows how good they are 😉 Would you be willing to send me a download URL to their product so I can have a look?

    I have found Norton 12.x to run really well as opposed to their earlier versions for Mac, actually one of the least CPU and RAM intensive AVs out there despite their size. I wonder if something has changed in the product. What resources did you give the test VM?

    Looking forward to your test results.

    • Thomas says:

      MaxSecureAntivirus is only available (for the Mac) through the App Store, and only for $10. I contacted the company about whether there was a demo available outside the App Store, and they offered to send me a serial number, but didn’t seem to understand that the App Store doesn’t involve serial numbers, and didn’t respond further. So I bit the bullet and purchased it. I’ve talked to Apple, and they very quickly reversed the charge, in light of the uselessness of the app.

      The VMs I’m using for all my tests are given 3 GB of RAM and 1 CPU. That’s a bit shy, so I’m not being too picky about performance issues… but with Norton, it REALLY dragged seriously. The bigger issue, though, was that it simply wouldn’t let me do a scan while offline for some reason, even when the computer clock wasn’t more than a few minutes past the last time it had been updated manually.

  • Dan says:

    I am anxious to hear the rest of the report as I am struggling with a 17″ early 2011 MacBook Pro that was broken into (despite VirusBarrier X6) over a hotel network. To be fair I had forgotten I was using the Admin account (I live miles out into the woods, so it doesn’t come up much). The first I knew of the break-in was that on booting up again it ran the update bar across the bottom and all hell broke loose and it declared it couldn’t start “browsers.app” because it was open – then all three browsers opened and declared that they could not establish SSL connections. I shut down the WiFi and looked at file permissions. Everything in the Java, Apple remote frameworks and flash.ept had been touched, as was USBEthernet.kext.

    Since then it’s been wiped twice, once with a new hard drive, and it’s still connecting to the “Ripe Database” whenever it gets the chance (I’ve taken it offline). I loaded Kaspersky onto it, which claimed that on at least two occasions something on the Mac was actively communicating with some email trojan attachments that were sitting in a Junk folder. It also reported that MDWorker32 was doing a lot of work with SUDO privileges out of a plug-ins folder belonging to Audacity. It seemed to be making Kernel changes.

    It looks to me like something like a “trojan dropper” has lodged itself somewhere it’s hard to see (like the EFI blocks, or the recovery partition) and won’t let go. I’m hoping it didn’t write itself to firmware because I don’t know if that can even be fixed. And I’m concerned it could have written itself to my time machine drive as well. I dislike the recovery process with a recovery partition because it doesn’t get wiped. I don’t think the boot blocks get wiped either but I could be wrong about that.

    The logs I looked at last suggest it was trying to hijack the SSL links to iCloud. It had already tried to route Google through a bum cert in Germany.

    I think it’s a “bootkit” that opens the door for other trojans to go to work. I’m not trying to save anything on the machine at this point — just trying to sanitize it to save the machine.

    • Al says:

      If you were actually hacked by somebody in the hotel and they installed some sort of spyware, then chances are none of the A-V products will find anything. I assume you had sharing turned on in addition to using your admin account, which would allow them the equivalent of physical access to the computer. MacScan is the only software to specialize in this sort of thing and we all know how bad it is at finding anything, so that may not help you either.

      If it turns out to be OSX/Crisis.C then it most likely arrived on your computer some other way and should have been cleaned up with the steps you took to wipe the drive as long as you didn’t migrate them back with your user folder. Were you able to find any of the files Intego listed?

  • Dan says:

    Just read the Intego description for OSX/Crisis.C. That’s it exactly – they describe what I’ve got perfectly.

    • Doug says:

      I’ve not seen that one in its GUI, however I’d recommend reading and checking James’ Removal guide; chances are if this got on your machine, others may have as well.
      http://www.thesafemac.com/arg/

      I’d personally reformat and reinstall; your OS has been compromised. Then reintegrate data one by one to find the culprit. However, I do malware removal at work and nobody ever wants to hear about data backups and reformatting.

      If there is Mac malware on your machine, it’s the first case I’ve ever seen. Download the latest EFI for your Mac from Apple’s site, reset the SMC and use a HDD wiping program that writes random 0’s over 3 to 7 times.

      Best of luck!

      • paranoid android says:

        Seriously?

        EFI is not downloaded from Apple website.

        In this case, HD secure erasing will only reduce your hard disk life.

        mdworker is the process that indexes documents into the Spotlight database; sometimes it overloads and crashes on crafted documents or document parsers.

        And SSL errors on Hotel hotspot are very common due to Captive Portal redirection (asking for https -> being redirected to another domain -> warning on invalid certificate).

        But if you had been infected by the gov hack tool Crisis, then yes, you should be sincerely worried; at this point, you might want to change your computer 😀

        • Thomas says:

          Crisis is not capable of staying resident after a hard drive wipe. There would be no reason to get rid of the computer due to a Crisis infection. Note that I don’t believe that Dan’s problem is caused by Crisis, from the description. That’s unlikely, unless some unsavory government has an interest in him.

          • paranoid android says:

            Actual EFI attacks are based on the hidden EFI partition on hard drives. These are erased on disk formatting (as opposed to erasing).

            But regarding EFI and SMC Read Only Memory, here you have an interesting work from Alex Ionescu at No Such Con 2013.

            Be careful, it is a PDF on HTTP 😉

        • Dan says:

          It has survived several wipes and a hard disk replacement. I think it may have been gone briefly but it came back, so it was probably just playing possum. It seems to actively look for other malware to team up with. I restored my email (not thinking about all that windows malware in the junk folder) and it woke some of them up.

          I haven’t given up yet (can’t afford to just trash a 17″ MacBook Pro) but it’s not looking good. BTW sharing was not on and the Intego firewall was on. From what several AV companies said after, it looks like it drops whether or not you’re running as admin and just waits around for the next time you do log in as admin to finish the job. This thing just loves calling back to the RIPE database with whatever it collects and yes, if I found the guys behind it… Well, not pretty.

          I have seen the Black Hat presentations that write to firmware… Apple’s new all net based installs are playing into their hands because you never really start with a clean slate.

          BTW – if we’re going to encounter this sort of thing on a regular basis I don’t see how everyday computing can survive.

          • Thomas says:

            I still really don’t think you’ve got malware. I didn’t really want to get into a lengthy discussion here, but note that the progress bar at startup is a sign that your Mac has (or had) some serious problems… but not malware-related problems. See:

            http://support.apple.com/kb/ts3148

            I’m not sure what the “Ripe Database” you have referred to is, or how you have seen the machine trying to connect to it. In general, you’ve provided a lot of unspecific information.

            I’d advise starting a post on the Apple Support Communities to discuss this, rather than filling up the comments with a discussion that really can’t be carried on very effectively here.

  • Andy Clark says:

    Hi Thomas, for what it is worth and just to let you know, I think what you do completely off your own back and with your own time for us in the Mac Community is quite extraordinary. I for one subscribe to your RSS feeds and your twitter posts. I have been involved working with Macs on a professional basis for the best part of thirty years now – predominantly in the print and publishing industries. Whilst it was always a much pronounced and mouthed boast that ‘Macs don’t get viruses’ that never held much water in professional IT environments and that attitude could cost you your job. I follow your work with avid interest and if I see you have posted something and it appears in NetNews Wire, it is the first thing that grabs my attention. If I am ever asked about anti-virus/malware software for the Macs, I always take customers to your web site and use it as my resource of choice. I can’t thank you enough for your professionalism and due diligence. For those of us out here using Macs and are keen to ensure that our expensive hardware and software are protected from those that ultimately wish us harm, your advice is second to none. Thank you!

  • Ne0s1s says:

    Keep up the good work! It is very much appreciated!

  • Ted says:

    Run a Dr Web Live CD on your Mac, and also an Avira Live CD. I have spotty luck with Kaspersky Live CDs booting on my Macs. While I question if they use any Mac definitions in these ISOs, I would still throw them at what appears to be a problem, whether real or perceived, with your Mac.

  • Darren Kehrer says:

    In the latest update of ClamXav, it would appear that the owner has a fix in place for getting Mac threats addressed more quickly.

    Version History
    Version 2.6.2 – 25th January 2014
    ClamAV engine updated 0.98.1 *
    Added ability to force engine re-installation by holding option/alt key at launch
    Added ability to download additional signatures from ClamXav.com for greater protection †
