Monday, July 6, 2009

Quickie Reviews of ClamXav, iAntiVirus and MacScan

--
Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:

I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.

For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order to get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.

II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
Keep in mind that this thing is FREE:

Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:

Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B

Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.

Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.

In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.

If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*

Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.

III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*

However, my testing today shows only partial progress from the ClamAV project.

MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.

RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.

As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).

What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L

I'm testing iAntiVirus (it runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].

CONCLUSIONS:

1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.

2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.

A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
--
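The test described above (a folder of known samples scanned, detections counted, misses listed) and the suggestion to run two free scanners side by side can both be reproduced as a small tally script. The following is an added example, not code from this post or from any of the products reviewed. The scanner output it parses is constructed in the clamscan per-file style (`path: Signature FOUND` / `path: OK`); the sample file names, the expected family labels and the verdicts are made up for illustration, and the two "scanners" are hypothetical.

```python
"""Tally anti-malware detection coverage across scanners.

Added example, not code from the original post or from any reviewed
product. Mimics the post's method: a folder of known samples is scanned,
and we count how many each scanner flags, which samples slip past each,
and which slip past all of them combined. The per-file output lines below
are constructed to look like clamscan's ("<path>: <sig> FOUND" / "<path>: OK");
the sample names and verdicts are made up.
"""
import re
from typing import Dict, List

# Constructed manifest: sample file -> family we expect a scanner to flag.
MANIFEST: Dict[str, str] = {
    "samples/rsplug_c.dmg": "RSPlug.C",
    "samples/rsplug_d.dmg": "RSPlug.D",
    "samples/rsplug_e.dmg": "RSPlug.E",
    "samples/iservices_a.dmg": "iServices.A",
    "samples/iservices_b.pkg": "iServices.B",
}

# Constructed clamscan-style output for two hypothetical scanners.
SCANNER_A_OUTPUT = """\
samples/rsplug_c.dmg: OSX.RSPlug.C FOUND
samples/rsplug_d.dmg: OK
samples/rsplug_e.dmg: OK
samples/iservices_a.dmg: OSX.iServices.A FOUND
samples/iservices_b.pkg: OSX.Trojan.Generic FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""

SCANNER_B_OUTPUT = """\
samples/rsplug_c.dmg: Trojan.OSX.RSPlug.C FOUND
samples/rsplug_d.dmg: Trojan.OSX.RSPlug.D FOUND
samples/rsplug_e.dmg: OK
samples/iservices_a.dmg: OK
samples/iservices_b.pkg: OK
"""

# One per-file verdict line: either "<path>: <signature> FOUND" or "<path>: OK".
VERDICT_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")


def parse_verdicts(output: str) -> Dict[str, str]:
    """Map each scanned path to the signature it hit, or '' when reported clean.

    Summary and blank lines are ignored. A path that never appears in the
    output is treated as not scanned and is simply absent from the result.
    """
    verdicts: Dict[str, str] = {}
    for line in output.splitlines():
        m = VERDICT_RE.match(line.strip())
        if m:
            verdicts[m.group("path")] = m.group("sig") or ""
    return verdicts


def coverage(manifest: Dict[str, str], verdicts: Dict[str, str]) -> Dict[str, object]:
    """Count detections against the manifest and list the families that were missed."""
    detected = {p for p in manifest if verdicts.get(p)}
    missed = sorted(manifest[p] for p in manifest if p not in detected)
    return {"detected": len(detected), "total": len(manifest), "missed": missed}


def combined_missed(manifest: Dict[str, str], *verdict_sets: Dict[str, str]) -> List[str]:
    """Families that no scanner flagged: the gap left even when tools are combined."""
    return sorted(
        family
        for path, family in manifest.items()
        if not any(v.get(path) for v in verdict_sets)
    )


def name_mismatches(manifest: Dict[str, str], verdicts: Dict[str, str]) -> List[str]:
    """Detections whose signature name does not mention the expected family.

    Flags the naming inconsistency the post complains about: the sample was
    caught, but under a generic or differently spelled label.
    """
    return sorted(
        path
        for path, family in manifest.items()
        if verdicts.get(path) and family.lower() not in verdicts[path].lower()
    )


if __name__ == "__main__":
    results = {name: parse_verdicts(out) for name, out in
               (("scanner A", SCANNER_A_OUTPUT), ("scanner B", SCANNER_B_OUTPUT))}
    for name, verdicts in results.items():
        cov = coverage(MANIFEST, verdicts)
        print(f"{name}: {cov['detected']}/{cov['total']} detected, missed {cov['missed']}")
        print(f"{name}: naming mismatches {name_mismatches(MANIFEST, verdicts)}")
    print("missed by every scanner:", combined_missed(MANIFEST, *results.values()))
```

To use it against a real scan, replace the constructed strings with the captured output of a recursive clamscan over a sample folder and fill the manifest from your own labelled set. The script treats any non-empty signature as a hit, so a generic label still counts as detected while being reported separately by `name_mismatches`; that matches how the post scores detections and naming as two different problems.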

4 comments:

  1. hi!
    I tried ClamXav and iAntiVirus. Both won't recognize that driveguard.exe malware which is currently on my USB stick. I think it won't harm my Mac, but it will infect any Windows PC. Any suggestions? You can write me at potzblitz .a.t. gmx com

    thanks
    stefan

  2. Hi Stefan. My focus is strictly on Mac malware. But I can tell you that iAntiVirus is only for Mac malware. So cross that one off. ClamXav, however, covers all Windows malware that has been submitted to the ClamAV group for which they have provided a malware signature/definition. The only method I know of for checking whether a particular malware is detected is to use the search page at:

    http://clamav-du.securesites.net/cgi-bin/clamgrok

    These searches are very slow. So bring a book. Right now I'm putting 'driveguard' into the search engine and going off to have a snack.

    [Later that day...]
    Sorry, but I got no useful results using that name or the usual variations thereof. So I Googled it to find what other name/names it may have in the field. I found it is called "Worm.Win32.Autoit.au" according to Kaspersky, as discussed at this blog page:

    http://ladingmerah.blogspot.com/2008/08/driveguardexe-or-flashguardexe-virus.html

    When I put "autoit" into the ClamAV search engine I get a long list of hits. As to which specific version of this worm you have, I can't tell. Apparently there are 39 versions at this time.

    Why ClamAV (via ClamXav) didn't find it, I won't know. If you are daring, you could subscribe to the ClamAV users support list and ask them your question. You can subscribe here:

    http://lists.clamav.net/mailman/listinfo/clamav-users

    They have archives of past correspondence here:

    http://lurker.clamav.net/list/clamav-users.html

    There is a search box at the bottom of the archive page.

    If by chance you run into any, how do I put this, not-nice people on the ClamAV list, simply ignore them. I am assured there are helpful people somewhere on the list. Be sure to use the formal name/names of your malware in your messages to the list as opposed to 'driveguard.exe'.

    Hope that helps!

  3. I thought Macs have no viruses like Windows. Is this true?

  4. Hi Jerry. True. Using the strict meaning of the term 'virus', there are indeed no viruses for Mac OS X. (There were a few for the previous Mac OS, versions 1 - 9). There are no other types of malware for Mac OS X either, except:

    Currently there are 22 Trojan horses for Mac OS X. I have documented them all here at my blog. They all require the user to specifically install them, providing them with an administrator's password. As long as that does not happen, every Mac user is safe from malware.

    Note, however, that there are several 'legal' spyware programs that any administrator can install onto a Mac under their care. What makes them 'legal' is that they are either commercial or shareware.

    Every computer on the Internet has to contend with Tracker Cookies. Whether they qualify as malware is debatable. But they are an invasion of privacy by (to be kind) over-enthusiastic marketing organizations such as Google. The best way to block them is to set your web browser to never accept cookies from third party sites. I also dump all my cookies on a regular basis.

    Note that, like any operating system, Mac OS X has security holes that are discovered on a regular basis. The same is true of a lot of software that is run on any operating system. Therefore, it is important to keep up with the latest security updates of both Mac OS X and any software you use. Apple's Safari browser and QuickTime have not had the best of reputations for security. Typically their vulnerabilities involve the catastrophic mess known as JavaScript/JScript/ECMAScript.

    http://en.wikipedia.org/wiki/ECMAScript

    And of course all computer users can be tricked by Phishing, whereby fake websites are used to lure users into giving away their IDs, passwords, bank account numbers, life savings, first born children, etc. to the phisher scum. It's called identity theft, one of the most prolific crimes in the world these days.

    Hope that helps!
