Earlier this week we got a little excited about Snow Leopard's new malware-blocking skills. Upon closer examination, however, it looks like the malware blocker is a bit underwhelming. We're talking "I block two trojans" underwhelming.
The two trojans it watches out for: OSX.RSPlug and OSX.Iservice. In addition, the malware blocker only scans downloads coming from a few applications. ZDNet reports the findings of Intego, an OS X antivirus company (hardly an unbiased source, but their findings seem perfectly legit), which found the malware tool half-baked in many ways. For example:
- Apple's anti-malware function only scans files downloaded with a handful of applications (Safari, Mail, iChat, Firefox, Entourage and a few other web browsers) — therefore the disturbingly modest signatures base would be undermined if the user were to download the malware from a BitTorrent application
- Apple's anti-malware function currently only scans for two Trojan horses, as of the initial release of Snow Leopard — relying on such a modest set of signatures for malware variants of known OS X families clearly indicates the premature release of the feature
- Apple's anti-malware function receives occasional updates via Apple's Software Update — in respect to malware, even Mac OS X malware, every modified variant of a known malware family enjoys a decent life cycle until it gets detected through malware signatures. In its current form the reliance on occasional Apple Software Updates compared to regular/scheduled independent signatures update clearly increases the life cycle of a known piece of malware
ZDNet concludes that Snow Leopard's anti-malware application, in its current form, offers nothing but a false sense of security, and we're inclined to agree—especially when most of you've never run antivirus apps on your Mac to begin with. They could certainly update and improve the application going forward, but for the time being, it looks like it's a dud.
Update: As readers have pointed out, Apple didn't promote the malware tool as a major feature in 10.6, and that's true. We're not criticising the effort altogether, and as I said, with any luck, this is just a start that will be updated in the future. We're just giving readers a heads up that the previously mentioned tool doesn't actually offer a lot in practice.