Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Some Insight into Apple's Anti-Virus Signatures - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Some Insight into Apple's Anti-Virus Signatures

Now with Apple pushing out its first daily update to combat the latest MacDefender variant, its a good time to take a closer look at "XProtect", the Snow Leopard Anti Malware engine (or to use the Apple euphemism: "safe download list").

OS X heavily relies on XML files for configuration. These "plist" files are easy to read. The same is true for the XProtect configuration, which includes the currently valid signatures. Two files are used:


This file appears to track XProtect versions, and when they got applied.


This is the actual signature file. For example, one of the MacDefender entries looks like:




[ ... 3 more 'dict' sections deleted ...  Also, the string is appreviated to fit ]
It is essentially pretty obvious how these signatures work. For each malware sample, we find a set of string matches like the one above. 
Using the xpath utility, we can get a list of all malware names currently covered:
xpath /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist 
Checking the file date will also give you and idea as to when the file was last updated.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANSFIRE 2022


4511 Posts
ISC Handler
Jun 2nd 2011

Sign Up for Free or Log In to start participating in the conversation!