Greetings folks, This is a reply to a thread started way back in April of 2008 (when it used to have the unfortunate subject line "Non-Windoze Viruses").
Concerning the controversy about whether Clamav has definitions for Mac OS X malware, I managed to find that the answer is YES, but only sort of.

It has been remarkably hard to find what malware are in Clamav's Definitions List. Persistent pounding of the net provided me with the answer, which was embedded in the earlier thread. You can do a search for what you want here:

http://clamav-du.securesites.net/cgi-bin/clamgrok

At last having a way to search for Mac malware, I put in the name of the Trojan discovered last week, officially called "OSX.Lamzev.A", aka "OSX.TrojanKit.Malez" by Intego. It's not there. Clamav has not caught up with it, presumably because no one has provided them with a definition for it yet. This most likely is because Clamav is not a member of the group of commercial Mac anti-malware providers who share definitions as new malware is discovered. This is extremely unfortunate.

But it gets worse. I did find one and only one of the current three Mac malware in the database. That malware is known officially as Trojan OSX.RSPlug. The Clamav definitions database mistakenly calls it OSX.DNSChanger. I have to assume that this definition is only for the 'A' variant of this Trojan. We are currently up to the 'E' variant. My guess is that variants 'B' through 'E' are NOT detected by Clamav. The original 'A' variant was discovered in September 2007. If my assumption is correct, this puts Clamav over a year out of date regarding Mac malware.

What then is the benefit of Clamav on the Mac platform? During the period of proof-of-concept only Mac malware, Clamav was a free, up-to-date and courteous way to prevent the sharing of Windows malware from Macs to Windows users. With the appearance of Trojan OSX.RSPlug.A it was hoped that Clamav could be a free and up-to-date method of removing all Mac malware as well. Apparently this is not the case so far.
I am going to write directly to the folks in development to discuss the possibility of obtaining and providing to them up-to-date Mac malware definitions. I personally have no access to any Mac malware. I may know someone who does and I will write to him as well for advice. I'd like to help get the ball rolling.

:-Derek

PS:

1) I also found definitions for harmless proof-of-concept Mac malware:
   Trojan.Leap.A, aka OompaLoompa
   Trojan.Apple.Amphimix.A

2) Also missing from Clamav Definitions:
   OSX.Trojan.PokerStealer

> [Clamav-users] Re. Non-Windoze Viruses
> sydz
> Tue, 01 Apr 2008 21:14:30 -0700
>
> Seemingly, it may not be directly related to this forum but the debate going on in tidbits should be of interest to posters here who by the look of it are in the thick of it all and probably experts in the field. They should look especially at item 23 by Randy B Singer of March 31, 2008.
>
> . . .
>
> As a result no one appears to be consistently adding new definitions for Mac malware to ClamAV's database.
>
> You can search the ClamAV database here:
> http://clamav-du.securesites.net/cgi-bin/clamgrok
> As a test, do a search for, for instance, "Macintosh" . . . and see if anything shows up. (Nothing will.)
> What this means is that ClamXav doesn't look for much in the way of Macintosh-specific malware.
>
> . . .
>
> I fear that ClamXav lulls many Mac users into thinking that they are protected from all Mac malware, when they aren't. It isn't even clear that, if a very malicious and highly infectious Mac virus were to suddenly appear on the scene, there is anyone who would be adding a definition for it to the ClamAV database.
>
> . . .
>
> ClamXav has the potential for filling the niche once occupied by Disinfectant. But until folks in the Mac community get behind it, it is sort of a paper tiger.]
>
> The whole discussion can be read at [incorrect URL provided]

The TidBITS discussion thread "Should Mac Users Run Antivirus Software?" can be found here:
http://emperor.tidbits.com/webx?230@@.3cbfbb6d

===================
:-Derek Currie
[EMAIL PROTECTED]
===================
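The check Derek describes above (looking up a malware name such as OSX.Lamzev.A in ClamAV's definitions through the clamgrok web search) can also be done locally against the installed database. The script below is an added example, not from Derek's post and not ClamAV project code. It assumes `sigtool` (which ships with ClamAV and can print every signature name with `sigtool --list-sigs`) is on PATH; when it is not, a constructed sample list stands in for that output. The sample uses the signature names mentioned in this thread plus one made-up Windows entry; the function names (`list_sigs`, `grep_sigs_in`, `count_sigs_in`, `has_sig_in`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from the ClamAV project.
# Answers the same question as the clamgrok web search, locally: does the
# installed ClamAV database carry a signature with a given name?
# Assumes `sigtool` (ships with ClamAV) is on PATH; if it is not, the
# constructed sample below stands in for the output of `sigtool --list-sigs`.

# Constructed sample of signature names, one per line, used only as a
# stand-in for real sigtool output. The OSX.* and Trojan.* names are the
# ones mentioned in the thread; "Example.Windows.Sample" is made up.
SAMPLE_SIGS='OSX.DNSChanger
Trojan.Leap.A
Trojan.Apple.Amphimix.A
Example.Windows.Sample'

# list_sigs: emit one signature name per line, from the installed database
# when sigtool is available, otherwise from the sample above.
list_sigs() {
    if command -v sigtool >/dev/null 2>&1; then
        sigtool --list-sigs
    else
        printf '%s\n' "$SAMPLE_SIGS"
    fi
}

# grep_sigs_in PATTERN: read signature names on stdin and print those that
# contain PATTERN (fixed string, case-insensitive). No match is not an error.
grep_sigs_in() {
    grep -i -F -- "$1" || true
}

# count_sigs_in PATTERN: number of signature names on stdin containing PATTERN.
count_sigs_in() {
    grep_sigs_in "$1" | wc -l | tr -d ' '
}

# has_sig_in NAME: exit 0 if NAME appears on stdin as a whole signature name
# (case-insensitive), 1 otherwise.
has_sig_in() {
    grep -i -x -F -q -- "$1"
}

# Report the names discussed in the thread against whatever list_sigs yields.
for name in OSX.DNSChanger OSX.Lamzev.A OSX.Trojan.PokerStealer; do
    if list_sigs | has_sig_in "$name"; then
        echo "present: $name"
    else
        echo "missing: $name"
    fi
done
echo "signatures with OSX in the name: $(list_sigs | count_sigs_in OSX)"
```

Run against a real installation, `list_sigs | grep_sigs_in OSX` gives the full list of Mac-named signatures the database currently holds, which is a quicker way than the web form to see whether a family like OSX.RSPlug or OSX.DNSChanger has gained variants since the database was last checked. Matching is on the signature name only; whether a named signature actually detects a later variant is a separate question that this listing cannot answer.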