Author Topic: Avast for Mac detection questions


Ilgaz

  • Guest
Avast for Mac detection questions
« on: March 29, 2008, 03:08:31 PM »
Hi,

Congratulations for bringing competition to OS X security market. I have some questions.

1) Does Avast detect keyloggers (black hat or white hat) no matter whether they are open source or not? As you know, a keylogger with a kernel extension can be used for good or very bad things. Does Avast for Mac detect them no matter what they do or whether the user launches them on purpose? If not, they really should be detected. I use a competing product and was almost shocked that it didn't spot a keylogger which can be installed on my Mac while I am not around. The keylogger is coded for good purposes, but of course it can be used in a very evil way.
2) Does Avast do heuristic analysis, especially about Launch Services and Safari downloads launching other things if "Open 'safe' files" is selected? Does it watch for "what opens what, what gets into startup, does the program try to hide itself?" kinds of checks?
3) Does Avast decompress the .sit and .sitx files widely used on the Mac (especially in the DTP business)?
4) Does Avast have a definition for a "system preference" file which came distributed with a popular p2p client (2 builds only, old) and which can easily be called the "first OS X spyware"? I am speaking about this: http://preview.tinyurl.com/3ydlwp (I am giving a tiny URL since the company does Google searches for their name).
5) What about OS X specific issues like the user's home folder, wrong permissions in the home folder (I have seen too many home folders shared with the planet), etc.?

These are questions and can be called feature requests. These are things which are missing from the OS X security market, which leads to users treating security products as a "joke" or "snake oil".

I have tried Avast for Windows (Home Edition) inside Windows XP SP2 installed in Virtual PC 7 (running on a G5 PPC) and can't say a word about how impressed I am, since it spotted spyware undetected by 3-4 vendors all by heuristics. If Avast for Mac has these features or they are planned, I can subscribe for 3 years straight.
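A defender's check for the home folder permission problem raised in question 5, added here as an example; it is not part of the original post or of any Avast product, and it assumes POSIX sh with find, ls, awk and mktemp available. The sample home folder it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list every entry under a home folder that any other local
# user can read or write, i.e. the "shared to the planet" case. The sample
# tree below is constructed; no real home folder is touched.

# Print world-readable or world-writable entries under $1 as "<mode> <path>".
audit_world_access() {
    # -perm -004: "other" read bit set; -perm -002: "other" write bit set.
    find "$1" \( -perm -004 -o -perm -002 \) -exec ls -ld {} \; |
        awk '{ print $1, $NF }'
}

# Count the flagged entries so a caller can branch on the result.
world_access_count() {
    audit_world_access "$1" | wc -l | tr -d ' '
}

# Build a throwaway home folder mixing locked-down and over-shared entries.
make_sample_home() {
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    mkdir "$home/Documents" "$home/Public"
    printf 'private notes\n' > "$home/Documents/notes.txt"
    printf 'shared file\n'   > "$home/Public/readme.txt"
    printf 'secret\n'        > "$home/Documents/.ssh_backup"
    chmod 700 "$home/Documents"                # locked down, not flagged
    chmod 600 "$home/Documents/notes.txt"      # owner only, not flagged
    chmod 644 "$home/Documents/.ssh_backup"    # world-readable: flagged
    chmod 777 "$home/Public"                   # world-writable: flagged
    chmod 644 "$home/Public/readme.txt"        # world-readable: flagged
    printf '%s\n' "$home"
}

# Stand-alone run: audit the sample tree and exit 1 if anything is flagged.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_home)
    audit_world_access "$sample"
    n=$(world_access_count "$sample")
    rm -rf "$sample"
    [ "$n" -eq 0 ]
fi
```

Run it with `--demo` to see the three over-shared entries listed; point `audit_world_access` at `$HOME` to check a real account.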

Offline .: Mac :.

  • Avast Überevangelist
  • Ultra Poster
Re: Avast for Mac detection questions
« Reply #1 on: March 29, 2008, 05:53:34 PM »
I might be able to answer one or two, but one of the developers can answer the rest.

Quote

1) Does Avast detect keyloggers (black hat or white hat) no matter whether they are open source or not? As you know, a keylogger with a kernel extension can be used for good or very bad things. Does Avast for Mac detect them no matter what they do or whether the user launches them on purpose? If not, they really should be detected. I use a competing product and was almost shocked that it didn't spot a keylogger which can be installed on my Mac while I am not around. The keylogger is coded for good purposes, but of course it can be used in a very evil way.

The Mac version has the same engine capabilities as the Windows product.


Quote
3) Does Avast decompress the .sit and .sitx files widely used on the Mac (especially in the DTP business)?

I don't think so. A list of packers that are supported can be seen in the Scanner tab of the Preferences. But StuffIt files have been on the decline for years now and are nowhere near as popular as they were in the Classic OS days.
« Last Edit: March 29, 2008, 05:57:11 PM by .: Mac :. »
"People who are really serious about software should make their own hardware." - Alan Kay

Offline igor

  • Avast team
  • Serious Graphoman
    • AVAST Software
Re: Avast for Mac detection questions
« Reply #2 on: April 01, 2008, 03:39:35 PM »
I'd leave the details to zilog, but I'd say:
1. I don't think source code is detected
2. No
3. Certainly not, and I don't think it's likely to change (I don't think the formats are that widely used these days anyway; even Apple itself doesn't have/support it).

Offline zilog

  • Avast team
  • Advanced Poster
  • or #f0; daa; add a,#a0; adc a,#40
Re: Avast for Mac detection questions
« Reply #3 on: April 07, 2008, 11:48:03 AM »
Hello,

1) Keyloggers: it depends on the malware samples that are available to us and that are known to be (ab)used for such purposes. In general, we can detect them, so it's a matter of the database contents and the availability of samples.

2) Nope, the detection is (at the moment) based on exact matching; no such heuristic is performed. In other words, we must know that there's a certain malware pattern, and then we can report it as a virus.

3) .sit and .sitx are highly proprietary formats. Their popularity peak was a few years ago because they were able to keep the Mac FS's oddities in an archive natively; nowadays their importance is declining a bit.

4) 5) Oddities in user home folders are warnings in general (it might be intentional configuration), and thus they don't fit well with the current idea of "exact matching".

All the OS X security talk is quite overrated: the lack of Mac OS (X) malware was caused by low interest among malware creators, but unfortunately this is going to change.

PC
May's Law: Software efficiency halves every 18 months, compensating Moore's Law. (David May, INMOS)