Recently, I've been testing the free anti-malware options for Mac. At the moment, none of them are perfect. But there is progress! Below are posts I made this week over at the VersionTracker.com sites regarding iAntiVirus, ClamXav and MacScan:
I) MacScan Is Unreliable:
I've tested MacScan several times over the course of several versions. The results are consistently flaky. It is impossible to get it to detect items reliably. Instead you have to run it over and over and over and over to get the thing to pick up everything.II) iAntiVirus Is Basic, Not Perfect, Mostly Works:
For some purposes, like detecting the full raft of 'legal' Mac Spyware and Tracking Cookies, this is the only show in town. But OMG does it suck. IMHO MacScan requires an entire rewrite in order get a rating better than one star. The developers have done some nice things like providing some sort-of working removal tools for current Trojans. So they aren't evil. They're just lousy programmers.
Keep in mind that this thing is FREE:Addendum: I should note that iAntiVirus also fails to detect RSPlug.I and .L.
Despite some outright dishonest flame reviews of iAntiVirus here at VT, it actually does work, mostly. I let it loose on a folder full of Trojans a friend shared with me and it successfully found MOST of them:
Trojan.OSX.RSPlug.C, D & F
Trojan.OSX.iServices.A & B
Problems:
1) It did NOT find Trojan.OSX.RSPlug.E, of which I had a number of copies in my folder-full-of-Trojans. That is upsetting.
2) It also uses wrong names for the iServices Trojans. But sadly, despite a clear naming convention for malware, hardly anyone bothers, which is of course pathetic.
3) The app only gives you two choices when it finds malware: Either remove the malware or nothing. There is no sophistication to this app whatsoever.
Maybe the 'Pro' version is way better. I don't know. The PC Tools website certainly 'claims' iAntiVirus detects all the current Mac malware. Judging from the free version, it only finds some Mac malware. Maybe I'll test the Pro version some time.
In the meantime, I own Intego VirusBarrier, which frankly is the ONLY anti-malware app for Macs I can recommend. It works great, detects everything, is updated daily, is entirely reliable, is never a CPU hog, and has all the bells and whistles you could want.
If you want to stick with free stuff, the best idea is to use BOTH iAntiVirus AND ClamXav. Between the two of them you're probably just fine. This is thanks to the fact that the excellent author of ClamXav went out of his way to convince the ClamAV project to accept contemporary Mac malware sample definitions. *Applause*
III) ClamXav: Progress! But Still Waiting For Full Mac Malware Detection:
Recently, ClamXav developer Mark Allen went out of his way to convince the ClamAV project to accept contemporary Mac malware samples for definition integration. *Applause*--
However, my testing today shows only partial progress from the ClamAV project.
MY TEST: A friend provided me with a large collection of recent Mac Trojan horses including all the iServices and RSPlug malware. There were 18 samples in all. I used them as my testing ground.
RESULTS: ClamXav, via the latest engine and definitions of ClamAV, found 10 of them and successfully put them into my quarantine folder.
As my control, I used Intego VirusBarrier, latest version with current definitions. It found all but one of the malware. (The undetected malware was a .pkg with the payload inside a .bom file).
What ClamXav, via ClamAV, didn't detect:
DMG files containing:
RSPlug.D
RSPlug.E
RSPlug.F
RSPlug.I
RSPlug.L
I'm testing iAntiVirus, (runs on Mac OS X Leopard only). But it too is unable to detect RSPlug.E [as well as .I and .L].
CONCLUSIONS:
1) ClamXav is the best of the free anti-malware application options. But the ClamAV database of current Mac malware is still not completely up to date. However, it is far better than it was a couple months ago thanks to Mark Allen's work.
2) Even with the combination of ClamXav and iAntiVirus, it is still possible to have a current Mac Trojan sneak by. But then again, Intego VirusBarrier missed one as well, possibly due to the way the Trojan was packaged.
A high quality paid anti-malware application remains the best way to go for professional use. But for casual use, ClamXav is the best, despite remaining ClamAV deficiencies. I would combine it with iAntiVirus as well if you are running Mac OS X Leopard.
No comments:
Post a Comment