Jan 26

SubRosaSoft FileDefense
Protect your files from viruses, trojan horses, worms and other dangerous programs.
Thursday’s ZOT Preview and the Winner of yesterday’s Photo Contest below…

Normally: $59.95

ZOT Price: $34.99


Malware on my Mac

All successful, and most plausible, malware attacks on Mac OS X have occurred in the last 2 years with the last quarter of 2007 being particularly prolific. Market penetration and overall sales of the Mac OS X system have directly mirrored development of malware, a phenomenon also demonstrated with other operating systems such as Microsoft Windows. Based on this data there is no reason to believe the trend will not continue as Apple continues to increase their market share.

The concept of the economy of scale has historically meant that malware authors have not previously considered the Mac a viable target. This protection is being eroded by the increase in size of the Mac user base.

IDC analyst Chris Christiansen is warning Mac users of the growing threat.



"Most Mac users take security too lightly. In fact, most are quite proud of the fact that they don’t run any security at all," Christiansen said. "That’s an open door; at some point it will be exploited."
http://www.macnn.com/articles/07/12/31/mac.os.x.a.growing.target/

“Apple users, your days of worry-free web surfing could be numbered. A Mac internet security and privacy software maker has discovered what is believed to be the first professionally crafted in-the-wild malware targeting the Mac Operating system.”
http://www.scmagazineus.com/Trojan-targets-Mac-users/article/58290/?source=PSGL1SCM1001&gclid

A new Trojan attack has been linked with illegal copies of iWork ’09
http://www.macnn.com/articles/09/01/22/trojan.linked.with.iwork/

Following the discovery of a trojan linked with copies of iWork ’09, the security firm says it has now found a variant, attached to pirated versions of Photoshop CS4.

http://www.macnn.com/articles/09/01/26/mac.trojan.hits.photoshop/

Malware On Mac OS X – Viruses, Trojans, and Worms
A white paper on the history and future of malware and how it can affect the Apple Mac OS X platform.
http://www.macforensicslab.com/ProductsAndServices/index.php?main_page=document_general_info&products_id=174


OS X without FileDefense installed:

When you run an application without FileDefense installed, the application essentially has free rein over your personal documents. It is free to read them, write to them, or delete them. There are no restrictions on what an application can do to any or all of your files. For example, a malicious programmer could write a program that corrupts all of your personal files in seconds so that they are beyond repair, or one that silently relays your personal data to a network destination of its choice without you ever knowing. This is why viruses and trojan horses can be so devastating when they get loose: there are few safety nets in place once an application is run. Traditionally, opening an application is like letting it loose on your system.

OS X with FileDefense installed:

When you have FileDefense installed, every single file an application opens is questioned and brought to your attention, thereby limiting the damage it can do if it is malicious.

If you do not yet trust an application, every file the application is trying to access (along with what it is trying to do to that file) is presented to you in a dialog, giving you the control to decide whether you want to allow the application to access the document in question. You can even run a destructive virus with confidence that the damage it can do is limited. As soon as it starts accessing your files you will be alerted, and you will be able to force quit it and remove it from your system. All of this is done simply by choosing Kill to force quit the application, Allow This to grant access to that one file only, or Allow All to give the application free rein to access your files.


Traditional virus protection works by keeping a list of known malware and then scanning your hard drive for files that are known to be the same as the files in their list. Virus protection vendors who use this approach then create updates as often as possible for new viruses.

This approach means that the system can only find files it already knows about; it will not stop a new infection.

FileDefense is different – it uses an active defense approach.

SubRosaSoft.com Inc created FileDefense in 2007 and has been distributing it since then. The software keeps an eye on all the programs running on your computer to make sure that they are only touching the things they are supposed to.

If a new program is loaded onto your Mac and it tries to access files without your permission then FileDefense will stop that program and ask you if you trust this program.

Active defense means that your system is protected from new malware before the anti-virus companies have time to design a new update.


FileDefense in 3 basic scenarios:

Scenario 1:
In this scenario you have just installed an application from a source you trust thoroughly, perhaps you have been using their software for years and it is a well reputed company. In this case you would normally click Allow All so that unnecessary dialogs do not appear asking you whether you want to allow the application to open specific files. FileDefense protection will be disabled for this application because you trust it.

Scenario 2:
In this scenario you start running some software from a source that you do not yet trust or distrust. Perhaps it is some peer-to-peer filesharing software. In this case you would click Allow This for each file it attempts to access, so long as you are happy to trust it with whichever file it is accessing at the time. You would continue doing this, and so long as the application does not try to access anything that you do not want it to access you could allow it to run normally, with it being able to open only the files for which you have previously clicked Allow This. If at any time it tries to access a new file that you have not granted it access to (even days later), a new dialog will appear asking for your choice before it is allowed to access that document. This effectively allows you to sandbox an application, so you know at all times exactly what it is capable of doing based on the parameters you have set.

Scenario 3:
This scenario starts off the same as scenario 2. You run some software that you do not yet trust or distrust. However, in this case, after clicking Allow This several times, it starts to open some files that you do not think it should need access to, and you question why it would want to be accessing those files. Perhaps a peer-to-peer application starts to read your private documents, which should be completely unassociated with it. Because it is accessing your personal files, you start to feel suspicious: you choose the Kill option to force quit the application, and then either do not run it again or perhaps contact the author for an explanation of the application’s behavior. If the program did turn out to be malicious, you can be sure that any data it read or wrote is limited to the files you granted it access to. And since you did not allow it to access any of the files that are precious to you, you can rest assured that the data contained in those files is still private and safe.
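A reference model of the per-application mediation the three scenarios describe, added here as an illustration (this is not SubRosaSoft’s code, and the dialog answers, application name and file paths are constructed). Each application starts untrusted; every first access to a file is answered Kill, Allow This or Allow All, and the state that answer leaves behind decides whether later accesses are silently allowed, silently blocked, or prompted again.

```python
from dataclasses import dataclass, field

KILL, ALLOW_THIS, ALLOW_ALL = "Kill", "Allow This", "Allow All"

@dataclass
class AppState:
    trusted_all: bool = False                  # Allow All: dialogs disabled
    killed: bool = False                       # Kill: force-quit, no more access
    allowed: set = field(default_factory=set)  # paths granted via Allow This

class FileDefenseModel:
    """Hypothetical model of the per-application mediation; the `ask`
    callback stands in for the user's answer to the dialog."""
    def __init__(self, ask):
        self.ask, self.apps, self.log = ask, {}, []

    def access(self, app, path, op):
        """Return True if the operation may proceed, False if blocked."""
        st = self.apps.setdefault(app, AppState())
        if st.killed:
            return False
        if st.trusted_all or path in st.allowed:
            return True                        # already granted: no dialog
        decision = self.ask(app, path, op)
        self.log.append((app, path, op, decision))
        if decision == ALLOW_ALL:
            st.trusted_all = True
        elif decision == ALLOW_THIS:
            st.allowed.add(path)
        else:
            st.killed = True                   # Kill
        return not st.killed

# Constructed policy for scenario 3: a peer-to-peer app may touch its own
# download folder, but its first read of a private document is answered Kill.
def cautious_user(app, path, op):
    return ALLOW_THIS if path.startswith("/Users/me/Downloads/") else KILL

def run_scenario_3():
    fd = FileDefenseModel(cautious_user)
    requests = [("p2p", "/Users/me/Downloads/a.mp3", "write"),
                ("p2p", "/Users/me/Downloads/a.mp3", "read"),     # granted: no dialog
                ("p2p", "/Users/me/Documents/taxes.xls", "read"),  # private file: Kill
                ("p2p", "/Users/me/Downloads/b.mp3", "write")]     # after Kill: blocked
    results = [fd.access(*r) for r in requests]
    return results, fd.log
```

Swapping `cautious_user` for a callback that always returns `ALLOW_ALL` reproduces scenario 1: one dialog, then no further mediation for that application.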

System Requirements:

FileDefense is programmed to run on the following minimum specification:

  • Apple Macintosh G4 800 MHz or faster or an Apple Macintosh Intel computer
  • Mac OS X Tiger version 10.4, Leopard version 10.5, or newer.
  • 512 MB of RAM


When you are ready to get the most active anti-virus and anti-malware solution for your Mac, please visit our site or the product page for FileDefense.

SubRosaSoft.com Inc
37600 Central Ct, Suite 212
Newark
California 94560
United States of America
Phone +1 (510) 870-7883
Fax +1 (510) 868 3407
Sales e-Mail: sales@subrosasoft.com
Support e-Mail: support@subrosasoft.com

A Preview for This Thursday’s ZOT? – Yes.
January 29th – “Fliq”

With Fliq for Mac, a standalone app for Mac OS X, anyone can easily and quickly beam, or ‘fliq’, photos, notes and contacts to friends, classmates, family and co-workers on the same network.

Select any photo in your iPhoto album, or choose to send an image file on your hard disk. Beam a contact from your Address Book. Choose a memo from Mark/Space Notebook (included) to Fliq to a friend. Thousands of people worldwide are using Fliq every day, and thousands more are downloading Fliq every week. It’s a sharing revolution!

Learn more about Fliq here…

…AND NOW!!! the moment you’ve all been waiting for!


The Winner of Yesterday’s First macZOT Photo Contest is


FINE ARTS
by John Innes

John is the winner of the First macZOT Photo Contest. John retains ALL rights to his photo, excluding appearing on macZOT for the day. Thanks John – And thanks to all 22 of you who participated!

Next time around we’ll get permission from all of you to add your photos to our OFFICIAL macZOT Flickr page.
If you’d like your photo added Today to this page, email me again, and I’ll put it up and you can get a glimpse of some of the other Fantastic Photos!

Very difficult to decide… I will likely post some of our other favorites during today’s ZOT as well.
The criteria for choosing? – Which one I liked best.
– Mike Biskup
Someone had to do it. :)

No Responses to “SubRosaSoft FileDefense”

  1. ubrgeek Says:

    John – Nice photo! Care to share the camera settings at the time?

  2. harringg Says:

    Makes me wonder what the software authors do in their spare time; they always scare us into needing this type of software by referencing the “porn” virus when trying to sell their software.

    It always comes down to behavior. Since I don’t visit those sites, since I don’t install ‘unknown’ downloads (come to think of it, I can’t think of any software that I haven’t downloaded intentionally that wanted to install anything), since I don’t download pirated software, I don’t worry about needing this type of software and let those who visit porn sites and pirate software fend for themselves.

    If you engage in the above mentioned activities (I’m not implying the Zotters here do), I’m sure you need this Zot.

    Yawn, next Zot.

  3. t5tr Says:

    After reading today’s Zot description, the first question that came to my mind was how FileDefense compares to LittleSnitch. At first thought, FD does for files what LS does for the network, i.e., you finally get GUI access control for each app running.

    Scenario 1: What if our fully trusted app has got infected?
    FD will presumably be disabled for all our beloved file managers, which can be so targeted for malware infection. Only when that malware code starts to “phone home” would LS (and not FD) bring you an alert message. See, scenario 1 is also where we are, running whichever app before we start using FD. We are only asked for administrative privileges, or when trying to access files belonging to another user.

    Scenario 2 and 3: So FD is active for apps that you don’t trust at all. In this situation, why are you running untrusted apps? Peer-to-peer software, besides when trying to debug some beta app, is a really good example. Sooner or later you may feel just forced (fingers crossed) to use it. In this case you can change your user login, give it a spin, and return to your default login. But sometimes that will take some planning effort, like creating groups to put the files to be exposed during your test using your temporary login. Have you tried running ‘lsof’ in a terminal to see how many files are kept open by the running apps on your Mac? Be prepared for a huge list.

    Unix access control is user oriented. MacOSX user’s experience is application oriented. FD is about having application oriented access control, and that’s where FD may help us Mac users in particular.

    However I have to try FD to value _how_ it works (and not only what it can do for you) to see if I can afford its price, even zotted.

  4. t5tr Says:

    @Mike and John
    Photo contest winner well deserved. Nice shot; I especially liked the expression on the face of that little girl, kind of looking for something (a book being inferred from the focused context gives another plus for the scene) and just passing by… ;) Congratulations John!

  5. Tommy Says:

    Yeah. Good choice for the winner. I like the balance of dynamic and static.

  6. t5tr Says:

    I’d tried FD and I would only recommend it for those that _really_ need this extra layer of protection, as IMHO FD has a great concept but a poor GUI.

    The file being accessed is reported with its full path; there is no icon of either the program being audited or the type of file being accessed, nor any clue to help us identify who/what kind of access is being checked without reading the full text. Not only that, more than once the file being accessed was reported in a “wrong/confused” location, i.e., an “Info” file located inside “WriteRoom/Info”.
    For the price, I’d expected a more mature GUI program.

    Summing up, I’d pass on this Zot, but I will keep an eye out to see if the next FD version comes up in a way hopefully not so inconvenient to use.