Snow Leopard : Xprotect Revealed

by Jago Maniscalchi  //  September 8, 2009  //  Exploits and Malware

Intego, a Mac OS X-only anti-virus vendor, last week released some early details of Xprotect – the anti-malware system released by Apple with the Snow Leopard version of OS X.

Since then, Sophos have done some analysis of Xprotect and discovered that it is activated by an extended file attribute – com.apple.quarantine. This attribute is set by downloader applications like Safari, Mail, Firefox and Entourage.

BitTorrent, however, responsible for the propagation of the OSX.Iservice / OSX.Iworks trojan, does not tag downloaded files and so they won’t be scanned.
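As an added example (not from the original post or from Sophos), this Python script lists the files under a download folder that carry no com.apple.quarantine attribute and so, per the behaviour described above, would not trigger an Xprotect scan. It assumes the macOS `xattr` command-line tool is available; the function names and the `~/Downloads` path are illustrative.

```python
import os
import subprocess
import sys

QUARANTINE_ATTR = "com.apple.quarantine"


def read_quarantine(path):
    """Return the attribute value for path, or None when it is not set.

    Assumption: runs on macOS, where `xattr -p NAME FILE` prints the value
    and exits non-zero if the attribute is missing.
    """
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_ATTR, path],
        capture_output=True,
        text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def find_untagged(root, reader=read_quarantine):
    """Walk root and return a sorted list of regular files with no quarantine tag.

    `reader` is injectable so the logic can be exercised without macOS.
    """
    untagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip symlinks: the attribute of interest belongs to the target.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if reader(path) is None:
                untagged.append(path)
    return sorted(untagged)


if __name__ == "__main__":
    # Illustrative default; pass another folder as the first argument.
    folder = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    missing = find_untagged(folder)
    for path in missing:
        print("no quarantine tag:", path)
    print(f"{len(missing)} file(s) without {QUARANTINE_ATTR} under {folder}")
```

Files reported here arrived by a route that did not set the attribute, so they are candidates for a manual scan with another tool.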

More from Sophos in the video below:

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.
