eXtensions


Some Suggestions for Guarding Against Malware on Macs


By Graham K. Rogers






I had intended to wrap up the look at some useful utilities last time, but recent reports of malware aimed at OS X had me looking at problems and solutions in the first few days of June.

I have written before about malware and I repeat: there are no viruses for OS X. Other threats do exist, like phishing, identity theft and Trojans. All require help from the user to do their work.

A number of online sources reported that certain screensaver files would download spyware during the installation. Once installed it would ask the user to take part in a survey and ask for password details. That would end things for me.

Passwords open doors; and the doors opened here reportedly allowed some serious data to be accessed. According to Mac OS X Hints, we can check by running Activity Monitor and searching for "PremierOpinion". In the unlikely event that it is there, look for the PremierOpinion folder in Utilities, trash it, empty Trash and restart. [Later entries on that Mac OS X Hints item suggested that this may not be an effective solution - but then you have to get this in the first place. Little Snitch (see below) is also quoted as a useful means of defense.]

As the initial source of the warning was a security company, Intego, and they are pushing their Virus Barrier software, this threat may not be totally credible. One download site named in a MacWorld article wrote, "The only application leading to the installation of the spyware . . . is a converter - 'MishInc FLV To Mp3.'"

Nonetheless, some users may be concerned and will think about protection. As these threats require user cooperation, the first line of defense is not to enter passwords unless sure. We must also be careful about what we download, and from where.


OS X has a firewall. It is turned on in Security Preferences. We may also use the Advanced settings to make the computer appear invisible when online. Logs in Console show that our computers are constantly being probed. Checking the "appfirewall" log for 1 June I saw that, as well as my ISP almost constantly probing, Amazon, Apple and Google had all come a-calling, which was normal and probably benign; but there was also an online advertising company in Canada, plus an unknown site in the Netherlands.
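The kind of tally described above can be done in Terminal rather than by reading the log line by line. The script below is an added example, not part of the original column: it counts blocked connection attempts per source address and lists the ports each one tried. The log line layout is an assumption, and the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Summarise inbound probes recorded in an appfirewall-style log.
# ASSUMPTION: blocked attempts are logged in this shape:
#   <date> <host> Firewall[pid]: Stealth Mode connection attempt to TCP a.b.c.d:port from w.x.y.z:port
# Adjust the patterns if your log differs.

# Constructed sample lines (documentation-range addresses, not real hosts).
sample_log() {
cat <<'EOF'
Jun  1 09:12:01 mymac Firewall[61]: Stealth Mode connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:40112
Jun  1 09:12:05 mymac Firewall[61]: Stealth Mode connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40113
Jun  1 09:15:44 mymac Firewall[61]: Stealth Mode connection attempt to UDP 192.0.2.10:137 from 203.0.113.25:137
Jun  1 09:20:10 mymac Firewall[61]: Allow Mail connecting from 192.0.2.10:50211 to port 993 proto=6
Jun  1 09:31:02 mymac Firewall[61]: Stealth Mode connection attempt to TCP 192.0.2.10:445 from 198.51.100.7:40120
EOF
}

# probe_summary: read a log on stdin and print "count source-ip ports-probed",
# busiest source first. Lines that are not blocked attempts are ignored.
probe_summary() {
  awk '
    /connection attempt to (TCP|UDP) / {
      for (i = 1; i <= NF; i++) {
        if ($i == "to")   { proto = $(i+1); dst = $(i+2) }
        if ($i == "from") { src = $(i+1) }
      }
      sub(/:[0-9]+$/, "", src)            # drop the source port, keep the address
      port = dst; sub(/^.*:/, "", port)   # keep only the destination port
      key = proto "/" port
      count[src]++
      if (!seen[src, key]++) ports[src] = ports[src] (ports[src] ? "," : "") key
    }
    END { for (s in count) print count[s], s, ports[s] }
  ' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample; on a Mac, pipe the real log in instead.
sample_log | probe_summary
```

A source that appears many times against several different ports is worth a closer look than one that touches a single port once.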

Firewalls stop incoming attempts, but many applications send data out: usually for proper purposes and to known destinations. I check using an application called Little Snitch. Intego also had Net Barrier, but this has now been incorporated into its virus suite.

Little Snitch


Little Snitch alerts users when an outgoing connection is tried. The user has options on the panel displayed to select ports that may be used, or to allow the connection: "Until Quit", "Forever", or "Never". It may initially appear inconvenient to keep having the panel appear, but safe, regular connections can be allowed always, allowing the user to take more note of the unusual ones.

Settings may be easily changed: blocked access may be unblocked, once-only can be changed to forever. In use, the most inconvenience is at my office where proxy settings appear to change the connections, so there are warnings more often. These can also be tuned out for the safe links.


I do have a virus checker, ClamXav, created by Mark Allen, but I do not often use it. It is not installed and I store it as a disk image file (.DMG). It uses the ClamAV Open Source virus engine and has a tidy Mac-style interface. The only thing it ever found before was a suspect mail message (phishing) and an old macro virus in a file a student sent me. When first started it installs the virus engine and each time thereafter can check for malware signature updates.

The latest scan found a number of examples of malware, most of which were attached to email and already isolated in Junk mail: almost 50 in a single day. A lesson here: empty Junk mail before a scan. Others were attachments that were easily deleted. It is not a good idea to use the Quarantine feature for email as mailbox integrity is important. I tracked them down individually. All were .EXE files and not a danger for OS X users.

ClamXAV


I was not worried about this result as I had already seen the files. With OS X, the feature known as QuickLook can be adapted to show contents of .ZIP files with a file called Better Zip. Once installed, restarting the Finder allows us to look inside these .ZIP files and malware can be more easily spotted.

Quick Look


There is also a Unix command that allows us to look inside folders using QuickLook. By using Terminal and entering the command

defaults write com.apple.finder QLEnableXRayFolders 1

this can be turned on. The same command with a 0 at the end will turn it off.

Not one of the malware files found would affect the Mac, and in any case they would need me and my password to work. The main dangers for Macs are from phishing and Trojans, which need user assistance to do their work.


See Also:

  • New Users (1): Use of Accounts and Passwords
  • New Users (2): Disk Contents and Some Pitfalls
  • New Users (3): The Kernel Panic: Something Many Users will Never See
  • New Users (4): Preventative Maintenance and Disk Warrior
  • New Users (5): Some Utilities for OS X
  • New Users (6): Some More Utilities for OS X
  • New Users (7): A Few More Useful Maintenance Utilities




