list of "undesirable" browser extensions?
#33252 03/03/15 02:56 PM
Joined: Aug 2009
OP Offline
I decided to throw together a malware removal tool that can go through a computer and dig out ALL traces of ALL known malware for the mac.

I've got the app coded and it works nicely, but I'm finding problems getting complete information. On numerous occasions I'm finding instructions like "open this folder and remove anything that looks sort of like "this"...." or "remove the xyz plugin from this folder". Without giving me actual filenames, I can't really code it.

I *could* scan files and look for things though. For example, macdefender is well-known to go by many names. It's not difficult to just quickly check all the files in /Library/LaunchAgents for a keyword or the path to the malware to identify and remove the agent, regardless of its name. But again I need to know what to look for.

The biggest problem I have right now is so many places recommending removing browser plugins, by simply going to the safari plugin list and removing anything that "looks like xxx". So again I don't really have a proper complete name.

I had someone come in here a few weeks ago that may have quite possibly had all of the mac malware installed on her macbook. It took me about 1/2 hr to get it all removed by hand. I kinda wish I had taken some sort of snapshot of it before I started, so that I'd have more to go on with this script. Tempts me slightly to fresh image a mac and go "looking for trouble" and then see what I have to sort out.

fyi here is one of the bigger sources I was using:
http://www.thesafemac.com/arg-identification/

Last edited by cyn; 03/04/15 10:05 AM. Reason: Topic moved from the "Mac OS X Applications" forum to the "Networking" forum.

I work for the Department of Redundancy Department
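The LaunchAgents scan described in the post above, written out as an added example (not the poster's tool). Instead of matching on the plist's file name, it parses each launchd plist and checks the Label, Program and ProgramArguments against indicator keywords and paths, so a renamed agent that still runs from a known path is still caught, and a file that will not parse is reported rather than skipped. The indicator lists, the sample plists and the temporary directory standing in for /Library/LaunchAgents are all constructed for this example.

```python
"""Added example: scan a LaunchAgents-style directory by plist contents, not file name."""
import os
import plistlib
import tempfile

# Constructed indicator lists (placeholders, not a real threat feed).
INDICATOR_KEYWORDS = ["macdefender"]
INDICATOR_PATHS = ["/users/shared/.hypothetical-agent/"]  # lower-case, trailing slash


def agent_strings(data):
    """Collect the strings inside a launchd plist that say what it runs."""
    out = [str(data.get("Label", ""))]
    if data.get("Program"):
        out.append(str(data["Program"]))
    out.extend(str(a) for a in data.get("ProgramArguments") or [])
    return out


def scan_agent(path):
    """Return the reasons a launchd plist matches an indicator (empty list = clean)."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # a plist launchd cannot read is worth a look, not a crash
        return [f"unparseable plist: {exc.__class__.__name__}"]
    if not isinstance(data, dict):
        return ["plist root is not a dictionary"]
    reasons = []
    for value in agent_strings(data):
        low = value.lower()
        for kw in INDICATOR_KEYWORDS:
            if kw in low:
                reasons.append(f"keyword {kw!r} in {value!r}")
        for p in INDICATOR_PATHS:
            if low.startswith(p):
                reasons.append(f"runs from indicator path {p!r}: {value!r}")
    return reasons


def scan_directory(directory):
    """Scan every .plist in the directory; map file name -> list of reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        reasons = scan_agent(os.path.join(directory, name))
        if reasons:
            findings[name] = reasons
    return findings


def build_fixture(directory):
    """Write constructed sample agents into `directory` (stand-in for /Library/LaunchAgents)."""
    samples = {
        # clean agent: nothing matches
        "com.example.backup.plist": {
            "Label": "com.example.backup",
            "ProgramArguments": ["/usr/local/bin/backup", "--nightly"]},
        # innocuous file and label, but it runs from an indicator path
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Users/Shared/.hypothetical-agent/run.sh"]},
        # file name gives nothing away; the keyword is in the Label
        "com.example.helper.plist": {
            "Label": "com.MacDefender.helper",
            "Program": "/Applications/Helper.app/Contents/MacOS/Helper"},
    }
    for name, content in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            plistlib.dump(content, fh)
    with open(os.path.join(directory, "broken.plist"), "wb") as fh:
        fh.write(b"this is not a property list")


def demo():
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

To run it against a real machine, point `scan_directory` at /Library/LaunchAgents and ~/Library/LaunchAgents and review the findings before removing anything; the example reports and never deletes.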
Re: list of "undesirable" browser extensions?
Virtual1 #33253 03/03/15 03:00 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
Too bad you can't put together a list of identifiable malware "signatures" like the anti-virus people do. But that would probably require a full time staff just to keep track of the varying signatures. crazy


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: list of "undesirable" browser extensions?
Virtual1 #33254 03/03/15 04:16 PM
Joined: Aug 2009
Likes: 15
Online
Shot in the dark... Would it be feasible to back-door it?

Could you compile a list of known safe plugins and delete all others, or are there simply too many possible safe ones?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: list of "undesirable" browser extensions?
artie505 #33255 03/03/15 06:27 PM
Joined: Aug 2009
OP Offline
Originally Posted By: artie505
Shot in the dark... Would it be feasible to back-door it?

Could you compile a list of known safe plugins and delete all others, or are there simply too many possible safe ones?

That's a debate between whitelisting and blacklisting. Generally you go with the smaller list, or the more reliable list. (or the one of the two you KNOW) In this case, the malware list is substantially smaller, isn't unmanageably unreliable, and ought to be fairly well-known, so blacklisting is probably the best approach.

Signatures tend to be highly specific, so a single character change to a file could change its signature. Considering malware tends to be actively developed, the signatures require high maintenance. But they're very reliable, and almost immune to false positives, so most of the AV companies go that route. I'm looking for more of a "Windows Defender" approach. Heuristics and generalized scanning.


I work for the Department of Redundancy Department
Re: list of "undesirable" browser extensions?
Virtual1 #33258 03/03/15 10:08 PM
Joined: Aug 2009
Likes: 15
Online
Originally Posted By: V1
That's a debate between whitelisting and blacklisting. Generally you go with the smaller list, or the more reliable list. (or the one of the two you KNOW) In this case, the malware list is substantially smaller, isn't unmanageably unreliable, and ought to be fairly well-known, so blacklisting is probably the best approach.

On the other hand, though, whitelisting is preventive, or, if you will, anticipatory, whereas blacklisting leaves your tool vulnerable to the future.

If the whitelist isn't totally, out-of-the-question unmanageable both today and ongoing, a one-time effort would leave you better prepared down the road.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: list of "undesirable" browser extensions?
artie505 #33272 03/04/15 03:27 PM
Joined: Aug 2009
OP Offline
Originally Posted By: artie505
If the whitelist isn't totally, out-of-the-question unmanageable both today and ongoing, a one-time effort would leave you better prepared down the road.


I'm wary of things that can cause new problems without my intervention. If something new comes out that's not on my whitelist, my tool will nuke it. A bit over a year ago here, Malwarebytes pushed an update to definitions. Our campus was subscribed, and pushed the updates at 2am. By 6am, THOUSANDS of Windows computers on campus were trashed, most of them requiring a complete rebuild. "The ultimate network admin's nightmare." It's simply referred to as "the Malwarebytes incident" around campus today; say that and everyone knows what you're talking about.

That's the general danger. Whitelisting generally puts you at greater risk for such catastrophe than does blacklisting. At 2am Apple pushes an update. By 4am most of the computers on campus are KP'ing. That would not be pleasant for me or any of the mac users here.

Last edited by alternaut; 03/04/15 05:44 PM. Reason: Fixed quote markup

I work for the Department of Redundancy Department
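The whitelist-versus-blacklist trade-off argued over the last few posts, played out on a constructed plugin inventory as an added example (not code from either poster). It shows the failure mode the last post describes: when a legitimate new item appears before any list has been updated, the whitelist policy removes it while the blacklist policy leaves it alone. A third, layered policy is the added design choice here: the blacklist decides what is removed, and the whitelist only decides what gets reported to a human as unknown, so nothing is deleted on the strength of its absence from a list. All plugin names and both lists are constructed placeholders.

```python
"""Added example: how the three policies treat a known-bad, a known-good and a new unknown item."""

# Constructed lists; neither is a real inventory of plugins.
KNOWN_BAD = {"SketchyToolbar.plugin"}
KNOWN_GOOD = {"ExamplePlayer.plugin", "ExampleComposer.webplugin"}


def blacklist_policy(inventory, blacklist=KNOWN_BAD):
    """Remove only what is known bad; everything else is left alone."""
    return {"remove": sorted(inventory & blacklist),
            "keep": sorted(inventory - blacklist),
            "unknown": []}


def whitelist_policy(inventory, whitelist=KNOWN_GOOD):
    """Remove everything not known good: the behaviour the last post warns about."""
    return {"remove": sorted(inventory - whitelist),
            "keep": sorted(inventory & whitelist),
            "unknown": []}


def layered_policy(inventory, whitelist=KNOWN_GOOD, blacklist=KNOWN_BAD):
    """Blacklist removes; whitelist only separates 'known good' from 'report to a human'."""
    return {"remove": sorted(inventory & blacklist),
            "keep": sorted(inventory & whitelist),
            "unknown": sorted(inventory - whitelist - blacklist)}


def simulate_vendor_update(inventory, new_item="VendorUpdate.plugin"):
    """A legitimate new plugin lands (say, with a vendor update) before any list is updated."""
    return inventory | {new_item}


def compare_policies(inventory):
    """Run all three policies over the same inventory and return their decisions side by side."""
    policies = (("blacklist", blacklist_policy),
                ("whitelist", whitelist_policy),
                ("layered", layered_policy))
    return {name: policy(inventory) for name, policy in policies}


def demo():
    """Start from a machine with one good and one bad plugin, then apply the vendor update."""
    before = {"ExamplePlayer.plugin", "SketchyToolbar.plugin"}
    after = simulate_vendor_update(before)
    return compare_policies(after)


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:9s} remove={decision['remove']} keep={decision['keep']} "
              f"unknown={decision['unknown']}")
```

The layered policy still needs the blacklist maintained to catch new malware, which is the cost the thread identifies for blacklisting; what it buys is that a stale whitelist produces a report to read rather than a campus full of machines to rebuild.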