Re: MacDefender malware
Pendragon #15850 06/02/11 06:03 PM
Originally Posted By: Pendragon
Still, it does seem a bit odd that one must assume the definitions are/were properly updated, rather than having confirmation to that end.

If the update was confirmed five minutes ago, it would already be at least five minutes out of date.

Besides, if the malefactors can come up with new variants every eight hours (and, seeing as how there are many of them working independently, they may collectively come out with new versions even faster), and if Apple were really staying on top of the situation, you'd be getting notifications every few hours. Would you really want that?

The Mac is supposed to Just Work™. The mystique would be tarnished if it were constantly yammering "I'm still Just Working. I'm still Just Working. I'm still Just Working...". You might hear some users say "Methinks the Apple doth protest too much."

Re: MacDefender malware
ganbustein #15851 06/02/11 06:09 PM
Originally Posted By: ganbustein
Originally Posted By: Pendragon
Where is the file location for the malware definitions?

/System/Library/CoreServices/CoreTypes.bundle/Contents/XProtect.plist

Sorry, I answered the wrong question. I answered the question "What is the location for the malware definitions?" The correct answer to the question you actually asked, "Where is the location for the malware definitions?" is: "It's in my prior post, as quoted herein."

Re: MacDefender malware
ganbustein #15852 06/02/11 06:11 PM
aha, okay... apparently it's:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

Re: MacDefender malware
Hal Itosis #15853 06/02/11 06:14 PM
Oops.

Re: MacDefender malware
ganbustein #15859 06/03/11 09:28 AM
Originally Posted By: ganbustein
Originally Posted By: Pendragon
Still, it does seem a bit odd that one must assume the definitions are/were properly updated, rather than having confirmation to that end.

If the update was confirmed five minutes ago, it would already be at least five minutes out of date.

Besides, if the malefactors can come up with new variants every eight hours (and, seeing as how there are many of them working independently, they may collectively come out with new versions even faster), and if Apple were really staying on top of the situation, you'd be getting notifications every few hours. Would you really want that?

The Mac is supposed to Just Work™. The mystique would be tarnished if it were constantly yammering "I'm still Just Working. I'm still Just Working. I'm still Just Working...". You might hear some users say "Methinks the Apple doth protest too much."


Indeed I had not considered things from that perspective, thanks!

And while I now can find the definitions file, alas, I know not what I can do with data were I to access it.


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: MacDefender malware
Pendragon #15870 06/03/11 05:28 PM


Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: MacDefender malware
Pendragon #15873 06/03/11 06:12 PM
Originally Posted By: Pendragon

I just ran the posted command...

Code:
Artie-s-Computer-4:~ artie$ more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>LastModification</key>
        <string>Fri, 03 Jun 2011 00:13:07 GMT</string>
        <key>Version</key>
        <integer>3</integer>
</dict>
</plist>
Artie-s-Computer-4:~ artie$ 


I note that my "LastModification" was at the exact same moment as the one noted in the article, i.e. approximately 20 hours ago, which indicates two things:
  1. The time-stamp does not indicate the time our Macs were last updated, rather it's the time Apple last updated the definitions, and
  2. If the hackers can crack Apple's layer of protection within 8 hours, we're now 2, going on 3, layers of protection behind them. crazy


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: MacDefender malware
artie505 #15874 06/03/11 06:22 PM
Originally Posted By: artie505
I just ran the posted command...

Code:
Artie-s-Computer-4:~ artie$ more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>LastModification</key>
        <string>Fri, 03 Jun 2011 00:13:07 GMT</string>
        <key>Version</key>
        <integer>3</integer>
</dict>
</plist>
Artie-s-Computer-4:~ artie$ 


I note that my "LastModification" was at the exact same moment as the one noted in the article, i.e. approximately 20 hours ago,

Same here:

$ defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta LastModification
Fri, 03 Jun 2011 00:13:07 GMT




Originally Posted By: artie505
which indicates two things:
  1. The time-stamp does not indicate the time our Macs were last updated, rather it's the time Apple last updated the definitions, and
  2. If the hackers can crack Apple's layer of protection within 8 hours, we're now 2, going on 3, layers of protection behind them. crazy

grin Agreed.

These sorts of exploits rely on 'social engineering' -- so that's the best way to defeat them.


BTW, i think that:

sudo /usr/libexec/XProtectUpdater

will also "update" the defs (as does the check/uncheck method described in the article). But—as we now see—they can only get as 'recent' as Apple's most recent defs allow.

Meh... just be vigilant when browsing, and let the "cat & mouse game" play on unattended.

Last edited by Hal Itosis; 06/03/11 06:35 PM.
Re: MacDefender malware
Hal Itosis #15875 06/03/11 08:00 PM
> BTW, i think that:

sudo /usr/libexec/XProtectUpdater

will also "update" the defs (as does the check/uncheck method described in the article).


I ran your command and both /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist and /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist (The former shows the definitions, the latter, the definition modification time.) show the time I ran it as their last modification time, so I guess that's indicative.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: MacDefender malware
artie505 #15876 06/03/11 09:32 PM
We can all breathe easy again...for a while...I think hope...

Quote:
Artie-s-Computer-4:~ artie$ more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>LastModification</key>
<string>Fri, 03 Jun 2011 20:35:23 GMT</string>
<key>Version</key>
<integer>4</integer>
</dict>
</plist>
Artie-s-Computer-4:~ artie$


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: MacDefender malware
artie505 #15877 06/04/11 12:18 AM
Yeah, the "Version" also went from 3 to 4.

So, sleep well for the next 8 hours. grin lol

Re: MacDefender malware
Hal Itosis #15880 06/05/11 01:45 PM


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: MacDefender malware
jchuzi #16102 06/16/11 11:28 PM
There is a nice script out that will check the current status of XProtect, and if out of date allow you to force an update. No need to use Terminal or cycle the Automatically update safe downloads list pref.

For some folks that is necessary as there is a bug where some Macs refuse to daily update XProtect.

Here is the link to a description of Safe Download Version.
