#15850 - 06/02/11 11:03 AM Re: MacDefender malware [Re: Pendragon]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: Pendragon
Still, it does seem a bit odd that one must assume the definitions are/were properly updated, rather than having confirmation to that end.

If the update was confirmed five minutes ago, it would already be at least five minutes out of date.

Besides, if the malefactors can come up with new variants every eight hours (and, seeing as how there are many of them working independently, they may collectively come out with new versions even faster), and if Apple were really staying on top of the situation, you'd be getting notifications every few hours. Would you really want that?

The Mac is supposed to Just Work™. The mystique would be tarnished if it were constantly yammering "I'm still Just Working. I'm still Just Working. I'm still Just Working...". You might hear some users say "Methinks the Apple doth protest too much."

#15851 - 06/02/11 11:09 AM Re: MacDefender malware [Re: ganbustein]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: ganbustein
Originally Posted By: Pendragon
Where is the file location for the malware definitions?

/System/Library/CoreServices/CoreTypes.bundle/Contents/XProtect.plist

Sorry, I answered the wrong question. I answered the question "What is the location for the malware definitions?" The correct answer to the question you actually asked, "Where is the location for the malware definitions?" is: "It's in my prior post, as quoted herein."

#15852 - 06/02/11 11:11 AM Re: MacDefender malware [Re: ganbustein]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
aha, okay... apparently it's:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist

#15853 - 06/02/11 11:14 AM Re: MacDefender malware [Re: Hal Itosis]
ganbustein Offline


Registered: 08/04/09
Oops.

#15859 - 06/03/11 02:28 AM Re: MacDefender malware [Re: ganbustein]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Originally Posted By: ganbustein
Originally Posted By: Pendragon
Still, it does seem a bit odd that one must assume the definitions are/were properly updated, rather than having confirmation to that end.

If the update was confirmed five minutes ago, it would already be at least five minutes out of date.

Besides, if the malefactors can come up with new variants every eight hours (and, seeing as how there are many of them working independently, they may collectively come out with new versions even faster), and if Apple were really staying on top of the situation, you'd be getting notifications every few hours. Would you really want that?

The Mac is supposed to Just Work™. The mystique would be tarnished if it were constantly yammering "I'm still Just Working. I'm still Just Working. I'm still Just Working...". You might hear some users say "Methinks the Apple doth protest too much."


Indeed I had not considered things from that perspective, thanks!

And while I now can find the definitions file, alas, I know not what I can do with data were I to access it.
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15870 - 06/03/11 10:28 AM Re: MacDefender malware [Re: Pendragon]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15873 - 06/03/11 11:12 AM Re: MacDefender malware [Re: Pendragon]
artie505 Online


Registered: 08/04/09
Originally Posted By: Pendragon

I just ran the posted command...

Code:
Artie-s-Computer-4:~ artie$ more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>LastModification</key>
        <string>Fri, 03 Jun 2011 00:13:07 GMT</string>
        <key>Version</key>
        <integer>3</integer>
</dict>
</plist>
Artie-s-Computer-4:~ artie$ 


I note that my "LastModification" was at the exact same moment as the one noted in the article, i.e. approximately 20 hours ago, which indicates two things:
  1. The time-stamp does not indicate the time our Macs were last updated, rather it's the time Apple last updated the definitions, and
  2. If the hackers can crack Apple's layer of protection within 8 hours, we're now 2, going on 3, layers of protection behind them. crazy
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15874 - 06/03/11 11:22 AM Re: MacDefender malware [Re: artie505]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: artie505
I just ran the posted command...

Code:
Artie-s-Computer-4:~ artie$ more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>LastModification</key>
        <string>Fri, 03 Jun 2011 00:13:07 GMT</string>
        <key>Version</key>
        <integer>3</integer>
</dict>
</plist>
Artie-s-Computer-4:~ artie$ 


I note that my "LastModification" was at the exact same moment as the one noted in the article, i.e. approximately 20 hours ago,

Same here:

$ defaults read /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta LastModification
Fri, 03 Jun 2011 00:13:07 GMT




Originally Posted By: artie505
which indicates two things:
  1. The time-stamp does not indicate the time our Macs were last updated, rather it's the time Apple last updated the definitions, and
  2. If the hackers can crack Apple's layer of protection within 8 hours, we're now 2, going on 3, layers of protection behind them. crazy

grin Agreed.

These sorts of exploits rely on 'social engineering' -- so that's the best way to defeat them.


BTW, i think that:

sudo /usr/libexec/XProtectUpdater

will also "update" the defs (as does the check/uncheck method described in the article). But — as we now see — they can only get as 'recent' as Apple's most recent defs allow.

Meh... just be vigilant when browsing, and let the "cat & mouse game" play on unattended.


Edited by Hal Itosis (06/03/11 11:35 AM)

#15875 - 06/03/11 01:00 PM Re: MacDefender malware [Re: Hal Itosis]
artie505 Online


Registered: 08/04/09
> BTW, i think that:

sudo /usr/libexec/XProtectUpdater

will also "update" the defs (as does the check/uncheck method described in the article).


I ran your command and both /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist and /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist (The former shows the definitions, the latter, the definition modification time.) show the time I ran it as their last modification time, so I guess that's indicative.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15876 - 06/03/11 02:32 PM Re: MacDefender malware [Re: artie505]
artie505 Online


Registered: 08/04/09
We can all breathe easy again...for a while...I think hope...

Quote:
Artie-s-Computer-4:~ artie$ more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>LastModification</key>
<string>Fri, 03 Jun 2011 20:35:23 GMT</string>
<key>Version</key>
<integer>4</integer>
</dict>
</plist>
Artie-s-Computer-4:~ artie$
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15877 - 06/03/11 05:18 PM Re: MacDefender malware [Re: artie505]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Yeah, the "Version" also went from 3 to 4.

So, sleep well for the next 8 hours. grin lol

#15880 - 06/05/11 06:45 AM Re: MacDefender malware [Re: Hal Itosis]
jchuzi Offline


Registered: 08/04/09
Loc: New York State
_________________________
Jon

OS 10.14.5, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#16102 - 06/16/11 04:28 PM Re: MacDefender malware [Re: jchuzi]
Shefftini Offline


Registered: 08/22/09
There is a nice script out that will check the current status of XProtect, and if out of date allow you to force an update. No need to use Terminal or cycle the Automatically update safe downloads list pref.

For some folks that is necessary as there is a bug where some Macs refuse to daily update XProtect.

Here is the link to a description of Safe Download Version.

Top
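A status check of the kind described in the post above, as an added example that is not part of the original thread and is not the script Shefftini refers to. It reads the Version and LastModification keys shown earlier in the thread and keeps two clocks apart: when Apple published the definitions, and when the file was last rewritten on this Mac. The 24-hour threshold and treating the file's modification time as the last fetch time (based on artie505's observation after running XProtectUpdater) are assumptions.

```python
import os
import plistlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Path as posted in the thread (Mac OS X 10.6 layout).
META_PATH = ("/System/Library/CoreServices/CoreTypes.bundle/"
             "Contents/Resources/XProtect.meta.plist")

# Constructed sample with the same keys and values as the output posted above.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LastModification</key>
    <string>Fri, 03 Jun 2011 00:13:07 GMT</string>
    <key>Version</key>
    <integer>3</integer>
</dict>
</plist>
"""

def parse_meta(data):
    """Return (version, published_utc) from XProtect.meta.plist bytes."""
    meta = plistlib.loads(data)
    # LastModification is an RFC 2822 style date string, not a plist <date>.
    return int(meta["Version"]), parsedate_to_datetime(meta["LastModification"])

def status(data, fetched, now, max_age=timedelta(hours=24)):
    """Separate 'when Apple published' from 'when this Mac last fetched'."""
    version, published = parse_meta(data)
    return {
        "version": version,
        "published": published,
        "definitions_age": now - published,      # Apple's clock
        "since_last_fetch": now - fetched,       # this Mac's clock
        "fetch_overdue": now - fetched > max_age,
    }

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    if os.path.exists(META_PATH):
        with open(META_PATH, "rb") as fh:
            data = fh.read()
        fetched = datetime.fromtimestamp(os.path.getmtime(META_PATH), timezone.utc)
    else:  # not on such a Mac: fall back to the constructed sample
        data, fetched = SAMPLE_META, now
    for key, value in status(data, fetched, now).items():
        print(f"{key}: {value}")
```

A `fetch_overdue` result of True points at the daily-update bug mentioned above, while a large `definitions_age` with a recent fetch only means Apple has not published anything newer.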