# filecheckerd

is: an improvement to the built-in XProtect malware detection system included with Mac OS X.

because: after reading Sarah Edwards' excellent presentation on reverse-engineering Mac malware, I became aware of some very obvious shortcomings with XProtect.


### Specifics:

XProtect vs. filecheckerd

| XProtect | filecheckerd |
| --- | --- |
| only things downloaded via the quarantine API | any new or changed files |
| only known Mac malware | all known malware, irrespective of platform[1] |
| definitions irregularly updated | definitions updated all the time (uses cymru.com API) |
  • we live in a dual- (or multi-) boot world. To exclude Windows or Linux malware commits the same sort of error ("But the Mac is only 10% of the market!") that people previously used to justify ignoring the Mac market. I personally railed against this kind of thinking for years. I used to make my living arguing the other side of that.

  • if you like filecheckerd, please, please consider using the link below to donate to the good folks at cymru.com, upon whose backend API this product relies.

Technical stuff

  • filecheckerd is a GCD-modified (that is, multi-threaded) version of Amit Singh's excellent /dev/fsevents code, with some additional bits thrown in.
    • any creation/change/touch/chmod/chown is a trigger
    • files with executable permissions or the "wrong" file extensions (exe, com, js, etc.) are hashed.
  • it also uses DiskArbitration to detect the mounting of volumes to /Volumes.
    • files on the newly mounted volume are then also recursively hashed.
  • hashes are dispatched to cymru.com's API; matches are quarantined in the currently logged-on user's .Trash folder.
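As an added illustration of the pipeline just described (not the project's own code, which is C on top of /dev/fsevents and GCD), the Python below sketches the trigger filter, hashing, registry lookup and quarantine steps. The extension list beyond exe/com/js, the DNS name form and TXT answer format for Team Cymru's Malware Hash Registry, and the stubbed offline lookup are all assumptions made for the example.

```python
import hashlib, os, shutil, stat, tempfile
from pathlib import Path

SUSPECT_EXTENSIONS = {".exe", ".com", ".js", ".scr", ".bat", ".vbs", ".dll"}  # exe/com/js from README; rest assumed

def should_hash(path: str) -> bool:
    """Trigger rule: a regular file with any executable bit set, or a suspect extension."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (bool(st.st_mode & 0o111) or Path(path).suffix.lower() in SUSPECT_EXTENSIONS)

def hash_file(path: str) -> str:
    """SHA-1 of the file contents (the registry accepts MD5 or SHA-1 lookups)."""
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()

def mhr_query_name(digest: str) -> str:
    """DNS name whose TXT record the Team Cymru Malware Hash Registry answers (assumed interface)."""
    return f"{digest.lower()}.malware.hash.cymru.com"

def parse_mhr_txt(txt):
    """TXT data is '<last-seen epoch> <AV detection %>'; NXDOMAIN (None) means not listed."""
    if txt is None:
        return None
    last_seen, rate = txt.strip().strip('"').split()
    return int(last_seen), int(rate)

def quarantine(path: str, trash_dir: str) -> str:
    """Move a match into the trash directory without clobbering an existing entry."""
    os.makedirs(trash_dir, exist_ok=True)
    src, dest, n = Path(path), Path(trash_dir) / Path(path).name, 1
    while dest.exists():
        dest, n = dest.with_name(f"{src.stem}.{n}{src.suffix}"), n + 1
    shutil.move(str(src), str(dest))
    return str(dest)

def check_file(path: str, lookup, trash_dir: str) -> str:
    """filter -> hash -> registry lookup -> quarantine; `lookup(name)` returns TXT data or None."""
    if not should_hash(path):
        return "skipped"
    hit = parse_mhr_txt(lookup(mhr_query_name(hash_file(path))))
    return "not-listed" if hit is None else "quarantined:" + quarantine(path, trash_dir)

def demo() -> dict:
    """Constructed sample: a fake .exe the stubbed registry 'knows' and a harmless .txt."""
    root = tempfile.mkdtemp(); trash = os.path.join(root, ".Trash")
    bad, good = os.path.join(root, "dropper.exe"), os.path.join(root, "notes.txt")
    Path(bad).write_bytes(b"MZ constructed sample"); Path(good).write_bytes(b"hello")
    known = mhr_query_name(hash_file(bad))
    stub = lambda name: "1221154281 53" if name == known else None  # offline stand-in for DNS
    return {"bad": check_file(bad, stub, trash), "good": check_file(good, stub, trash),
            "bad_moved": not os.path.exists(bad)}
```

In the real daemon the stub would be replaced by a TXT resolution of the name, and the trash directory would be the logged-on user's ~/.Trash.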

Download

ideally, you'd get this from github, build it, and be on your way. if that's not your style, though, you can get it pre-built from me at http://www.gogg.in. eventually.

Issues

filecheckerd is Copyright 2014 Terence Goggin. Portions are Copyright Amit Singh.


[1] seriously. I tested by downloading conficker.

About

Improved malware detection for Mac OS X
