Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 

#filecheckerd

is: an improvement to the built-in XProtect malware detection system included with Mac OS X.

because: after reading Sarah Edwards' excellent presentation on reverse-engineering Mac malware, I became aware of some very obvious shortcomings with XProtect.


###Specifics:

XProtect vs. filecheckerd

XProtect filecheckerd
only things downloaded via the quarantine API any new or changed files
only known Mac malware all known malware, irrespective of platform[1]
definitions irregularly updated definitions updated all the time (uses cymru.com API)
  • we live in a dual- (or multi-) boot world. To exclude Windows or Linux malware commits the same sort of error ("But the Mac is only 10% of the market!") that people previously used to justify igorning the Mac market. I personally railed against this kind of thinking for years. I used to make my living arguing the other side of that.

  • if you like filecheckerd, please, please consider using the link below to donate to the good folks at cymru.com, upon whose backend API this product relies.

Technical stuff

  • filecheckerd is a GCD-modified (that is, multi-threaded) version of Amit Singh's excellent /dev/fsevents code, with some additional bits thrown in.
    • any creation/change/touch/chmod/chown is a trigger
    • files with executable permissions or the "wrong" file extensions (exe, com, js, etc.) are hashed.
  • it also uses DiskAribtration to detect the mounting of volumes to /Volumes.
    • files on the newly mounted volume are then also recursively hashed.
  • hashes are dispatched to cymru.com's API; matches are quarantined in the currently logged-on user's .Trash folder.

Download

ideally, you'd get this from github, build it, and be on your way. if that's not your style, though, you can get it pre-built from me at http://www.gogg.in. eventually.

Issues

filecheckerd is Copyright 2014 Terence Goggin. Portions are Copyright Amit Singh.


[1] seriously. I tested by downloading conficker.

About

Improved malware detection for Mac OS X

Resources

Releases

No releases published

Packages

No packages published