Improved malware detection for Mac OS X
Repository files:

  • filecheckerd.xcodeproj
  • filecheckerd
  • .gitignore
  • Info.plist
  • README.md
  • in.gogg.filecheckerd.plist

# filecheckerd

is: an improvement to the built-in XProtect malware detection system included with Mac OS X.

because: after reading Sarah Edwards' excellent presentation on reverse-engineering Mac malware, I became aware of some very obvious shortcomings with XProtect.


### Specifics:

XProtect vs. filecheckerd

| XProtect | filecheckerd |
| --- | --- |
| only things downloaded via the quarantine API | any new or changed files |
| only known Mac malware | all known malware, irrespective of platform[1] |
| definitions irregularly updated | definitions updated all the time (uses cymru.com API) |
  • we live in a dual- (or multi-) boot world. To exclude Windows or Linux malware commits the same sort of error ("But the Mac is only 10% of the market!") that people previously used to justify ignoring the Mac market. I personally railed against this kind of thinking for years. I used to make my living arguing the other side of that.

  • if you like filecheckerd, please, please consider using the link below to donate to the good folks at cymru.com, upon whose backend API this product relies.

Technical stuff

  • filecheckerd is a GCD-modified (that is, multi-threaded) version of Amit Singh's excellent /dev/fsevents code, with some additional bits thrown in.
    • any creation/change/touch/chmod/chown is a trigger
    • files with executable permissions or the "wrong" file extensions (exe, com, js, etc.) are hashed.
  • it also uses DiskArbitration to detect the mounting of volumes to /Volumes.
    • files on the newly mounted volume are then also recursively hashed.
  • hashes are dispatched to cymru.com's API; matches are quarantined in the currently logged-on user's .Trash folder.
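The pipeline described in the list above (pick files worth hashing, hash them, ask the Team Cymru hash registry, quarantine hits) as an added Python example, not code from the filecheckerd project itself. It assumes the "cymru.com API" is the Malware Hash Registry's DNS interface (a TXT lookup of `<md5>.malware.hash.cymru.com`, answered as `<unix timestamp> <detection percentage>`), and it replaces the live DNS query with an injected `lookup` function plus a constructed one-entry "registry" so the whole thing runs offline; the extension list beyond exe/com/js and the quarantine folder are assumptions as well.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Extensions treated as executable content regardless of permission bits.
# The README names exe, com and js; the rest of this set is an assumption.
SUSPECT_EXTENSIONS = {".exe", ".com", ".js", ".scr", ".dll", ".bat", ".vbs", ".jar"}


def is_candidate(path):
    """True if a file should be hashed: any execute bit set, or a suspect extension."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False  # the trigger fired, but the file is already gone
    if not stat.S_ISREG(st.st_mode):
        return False  # skip directories, symlinks, devices
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    return Path(path).suffix.lower() in SUSPECT_EXTENSIONS


def md5_of(path, chunk=1 << 20):
    """Stream the file through MD5 so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def mhr_query_name(md5_hex):
    """DNS name for a Malware Hash Registry TXT lookup (assumed interface)."""
    return f"{md5_hex.lower()}.malware.hash.cymru.com"


def parse_mhr_txt(txt):
    """Parse an MHR TXT answer '<unix_ts> <detection_pct>' into (ts, pct); None = no record."""
    if txt is None:
        return None
    parts = txt.split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        return None
    return int(parts[0]), int(parts[1])


def quarantine(path, trash_dir):
    """Move a matched file into the quarantine folder without clobbering an earlier capture."""
    trash_dir = Path(trash_dir)
    trash_dir.mkdir(parents=True, exist_ok=True)
    src = Path(path)
    dest = trash_dir / src.name
    n = 1
    while dest.exists():
        dest = trash_dir / f"{src.stem}.{n}{src.suffix}"
        n += 1
    shutil.move(str(src), str(dest))
    return dest


def scan_tree(root, lookup, trash_dir):
    """Recursively hash candidate files under root (what the daemon does after a mount)
    and quarantine those the registry reports. `lookup(md5)` returns the TXT string
    or None and stands in for the real DNS query."""
    quarantined = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if not is_candidate(p):
                continue
            if parse_mhr_txt(lookup(md5_of(p))):
                quarantined.append((p, str(quarantine(p, trash_dir))))
    return quarantined


def demo():
    """Constructed fixture: a text file (ignored), a chmod +x script (hashed, clean)
    and a nested .exe (hashed, listed in the fake registry, quarantined)."""
    root = tempfile.mkdtemp(prefix="fcd_root_")
    trash = tempfile.mkdtemp(prefix="fcd_trash_")  # stands in for ~/.Trash
    Path(root, "notes.txt").write_bytes(b"just text")
    tool = Path(root, "tool.sh")
    tool.write_bytes(b"#!/bin/sh\necho ok\n")
    tool.chmod(0o755)
    bad = Path(root, "sub", "dropper.exe")
    bad.parent.mkdir()
    bad.write_bytes(b"MZ constructed sample, not real malware")
    known_bad = {md5_of(bad)}  # constructed one-entry "registry"

    def fake_lookup(md5):
        return "1389000000 73" if md5 in known_bad else None

    hits = scan_tree(root, fake_lookup, trash)
    return {
        "hits": hits,
        "source_gone": all(not os.path.exists(src) for src, _ in hits),
        "in_trash": all(os.path.exists(dst) for _, dst in hits),
    }


if __name__ == "__main__":
    print(demo())
```

The real daemon is event-driven (fsevents and DiskArbitration callbacks feed paths into the same hash-and-check step), whereas `scan_tree` only shows the recursive walk that runs after a mount; the per-file logic is identical for both paths.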

Download

ideally, you'd get this from github, build it, and be on your way. if that's not your style, though, you can get it pre-built from me at http://www.gogg.in. eventually.

Issues

filecheckerd is Copyright 2014 Terence Goggin. Portions are Copyright Amit Singh.


[1] seriously. I tested by downloading conficker.
