Does anyone know a good command line malware/antivirus checker for Mac? (Paid is fine.) I do not want the antivirus to run in the background continuously (which affects performance) yet want to have ability to run nightly scans to ensure that the machine is not infected.<p>Almost all traditional antivirus products want to deeply integrate with the system and affect the performance a lot. Also some of these companies are know to make questionable decisions like trying to intercept HTTPS communication, etc.
Is there a good on-demand antivirus for Mac?<p>The only two I know of is Malwarebytes and Kaspersky.<p>The former installs with root privileges, runs on boot and cannot be ever closed, despite the fact that it is only an on-demand scanner. I've written to them to request an explanation, and did not get any response.<p>Kaspersky has had a fair share of rumors against it, and I am not in a position to evaluate if they are trustworthy.
Reminds me of the "Induc" virus.<p>This virus infected Delphi installations, injecting its code and compiling it into a system library. All programs using the infected library contained the virus, including some popular ones.<p>Because they came straight from the developer, and the virus didn't do anything unless you had Delphi installed they were often considered false positive when they weren't. Originally, it had no malicious payload beside its replication mechanism.
> Affected developers will unwittingly distribute the malicious trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files.<p>To understand why this happens, it's important to know how massive a typical .pbxproj file looks:<p><a href="https://opensource.apple.com/source/CommonCrypto/CommonCrypto-24911/CommonCrypto.xcode/project.pbxproj.auto.html" rel="nofollow">https://opensource.apple.com/source/CommonCrypto/CommonCrypt...</a><p>Ostensibly it's human-readable, but because it's generated by Xcode and filled with inscrutable UUIDs, people treat it like a binary file, and they're trained to do so:<p><a href="https://stackoverflow.com/questions/2004135/how-to-merge-conflicts-file-project-pbxproj-in-xcode-use-svn/2007358" rel="nofollow">https://stackoverflow.com/questions/2004135/how-to-merge-con...</a><p>Even the React Native team apparently allowed the file to be treated as non-diffable for some time: <a href="https://github.com/facebook/react-native/pull/11047" rel="nofollow">https://github.com/facebook/react-native/pull/11047</a><p>And note the large number of commits on all types of projects that essentially say "whoops forgot to update pbxproj" - there are likely far more. <a href="https://github.com/search?q=update+pbxproj&type=Commits" rel="nofollow">https://github.com/search?q=update+pbxproj&type=Commits</a><p>So why does this matter? Because the brilliance of this attack is how it "jumps the blood-brain barrier" between a developer's machine and their canonical codebase. Usually, code review and auditing of what goes into a commit prevents this kind of attack from leaping to VCS. But Apple makes the pbxproj so inscrutable, and does such a good job at hiding all its complexity behind (usually well-designed) wizards and dropdown menus, that people take it for granted. If code shows up there, people <i>believe Apple intended that to be the case</i> even if, say, your last commit was a small change in Interface Builder (or whatever they call it nowadays). Your code reviewer might just skip the file entirely, because they've been trained to expect the same.<p>And that's scary.<p>At the end of the day, this is just another way of exploiting the lack of a mature and centralized CI ecosystem in the modern package distribution world. There's no organization running a security-minded linter on pbxproj files as a general rule. But, then again, there doesn't need to be a linter on package.json or project.clj or Makefiles because there was never a history of hiding complexity - if that file changes, you'd better darn well know what you're doing. What we have here is a perfect storm of move-fast-break-things package management, a file designed to slip through code reviews, and a pretty creatively designed malware payload.<p>EDIT: Perhaps another way to look at it is that having one file responsible for both compilation <i>logic</i> and non-compilation-related IDE-specific <i>file status</i> can be problematic. It's like your Makefile also needs to be your .gitignore-but-only-top-level-is-allowed-and-all-files-need-to-be-whitelisted. Of course, this is very much an Apple thing to do.
Wow, the way it spreads is fascinating, reminiscent of Reflections on Trusting Trust.<p>I'm a bit confused about<p>>two zero-day exploits: one is used to steal cookies via a flaw in the behavior of Data Vaults, another is used to abuse the development version of Safari.<p>Malware on the local machine can steal data from Safari on the local machine. Is that a surprise? Does Safari have a threat model that it intends to protect against locally running malware?
For those curious, the two Xcode projects they found infected on Github were:<p><pre><code> ragulSimpragma/twitterTask
yimao009/MVC-MVP-MVVM
</code></pre>
Fortunately they look like personal projects so the spread seems minimal so far.