
Apple isn't sharing malware definitions with third-party antivirus firms, new analysis suggests

A fresh look at malware intended to spy on people in the Middle East indicates that Apple isn't sharing definitions of existing threats with third-party antivirus (AV) companies, at least not consistently.

In publishing an analysis of "Meeting_Agenda.zip," a file containing the malware, Mac security specialist Patrick Wardle noted that only two antivirus providers, Kaspersky and ZoneAlarm, were able to properly flag it. Searching for related files on VirusTotal — a site commonly used by security professionals — Wardle uncovered four more, but three weren't detected by any AV platforms and the last was caught by just two.

"The fact that the signing certificate(s) of all the samples are revoked (CSSMERR_TP_CERT_REVOKED) means that Apple knows about this certificate... and thus surely this malware as well...yet the majority of the samples (3, of 4) are detected by zero anti-virus engines on VirusTotal," Wardle wrote.

Based on this, it appears that Apple isn't sharing threat data in line with standard industry practice. macOS has had its own anti-malware defenses since an update to 2009's Snow Leopard, but providing definitions to third parties increases the chances of catching and killing malicious code before it spreads.
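The observation Wardle relies on is that Apple has revoked the signing certificates of every sample, which `codesign` reports as CSSMERR_TP_CERT_REVOKED. A defender handed a folder of suspicious Mac binaries can reproduce that check and group the files by their signing identity, which is how related samples sharing one revoked certificate surface. The script below is an added example, not code from the article or from Wardle's write-up; it assumes the `codesign` output formats described in its comments, and the sample directory is whatever the analyst supplies.

```shell
#!/bin/sh
# Added triage helper (not code from the article or from Wardle's write-up).
# For each file in a directory it runs codesign, classifies the verification
# result, and records the leaf signing authority so samples that share one
# revoked certificate can be grouped.
# Assumptions: `codesign --verify --verbose=2` reports "<path>: valid on disk",
# "<path>: CSSMERR_TP_CERT_REVOKED" or "<path>: code object is not signed at all",
# and `codesign -dvv` prints "Authority=<name>" lines with the leaf certificate first.

# classify_codesign_output VERIFY_TEXT -> revoked | unsigned | valid | invalid
classify_codesign_output() {
    case "$1" in
        *CSSMERR_TP_CERT_REVOKED*)  echo revoked ;;
        *"not signed at all"*)      echo unsigned ;;
        *"valid on disk"*)          echo valid ;;
        *)                          echo invalid ;;
    esac
}

# leaf_authority DISPLAY_TEXT -> value of the first "Authority=" line, or "none"
leaf_authority() {
    a=$(printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1)
    if [ -n "$a" ]; then echo "$a"; else echo none; fi
}

# verify_sample PATH -> "<class>|<leaf authority>"  (needs macOS codesign)
verify_sample() {
    v=$(codesign --verify --deep --strict --verbose=2 "$1" 2>&1)
    d=$(codesign -dvv "$1" 2>&1)
    echo "$(classify_codesign_output "$v")|$(leaf_authority "$d")"
}

# triage_dir DIR: one line per sample, then a count of revoked-signer samples
triage_dir() {
    revoked=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        r=$(verify_sample "$f")
        echo "${r%%|*}  $f  signer=${r#*|}"
        if [ "${r%%|*}" = revoked ]; then revoked=$((revoked + 1)); fi
    done
    echo "samples whose signer Apple has revoked: $revoked"
}

# Usage: sh triage.sh /path/to/samples   (with no argument nothing is run)
if [ -n "${1:-}" ]; then triage_dir "$1"; fi
```

The classification and the authority parsing are kept separate from the `codesign` invocation so they can be exercised on saved output from another machine; a sample that classifies as `revoked` is one Apple already knows about, which is exactly the gap between Apple's knowledge and the VirusTotal detection rate that the article describes.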

The malware analyzed by Wardle is now neutered, Ars Technica noted: even if a Mac is infected, the control servers the software tries to reach are no longer online. When it was active, it would attempt to bypass macOS defenses to steal documents or screenshots on behalf of a group known as Windshift.

14 Comments

EsquireCats 1268 comments · 8 Years

On a slight tangent: if all of this information is public and mainstream enough to be written up by Forbes, then why do all of these anti-virus companies suck so badly?

Go figure Apple rolled their own.

lenn 36 comments · 6 Years

Of course. Apple gets their panties in a twist when someone doesn't tell them about a vulnerability in their stuff but they act in the same way when they find something.

christopher126 4366 comments · 16 Years

Apple is in the process of producing an "iLife"-like suite of applications that will safeguard against malware and viruses, create strong passwords, and handle all the other crap that is on the internet.

For iOS 13 and macOS 'Bakersfield', all Apple products will be anonymous to miscreants including Google, Facebook, Twitter and all third-party apps that harvest data! :)

You heard it here first! :)

Best.

lowededwookie 1175 comments · 16 Years

lenn said:
Of course. Apple gets their panties in a twist when someone doesn't tell them about a vulnerability in their stuff but they act in the same way when they find something.

There's a difference between finding an OS level exploit and a software level exploit. OS controls everything and so it's in Apple's best interest to want to find these vulnerabilities from every level.

This article proves well and truly why we shouldn't buy virus checkers. In fact, the number one thing I tell people who buy Windows machines is to uninstall the third-party virus checker installed on their new machines, because A) they'll kill the machine when their licence has expired (dick move, virus checker manufacturers; why the hell kill the freaking printer, ball bags?) and B) they're not even needed when the ones built into the OS are actually great, don't suck the life out of the machine, and don't nag you all the time either.

I'm glad Apple doesn't share, because there should be no virus checking software on a Mac. Who cares if we share viruses with Windows? It's their own stupid fault for buying a Windows machine in the first place.

riverko 247 comments · 9 Years

This article proves well and truly why we shouldn't buy virus checkers.

And someone is still buying something that he can get in a basic version (and, from my experience, a very well working one) for free?