<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Bites of Apple &#187; virus</title>
	<atom:link href="http://www.bitesofapple.com/tag/virus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bitesofapple.com</link>
	<description>Fruitful news for small business Apple users.       By Ron Seybold</description>
	<lastBuildDate>Thu, 22 Jul 2010 01:23:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Plodding shots bolster new VirusBarrier X6</title>
		<link>http://www.bitesofapple.com/2010/03/08/plodding-shots-bolster-new-virusbarrier-x6/</link>
		<comments>http://www.bitesofapple.com/2010/03/08/plodding-shots-bolster-new-virusbarrier-x6/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 00:11:24 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=466</guid>
		<description><![CDATA[You want your Mac security tools to behave like Columbo, or Inspector Plodder from the play Sleuth. Not the fastest of detectives, but one that will not miss a detail. So it goes with the newest VirusBarrier X6 anti-virus and firewall product from Intego. You can set it and go, but you might as well [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_469" class="wp-caption alignleft" style="width: 310px"><a href="http://www.bitesofapple.com/wp-content/uploads/2010/03/VB-X6-Overview.jpg"><img class="size-medium wp-image-469 " title="VB X6 Overview" src="http://www.bitesofapple.com/wp-content/uploads/2010/03/VB-X6-Overview-300x215.jpg" alt="" width="300" height="215" /></a><p class="wp-caption-text">Halfway into a million-file scan, it&#39;s another two-plus hours to a clean bill of health</p></div>
<p>You want your Mac security tools to behave like Columbo, or Inspector Plodder from the play <em>Sleuth</em>. Not the fastest of detectives, but one that will not miss a detail. So it goes with the newest <a href="http://blog.intego.com/2010/01/15/virusbarrier-x6-the-lowest-priced-mac-antivirus/" target="_blank">VirusBarrier X6</a> anti-virus and firewall product from Intego. You can set it and go, but you might as well go far away at first. Its initial inspections will take awhile.</p>
<p>On our 2.83 GHz iMac with 4GB of memory, that was more than four hours to do a full scan of our 150 GB of occupied hard disk. Full scan is a choice that the VirusBarrier setup prods you toward once you complete the easy install. Too bad that it&#8217;s so easy to send the tool into such thorough paces. VB X6 skips over the &#8220;check my malware file for updates&#8221; stop, so you notice that your file is &#8220;35 days out of date&#8221; amid a lengthy scan. We&#8217;d lead a user into NetUpdate, the VB checker for updated files, before starting a scan. This is also an &#8220;install and force a restart&#8221; program, not among our favorites.</p>
<p>A complete scan can be a once-in-a-great-while event, however. VB X6 has got one-off scan options for fresh files, or scan the folder, or whatever you want to drag onto the nifty interface. The inspector is thorough enough to try to catch malicious scripts, the latest ploy in penetrating your Mac&#8217;s defenses. We were glad to see attention paid to a very long list of intrusion techniques like this. Drive-by attacks come out of scripts. You have to hope the malware file gets freshened up plenty to believe VB gets the job done. There&#8217;s good reason to believe it&#8217;s about 30 days or so between updates.<span id="more-466"></span></p>
<p><strong>That&#8217;s because we&#8217;ve used</strong> the Intego products here since their V4 releases and watched NetUpdate finding fresh files at Intego HQ. VB X6 is one of those anti-virus products that arrives with 12 months of update subscriptions and collects a fresh $29.95 for the year that follows your first. By the time you&#8217;ve owned VB X6 for three years, you&#8217;ve bought the product twice. Of course, by 2013 there will be an X7, and you&#8217;ll have that year&#8217;s malware files included, if you buy it. (To recap: about $40 a year in cost of ownership, counting the updates, for Intego&#8217;s two-computer license.)</p>
<p>The genuine novelty of VirusBarrier comes from its extended controls over the Mac&#8217;s firewall. This was once called NetBarrier, just months ago, but now it&#8217;s included in the VB X6 package and called Network Protection. Intego used to charge $49.95 for NetBarrier all by itself. We know, because we bought it in December. By February Network Protection was included. While the upgrade to the X6 remains free until April for users who purchased late last year, if we&#8217;d waited two more months it would have been free and included.</p>
<p>We were not amused to learn that our X5 products that we&#8217;d bought in December got auto-updated to X6 during the install. If X6 had been a bust, we&#8217;d be reloading the older versions from a backup. How much nicer to leave an installed program alone and just load up a newer version.</p>
<p>The challenge in making firewall extenders like VB&#8217;s useful: You need to know your usual suspects when it comes to invasions of your Mac&#8217;s network. Intego does a much better job of explaining who to question than in previous releases in its online documentation. (Um, there are no docs if you can&#8217;t get online, like when you suspect an intrusion and want to pull your Web plug while you try to brace up your doors to the outside world.) The logs fill up with messages if you want to watch over Inspector Plodder&#8217;s shoulder and suggest a new line of questioning. Deciphering them is beyond the average user&#8217;s ken, but we&#8217;ve got security whiz Steve Hardwick to do our decoding. You may not be so lucky.</p>
<div id="attachment_473" class="wp-caption alignleft" style="width: 310px"><a href="http://www.bitesofapple.com/wp-content/uploads/2010/03/Net-Monitor.jpg"><img class="size-medium wp-image-473" title="Net Monitor" src="http://www.bitesofapple.com/wp-content/uploads/2010/03/Net-Monitor-300x216.jpg" alt="" width="300" height="216" /></a><p class="wp-caption-text">This simple animation of your firewall&#39;s settings are the most likely view that business users will take of VB&#39;s Network Protection</p></div>
<p>Of course, these worrisome cases of attack are the best reason to invest in a thorough and plodding tool for protection. A MacScan study of our full system was complete in less than half the time, so we&#8217;re puzzled about whether VB X6 is more thorough or just eager to look at every single file. It was a puzzle how to tell VB not to examine those packed up download files the Mac expands to install software, or skip the acres of system preferences and files that only Apple installs on your system. You can shorten the time VB spends with all of these, but not eliminate them.</p>
<p>That&#8217;s symptomatic of the program&#8217;s downside &#8212; the need to tinker with its settings to tune up security. You can accept the defaults to get going, and tell VB to do a complete scan regular-like via a calendar. But you&#8217;d want to do this overnights. A good alternative is to rely on the &#8220;Real-Time Scan&#8221; feature, since it chews on about 10 percent of your Mac&#8217;s power all the time anyway. Anti-virus tools become a bog sometimes, the tar pit that your Mac tries to climb above while it stays safe &#8212; something like body armor you can&#8217;t sprint in while you wear it around.</p>
<p>The Web has become a combat zone, a place where a business can see hours killed off after a virus infection or a network home invasion. Nothing&#8217;s perfect, but it looks like if you want a beefy utility belt of security tools, and have the patience, budget and know-how to use them, VirusBarrier X6 will track down files with a criminal intent, and bar the door to unwelcome users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/03/08/plodding-shots-bolster-new-virusbarrier-x6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What&#8217;s a Web drive-by attack?</title>
		<link>http://www.bitesofapple.com/2010/01/25/whats-a-web-drive-by-attack/</link>
		<comments>http://www.bitesofapple.com/2010/01/25/whats-a-web-drive-by-attack/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 17:10:38 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Admin-Upgrades]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=322</guid>
		<description><![CDATA[Editor&#8217;s Note: Our certified security expert Steve Hardwick reported on an insidious style of hacker attack, one that can infect Macs as well as the Windows world where he works every day. Here at Bites HQ we use the Intego Software suite (NetBarrier and VirusBarrier) for anti-virus protection. Intego just rolled out X6 versions to protect [...]]]></description>
			<content:encoded><![CDATA[<p><em>Editor&#8217;s Note: Our certified security expert Steve Hardwick reported on an insidious style of hacker attack, one that can infect Macs as well as the Windows world where he works every day. Here at Bites HQ we use the Intego Software suite (NetBarrier and VirusBarrier) for anti-virus protection. Intego just rolled out X6 versions to protect against newer-style attacks. We&#8217;ll see once we complete our testing what&#8217;s been added.</em></p>
<p><em> Meantime, be careful where you browse in the course of your business. Steve got attacked while shopping for business travel at Expedia. You should always look extra closely at any dialog box on the Mac that advises you to update for security reasons. Apple&#8217;s software will never use this language, just advise you of an available software update.</em></p>
<p><em><span style="font-style: normal;">By Steve Hardwick, CCISP<br />
</span></em></p>
<p><em><span style="font-style: normal;">Should you be worried about a Web drive-by attack? First off, what is it?</span></em></p>
<p>Most Internet users are not familiar with the concept of a Web drive-by attack. The one I recently encountered was scary because of its simplicity and how it preys on security fears. It also underlines how easy it is to create attacks that are targeted to specific operating systems. Mine took place in Windows, but it would be easy enough to target the Mac OS, too.</p>
<p>To be able to infect a computer in a drive-by, the hacker has to trick the end user into loading a piece of malicious code. In the past this was done using e-mail attachments and other applications that were used for file transfer. However there is a growing threat where your Web browser (Firefox, Safari) is used to trick you into downloading and running the virus code. Here is a walkthrough on what I recently encountered as it gives a good understanding of this type of attack. (For anyone who wants a much more in-depth explanation, <a href="http://www.viruslist.com/en/analysis?pubid=204792056#4" target="_blank">Virus List</a> is great site to visit.)</p>
<p>I was going to various sites, trusted sites that I have used in the past without any problems. As I arrived at Expedia.com, one of my favorite travel sites to look at air fares, the following screen popped up. When I saw it, my first thought was that I had a virus on my system.</p>
<p><a href="http://www.bitesofapple.com/wp-content/uploads/2010/01/VirusDriveby1.jpg"><img class="alignleft size-medium wp-image-324" title="VirusDriveby1" src="http://www.bitesofapple.com/wp-content/uploads/2010/01/VirusDriveby1-300x180.jpg" alt="" width="300" height="180" /></a>The screen displayed on top of the browser looked identical to the Microsoft Forefront Client Security interface, which is the antivirus software (A/V) installed on my PC. Even the progress bars moved on the display and the virus list was populated. To all intents and purposes it looked and felt like I had a bad case of several viruses on my system. After the virus list had been completed I got two more screens.</p>
<p><a href="http://www.bitesofapple.com/wp-content/uploads/2010/01/Virus-DriveBy2.jpg"><img class="alignleft size-medium wp-image-325" title="Virus DriveBy2" src="http://www.bitesofapple.com/wp-content/uploads/2010/01/Virus-DriveBy2-300x149.jpg" alt="" width="300" height="149" /></a>Fortunately I am well-versed in security products. As soon as I was asked to run a program outside of my A/V application the alarm bells started to ring. I also noticed that the file had been downloaded to my PC from a Web site I did not recognize. This is not usual behavior for an anti-virus program. So I decided to hit cancel. When I tried to close any screen I saw the screen above.</p>
<p>Now I was definitely concerned.</p>
<p><span id="more-322"></span><strong>I took a quick look</strong> at my process monitor and I saw there were three browser windows open. Each one of these two new “Windows” screens was a Web page. Plus the warning message was also a Web page. This told me that my antivirus was not sending these messages. They were specially-constructed Web pages. I looked at the “Forefront” page and got the source URL. Then I took a quick visit to <a href="http://www.samspade.org" target="_blank">www.samspade.org</a> and found out that this was a site out in France and not a site that I knew to be good. So I now knew it had nothing to do with the travel site I had gone to, or Microsoft Forefront. To stop this whole chain of events I had to shut down the browser application using my process monitor. (On the Mac, you’d do a Force Quit from the Apple menu, and you should.)</p>
<p>So how did this happen? Some technical details follow.</p>
<p>First the hacker constructed a simple set of Web pages to emulate ForeFront and trick the user into downloading a virus program. The virus program was automatically downloaded as soon as the “Forefront” page came up. Once the user clicks OK to run the bogus “clean up” file the virus is installed and the hacker is in business.</p>
<p>The next thing is to load the Web pages and the virus on a Web site. In this case it was n6-scanner.com. It would take some skill to bypass the Web site security and load it, but on the whole this can be relatively easy to do. Web sites can be a very fertile ground for unpatched operating systems. (Ed. note: A very good reason to update the Mac OS with Security Updates — if only Apple would supply them sooner.) The hacker’s last step, the hard part, is to get you to go to a second Web site to load the code to direct the end user to the target site. This can be a simple HTML redirect, or a more sophisticated script line of code. The attack works best if this is a well-visited site, which is why it is harder. Once this last step is completed the hacker&#8217;s work is done. Just wait for the virus to distribute and take effect.</p>
<p><strong>Why is this a very dangerous attack?</strong></p>
<p>Well, the first reason is that it is relying on end user behavior. As soon as the user sees that there is a virus reported on their machine their first instinct is to get rid of it. The thought that the screen they are seeing is not the antivirus software is not immediately obvious. Most Windows users are now used to seeing virus attacks and want to get them off their system as soon as possible. Consequently many would click straight through these bogus screens without a second thought.</p>
<p>Next, the attack had bypassed the antivirus system. Hopefully, the A/V would have thrown something up after the viral payload was executed, but it may not have. The effectiveness of the A/V is only as good as the last update. So if it is a recent virus, and the user had not updated their A/V definitions, then anything could happen.</p>
<p>The Web pages can be tailored to specific operating systems. In my case I saw a Windows based application. Your machine will send a lot of information back to the Web server about what you are using. If you want to see what you are sending out, go to Shields Up on https://www.grc.com and run the Browser Headers check. You may also want to run some of the other tests just to see how secure you are. So it would be fairly easy to construct an attack that was designed to attack a Mac-based system — that is, to switch the screen the user viewed and the downloaded payload. This is what came back on my system.</p>
<p>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.33 Safari/532.0</p>
<p>Finally, the Web pages and the launching script can be placed on multiple Web sites. The attack codes can be put on different sites too &#8211; they do not need to be collocated on one site. The launch code can be added to multiple Web pages on a single site. So a Web page on a trusted site can get infected. One day the site is safe, the next it is infected.</p>
<p><strong>What you can do to protect against this type of attack</strong></p>
<p>Many users are not familiar with their antivirus software. Take a quick look at your software’s manual (I know, that sounds unpleasant).</p>
<p>• Find out what your A/V software does should it hit a virus: what messages it displays and what operations it will take to quarantine and remove any viruses it finds.</p>
<p>• Take a careful look at ANY program that is launched on your system from a Web visit. Make sure you know where it came from. If in doubt, do a quick Web search on the file name. In many cases this kind of program contains a virus payload. In some cases, especially a drive-by, the file name may be automatically generated. You will have to rely on looking up the URL of the source site. Sam Spade is a great site to get information on who owns the Web site.</p>
<p>• A great fundamental protection is to add another user account on your system, even if you’re the only user of your Mac. Your first is an administrative account and the other is a user account with no administrative rights. The second account is the one that you use most of the time. It does not have rights to install new programs. This may block this type of attack and stop the program load. The administrative account would be used when you want to load a safe application.</p>
<p>• Lastly, you can add a security scanner to your browser to detect dangerous sites. Firefox checks for these, working from a list of known dirty sites. Google’s Chrome, when it is released for the Mac, will have this capability, too.</p>
<p><em><span style="font-size: 14px;">Steve Hardwick has over 10 years of information security experience. He has worked with different environments from military customers, financial institutions, healthcare organizations and Fortune 1000 companies, as well as conducting security assessments for large and small corporations. He is currently Partner Manager at <a href="http://www.mobilearmor.com" target="_blank">Mobile Armor Inc</a>. providing cost effective solutions for securing and protecting mobile data.</span></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2010/01/25/whats-a-web-drive-by-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Work Windows in Parallel Security</title>
		<link>http://www.bitesofapple.com/2009/12/26/work-windows-in-parallel-security/</link>
		<comments>http://www.bitesofapple.com/2009/12/26/work-windows-in-parallel-security/#comments</comments>
		<pubDate>Sun, 27 Dec 2009 02:07:00 +0000</pubDate>
		<dc:creator>Ron Seybold</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Fusion]]></category>
		<category><![CDATA[Parallels]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.bitesofapple.com/?p=266</guid>
		<description><![CDATA[Using Windows software on a Mac is as simple as installing one of three tools: Nova Development&#8217;s Parallels, VMWare&#8217;s Fusion, or Apple&#8217;s Boot Camp. But of these three, only Parallels and Fusion supply the essential anti-viral component that every Windows installation requires. This month I&#8217;ve installed the latest Version 5 of Parallels, as well as [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.bitesofapple.com/wp-content/uploads/2009/12/ClamXavIcon.jpg"><img class="alignleft size-full wp-image-267" title="ClamXavIcon" src="http://www.bitesofapple.com/wp-content/uploads/2009/12/ClamXavIcon.jpg" alt="" width="103" height="100" /></a>Using Windows software on a Mac is as simple as installing one of three tools: Nova Development&#8217;s Parallels, VMWare&#8217;s Fusion, or Apple&#8217;s Boot Camp. But of these three, only Parallels and Fusion supply the essential anti-viral component that every Windows installation requires.</p>
<p>This month I&#8217;ve installed the latest Version 5 of Parallels, as well as a trial copy of Fusion 3, on the Mac I use as a test system. (It&#8217;s a Mini with 3GB of memory, one that accesses the Internet through a wireless network port, since the Mini comes with a built-in Airport card. The 3GB is essential, since these Windows emulators suck up memory.) I can report the Fusion installation is smoother and tinkers less with a Mac&#8217;s user environment. Fusion uses McAfee anti-virus software, quite the brand name among Windows users. Parallels relies on the Kaspersky Anti-Virus suite. Parallels seems to offer a half-dozen ways of using Windows alongside your Mac environment, but this sleight of hand goes so far as to install folders on your Dock to speed up access to Windows programs. This trick erased a couple of useful Dock icons for my databases on the Mac side, demonstrating that Parallels Version 5 is like so many other versions of the software: buggy, with lots of fixes (long downloads) needed for stability.</p>
<p>Another thing that gets tricky about using these products is the constant updating that Windows users endure. Microsoft seems to add patches on a weekly basis to Windows (I use XP Home, very affordable) &#8212; so if your Windows use is infrequent, every startup of these environments will include downloads and restarts to get Windows into a secure state.</p>
<p>The anti-viral tools need their own updates religiously, too. This is a separate set of updates. In my tests I&#8217;ve found there&#8217;s an order to be recognized here: get the anti-virals updated first, even though Windows will ask you to restart itself before the anti-virals get their updates downloaded.</p>
<p>The process of running Windows on a Mac, essential for any programs you may need for your business that don&#8217;t have Mac versions, is an eye-opener about security. Don&#8217;t believe the Apple commercials about viruses, no matter how entertaining they are: Macs run on a variant of Unix, an operating system with plenty of security holes. Visiting the Windows world with Parallels or Fusion makes you aware how lucky we Mac users are, simply because there are fewer of us. We present a smaller target to the virus hackers, so we enjoy Security by Obscurity.<span id="more-266"></span></p>
<p><strong>While there isn&#8217;t a wave of religion</strong> about security on the Mac yet, spyware and bot-ware can infect a system in surprising ways. Javascript, which drives so many Web sites, has become the most popular culprit. A simple visit to a popular Web site like Expedia for travel arrangements can get you infected. There are a handful of good Mac security tools to ensure that if anything jumps from your Windows environment to the Mac, you will know you&#8217;re being infected. Eradicating the dirty work is another matter.</p>
<p><a href="http://www.clamxav.com" target="_blank">ClamXav</a> is a freeware viral solution for the Macs. You can download it and update its databases &#8212; the signatures of known viruses &#8212; but you&#8217;re relying on volunteer efforts to stay secure. Probably not the best choice for a business Mac user.</p>
<p><a href="http://www.intego.com/" target="_blank">Intego Software</a> sells Virus Barrier and NetBarrier software, at about $50 each, to cover both the gateways into your Mac (NetBarrier) and neutralizing the viruses and malware that might get inside. On that latter task, Intego also offers a new, standalone tool, Washing Machine. This program, included with NetBarrier X5, erases data that Web browsers store automatically &#8212; so hackers have less chance of infecting your system.</p>
<blockquote><p>Washing Machine can clean five types of items: Bookmarks, Caches, Cookies, Download Histories, and Browsing Histories. It works with most web browsers, and many utilities or other programs that store information behind your back. It even cleans up after some programs that you would never think are storing data. But Washing Machine knows about them, and is ready to clean up after them.</p></blockquote>
<p>There&#8217;s also a fine security suite that controls the power of the Mac&#8217;s built-in firewall. <a href="http://www.opendoor.com/doorstopsuite/" target="_blank">DoorStop X Security Suite</a> is $79 and even includes a comprehensive instruction manual about security for the Mac. Things are safer on a Mac than on a Windows system, but on the doorstep of 2010 it&#8217;s folly to think anybody can surf and work securely without some of this help. At the least, download and use ClamXav. Cleaning up a hack will cost you more lost time than buying all of these tools together.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bitesofapple.com/2009/12/26/work-windows-in-parallel-security/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
