
A Security Primer for Mac OS X

Use and Maintain Antivirus Software

Some Mac users unfortunately think that they do not need to worry about viruses since "there are no viruses for Mac OS X."

First of all, this is not entirely true: some macro viruses can travel cross-platform. However, even if it really were the case, you should still scan your computer regularly. That way, you will not only be able to stop PC viruses before you inadvertently forward them to your PC friends, but you will also be able to react very quickly in the event of a massive Mac-compatible infection.

Again, there are many anti-virus solutions out there, and many companies sell anti-virus software with more or less identical features. However, since many .Mac members will use Virex, this is the program I am going to focus on. If you already rely on another product, you should be able to adapt most of this advice.

The default Virex preferences are curiously set up, and you may want to change them a bit.

The first thing to do is to make sure that Virex performs an "advanced scan of applications and macros." Heuristic scanning attempts to recognize the characteristics of viruses in the files it scans, even if they are not listed in the virus definitions. This slows the scan down a bit but definitely provides an extra layer of security you shouldn't live without.

Of course, no anti-virus software, even with the best heuristic scanning capabilities, can protect you efficiently if you do not update your virus definitions. McAfee, like most anti-virus companies, updates its Mac definitions once a month--and, let's face it, this is not enough to stop PC or Unix viruses. If you are ready to use the Terminal, there is a way to update your definitions a lot more often. Here's how.

  1. Open Virex and click on the "Virus info" button located in the toolbar.
  2. This will open the Network Associates Virus Information Library in your default web browser.
  3. Using the navigation bar on the left, click on "Downloads".
  4. On the page that appears, click on "DATs".
  5. Then, click on "Weekly v.4.x (DAT only)".
  6. Click on the link next to "Unix".
  7. This will download a compressed file called dat-xxxx.tar to your desktop, which you should decompress.
  8. Now, open the Terminal application located in your "Utilities" folder and enter "cd [path to the folder]".
  9. Press return to execute the command.
  10. Enter this command: sudo cp *.dat /usr/local/vscanx and press return. You will be asked to type your administrator password--no feedback will appear on the screen while you type it--and to press return once again.
  11. You should now be able to quit and relaunch Virex to use the latest definitions. To make sure that the upgrade was successful, have a look at the "Results" field. It should state that your virus definitions have been updated recently.

Virex Command-Line Scanning

Note: This section assumes that you are comfortable with the Terminal.

Virex allows you to run a scan automatically each time you log in. This may be convenient for some users, but you may want to scan your hard drive at another time every day.

Ideally, you should scan your hard drive every day during your lunch hour: at that time, the computer is probably almost idle, so the scan will go more quickly and won't interfere with your daily routine.

Also, if Virex finds an infected file, you will be able to see it almost immediately and take the appropriate steps.

Since Mac OS X is a UNIX-based operating system, it allows you to automate tasks by using a built-in component called "cron". You will need to edit the system's cron file to automate Virex.

Since this file already contains some important system information, you may want to use caution while you edit it: you definitely don't want to disable the Mac OS X maintenance tasks.

Follow these steps carefully in your Terminal. In our example, the scan will run at 1 PM every day. Feel free to choose another hour, knowing that the fields of the line read, from left to right:

minutes	hours	day of the month	month	weekday

In the system crontab, these are followed by the user the command runs as (here, root) and then the command itself. A "*" means "any".
  1. Open the Terminal application located in your Utilities folder.
  2. Enter "cd /private/etc" to tell the Terminal to focus on the contents of the "etc" folder.
  3. Enter "sudo pico crontab" and enter your administrator password when prompted.
  4. Using the arrow keys on your keyboard, place the cursor below the last line of text.
  5. Enter the following line:

0      13       *       *       *       root    /usr/local/vscanx/vscanx -rv --secure / >/Applications/virexreport.txt

Note that the stars and numbers are separated by tabs, not by spaces. To check that the line has been entered correctly, make sure that it aligns perfectly with the ones already in the file.

Now, press Control-X to exit, then enter Y and press return to save the file to disk.

Every day at 1 PM, Virex will run in the background as root and scan your computer. Once it is done, it will create a text file containing the report in your Applications folder. Read it carefully every day to make sure that your system wasn't infected and to know what happened. Once you have read it, delete it. That way, if the next day the scan crashes and does not produce a report, you will notice instead of reading the old one and thinking that it is the latest status of your system!

Do Not Enable the Root User

Since the root user is, according to the Unix permission scheme, all-powerful, most attacks and exploits target it. Therefore, for security reasons, Apple has disabled it and only allows you to gain root privileges temporarily by entering your administrator password.

Some advanced Unix users may need to enable the root account to perform complex administrative tasks, but you should not do it, even if some tutorials suggest it. Doing so does not create a security issue in itself, but it makes breaking into your system much more rewarding!

To execute a command in the Terminal with root privileges temporarily, simply add "sudo" in front of any command you want to run with superuser privileges.

Some security tutorials even recommend that you create a second, non-administrator user account for your everyday work. If you feel comfortable doing it, it may indeed be a good idea. However, it can be a real issue for users who often install or compile applications on their Macs, since such operations require administrative privileges.

Going Further


Now that your computer is properly firewalled, you have solid anti-virus protection, and you use secure passwords, you have achieved a security level that every single Mac user--and every computer user in general--should at least have.

However, there are still ways to go a bit further without disturbing your workflow too much. If you are willing to have a look at a few other cool applications and technologies, here we go!

Use a Reverse Firewall

While you are using your Mac, many applications constantly try to access the Internet, either to get information or to send some. The problem is that some of them may, along the way, send details that you deem confidential--or be plain Trojan horses.

To avoid this, you can install a "reverse firewall" that monitors outgoing connections and gives you live alerts, allowing you to accept or deny each attempt.

Of course, such third-party products are not perfect: you have to trust their authors, and they too install kernel extensions to provide you with alerts.

However, the best of them can be a real help--give one a try and you will be surprised to see how many applications try to establish connections without your permission!

One application in this category that is widely known in the Mac community is Little Snitch--but it's not the only one and you may want to look at other options and their various feature sets first.

Before installing them, though, you should be aware that such products may sometimes interfere with Mac OS X itself--they can prevent fast user switching from working, for example. Luckily, since their authors are hard at work improving them, compatibility issues disappear pretty quickly.

On a more legal note, keep in mind that preventing some applications from connecting to their authors' site for registration and license control purposes may be unlawful in your country. You may want to check with your legal advisor or the authors of the application first.

Reverse firewalls are likely to generate many alerts when you first install them. You should take the time to fine-tune their rules to ensure maximum security. For example, allowing an application to establish "any connection" can be tempting but it entirely disables the protection that you could enjoy against this application--even if the application is trusted, remember that everything is hackable.

An important point to check is whether or not your reverse firewall can protect itself against malicious applications that would try to alter its database. Most of them won't have a very secure self-check system but you should make sure that there is one to increase your security.

Use a Tripwire-Like System

Let's say that someone has broken into your computer and has begun to alter various configuration files in order to use your computer as a base for his unlawful activities.

Luckily, there are some applications out there that can regularly calculate the checksum of your files (see the md5 information above) and compare it with a list of known-good checksums. Such a system can certainly be defeated by altering the reference database, but it provides you with an extra layer of security--and can be a real life saver under certain circumstances.

Brian Hill, author of the well-known BrickHouse, has released an application called "CheckMate" that works the same way and can check on a regular basis whether any of your system files--or data files of your choice--were altered without your consent.

Here is how to use this application.

  1. Download it from here.
  2. Launch the installer and read the information printed on the screen carefully. Do not install it system-wide but on a per-user basis: that way, the installer won't ask you for your password.
  3. To install CheckMate, click on the "Install" button--nothing groundbreaking, but there is a tip: you are likely to hear only the alert sound. This does not indicate an issue, and chances are that CheckMate has indeed been installed, even if no feedback is given.
  4. To set CheckMate up, open the "System Preferences" application and click on the "CheckMate" icon, located in the "Other" category.
  5. Once you have authenticated, set up the check schedule and your notification options. I would recommend avoiding mail notifications--unless you work remotely--but be sure to both log the result and display an alert dialog.
  6. In the Files tab, click on the "Update checksums" button: this will create a database of "considered-good" checksums. If a file were already corrupted, CheckMate would not notice the issue at this point. If you see files for which no checksum appears, this may mean that they no longer ship with Panther; simply remove them from the list. Add any files you deem important or that may hold critical data.
  7. You can now click on "Apply Settings" and exit CheckMate.
  8. To perform a test, reopen it and launch a manual scan by using the "Scan" tab. In my test, CheckMate sometimes ran into an infinite loop when multiple manual scans were performed in a row, but the application never had an issue with background scanning--and that's the important part.

To make sure that CheckMate runs normally, you can have a look at the system log, by using the "Console" utility.

The fact that an application like CheckMate reports an integrity check error does not necessarily mean that you have been hacked. Indeed, updating the prebinding of files--a task commonly performed by installers--can alter the checksum and cause an alert to appear.

Before worrying about an alert, you should always ask yourself whether there was a legitimate reason for the file to be modified.

There are many applications like CheckMate and each has its own strengths and weaknesses. By going through their respective feature sets, you will be able to find the one that best fits your needs. For example, do you need a GUI or do you prefer the Terminal? How secure should the application be? And how easy to use?
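If you prefer the Terminal, the checksum-database idea described above can be reproduced in a few lines of shell. The following is an added example, not code from CheckMate, Virex or the article: it records a known-good database of MD5 checksums and later reports which files were modified, added or removed, returning a non-zero status so that a cron job (like the Virex one above) can log the result. The database path and the directory to watch are arguments you choose; it assumes md5sum (Linux) or md5 (Mac OS X) is installed.

```shell
#!/bin/sh
# Added example (not CheckMate's or Virex's code): a minimal Tripwire-like check.
#   integrity.sh baseline <db> <dir>   record known-good checksums of <dir>
#   integrity.sh verify   <db> <dir>   list files modified/added/removed since
# Assumes md5sum (Linux) or md5 (Mac OS X); paths with tabs/newlines unsupported.

# Print only the MD5 hex digest of one file.
hash_file() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
  else md5 -q "$1"; fi
}

# Emit "hash<TAB>path" for every regular file under $1, sorted by path.
snapshot() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s\t%s\n' "$(hash_file "$f")" "$f"
  done
}

# Write the reference database ($1) for directory $2. Do this only while you
# still trust the files: a file already tampered with is recorded as "good".
baseline() { snapshot "$2" > "$1"; }

# Compare directory $2 with database $1. Prints one line per difference and
# returns 1 if anything differs, so a cron job can log or mail the result.
verify() {
  snapshot "$2" > "$1.now"
  awk -F'\t' -v db="$1" '
    FILENAME == db { known[$2] = $1; next }   # first file is the baseline
    {
      seen[$2] = 1
      if (!($2 in known))       { print "ADDED    " $2; bad = 1 }
      else if (known[$2] != $1) { print "MODIFIED " $2; bad = 1 }
    }
    END {
      for (p in known) if (!(p in seen)) { print "REMOVED  " p; bad = 1 }
      exit bad
    }' "$1" "$1.now"
  status=$?
  rm -f "$1.now"
  return $status
}

case $1 in
  baseline|verify) "$1" "$2" "$3" ;;
esac
```

Keep the database somewhere the watched files cannot overwrite it (a read-only volume or a separate machine), since, as noted above, the check is only as trustworthy as its reference database.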

Final Thoughts

Security is a never-ending quest but, thanks to Apple's attention to detail and commitment to security, we Mac users enjoy one of the most secure operating systems in the world. By following a few simple steps, we can go even further and make sure that even if the worst happens, we will remain safe and secure. By applying the same principles to online security as you would in real life, you can avoid many, if not most, issues. Have the right attitude, use the right tools, and you should be safe.

FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.
