# filecheckerd
is: an improvement to the built-in XProtect malware detection system included with Mac OS X.
because: after reading Sarah Edwards' excellent presentation on reverse-engineering Mac malware, I became aware of some very obvious shortcomings with XProtect.
### Specifics:
| XProtect | filecheckerd |
|---|---|
| only things downloaded via the quarantine API | any new or changed files |
| only known Mac malware | all known malware, irrespective of platform[1] |
| definitions irregularly updated | definitions updated all the time (uses cymru.com API) |
- we live in a dual- (or multi-) boot world. To exclude Windows or Linux malware commits the same sort of error ("But the Mac is only 10% of the market!") that people previously used to justify ignoring the Mac market. I personally railed against this kind of thinking for years. I used to make my living arguing the other side of that.
- if you like filecheckerd, please, please consider using the link below to donate to the good folks at cymru.com, upon whose backend API this product relies.
- filecheckerd is a GCD-modified (that is, multi-threaded) version of Amit Singh's excellent /dev/fsevents code, with some additional bits thrown in.
- any creation/change/touch/chmod/chown is a trigger
- files with executable permissions or the "wrong" file extensions (exe, com, js, etc.) are hashed.
- it also uses DiskArbitration to detect the mounting of volumes to /Volumes.
- files on the newly mounted volume are then also recursively hashed.
- hashes are dispatched to cymru.com's API; matches are quarantined in the currently logged-on user's .Trash folder.
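The pipeline described in the bullets above (trigger rule, hash, cymru.com lookup, quarantine) as an added, self-contained Python example; this is not filecheckerd's own code, which is C built on /dev/fsevents. It assumes the cymru.com API is the Team Cymru Malware Hash Registry DNS interface (`<md5>.malware.hash.cymru.com` TXT records), uses a fake resolver and constructed files so it runs offline, and the extension list beyond exe/com/js is my assumption.

```python
import hashlib
import os
import shutil
import tempfile

# "Wrong" extensions for a Mac: README names exe, com, js; the extra ones are my assumption.
SUSPECT_EXTENSIONS = {".exe", ".com", ".js", ".scr", ".bat", ".vbs"}

def should_hash(path):
    """README trigger rule: any executable permission bit, or a suspect extension."""
    if os.stat(path).st_mode & 0o111:
        return True
    return os.path.splitext(path)[1].lower() in SUSPECT_EXTENSIONS

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_mhr_txt(txt):
    """MHR TXT answer is "<last_seen_epoch> <detection_percent>"; no record means unknown."""
    if txt is None:
        return None
    last_seen, pct = txt.strip().strip('"').split()
    return int(last_seen), int(pct)

def check_and_quarantine(path, trash, resolve_txt):
    """resolve_txt(name) -> TXT string or None. Returns 'skipped', 'clean' or 'quarantined'."""
    if not should_hash(path):
        return "skipped"
    verdict = parse_mhr_txt(resolve_txt(md5_file(path) + ".malware.hash.cymru.com"))
    if verdict is None:
        return "clean"
    shutil.move(path, os.path.join(trash, os.path.basename(path)))  # README: into the user's .Trash
    return "quarantined"

def demo():
    """Constructed files plus a fake resolver, so the whole pipeline runs offline."""
    work, trash = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {"dropper.exe": b"constructed sample", "notes.txt": b"harmless", "tool": b"local script"}
    for name, data in files.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(data)
    os.chmod(os.path.join(work, "tool"), 0o755)
    # Pretend the registry has seen dropper.exe's hash (constructed answer, not real MHR data).
    known = {md5_file(os.path.join(work, "dropper.exe")) + ".malware.hash.cymru.com": '"1395000000 61"'}
    return {n: check_and_quarantine(os.path.join(work, n), trash, known.get) for n in files}
```

To go live, replace `known.get` with a real TXT resolver and note that an executable file with an unknown hash is reported as clean, which is exactly the gap the README's "all known malware" claim depends on.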
ideally, you'd get this from github, build it, and be on your way. if that's not your style, though, you can get it pre-built from me at http://www.gogg.in. eventually.
- I don't know what will happen if more than one user is logged in w/r/t where the hashed file will be quarantined.
- could use some preferences and/or a preference pane.
- you'll need to download & build the XNU source. See http://shantonu.blogspot.de/2012/07/building-xnu-for-os-x-108-mountain-lion.html or http://shantonu.blogspot.de/2013/10/building-xnu-for-os-x-109-mavericks.html for details.
filecheckerd is Copyright 2014 Terence Goggin. Portions are Copyright Amit Singh.
- Source released under the GNU GENERAL PUBLIC LICENSE (GPL) Version 2.0.
- See http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt for details.
[1] seriously. I tested by downloading conficker.