Bugs & Fixes: Troubleshooting Apple's malware protection

If you’ve installed Snow Leopard’s Security Update 2011-003, you have the benefit of Apple’s protection against various malware attacks, most notably the recent Mac Defender Trojan Horse variants. This protection will locate and, in some cases, delete malware that shows up on your drive.

What happens when new malware attacks appear on the scene? That’s part of the beauty of Apple’s approach. Apple can automatically update the malware definitions on your drive, without requiring any action on your part. That way, there’s no need to download a new Security Update each time. To enable this feature (assuming that giving Apple this authority doesn’t make you more nervous than the threat of malware), turn on the “Automatically update safe downloads list” option in the General tab of the Security System Preferences pane.

This updating is a great convenience—except when it doesn’t work. In theory, after Apple releases a definitions update, the changes should be pushed to your Mac within the next 24 hours. Additionally, if you restart your Mac at any time, this should force an install of the latest update. In practice, things have not always gone so smoothly.

When I checked with a group of colleagues, only about 50 percent of us had gotten an update within the expected 24 hours. For those of us who did not get the update (which included me), the reason was not related to whether our Macs were asleep at the “wrong” time. Even when a Mac was set to never go to sleep, the update did not arrive. Similarly, if we restarted our Macs, supposedly forcing an update, nothing happened.

In most cases, if we simply waited long enough (48 or even 72 hours), the update would eventually arrive. On at least one occasion, however, I had not received an update that had been out for four days.

I am convinced that there is a bug in play here, apparently one that affects only a subset of users.

What can you do about this bug? You can force an update by unchecking and rechecking the above-mentioned option in the Security System Preferences pane, as detailed in a Macworld article from last week. When I tested this out, it worked. However, it is not a permanent fix. The next time a definitions update is released, you still won’t get it within the expected 24-hour time frame. At least that’s the way it has worked for me.

A more convenient alternative (although also not a permanent fix) is to use Safe Download Version, a free app developed by Adam Christianson at the Mac Observer. With this app, simply click its Update Definitions button and the most recent update is installed. Done.

[Image caption: XProtect.plist viewed in Property List Editor]

Apple has been a busy beaver with these definitions. As of this writing, they are already up to version 10, with a new update seemingly released every couple of days.

For those of you who want to peer under the hood, here’s how all of this works:

The malware definitions list is stored in a file called XProtect.plist. To open this file from the Finder, choose Go To Folder (Command-Shift-G) from the Go menu and enter: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/. In the window that opens, scroll down until you find the XProtect.plist file and double-click it. If you have Apple’s Property List Editor installed, it will open in that app; otherwise, it should open in a text editor. The contents list each malware definition for which Apple offers protection.

While you’re visiting this folder, check out the adjacent XProtect.meta.plist file. This file lists the date of the last modification of the XProtect.plist file and its version number. This is where the Safe Download Version application draws its information.

The updating of the definitions is handled by a Unix program named, appropriately enough, XProtectUpdater. You can run it manually from Terminal: at the prompt, type sudo /usr/libexec/XProtectUpdater, press Return, and, when prompted, enter your administrator password and press Return again. (I was able to enter the command without using sudo, but others have reported issues when leaving out this command.) This is what Safe Download Version does for you when you click its Update Definitions button.
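As an added example (not part of the original article, and not Apple's or Safe Download Version's code), here is a small Python script that does what the three steps above describe by hand: it reads XProtect.meta.plist for the definitions version and last-modification date, lists the entries in XProtect.plist, and flags definitions that are more than 24 hours old. The file paths are the ones named above; the plist key names (Version, LastModification, Description) and the date format are assumptions about the real files, and the embedded sample plists and definition names are constructed placeholders so the script also runs on a machine without these files.

```python
import plistlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Paths named in the article (Snow Leopard with Security Update 2011-003).
XPROTECT_DIR = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
META_PATH = XPROTECT_DIR + "/XProtect.meta.plist"
DEFS_PATH = XPROTECT_DIR + "/XProtect.plist"

# Constructed sample files so the script runs anywhere. The key names
# (Version, LastModification, Description) are assumptions about the real
# plist layout; the definition names are placeholders, not real signatures.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key>
  <string>Tue, 07 Jun 2011 22:00:00 GMT</string>
  <key>Version</key>
  <integer>10</integer>
</dict>
</plist>
"""

SAMPLE_DEFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key>
    <string>Example.Definition.A</string>
  </dict>
  <dict>
    <key>Description</key>
    <string>Example.Definition.B</string>
  </dict>
</array>
</plist>
"""


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (keeps the freshness check deterministic)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def load_meta(data):
    """Return the definitions version and last-modification time from XProtect.meta.plist bytes."""
    meta = plistlib.loads(data)
    modified = parsedate_to_datetime(meta["LastModification"])
    if modified.tzinfo is None:  # an RFC 2822 "-0000" zone parses as naive; treat it as UTC
        modified = modified.replace(tzinfo=timezone.utc)
    return {"version": int(meta["Version"]), "last_modified": modified}


def list_definitions(data):
    """Return the Description of each entry in XProtect.plist bytes."""
    return [entry.get("Description", "<unnamed>") for entry in plistlib.loads(data)]


def check_freshness(meta, now, max_age=timedelta(hours=24)):
    """Return (is_fresh, age_in_hours); fresh means modified within max_age of `now`."""
    age = now - meta["last_modified"]
    return age <= max_age, age.total_seconds() / 3600.0


def read_file_or_sample(path, sample):
    """Read the real plist when present (macOS); otherwise use the constructed sample."""
    try:
        with open(path, "rb") as f:
            return f.read(), "disk"
    except OSError:
        return sample, "sample"


if __name__ == "__main__":
    meta_bytes, meta_src = read_file_or_sample(META_PATH, SAMPLE_META)
    defs_bytes, defs_src = read_file_or_sample(DEFS_PATH, SAMPLE_DEFS)
    meta = load_meta(meta_bytes)
    names = list_definitions(defs_bytes)
    fresh, hours = check_freshness(meta, datetime.now(timezone.utc))
    print(f"XProtect definitions version {meta['version']} ({meta_src}), "
          f"last modified {meta['last_modified'].isoformat()} ({hours:.1f} h ago)")
    print(f"{len(names)} definitions ({defs_src}): " + ", ".join(names))
    if not fresh:
        print("Definitions were last modified more than 24 h ago; if a newer version "
              "is known to exist, run 'sudo /usr/libexec/XProtectUpdater' to fetch it.")
```

The age of the file only tells you how long it has been since the last change, not whether Apple has published a newer version since; to decide whether the 24-hour push has failed for your Mac, compare the version number printed here against the one reported by a colleague or by Safe Download Version, then force the update with XProtectUpdater as described above.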

Updated 2:05 6/10/11 to include information about the sudo command.
