Antivirus detection rate results update

Alright, it’s been a few months but I finally had some time to update the test.

A few changes have been made to the test environment:
- As the majority of Mac users now use 10.9 Mavericks, the virtual machines were all rebuilt from scratch using the latest version of Mavericks (10.9.4). Upgrading the existing VMs proved problematic and I was not happy with the results, so starting fresh was the best option.
- Re-infecting the new VMs gave me a good chance to test Gatekeeper in its default setting too (Mac App Store & Identified Developers only). The results were added in a separate column next to XProtect. It shows that OS X does a decent job at blocking malware, 40% of all samples, but since Gatekeeper can easily be bypassed, and malware has been seen signed with a valid Developer ID, Mac users should not rely on it to stay safe. The same goes for XProtect of course, which does a lousy job in general.
- Flash Player, Java, Firefox, Chrome and Opera were installed and will be kept up to date with every test.
- VM resources remained the same. 4 CPU Cores, 4 GB RAM and ample drive space on a dedicated SSD.
- Little Snitch is no longer being used in the virtual environments as it may impact the behavior of certain malware. Instead the VMs now use their own ethernet cable that leads to a Mac with internet sharing enabled. On that Mac Little Snitch is active, so connection attempts can still be monitored. As far as the VM knows it is connected to the internet and has no monitoring software present, but on the other Mac I can still see exactly which types of connections are being made and where to. So far in testing this has worked well. For a more detailed analysis, if needed, this setup also allows me to use other tools without impacting the virtual environment.
- The older 10.8 virtual machines were updated with the latest samples and software and will be kept around if needed for testing.
- The number of applications with a detection rate of 90% or higher has doubled since the test started. I felt this was a good time to make this the new standard. Whereas previous tests defined the top tier as AV with 80% or higher detection, this has now been raised to 90%. I might even make the top performing category 95% and better soon. Why should we not expect the best of applications that claim they protect us, right?

Some observations in this test:
- Avast kept running the virtual machine into the ground as soon as the installer finished, so I used the old 10.8 VM instead. That one also became completely unresponsive and crashed after the Avast install. I then used an archived installer from the beginning of the year, which installed without issues. From there I could update to their new version 9 and run the test. I don’t know if this is because of the virtual environment or if their latest installer behaves the same on actual Macs. Use caution.

- I’m very happy to see F-Secure finally released an actual application; it seems they take Mac users seriously now. Their previous products were not very stable and definitely did not run well in virtual environments, but this has changed. The application’s preferences reside in the System Preferences window, the scan results are clear and the interface is neat. There are no options when it comes to scan settings. Whatever is found is trashed immediately, no questions asked, or labeled as riskware and left for you to clean. Real-time scanning cannot be disabled. Apart from a few minor interface issues, like the scan being completed while the progress bar stays stuck at 98%, the application performed well.

- Something I liked a lot about ESET version 6 was its notification that the operating system was out of date. The VM did not have the latest iTunes update installed and, while not critical for the OS, this is a great feature to have. I have not seen this in any of the previous ESET products.

- MacKeeper was not willing to provide me with a trial license (needed to update virus definitions). A supervisor will let me know within a week if I can get one, they will also let me know if I should exclude them from the test going forward. I’m certainly not postponing the test for a week to wait for that license so their results were not updated.

- I was unable to get BitDefender (App Store version) to scan. It downloaded fine, the definitions updated and the app launched without problems. However, when I clicked any of the scan buttons the app would just sit there and do nothing. Reboots, reinstalls, a fresh VM and even an actual Mac running OS X 10.9.4 all gave the same result. As the app was last updated two years ago it may simply no longer be compatible with Mavericks. I’ll test some more in the near future. If I cannot get it to work I will revert to the 10.8 VM for this particular app and continue its testing.

- After ClamXav’s last sudden improvements I had high hopes for this test. Sadly it did not improve as much as I had hoped.

Other notes:
I’m considering making the trace detection results count towards the final percentage. Trace files are present on systems that are already infected and the original file that caused the infection may be long gone (an installer or downloaded file of some kind).

I will be working on updating the rest of the application results in the upcoming week or two.

The results can be found here.


Antivirus test results updated tomorrow

When I was getting ready to upload the PDF and observations my internet decided to take the rest of the night off. Testing of the top performing AV (80% or higher detection rate) has been completed, the results will be uploaded tomorrow hopefully. Intego lost the number 1 spot in the list but judging from past performance they should bounce back pretty soon.

Some samples were added, some work on the VM’s was done and I may be excluding one of the products from the test soon. For all the details, check back tomorrow night!


OS X updated, Safari updated, iCloud enabled 2 factor authentication

It was a busy day for Apple. The following updates were released:

OS X 10.9.4
The OS X Mavericks 10.9.4 Update is recommended for all Mavericks users. It improves the stability, compatibility, and security of your Mac.
This update:

  • Fixes an issue that prevented some Macs from automatically connecting to known Wi-Fi networks
  • Fixes issue causing the background or Apple logo to appear incorrectly on startup
  • Improves the reliability of waking from sleep
  • Includes Safari 7.0.5

The update also contained some security patches which Apple believes, as usual, are not worth mentioning in the release notes. 19 security related issues were resolved and some of them, in my opinion, were quite nasty: opening a maliciously crafted zip file could lead to arbitrary code execution (copyfile), remote attackers could gain access to another user’s session (curl), an attacker with access to a system may be able to recover Apple ID credentials (iBooks Commerce) and a malicious application may be able to execute arbitrary code with system privileges (launchd). There was also a not so minor issue in Secure Transport that allowed two bytes of memory to be disclosed to a remote attacker. Two bytes is not much, but a few bytes disclosed to the wrong person can do a whole lot of damage; just think back to the Heartbleed fiasco. There is more to this list and if you want to read it you can find it here (this URL usually takes a while to be updated by Apple).

Safari 6.1.5 and 7.0.5
12 security issues were patched in Safari, all WebKit related. They range from memory corruptions that could be exploited to malicious websites being able to access local files on your Mac. The full list can be found here.

Apple also released an update for iOS 7. The update, 7.1.2, is available for iPhone 4 and later and squashed some nasty bugs too. Altogether 44 security related issues were addressed, including fun stuff like someone being able to bypass Activation Lock or exceed the maximum number of failed passcode attempts. Someone could also gain access to the application that was open before the phone was locked. Mail attachments were not encrypted so they could be extracted, and Find My iPhone could be disabled without an iCloud password. The full list can be found here.

An Apple TV update, 6.1.2, was also released containing security patches.

Last but certainly not least, Apple finally enabled two factor authentication for iCloud accounts, something that was enabled for Apple IDs in March 2013. This applies to iCloud.com and the web apps in it. Once enabled, attempting to access iCloud.com contents will require you to enter an additional code that is sent to a trusted device. To enable the feature, sign in with your iCloud ID on the Apple ID website. Once signed in, go to “Password and Security” where you enable two-step verification.

I highly recommend you install all available updates mentioned and enable two factor (or two-step as Apple likes to call it) authentication sooner rather than later as well. Of course use common sense and back up all important data before applying updates. I have not had any issues but better safe than sorry :)

To get your hands on these updates use Apple menu > Software Update, Open the App Store and click the Updates tab or search for them on the Apple Downloads page. On your iDevices open Settings > General > Software Updates.


Comcast starts to enable public WiFi Hotspots (using your modem)

I first learned about the Public Hotspot feature a year ago when I wrote about the Comcast modem I had and what a security nightmare it was. Since then I have owned and tested roughly 12 Comcast provided modems before finally purchasing my own. Public Hotspot makes XFinity modems broadcast a second wifi signal; this signal can be picked up by other Comcast customers and joined for wifi anywhere they go. A few days ago this feature was enabled for 50,000 Comcast customers in Houston, Texas and, according to Comcast, it will be enabled for millions of homes across the country by the end of the year.

Comcast has been replacing older modems with their new all-in-one boxes for a few years now. These little black towers usually manufactured by Arris and Technicolor have built-in wifi capabilities, allow connection of phones and faxes, have a battery backup and a firewall. Wifi is on by default and all a user has to do to join is connect to the preset network with a password that is on a sticker on the back or bottom of the modem. No other settings have to be tweaked, it’s connect and enjoy your internet/phone. The public hotspot feature will be enabled remotely by Comcast, you don’t have to do anything and may not even be aware of it happening.

My XFinity modem was an Arris and after writing about it a year ago I started doing a few tests. One of these tests was to see if wifi was really disabled when Comcast support told me it was. Turns out, it wasn’t. I found it dodgy that I could not disable wifi myself; I had to call Comcast support to have it done. Why would I not be allowed to disable wifi myself? Once Comcast disabled the built-in wifi I noticed the little wifi light on the front of the modem turned off, which according to Comcast means the wifi is disabled. I grabbed an RF meter and the readings were off the charts! It was not my AirPort Extreme because it was off, it was not my house phone because I turned that off, same for cellphones, bluetooth devices and wifi on the computers. There was no source of RF radiation in my house. Yet here was a strong wifi signal pumping out of my modem that blanketed the entire house. I could faintly pick up the neighbors’ cordless phones and wifi routers and the smart meter outside was quite strong too, but this signal was by far the strongest. I unplugged the modem and the signal kept going; I pulled the battery from the modem and finally the signal stopped.

I called Comcast and they assured me wifi was off. I asked them if it may be the public hotspot feature (I saw no other explanation) but they said that feature had not been activated in my area yet. I scanned the wifi bands and found no networks I could join, yet the signal was there and it was stronger than my AirPort Extreme when it’s enabled. Comcast had no explanation so they sent me a new modem. The new modem had the same issue. I went through 7 modems and they all had the same issue. Then modem 8 arrived and once wifi was disabled there was no rogue signal. This was a Technicolor model TC8305. However, the modem dropped the connection several times a day and would take hours to reconnect after a power drop (the Technicolors do not come with a battery whereas the Arris models do). Comcast support admitted the Technicolors are a nightmare with their wonky firmware and changing a single setting usually requires multiple restarts or resets. So modem 9 was sent, which was an Arris and of course had the same rogue signal issue. Modem 10 was another Technicolor (no rogue signal) but was worse than the first; it bricked completely after Comcast tried to change a setting. Modems 11 and 12 were Technicolors (models TC8305 and TC8305C) which functioned so poorly I gave up and purchased my own modem instead. A modem I have complete control over, that doesn’t have built-in anything that can go rogue on me and takes up a lot less space: a Motorola SURFboard eXtreme Cable Modem SB6141. The Comcast provided modems also re-enabled wifi after a reboot or if unrelated settings were changed.

I have several reasons not to trust Comcast but this rogue wifi signal business was it for me. Now they have started enabling the public hotspot feature and though they tell people it is secure and won’t impact your speed, I do not believe it. I guess time will tell. The public wifi is generated by the same hardware box as your own wifi (if you use XFinity’s preset wifi), so access to that public wifi means access to your modem. I can think of a few scenarios where this can go wrong, and as more homes have this public signal enabled it will become easier for those with ill intent to start poking and prodding at it until a vulnerability is found. Also, this signal may interfere with your own wifi, impacting range and/or speed. Not to mention this will be a nightmare for those that are sensitive to RF radiation and/or simply want to stay away from wifi for health reasons.

You can disable the public hotspot feature by following the steps posted here. Whether it will truly be disabled and stay disabled I don’t know; you’ll have to check with an RF meter to be sure. You certainly can’t take their word for it, is what I have found.


Macworld UK reviews several Mac AV applications

A little while ago I received an email from Andrew Harrison, technical editor for Macworld and several other publications. He mentioned how he was putting together a test of Mac security software and wanted to know if my AV test results could be used. Naturally I gave the OK but in the back of my head I was a little concerned. I rarely agree with security software reviews. They are usually written by people with little to no understanding of the product, the market, the way testing should be done or they just go at it half-assed. Others are biased and/or paid to write a favorable review about a certain product and end up with a page full of nonsense. Come to think of it, I don’t recall reading a Mac AV/Security review I agree with at all.

After a few emails back and forth my mind was put at ease. Mr. Harrison asked the right questions and even found a small flaw in my test results PDF I was not aware of (kudos for going through that entire Numbers document, his eyes must have stung by the time he was done. And that flaw in the results PDF will be fixed asap).

Last week the reviews started to find their way onto the Macworld UK website. On my way to work I spotted the first one “Avast Free AntiVirus for Mac 8.0 review”. I read it and let out a sigh of relief, it was a good and to the point review! Yes, I got excited. To read the reviews have a look at the following links:
Avast Free AntiVirus for Mac 8.0 review: Comprehensive AntiVirus suite for Mac users
Avira for Mac review: Good malware-spotting skills with a tidy user interface
ClamXav 2 review: Free and open-source AntiVirus solution for Mac, Windows and Linux
ESET Cyber Security for Mac review: Sophisticated security application with good malware detection
Intego Mac Internet Security X8 review: Consistently scores highly for spotting malware
Kaspersky Internet Security for Mac review: Relatively capable in Malware protection

Or read the full piece with the reviews included here.

They mention the good and the bad and focus on the things that matter: company background, application history, design, features and performance. These are the reviews I’d want a Mac user to find online. The vast majority of Mac users still believe Macs can’t be infected by malware, mostly because that’s the most prevalent myth in Mac history. Unfortunately most people don’t question this and when they do they are likely to run into someone that believes in the same myth. The small number of people that are determined to find out if this myth is true or not will dig deeper and find sites like mine and reviews like those I just mentioned. Freshly unplugged from the Matrix, that’s the kind of content I want them to find first. Of course it’s a battle that is far from over. It’s the internet after all and, sad as it is, bullshit and misinformation outnumber the good stuff by many petabytes. Fortunately the Macworld UK reviews may find their way to the printed magazines as well. This should get the information to a good number of users and at least create some awareness.

Check out the reviews and keep an eye out for others that may follow. A fun fact, the review Mr. Harrison wrote for the Crucial M550 SSD is the one that made me order a Crucial drive. That same drive currently hosts the virtual machines that are used for the antivirus testing :)


Avast forum hacked, user names, email addresses and passwords compromised.

Earlier tonight I received the following email:

Dear Jay,

The AVAST forum is currently offline and will remain so for a brief period. It was hacked over this past weekend and user nicknames, user names, email addresses and hashed (one-way encrypted) passwords were compromised. Even though the passwords were hashed, it could be possible for a sophisticated thief to derive many of the passwords. If you use the same password and user names to log into any other sites, please change those passwords immediately. Once our forum is back online, all users will be required to set new passwords as the compromised passwords will no longer work.

This issue only affects our community-support forum. No payment, license, or financial systems or other data were compromised.

We are now rebuilding the forum and moving it to a different software platform. When it returns, it will be faster and more secure. This forum for many years has been hosted on a third-party software platform and how the attacker breached the forum is not yet known. However, we do believe that the attack just occurred and we detected it essentially immediately.

We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you. However, this is an isolated third-party system and your sensitive data remains secure.

All the best,

Ondrej Vlcek
COO AVAST Software

I applaud the fast response and notification of their users, something many other companies don’t do unless they are caught or criticized. By now you should know better than to use the same password on different sites, but if you do, and you also had an account on the Avast forums, change those passwords immediately. Using tools like 1Password to generate a random and strong password for you is recommended. An unsalted one-way hash is easy to break with moderately powerful hardware, so before this week is over the majority of the stolen passwords will have been cracked by the hackers.
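To make the point about unsalted hashes concrete, here is an added Python example (my own illustration, not Avast’s forum code or anything recovered from the breach) that stores a few constructed sample accounts under a bare unsalted SHA-1 and under a per-user-salted PBKDF2 scheme, and shows what an auditor sees in each case: with no salt, accounts sharing a password are visible at a glance and one hashed wordlist is matched against every account at once, whereas with salts every record is unique and each guess has to be recomputed per user at the full iteration cost.

```python
import hashlib
import hmac
import os

# Constructed sample data: three forum accounts, two of which chose the same
# password. (Hypothetical users, not data from the Avast forum breach.)
USERS = {
    "alice": "correct horse battery",
    "bob": "Summer2014!",
    "carol": "Summer2014!",
}


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare one-way hash with no salt and no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """The hardened scheme: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256,
    so equal passwords yield different records and each guess costs `iterations` hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def duplicate_hash_groups(hash_by_user: dict) -> dict:
    """Audit check: which accounts share an identical stored hash? With unsalted
    hashes this exposes shared passwords without a single guess being made;
    with per-user salts the result should always be empty."""
    groups = {}
    for user, h in hash_by_user.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def wordlist_exposure(weak_table: dict, wordlist: list) -> dict:
    """Why unsalted hashes fall quickly: hashing the wordlist ONCE gives a lookup
    table that covers every account simultaneously. Returns {user: password}
    for the accounts whose hash appears in the table."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {user: lookup[h] for user, h in weak_table.items() if h in lookup}


def build_tables():
    """Store the same users under both schemes for side-by-side comparison."""
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: make_salted_record(p) for u, p in USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted duplicates:", duplicate_hash_groups(weak))
    print("salted duplicates:  ", duplicate_hash_groups({u: r["hash"] for u, r in strong.items()}))
    print("wordlist hits:      ", wordlist_exposure(weak, ["password", "Summer2014!", "letmein"]))
    print("alice verifies:     ", verify_salted(strong["alice"], "correct horse battery"))
```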

On June 17th I received the following email:

A few days ago we informed you that the AVAST forum was attacked and because of that, we took the forum offline to improve its structure and security. It is now back up and more secure.
We decided to rebuild the forum on the same software platform we used before, but we enhanced the security on our side. We added our own login technology with SSL encryption. With this encryption, passwords will not be saved in our forum database. This means that your password cannot be compromised.
The AVAST forum is an extremely important part of our business. Our members not only solve issues identified by other members, but give us valuable insight that helps us improve our business and our products. We are extremely grateful for your participation, and we hope that you will rejoin the forum and continue providing your unique insight.
To start using the new AVAST forum, please create a new password at link. We recommend that you use a different password from the one you used for the old forum.
Again, we regret any inconvenience this may have caused you and thank you for your contributions.
All the best,
Ondrej Vlcek
COO AVAST Software


Updates for iTunes, Server and Safari

Last week Apple released updates for OS X Mavericks and iTunes. The Mavericks update, 10.9.3, has finally given us back the ability to sync contacts and calendars over USB and as far as I can tell it works without issues. The update can be installed through Software Update in the App Store or you can download the update from Apple’s website directly using the following links:
OS X Mavericks 10.9.3 Update (461.7 MB)
OS X Mavericks 10.9.3 Combo Update (947.2 MB)

The iTunes update did not come without issues though. If certain conditions were met it messed up the permissions of users’ home folders, which allowed unauthorized users access. Home folders would also go invisible after a reboot. Apple quickly released an 11.2.1 update and kept the details of this massive screw-up tucked away in the fine print. If you had updated iTunes already, make sure to check for updates again. Seeing another iTunes update is not a glitch; it’s a fix you need.
You can also download the update here directly from the Apple website (235.1 MB).

An update to OS X Server, 3.1.2, was also released and has the following fixes and improvements:

  • Fixes for Profile Manager deploying profiles containing variables when code signing is enabled
  • Improved Profile Manager reliability for sending Volume Purchase Program invitations
  • Fixes to enable Profile Manager to manage Device Enrollment Program systems with long descriptive names
  • Improvements to Messages Server stability when using Chat Rooms
  • Improved delivery of messages to Mail groups. Note: the Mail service cannot deliver messages that contain unencoded 8-bit data to a group.

The update requires the above mentioned 10.9.3 update to be installed first. Security-wise not much was done in this update.

Finally, today Apple released updates for Safari. The update is available for OS X versions Lion, Mountain Lion and Mavericks and fixes 22 WebKit security issues. The full list can be found here.

In unrelated news, eBay was hacked a few months ago and only found out recently. They finally released a statement today urging users to change their passwords. I recommend doing this sooner rather than later as it appears passwords were not stored properly. They were encrypted but not hashed, so the hackers that obtained them most likely have most of the passwords decrypted by now. Look out for phishing emails and treat every email from eBay that asks for account details with suspicion.


World Password Day 2014

It’s back! Today is World Password Day, the day on which websites and organizations worldwide urge people to change their passwords. I was asked to cover World Password Day by one of the organizers about a month ago and while I was happy to do so, I did express some concerns. One of my concerns was the recently discovered Heartbleed bug. Urging people to change their passwords everywhere may not be a great idea since a lot of websites are still vulnerable to this bug. I asked if they would take this into account and today I’m happy to see they did. Their website, https://passwordday.org, shows a big Heartbleed warning along with other useful tips.

The only thing I don’t like on their site is the password tester. While this particular password tester may be safe to use, I do not recommend using any online password testers in general. Getting people in the habit of using these online testers can and probably will backfire one day as there are a lot of malicious ones out there. I mentioned it last year when I covered world password day:

Password strength checkers.
They pop up all over the place, especially on days like this. Some reputable companies will host one on their website and of course there are a lot of fake ones appearing that are controlled by folks with malicious intent. No matter where you find a password strength checker/tester, do NOT use it!! Yes, the company hosting it may be reputable but come on, every major corporation has been hacked or compromised in the past so there is no reason to think a password checker hosted by Intel or McAfee is safe. (Intel didn’t even bother securing their password check site with https, so everything typed there is sent in plain text!!) On days like these, if I was a hacker, I’d go after these reputable sites with everything I got and try to compromise their password checker so it sends all the information to me. If that fails I’ll build my own and send people to it using social engineering / advertising. “The strongest password wins a new MacBook Air!”. As folks want to either test their current password and/or prove their password is uncrackable, these online password checkers generate enormous amounts of traffic. Though the legit ones warn not to use your actual password, most do (what’s the point of checking a fake password that you don’t use?), and most will pick the wrong website to do it on. Don’t use online password checkers!

Instead, use the tools that are built in to OS X:

If you want a safe, secure method of checking your password strength, use the tools built into your Mac OS. Go to Applications > Utilities and open Keychain Access. Once open, go to the File menu and select “New Password Item”; this will cause a small window to appear in which you can type any password and check its strength. Ignore the ‘Keychain Item Name’ and ‘Account Name’ fields as you won’t actually be adding anything to your keychain, but do use the ‘Password’ box. Type in a password and it will tell you in real-time if your password is any good. You want the strength to be “Excellent” at least and the bar to be 70% green.

If you use 1Password you can also use their Password Generator. This can be accessed straight from the menu bar, browser extensions or the application itself.
In closing, I’ll just mention what I said last year (slightly modified):

While days like these are a good idea, they often end up being a fail for the user and a win for the hackers. If you changed your passwords today please do the following:
- Make sure the site/service is not vulnerable to the heartbleed bug.
- If you used any online password strength checkers, permanently discontinue any password(s) you have entered in them. If the checker was compromised it means your password is now in the hands of a stranger.
- Do not re-use old passwords.
- Do not cycle passwords between services.
- Have a look here.


New Flash flaw could let attackers control Macs, Adobe urges users to update

Adobe on Monday disclosed a new vulnerability in its Flash platform that may allow attackers to remotely take over and control Macs, PCs, and Linux machines and advised users to update their system as quickly as possible.

The bug affects Flash Player 13.0.0.201 and earlier on the Mac, Flash Player 13.0.0.182 and earlier on Windows, and Flash Player 11.2.202.350 and earlier on Linux. Adobe says that attacks exploiting this flaw have been discovered “in the wild,” so users are strongly urged to apply the latest updates sooner rather than later.

Mac owners and those on Windows-based PCs should update to Flash Player 13.0.0.206, while users running Linux should update to Flash Player 11.2.202.356. Those using the versions of Flash installed alongside Google’s Chrome browser or Microsoft’s Internet Explorer 10 and 11 will receive updates automatically.


iOS and OS X updates with security fixes released.

Today Apple released updates for iOS and OS X. The iOS update, 7.1.1, contains bug fixes for Touch ID and keyboard responsiveness plus 19 security patches; the OS X update focuses on security only.

The Apple TV got a similar security update today.

All the updates fix a rather important SSL bug that allows a man-in-the-middle attacker to intercept secure SSL traffic. The update is available for Lion, Mountain Lion and Mavericks users and should be installed as soon as possible.

This is not related to the now famous Heartbleed bug. Apple products and software are not, and were not at any point, vulnerable to this bug unless a custom version of OpenSSL was installed by the user or came bundled with user installed software.

On iOS devices go to Settings > Software Update or connect the device to iTunes. Mac users can get the update through the Software Update menu or the App Store.

Update: A base station firmware update was also released for AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. This update also addresses an SSL bug.


Malware Detection Rate Results

Last updated:
Tuesday July 15th, 10:39PM EST
430 Samples, 43 Applications
#1 Avast
#2 Intego
#3 ESET
Get it here.
