XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
 Post subject: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Sun Feb 07, 2010 4:02 pm 

Joined: Fri Jan 15, 2010 9:54 pm
Posts: 130
I hate to be cynical, but...

I recently was going through my OS's Receipts folder, and found a bunch of leftovers from VirusBarrier X5 – basically, a bunch of Receipts for the program's (overly) updated 'Virus Definitions'. But, the funny thing is, the last couple of them were exactly the same size (37,714 bytes).

Now, supposedly only a new 'threat' necessitates a new 'Virus Definition', and hence, a new download. So, common sense would bring one to the conclusion that it would be unlikely that totally different downloads would be exactly the same size.

Could anti-virus companies be recycling the same downloads, to make buyers think they're getting their money's worth from yearly, paid subscriptions; or is that a false, or incomplete, conclusion?

appler505


Last edited by appler505 on Mon Feb 08, 2010 1:21 am, edited 1 time in total.

 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Sun Feb 07, 2010 8:45 pm 

Joined: Thu May 15, 2008 9:01 pm
Posts: 2525
Damn right they do :p_dog:

_________________
"To accomplish great things, we must not only act, but also dream, not only plan, but also believe."
If you cant protect the integrity of the system you have no system.


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Mon Feb 08, 2010 1:23 am 

Joined: Fri Jan 15, 2010 9:54 pm
Posts: 130
rtmac wrote:
Damn right they do :p_dog:


Thanks for the concise reply! Oh, and I like your fiendishly feline avatar, rtmac – kind of like a cranky version of Snow Leopard :>)

appler505


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Mon Feb 08, 2010 2:11 am 

Joined: Sun Apr 20, 2008 6:24 am
Posts: 5154
Location: North of the State of Jefferson
The receipts aren't the virus definitions themselves, so it doesn't surprise me they're the same size. The updates should generally all be updating the same files and folders, so to the extent they do so, and to the extent the updates are roughly the same size, the receipts should be about the same.

Receipts in general are packages, special folders if you will, containing a couple of files that describe the contents, a few things used by the Apple installer, and a file called Archive.bom. That last file is a bill-of-materials file to, in Apple's words, "determine which files to install, remove, or upgrade." You can interrogate a .bom file to find the files that were installed or modified. To do so, open your Receipts folder (/Library/Receipts) and find the one you want to know more about. Then right-click the receipt and choose "Show Package Contents." In the window for the package, open the Contents folder and you'll see the Archive.bom file.

Open the Terminal and type lsbom followed by a space, then drag the Archive.bom file into the Terminal window and let go; you'll see that the Terminal automatically types the path to that file. Then press Return.

For example, if I wanted to see what the CoreFP receipt modified, I'd enter:
lsbom /Library/Receipts/CoreFP.pkg/Contents/Archive.bom

(the computer would type /Library/Receipts/CoreFP.pkg/Contents/Archive.bom for me when I dragged the Archive.bom file to the Terminal.)

Upon pressing return, I'd see something like:
Code:
.   41775   0/80
./System   40755   0/0
./System/Library   40755   0/0
./System/Library/PrivateFrameworks   40755   0/0
./System/Library/PrivateFrameworks/CoreFP.framework   40755   0/0
./System/Library/PrivateFrameworks/CoreFP.framework/CoreFP   120755   0/0   23   1833229934   Versions/Current/CoreFP
./System/Library/PrivateFrameworks/CoreFP.framework/CoreFP.icxs   120755   0/0   28   3585219198   Versions/Current/CoreFP.icxs
./System/Library/PrivateFrameworks/CoreFP.framework/Resources   120755   0/0   26   3302263027   Versions/Current/Resources
./System/Library/PrivateFrameworks/CoreFP.framework/Versions   40755   0/0
./System/Library/PrivateFrameworks/CoreFP.framework/Versions/A   40755   0/0
./System/Library/PrivateFrameworks/CoreFP.framework/Versions/A/CoreFP   100755   0/0   58258580   2805220712
./System/Library/PrivateFrameworks/CoreFP.framework/Versions/A/CoreFP.icxs   100644   0/0   2250900   1546527549
./System/Library/PrivateFrameworks/CoreFP.framework/Versions/A/Resources   40755   0/0
./System/Library/PrivateFrameworks/CoreFP.framework/Versions/A/Resources/Info.plist   100644   0/0   654   915896821
./System/Library/PrivateFrameworks/CoreFP.framework/Versions/A/Resources/version.plist   100644   0/0   511   2809344774
./System/Library/PrivateFrameworks/CoreFP.framework/Versions/Current   120755   0/0   1   1751207896   A

The important part is the first part, such as ./System/Library/PrivateFrameworks/CoreFP.framework/Versions/A/Resources/version.plist, which shows the path to the file that was written or modified.

At present, there aren't too many widespread threats targeting OS X. If Intego is only updating OS X threats, there shouldn't be much change. If, on the other hand, it also contains Windows threats (which may still be present in files on the Mac, even if the Mac can't be infected by them), there should be lots of updates.

That said, I may be more cynical than you. Definition-based antivirus products may be too slow to do a very good job. The virus has to be "out there" for the antivirus software to detect, then they have to craft a definition, then you have to download it, then you have to scan for it, and by then you may already be infected and the damage done. With viruses being updated, released, or mutated on an hourly basis, this seems like a low level of protection. And while the software is running you have to endure miserable performance, bugs, flaws, incompatibilities, and even sometimes additional security holes; Symantec has seen some malware targeting security flaws in its security products.

Antivirus software is important for most Windows users, but for some sophisticated users it probably isn't worth the downsides. Given the threat environment for Macs, it is very hard for me to recommend most Mac users install antivirus software.

- Anonymous


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Mon Feb 08, 2010 9:51 am 

Joined: Fri Jan 15, 2010 9:54 pm
Posts: 130
Anonymous wrote:
The receipts aren't the virus definitions themselves, so it doesn't surprise me they're the same size. The updates should generally all be updating the same files and folders, so to the extent they do so, and to the extent the updates are roughly the same size, the receipts should be about the same...

- Anonymous


Thank you, Anonymous, for the educational reply; I learned a lot, and appreciate your time :>)

Here are the results:

The last two Receipts are completely identical, except for the second-to-last lines, which read:

./Library/Intego/virusbarrier.bundle/Contents/Resources/AntiviralLibX5.bundle/Contents/Resources/encyclopedia.dat 100664 0/0 4424767 924654084

./Library/Intego/virusbarrier.bundle/Contents/Resources/AntiviralLibX5.bundle/Contents/Resources/encyclopedia.dat 100664 0/0 4488837 1077043973

Do you happen to have any thoughts on this?

appler505


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Mon Feb 08, 2010 10:38 am 

Joined: Tue May 06, 2008 10:14 pm
Posts: 3530
Location: Raleigh, NC
The last two numbers are the file size and the checksum of the contents. Those numbers having changed means the encyclopedia.dat file has been changed between the two installs.

_________________
Things are only impossible until they're not - Jean Luc Picard
Impossible is a word to be found only in the dictionary of fools - Napoleon
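
The procedure Anonymous describes above (dump a receipt's Archive.bom with lsbom) and sarahbau's reading of the last two columns (size and checksum) can be automated: dump the BOM from each definitions receipt and diff the listings, so the changed entries fall out instead of being spotted by eye. The script below is an added example for this thread, not the forum's or Intego's code. It parses lsbom's default output (path, octal mode, uid/gid, then size, 32-bit checksum and, for symlinks, the link target), which lsbom separates with tabs; the paste in this thread collapsed the tabs to spaces, so whitespace splitting is accepted as a fallback. The receipt names in the docstring are hypothetical, and the sample listings are constructed: the two encyclopedia.dat lines are the ones quoted above, the directory lines are made up.

```python
"""Compare two lsbom listings and report which installed files changed.

Added example for this thread (not the forum's or Intego's code). Each lsbom
line is: path, octal mode, uid/gid, and then, for files and symlinks, size,
32-bit checksum and (symlinks only) the link target.

Assumed workflow on a Mac (receipt names are hypothetical):
    lsbom /Library/Receipts/Defs1.pkg/Contents/Archive.bom > old.txt
    lsbom /Library/Receipts/Defs2.pkg/Contents/Archive.bom > new.txt
    python3 bomdiff.py old.txt new.txt
"""
import re
import sys
from typing import Dict, List, NamedTuple, Optional


class BomEntry(NamedTuple):
    path: str
    mode: str                 # octal mode string as printed by lsbom, e.g. "100664"
    owner: str                # "uid/gid"
    size: Optional[int]       # None for directories
    checksum: Optional[int]   # None for directories
    link: Optional[str]       # symlink target, None otherwise


def parse_lsbom_line(line: str) -> Optional[BomEntry]:
    """Parse one lsbom output line; returns None for a blank line."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    # lsbom emits tab-separated fields; fall back to whitespace for pasted output
    fields = line.split("\t") if "\t" in line else re.split(r"\s+", line.strip())
    if len(fields) < 3:
        raise ValueError(f"unparseable lsbom line: {line!r}")
    size = int(fields[3]) if len(fields) > 3 else None
    checksum = int(fields[4]) if len(fields) > 4 else None
    link = fields[5] if len(fields) > 5 else None
    return BomEntry(fields[0], fields[1], fields[2], size, checksum, link)


def parse_lsbom(text: str) -> Dict[str, BomEntry]:
    """Index a whole listing by path."""
    entries: Dict[str, BomEntry] = {}
    for line in text.splitlines():
        entry = parse_lsbom_line(line)
        if entry is not None:
            entries[entry.path] = entry
    return entries


def diff_boms(old: Dict[str, BomEntry], new: Dict[str, BomEntry]) -> Dict[str, List[str]]:
    """Bucket every path as added, removed, changed or unchanged.

    'changed' means mode, owner, size, checksum or link target differ; in the
    thread's case that is the size/checksum pair of encyclopedia.dat.
    """
    buckets: Dict[str, List[str]] = {"added": [], "removed": [], "changed": [], "unchanged": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            buckets["added"].append(path)
        elif path not in new:
            buckets["removed"].append(path)
        elif old[path][1:] != new[path][1:]:   # compare everything except the path
            buckets["changed"].append(path)
        else:
            buckets["unchanged"].append(path)
    return buckets


# Constructed sample listings: the encyclopedia.dat lines are the two quoted in
# the thread, the directory lines are made up.
ENC = ("./Library/Intego/virusbarrier.bundle/Contents/Resources/"
       "AntiviralLibX5.bundle/Contents/Resources/encyclopedia.dat")
SAMPLE_OLD = ".\t41775\t0/80\n./Library\t40755\t0/0\n" + ENC + "\t100664\t0/0\t4424767\t924654084\n"
SAMPLE_NEW = ".\t41775\t0/80\n./Library\t40755\t0/0\n" + ENC + "\t100664\t0/0\t4488837\t1077043973\n"


def report(old_text: str, new_text: str) -> Dict[str, List[str]]:
    """Print the added/removed/changed paths and return the buckets."""
    buckets = diff_boms(parse_lsbom(old_text), parse_lsbom(new_text))
    for kind in ("added", "removed", "changed"):
        for path in buckets[kind]:
            print(f"{kind:8} {path}")
    print(f"{len(buckets['unchanged'])} entries unchanged")
    return buckets


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            report(f_old.read(), f_new.read())
    else:
        report(SAMPLE_OLD, SAMPLE_NEW)
```

Run against the two sample listings it reports exactly one changed entry, encyclopedia.dat, which is what the thread found by hand. Two caveats: the comparison is between what the two receipts record, not between a receipt and the file currently on disk, so it says nothing about whether the installed file still matches either receipt; and a different size and checksum only show that the bytes changed, not what changed in them, which is the point Anonymous makes below about "viable" being a separate question.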


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Mon Feb 08, 2010 1:18 pm 

Joined: Fri Jan 15, 2010 9:54 pm
Posts: 130
sarahbau wrote:
The last two numbers are the file size and the checksum of the contents. Those numbers having changed means the encyclopedia.dat file has been changed between the two installs.


Thanks, sarahbau, for the info! It's good to see Intego is selling a viable product.


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Mon Feb 08, 2010 5:42 pm 

Joined: Sun Apr 20, 2008 6:24 am
Posts: 5154
Location: North of the State of Jefferson
appler505 wrote:
Thanks, sarahbau, for the info! It's good to see Intego is selling a viable product.

We haven't proved that; rather only that they're apparently changing the definitions file.

Any judgment of whether the product is worthwhile or viable is something else entirely, although that judgment may be educated by the likelihood that its definitions are being updated.

- Anonymous


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Mon Feb 08, 2010 8:06 pm 

Joined: Fri Jan 15, 2010 9:54 pm
Posts: 130
Quote:
Any judgment of whether the product is worthwhile or viable is something else entirely, although that judgment may be educated by the likelihood that it's definitions are being updated.

- Anonymous


Yes, I see what you mean!

I amend my former statement to: "It's good to see Intego is, at the very least, making the appearance of offering new 'Virus Definitions' with each V. Definitions Update."

Thanks, Anonymous, for correcting my inadvertently turbid syntax :>)

appler505


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Tue Feb 09, 2010 9:14 am 

Joined: Mon Apr 21, 2008 2:34 am
Posts: 3229
Location: East AmeriKastan
On a related note:

One aspect of anti-virus protection for the Mac, that may be under-rated, is the potential to pass on (a la Typhoid Mary) a Windows virus, despite our so-called virtual immunity.

Sharing an infected file (a trojan hidden inside that hilarious Foo.jpg.exe file you received from Aunt Ester, for example) can propagate malware even if it has zero impact on your Mac.

I'd guess that the percentage of contagious nasties doing their worst, propagated via end users on Macs, is relatively small. Though I do feel it's a good idea to have some sort of virus tool available for us.
I use Clam AV which is, of course, free. In the years of using it, it's only detected a single issue on my machine but it's there when I need to check something I feel may be of dubious origins.

I assume it's a viable program though not as snazzy as payware.

If you get lots of email from people who are likely to get infected or likely to pass on malware, it's worth having something IMO.

_________________
Whom does the Grail serve?


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Wed Feb 10, 2010 9:08 am 

Joined: Sat Apr 11, 2009 3:15 pm
Posts: 1369
Location: NYC
To download ClamXav

http://www.clamxav.com/index.php?page=dl


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Wed Feb 10, 2010 1:01 pm 

Joined: Fri Jan 15, 2010 9:54 pm
Posts: 130
Thanks, WZZZ, and milhouse, for the good information.

appler505


 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Wed Feb 10, 2010 6:28 pm 

Joined: Thu May 15, 2008 9:13 pm
Posts: 1982
Location: Inner Suburbia, MI
Yeah I run ClamXav, specifically to prevent myself from spreading macro viruses to others. Doesn't really make a whole big impact on my system, it's updated fairly often, and more to the point, it's free. For a product you don't really need in the first place (except to prevent yourself from looking like an ass to a potential employer) it works fine for me.

The tricky part is the real-time scanning bit: you want to stick to all the places infected files may enter your system, but not the entire system, otherwise it can impact your performance (e.g. scan /Applications, ~/Documents, ~/Downloads, etc.). Performance is the main reason I ditched Symantec Antivirus Mac all those years ago; it grew and grew and grew and grew until it was so bloated that it seemed your system existed solely to run SAM because it didn't have much CPU time left to do anything else. Which is a shame, since it started out really good 'n lean.

EDIT: but not the entire system
EDIT #2: Listed places to scan, cleaned up some phrasing
I had an allergic reaction to Keflex yesterday (first allergy I know about besides a mild Latex allergy) and so I was a little off when writing this.


Last edited by MonkeyBoy on Thu Feb 11, 2010 1:10 am, edited 1 time in total.

 Post subject: Re: Are Intego's 'Virus Definitions' on the Level?
PostPosted: Wed Feb 10, 2010 9:50 pm 

Joined: Fri Jan 15, 2010 9:54 pm
Posts: 130
Thanks, MonkeyBoy.

appler505

