Update: I’ve captured a video that shows the File Quarantine feature successfully blocking an attempt to automatically install the Mac Guard malware. See below.
After a month-long Mac Defender/Mac Guard malware attack, Apple has finally released the security update it promised last week. The update takes Apple one step closer to turning an obscure security feature into something very close to full-fledged antivirus software.
Security Update 2011-003 includes changes to the File Quarantine feature, which beginning with Snow Leopard also performs antimalware checks on downloaded files. This update includes definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7. Earlier versions of OS X are apparently not included.
The two videos below show how Mac Guard (the current release of this malware) behaves before and after this security update.
Here’s a start-to-finish, unedited “before” video that shows how the Mac Guard fake AV program goes from a seemingly innocent Google search result to a full install in just three clicks, with no password required. This demo uses the latest version of OS X 10.6 and the default browser, Safari, with its default settings.
And here’s the “after” video. Notice how the File Quarantine feature identifies the downloaded file as malware and prompts the user to move it to the trash.