
How does this software announcement make any sense?
Addicted to MacNN
Join Date: Nov 2005
Location: President Skroob's Office
May 4, 2006, 08:38 PM
 
"McAfee today announced anti-virus support for Intel-based Macs. McAfee VirusScan for Mactel 8.0 runs under Apple's Rosetta emulator to help protect Apple computer users from Macintosh and Windows-based viruses, Trojans and other malicious threats."

http://www.macminute.com/2006/05/04/mcafee/

How strange that a press release like this comes out a couple of days after both Apple's new ads regarding viruses and this story:
http://www.cnn.com/2006/TECH/04/30/a....ap/index.html

"She's gone from suck to blow!"
     
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
May 4, 2006, 09:17 PM
 
They can't compile it natively (due to development environment or whatever), so they've come up with a PPC version that will run under Rosetta?
     
Clinically Insane
Join Date: Nov 1999
May 4, 2006, 09:24 PM
 
I think I see what they're trying to get at. An Intel-based virus cannot meaningfully infect a PowerPC-based application, or vice versa. If it tried, the infected application would almost certainly just refuse to run. By running the application on a different architecture from the one it's scanning, they probably hope to gain some protection for themselves: the current crop of Intel-based viruses wouldn't be able to subvert the anti-virus app's own functionality. By this reasoning, if Apple were to create a Rosetta-like layer for PPC Macs, McAfee would probably make the next version of their program run through that layer on PowerPC-based Macs.

Unfortunately, this only really buys them time. Eventually, a clever virus author will get around this by coding a virus for two architectures. Once you know that a file is an application, it's usually not too difficult to tell what architecture it's for; you can be reasonably sure within the first few hundred bytes (not 100% certain, but close enough). Then, depending on what architecture you detect, infect the binary with the appropriate architecture's code, using the other architecture's code as a simple data payload. Both architectures' versions of the code would be set up to do basically the same thing.

This would not be an easy programming task, and it would certainly be beyond the abilities of most of the VB-based worm writers of today's generation. The older virus writers could probably have done it, however, and although those arts are very esoteric today they aren't completely lost.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Addicted to MacNN
Join Date: Nov 2005
Location: President Skroob's Office
May 4, 2006, 09:43 PM
 
Originally Posted by mduell
They can't compile it natively (due to development environment or whatever), so they've come up with a PPC version that will run under Rosetta?
Ya, but how is that support for Intel? Pretty much every PPC app runs under Rosetta.

"She's gone from suck to blow!"
     
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
May 4, 2006, 10:34 PM
 
McAfee....haha, yeah...McAfee.
     
Addicted to MacNN
Join Date: Sep 2001
Location: NYC*Crooklyn
May 4, 2006, 10:55 PM
 
Originally Posted by Millennium
This would not be an easy programming task, and it would certainly be beyond the abilities of most of the VB-based worm writers of today's generation. The older virus writers could probably have done it, however, and although those arts are very esoteric today they aren't completely lost.
It's a step harder, and even if they did make it, it still has the same hurdles normal viruses have yet to crack.

whatev, virus programmers get more for their buck making regular viruses for PCs
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
May 5, 2006, 09:02 AM
 
I sorta agree with Rickey. McAfee has not impressed me, either on the personal level or the corporate level. Their interface is lame and they don't seem to integrate their (Windows) product with the OS nearly as well as Symantec does. I'd go with Symantec any day.

On the other hand, if they can show that this particular gadget actually works AND is useful, that may give them more traction in the market...
Glenn -----
OTR/L, MOT, Tx
     
Addicted to MacNN
Join Date: Nov 2005
Location: President Skroob's Office
May 5, 2006, 09:28 AM
 
For YEARS I have seen every Mac virus app do more harm than good.

Heck even the worst OSX worm has never done as much damage as these virus scanning apps have.

"She's gone from suck to blow!"
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
May 5, 2006, 09:48 AM
 
Originally Posted by Dark Helmet
For YEARS I have seen every Mac virus app do more harm than good.

Heck even the worst OSX worm has never done as much damage as these virus scanning apps have.
Over the past 2 1/2 years, I've had Symantec AntiVirus for Mac running on my wife's iBook with ZERO issues. I have not used the "Norton" Mac AV product. Maybe the consumer level products are just not good, but the one I'm using has worked fine.
Glenn -----
OTR/L, MOT, Tx
     
Addicted to MacNN
Join Date: Nov 2005
Location: President Skroob's Office
May 5, 2006, 10:04 AM
 
Originally Posted by ghporter
Over the past 2 1/2 years, I've had Symantec AntiVirus for Mac running on my wife's iBook with ZERO issues. I have not used the "Norton" Mac AV product. Maybe the consumer level products are just not good, but the one I'm using has worked fine.
Well I am not making it up, check MacFixit. Heck even Apple stopped bungling the crap with .Mac after this garbage was deleting email inboxes and stuff.

"She's gone from suck to blow!"
     
Clinically Insane
Join Date: Nov 1999
May 5, 2006, 10:43 AM
 
Originally Posted by Dark Helmet
Heck even the worst OSX worm has never done as much damage as these virus scanning apps have.
I'm inclined to agree on this, actually. Back in the OS9 days, virus-scanning apps on the Mac were actually quite good: thorough, unobtrusive, and rock-solid reliable. But for some reason, around the time of OSX, the quality of the major virus-scanning applications suddenly went way downhill, to the point where they did much more harm than good. Some of this is, of course, attributable to bugs that appeared when the apps had to be rewritten for OSX. But that can't account for everything, because even the OS9 versions -apps built off of what had been very solid and mature codebases- suddenly went completely to hell in the space of a single version.

I don't claim to know why this happened. I doubt anyone knows; I'm not even sure the makers of these apps know. But around March of 2001, something went very wrong in the Mac maintenance application community, and it's not something we ever really recovered from.
(Last edited by Millennium; May 6, 2006 at 08:06 AM. )
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Addicted to MacNN
Join Date: Nov 2005
Location: President Skroob's Office
May 5, 2006, 07:17 PM
 
Make me a list of the worst OSX viruses/worms, whatever, and then I'll show you a list of problems virus scanning apps have caused. You'll see the virus scanning apps do more damage.

"She's gone from suck to blow!"
     
Professional Poster
Join Date: Sep 1999
Location: Ottawa, ON, Canada
May 6, 2006, 10:12 AM
 
Originally Posted by Millennium
I think I see what they're trying to get at. An Intel-based virus cannot meaningfully infect a PowerPC-based application, or vice versa. If it tried, the infected application would almost certainly just refuse to run. By running the application on a different architecture from the one it's scanning, they probably hope to gain some protection for themselves: the current crop of Intel-based viruses wouldn't be able to subvert the anti-virus app's own functionality.
I don't think that's quite right. A scanner doesn't need to run in the same architecture as other code. It scans for scripts and compiled code. A scanner running on Intel can easily search for PPC code. Just like gcc running on Intel can compile PPC native code.
     
Posting Junkie
Join Date: Dec 2000
May 6, 2006, 01:34 PM
 
Not to mention that a virus writer could just compile a piece of malware as a Universal Binary instead of making it Intel-only, making it quite possible to infect PPC or Intel apps. I think it's quite clear that the reason this app runs in Rosetta is most likely because the universal version isn't ready yet.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Professional Poster
Join Date: Jul 2005
Location: Winnipeg, MB
May 6, 2006, 03:21 PM
 
Yah I'm inclined to believe it's more because they don't have a universal one more so than wanting to be more secure.
     
Clinically Insane
Join Date: Nov 1999
May 8, 2006, 09:23 AM
 
Originally Posted by hayesk
I don't think that's quite right. A scanner doesn't need to run in the same architecture as other code. It scans for scripts and compiled code. A scanner running on Intel can easily search for PPC code. Just like gcc running on Intel can compile PPC native code.
Yeah, though I'm not sure I understand how this conflicts with what I was saying. Mac apps have been running on PPC and searching for x86-based malware for years. This is the first time I've seen running on a different architecture actually being touted as a feature, but I think I see why they're trying to do that.

The only real thing is that I don't
Originally Posted by CharlesS
Not to mention that a virus writer could just compile a piece of malware as a Universal Binary instead of making it Intel-only, making it quite possible to infect PPC or Intel apps.
That won't work for true viruses. Universal Binaries work on the level of complete binary files: apps, libraries, or whatever. Those files are then bound together into a bundle, so the result is basically two single-architecture binaries which act as one from an interface perspective. The concept isn't unlike the FAT-Binaries from the 68K-PPC switch, which Apple actually licenses from NeXT back in The Day. In fact, the only real difference between them is the container: Universal Binaries use multiple files in a package, while the FAT-Binaries used the data and resource forks to accomplish a similar task.

True viruses work on a lower level than that. They're implemented as snippets of code that are inserted into binary files. If anything, a virus trying to infect a universal binary would find its task more complicated, because it would have to determine which architecture was running, which file stored the code for that architecture, modify it, then find the file for the other architecture and modify that file, keeping in mind that it's a different architecture.
I think it's quite clear that the reason this app runs in Rosetta is most likely because the universal version isn't ready yet.
You might be right, in which case McAfee is just using the 'different architecture' thing as spin. Either way, it's a bunch of BS.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
May 8, 2006, 10:03 AM
 
Originally Posted by Dark Helmet
Well I am not making it up, check MacFixit. Heck even Apple stopped bungling the crap with .Mac after this garbage was deleting email inboxes and stuff.
I don't doubt it happens, and happens badly for a lot of people-but it hasn't happened to me. It's possible that installing and configuring the product is the problem, and since I have a lot of (very tedious) experience with installing all sorts of AV products, I just made the right choices and settings (it certainly wasn't the painless installation it should have been, and the last upgrade was no stroll in the park either), while most Mac users, used to stuff "just working" don't get it quite right. Interacting with the program is also a royal pain; even the scheduled update function is confusing, and to be truly effective, THAT should be crystal clear to small rodents...

I have yet to figure out the Symantec/Norton branding issue, but it confuses the heck out of most consumers, and that's bad for everyone. There should be ONE line of products, with versions for individuals and enterprises, and the products should be transparent, seamless and effective, as well as SAFE.

DH, you have me acting very cautiously when interacting with this stuff-maybe I should thank you a lot!
Glenn -----
OTR/L, MOT, Tx
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
May 8, 2006, 10:05 AM
 
Originally Posted by CharlesS
Not to mention that a virus writer could just compile a piece of malware as a Universal Binary instead of making it Intel-only, making it quite possible to infect PPC or Intel apps. I think it's quite clear that the reason this app runs in Rosetta is most likely because the universal version isn't ready yet.
How easy is it to get the tools to create a Universal Binary? How transparent is the install process? If it's easy to get the tools and invisible to the user when something installs, that's a BIG problem. But I get a lot of professional computer journals, and you'd think there'd be ads for compilers that produce UBs all over the place. Not yet...
Glenn -----
OTR/L, MOT, Tx
     
Posting Junkie
Join Date: Dec 2000
May 8, 2006, 11:21 AM
 
Originally Posted by Millennium
That won't work for true viruses. Universal Binaries work on the level of complete binary files: apps, libraries, or whatever. Those files are then bound together into a bundle, so the result is basically two single-architecture binaries which act as one from an interface perspective. The concept isn't unlike the FAT-Binaries from the 68K-PPC switch, which Apple actually licenses from NeXT back in The Day. In fact, the only real difference between them is the container: Universal Binaries use multiple files in a package, while the FAT-Binaries used the data and resource forks to accomplish a similar task.

True viruses work on a lower level than that. They're implemented as snippets of code that are inserted into binary files. If anything, a virus trying to infect a universal binary would find its task more complicated, because it would have to determine which architecture was running, which file stored the code for that architecture, modify it, then find the file for the other architecture and modify that file, keeping in mind that it's a different architecture.
No, Universal Binaries use one file which happens to be in Mach-O format. This one file contains both the Intel and PowerPC code for the binary. The Mach-O format is completely documented, so it's not hard to find out where in the file the PowerPC and Intel code are. Before TrimTheFat and such utilities came out, I stripped a Universal Binary once by hand with a hex editor just to make sure I understood how the format worked.

With this knowledge, the virus writer can easily not only get to the individual PowerPC and Intel code snippets inside the virus, but the PowerPC and Intel portions of the code inside the app it's trying to infect. It can then stick its code into both the PowerPC and Intel sections of the app, infecting both. There would be no reason the virus would need to know which was running, and finding the code for each architecture is trivial.

For this reason, there's really no practical benefit to the antivirus app not being a Universal Binary.

Originally Posted by ghporter
How easy is it to get the tools to create a Universal Binary?
You mean gcc? It's on that "Developer Tools" disc that comes with OS X, and also freely available for download.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
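
Added example (not part of the thread or any poster's code): how a scanner can enumerate the PowerPC and Intel slices of a Universal Binary from the fat header described in the post above, so that every slice gets inspected whatever architecture the scanner itself runs on. The sample file is constructed in `build_sample`; handling only 32-bit Mach-O magics and the names `thin_arch`, `list_slices`, `make_thin` and `build_sample` are assumptions of this example.

```python
import struct

FAT_MAGIC = 0xCAFEBABE              # fat header, always big-endian on disk
MH_MAGIC = 0xFEEDFACE               # 32-bit thin Mach-O magic
CPU_NAMES = {7: "i386", 18: "ppc"}  # CPU_TYPE_X86, CPU_TYPE_POWERPC

def thin_arch(buf, base=0):
    """Return (cputype, endian) for a thin 32-bit Mach-O at base, else None."""
    if len(buf) < base + 8:
        return None
    for endian in (">", "<"):       # PPC slices are big-endian, Intel little-endian
        magic, cputype = struct.unpack_from(endian + "Ii", buf, base)
        if magic == MH_MAGIC:
            return cputype, endian
    return None

def list_slices(buf):
    """List (arch_name, offset, size) for every slice a scanner must inspect."""
    thin = thin_arch(buf)
    if thin:
        return [(CPU_NAMES.get(thin[0], hex(thin[0])), 0, len(buf))]
    if len(buf) < 8:
        raise ValueError("too short to be Mach-O")
    magic, nfat = struct.unpack_from(">II", buf, 0)
    # Java class files share 0xCAFEBABE, so the arch table must also be plausible.
    if magic != FAT_MAGIC or nfat == 0 or 8 + 20 * nfat > len(buf):
        raise ValueError("not a Mach-O or fat file")
    slices = []
    for i in range(nfat):
        cputype, _sub, offset, size, _align = struct.unpack_from(">iiIII", buf, 8 + 20 * i)
        if offset + size > len(buf):
            raise ValueError("slice %d runs past end of file" % i)
        inner = thin_arch(buf, offset)
        if inner is None or inner[0] != cputype:
            raise ValueError("slice %d header disagrees with fat table" % i)
        slices.append((CPU_NAMES.get(cputype, hex(cputype)), offset, size))
    return slices

def make_thin(endian, cputype, pad):
    # Constructed 28-byte mach_header (filetype 2 = MH_EXECUTE) plus zero padding.
    return struct.pack(endian + "IiiIIII", MH_MAGIC, cputype, 0, 2, 0, 0, 0) + b"\0" * pad

def build_sample():
    # Constructed two-slice fat file: ppc at offset 64, i386 at offset 128.
    ppc, x86 = make_thin(">", 18, 36), make_thin("<", 7, 100)
    head = struct.pack(">II", FAT_MAGIC, 2)
    head += struct.pack(">iiIII", 18, 0, 64, len(ppc), 0)
    head += struct.pack(">iiIII", 7, 0, 128, len(x86), 0)
    return head.ljust(64, b"\0") + ppc + x86

if __name__ == "__main__":
    for name, offset, size in list_slices(build_sample()):
        print(name, offset, size)
```

The cross-check between the fat table and each slice's own header matters for a scanner: a file whose table and slices disagree is rejected here rather than scanned under the wrong assumption.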
     
Addicted to MacNN
Join Date: Nov 2005
Location: President Skroob's Office
May 8, 2006, 02:11 PM
 
This software announcement is nothing more than to drum up press and business.

Following Apple's new ad about "Not getting viruses", McAfee has to show that they are needed.

So they come up with some stupid excuse to have a press release to make people scared again so they spend money.

"She's gone from suck to blow!"
     
   