When Apple updates its XProtect anti-malware system in OS X with new definitions, it often means a new or updated threat has been found for OS X.
Earlier this morning, Apple issued an update to XProtect that adds a new definition for a malware package called “OSX.eicar.com.i,” which comes from Eicar.com. An update like this usually means a novel malware package has been found, but that is not the case with this one.
“Eicar” stands for the European Institute for Computer Antivirus Research, a group that investigates malware and security issues and maintains a standard anti-malware test file for checking antivirus utilities. The test file is a simple text file called “eicar.com” containing the following ASCII string; when it is saved and scanned with an antivirus utility, the scanner should report it as malware:
This ASCII string is actually a DOS program that should print out the string “EICAR-STANDARD-ANTIVIRUS-TEST-FILE!” when run on a DOS system.
This test file is one of many such files that security companies generate so that people can test their software safely, without using real malware.
Are definitions for the test file needed?
The file is intended to serve as a test for antivirus utilities without the need to pass live threats back and forth between systems. Many security software vendors create such files for checking their software, as doing so is far safer than issuing live malware packages to be detected on a test system.
Since the file is simply a test, a definition to single it out is not needed by a system like Apple’s XProtect. However, having the definition available does allow a user to run the test file through XProtect and see whether the system is working properly. The file is ultimately there to be detected, so even though a static definition for the file itself bypasses any behavioral analysis features, it does serve to show that XProtect is active and working.
Therefore, if you download the file from the Eicar Web site and try to open it in a program like TextEdit, XProtect will prevent you from doing so and issue a warning that the file will harm your system. Even though this is an incorrect assessment, it shows that XProtect is able to see the file, match it against its definitions, and properly block it from being opened.
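As an added illustration (not Apple’s code and not the file as Eicar distributes it), the Python below models the static-definition check described above: it writes eicar.com from the published 68-byte string, checks it against the EICAR file-format rules, and runs a substring signature keyed by the definition name from this post. The signature table, the temp-file layout and the two look-alike files are assumptions made for the example.

```python
# Added illustration (not Apple's or EICAR's code): how a static definition
# like XProtect's "OSX.eicar.com.i" recognises the EICAR test file, and what
# such a match does and does not tell you.
import tempfile
from pathlib import Path

# The 68-byte EICAR string, split in two so this source file is not itself
# flagged by substring scanners.
EICAR_BYTES = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
               + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed signature table keyed by the definition name from the post;
# the real XProtect definition format is not reproduced here.
SIGNATURES = {"OSX.eicar.com.i": EICAR_BYTES}

# Trailing whitespace the EICAR specification tolerates after the 68 bytes.
_TRAILING = b" \t\r\n\x1a"


def is_eicar(data: bytes) -> bool:
    """Spec check: the 68 bytes, optional trailing whitespace, <= 128 bytes."""
    if len(data) > 128 or not data.startswith(EICAR_BYTES):
        return False
    return all(b in _TRAILING for b in data[len(EICAR_BYTES):])


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Static substring match, as a definition-based scanner would do it.
    It says nothing about behaviour: any file carrying the bytes is flagged."""
    return [name for name, pattern in signatures.items() if pattern in data]


def write_eicar(path: Path) -> int:
    """Write eicar.com with a trailing newline, which the spec permits."""
    return path.write_bytes(EICAR_BYTES + b"\n")


def demo() -> dict:
    """Write the test file, then compare both checks on it and two variants."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "eicar.com"
        write_eicar(path)
        data = path.read_bytes()
    embedded = b"harmless text\n" + data        # string buried mid-file
    altered = data.replace(b"EICAR", b"EICAX")  # one byte changed
    return {name: (is_eicar(blob), scan(blob))
            for name, blob in [("valid", data), ("embedded", embedded),
                               ("altered", altered)]}
```

`demo()` returns the three verdicts: the definition fires on the genuine file and on the copy with the string buried mid-file, but a single changed byte is enough for the static match to miss, which is the limitation of a definition-only check that the post alludes to.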
Be sure to check us out on Twitter and the CNET Mac forums.