Patrick Wardle OS X security researcher and director of research at Synack and has now had a couple of presentations on Mac malware and how basically simplistic the samples are. He wrote some next level malware for OS X and by-passed all of Apple security software and all of every OS X AV vendor including Avast for Mac. Patrick stated that all current Mac AV programs have zero heuristics and are very simplistic compared the AV vendors PC based AV programs. Vlk, what can Avast do to up the game on adding advanced heuristics and other advanced features to Avast for Mac BEFORE the malware writers up their game? Why not be the leader in bring these advancements. Even Patrick has asked you guys to up your game in the first 6 min video. Here is a talk from Patrick on OS X malware and the ease of by-pass. He talks about it here in a quick 6 min pre-interview that I will post and then he gives his 1 hr presentation after. https://www.youtube.com/watch?v=yHZ9XGvNeik then his presentation https://www.youtube.com/watch?v=oT8BKt_0cJw .
Vlk, any chance of getting heuristics in Avast for Mac before the OS X malware writers start writing advanced code?
Well, interesting question. In short, I don't think heuristics would cut it -- but the cloud could. Let me explain this in a bit more detail: traditional heuristics is more about dynamic code analysis -- i.e. code emulation and things like this. And the purpose of that is to detect malware-like behavior, especially tricks that are known to bypass the other, more traditional detection techniques. Now, the "problem" is that there is not too many examples of such malware in the wild -- i.e., the bad guys writing malware for Mac haven't been very creative so far and so it is very difficult to come up with any heuristics that would be generic enough to detect stuff without any a priori knowledge of what such polymorphic Mac malware will actually look like. Now, with cloud, this is quite different. Even the most fundamental cloud detection techniques -- i.e. basic prevalence and emergence checks -- would make quite a difference. It is true that for some reasons today's Mac anti-malware products don't use the cloud too much, and it's an interesting opportunity to differentiate. One reason for that is that the cloud only really works if your user base has certain sufficient size, i.e. enough security sensors, while the user bases of most Mac-based anti-malware products today are still quite small. Avast is probably best positioned to do this, even though its Mac user base is still only about 2.5% penetration of the overall Mac install base (but even despite that, still probably the largest of all AV vendors). Thanks Vlk
