An Analysis of MacScan, "The Premier Anti-Spyware Software for Mac OS X"

Introduction

MacScan is an anti-spyware product for Mac OS X from SecureMac. It detects dozens of spyware programs for the Mac, including the recent trojan.osx.boonana.a trojan. From the product page,

Using advanced detection methods MacScan can detect, isolate and remove the program which could allow your privacy to be violated. ... MacScan by SecureMac—Leader in Macintosh information security—is designed specifically to detect and eradicate the threat to your Macintosh. MacScan protects your Mac from security risks like no other program can, filling the missing gap of security protection for the Macintosh.

MacScan has been featured in Brazil's Mac+ magazine as a top 50 must-have Mac application. The product seems to be doing well enough for SecureMac as they were able to exhibit the upcoming MacScan 3 at Macworld San Francisco last year, as well as show previous versions in 2008 and 2009.

A New Anti-spyware Solution: MacScam


MacScam is a new contender in the market of anti-spyware software for Mac. Weighing in at under 200 lines of Python code, MacScam offers state-of-the-art protection for your peace of mind. Best of all, it's completely free. Download it today!

MacScam is completely compatible with SecureMac's definitions file, and will even fetch them for you if you don't have the latest version. Just run python MacScam.py ~/ to scan your home directory. Like MacScan, you can extend your scan to include remote administration programs with the --remoteadmin option.

There is one feature that MacScam includes that its GUI-based cousin lacks: Throw the --gen option in, and MacScam will instead populate the given directory with files which match each of the signatures.

$ mkdir cases && python MacScam.py --remoteadmin --gen cases/
[+] Fetched spyware definitions from macscan.securemac.com
...
[+] Loaded 614 spyware definitions (612 valid, 24 remote admin)
[+] Generated false positive test cases in cases/
[*] Starting scan of cases/
[!] Found 'PokerStealer 1.0' in file cases/0
[!] Found 'DNSChanger 1.1b' in file cases/1
...
[*] Scan complete -- 612 threats found

You should get similar results if you scan that directory with MacScan, or any other anti-spyware product that utilizes SecureMac's "advanced detection methods"—even though every file in cases/ is completely empty.

How MacScan Detects Spyware

MacScan obtains its spyware signatures from a definitions file in property list format. As with any anti-malware product, every file on the disk is checked against these signatures to flag files which may be spyware.

Unlike most other anti-malware products, however, MacScan's spyware signatures are entirely based on file creation and modification dates, and in some cases, outmoded Mac OS creator codes.

(Amusingly, several of SecureMac's signatures aren't even valid. At the time of writing, 54 specified invalid creator codes, and 2 referenced dates that never existed, such as Tuesday, May 28, 2005.)

Not only is it blatantly misleading to call this an "advanced detection method," it is trivially easy to create false positives as well as negatives: MacScan can flag completely innocuous files that happen to have been created or modified with a blacklisted timestamp, and hiding genuine malware from MacScan is as easy as changing the dates.
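As an added illustration (my own code, not MacScam's or MacScan's), the following Python mimics a timestamp-only signature check against constructed signatures: every empty file whose modification time matches a signature is flagged, a file with real content and an unrelated timestamp never is, and a weekday check catches the kind of impossible date mentioned above. The signature field names are assumptions, not SecureMac's definitions schema.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed signatures in the style the article describes: a name and a
# file-modification timestamp, nothing about the file's contents. The field
# names are hypothetical, not SecureMac's definitions schema.
SIGNATURES = [
    {"name": "Sample Spyware A", "mtime": datetime(2004, 11, 3, 9, 30, 0, tzinfo=timezone.utc)},
    {"name": "Sample Spyware B", "mtime": datetime(2006, 2, 17, 21, 5, 0, tzinfo=timezone.utc)},
]

def scan_file(path, signatures=SIGNATURES):
    """Metadata-only check: flag a file whose mtime (whole seconds) equals a
    signature timestamp. The file is never opened, so content is irrelevant."""
    mtime = int(os.stat(path).st_mtime)
    return [s["name"] for s in signatures if int(s["mtime"].timestamp()) == mtime]

def generate_false_positives(directory, signatures=SIGNATURES):
    """Create one empty file per signature and set its mtime to the
    signature's timestamp, reproducing what MacScam's --gen option does."""
    paths = []
    for i, sig in enumerate(signatures):
        path = os.path.join(directory, str(i))
        open(path, "wb").close()                   # zero bytes of content
        ts = sig["mtime"].timestamp()
        os.utime(path, (ts, ts))                   # (atime, mtime)
        paths.append(path)
    return paths

def weekday_is_consistent(text):
    """Check that a 'Weekday, Month D, YYYY' string names the real weekday;
    'Tuesday, May 28, 2005' fails because that date was a Saturday."""
    stated, rest = text.split(", ", 1)
    return datetime.strptime(rest, "%B %d, %Y").strftime("%A") == stated

def demo():
    """Return the hits for the generated empty files and for a benign file."""
    with tempfile.TemporaryDirectory() as d:
        flagged = [scan_file(p) for p in generate_false_positives(d)]
        benign = os.path.join(d, "notes.txt")
        with open(benign, "w") as f:
            f.write("ordinary user document")      # real content, unrelated mtime
        os.utime(benign, (1_100_000_000, 1_100_000_000))
        return flagged, scan_file(benign)

if __name__ == "__main__":
    print(demo())
    print(weekday_is_consistent("Tuesday, May 28, 2005"))
```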

Perhaps that is what SecureMac means when they say that "MacScan protects your Mac from security risks like no other program."

Conclusions

Readers are strongly cautioned away from using MacScan for spyware protection. The detection mechanism used is not only embarrassingly ineffective, it could mislead a user into damaging important files (including system files, if run in authenticated mode). MacScan offers virtually no protection against genuine spyware threats.

SecureMac has profited from the deception of its customers by grossly misrepresenting the benefits of its product through fraudulent marketing. Licensed users should contact support to demand a refund.

Finally, journalists should hesitate to endorse software purely based on its purported functionality, without performing a thorough investigation. This is especially true of security software, which is easy to misrepresent and where a misrepresentation carries serious consequences for users. Let's not have MacScam show up on any Top 50 lists.