AGENT FIXES IN MAC BUILD 9.0.1.31 - May 9th 2016

Wow. Looking at that, it'd be super easy for people to muck around in there.
 
Anyway, thanks so much for all the explanations and your time. Really appreciated.

here is a copy of the exclude list ( I had to change the file type to .pdf to attach it but just change it back to .plist), if you open it on windows then you will need something like notepad++ or the word wrap will be all over the place.  I dont know of anything that calls Apple for this process, Im sure I could write something but noone really wants to be the one poking the bear.

The AppleKextExcludeList.kext is a list of files/kernals that Apple allows to run without being signed.  (We are actually on the list as well)  Apple has never been one to take on PUAs and Keyloggers and therefore doesnt really care if they are on your system.  They actually have a built in app that is suppose to prevent malware from getting on the machine which is call MRT.app (MalwareRemovalTool.app) but they also left thier entire def base unencrypted. Any intelligent malware researcher or malware writer can just open it and see what they are looking for and adjust accordingly.  When I got into threat research, this was one of the things that I laughed about the most.  

John,
Scanning external drives is completely up to you.  By default the Agent does its job and scans external drives, however we are unable to determine what every customer that uses our client will name their backup.  For instance my backups are not called Time Machine but it will react in the same manner.  I am sorry that you feel that the product is not up to the par you would like, we are building out changes and advances for it everyday.  In certain instances such as this, where Apple builds out a list of known puas and keyloggers, that we are going to have to work with them in order to address it.  The detection that you posted was corrected six days after your client detected it.  I was able to work out a way to stop detecting that file and future updates of that file without the clients having to make adjustments.   These kinds of fixes are what we are trying to deliver.   As part of our Mac team I promise that we are listening to the feedback from our clients and building from that.  We are currently working on a 9.0.2 build that will help protect our clients even better.  I have been running it against sample feeds that our competitors are not able to detect and we are catching them everytime.  If you ever have feedback or ideas for the client please do not hesitate to message me directly and I will be happy to provided you with any information I can.  I am not only the Threat Research analyst but I assist with QA and the Development process to help build out a better product and provide feedback from the field to our team.
Regards,

@ wrote:
Here is one example:
 
Info.plist, Keylogger.SpectorPro.r, VolumesTime Machine BackupsBackups.backupdbSimon's MBP2016-04-06-025514.inProgress7051187E-C23D-40FD-8A68-4FB40DB72C30Macintosh HDSystemLibraryExtensionsAppleKextExcludeList.kextContents,  00000000000000000000000000000000, 6 hours 30 mins 29 secs This continuously breaks the Time Machine backups to an external drive.   

There are some exceptions in place to resove this but there isnt much that we can do about it because Apple thought it was a good idea to put a list of puas and keyloggers in plain text for the system to read.  The detection that you posted should no longer happen.  One other thing to consider is not scanning your time machine as there isnt anything that can be done with any file found in it by WSA.  The files located on Time Machine are locked by the os and require much more to remove.  Best setup for scanning on a Mac is to not scan mounted drives as the Real Time Shield will catch anything trying to run anyway. 

@ wrote:
"Bug Fixes" is a bit vague.
 
Have they fixed detecting all sorts of plist entries as malware?
 

We detect plist files on purpose, i am curious what you mean.