Security Experts:

VirusTotal Adds Sandbox Execution for OS X Files

Google-owned malware scanning service VirusTotal announced on Tuesday that Mac OS X files scanned by users will be executed in a sandbox in order to analyze their behavior.


As threats designed to target Apple devices become more common — recent examples include XcodeGhost and WireLurker —, researchers may want to analyze the behavior of OS X files that look suspicious.

Sandbox execution was first introduced by VirusTotal in 2012 for Windows PE files and the feature was expanded in 2013 to include Android applications (APKs). Now, users will also be able to view behavioral reports when scanning Mach-O and DMG files and ZIP archives containing a Mac application.

VirusTotal has pointed out that Mac files will be executed in a sandbox regardless of the scan method being used — behavioral reports are produced for files scanned via, the OS X Uploader utility, or the API.

The new “Behavioural information” tab introduced for OS X file scans provides a report on the actions and events performed by the targeted file or by the processes it launches or injects.

The information includes a list of opened, read, moved and written files, created processes, HTTP and DNS requests, and TCP connections. The malware scanning service has provided example reports for DMG files, Mach-O files, and ZIP archives containing a Mac app.

Customers with “allinfo” or private API privileges will see the behavior information in the API responses. The information is indexed and searchable for customers of VirusTotal Intelligence, the premium service that offers advanced features.

When it launched the sandbox execution feature in 2012, VirusTotal noted that its goal is not to replace existing online sandboxes, but to provide complementary reports that will further help the security community.

Earlier this year, the service announced the launch of a project dubbed “Trusted Source,” designed to allow major software developers to share their files in order to ensure that antivirus products don’t erroneously flag them as malicious.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.