Patrick Wardle – who has been investigating the issue of dylib hijacking on OS X – has just released a new security tool, Knock Knock, available free from here.
Knock Knock scans key files and folders on your Mac, checks what they are and whether they are correctly signed, and looks them up in the VirusTotal database. The file types checked include launch items, login items, kernel extensions, browser extensions, and Spotlight importers.
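As an added example (not part of this post, and not Knock Knock's own code), here is a small Python script that does the most basic part of what is described above for launch items only: it parses the launchd plists in the standard launch folders, records which program each job starts and whether it runs at load, hashes the binary so it can be looked up on VirusTotal without uploading it, and asks codesign (where available) whether the signature verifies. The folder paths are the standard OS X ones; the hashing and the codesign flags are my choices.

```python
import hashlib
import plistlib
import shutil
import subprocess
from pathlib import Path
from xml.parsers.expat import ExpatError

def program_of(job):
    """Return the executable a launchd job starts: Program, else ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None

def sha256_of(path):
    """Hash the binary so it can be looked up (e.g. on VirusTotal) without uploading it."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def signature_status(path):
    """Verify the code signature with codesign; 'unavailable' where codesign is absent."""
    if shutil.which("codesign") is None:
        return "unavailable"
    res = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(path)],
                         capture_output=True)
    return "valid" if res.returncode == 0 else "invalid"

def inventory(dirs=None):
    """Describe every launchd job in the given folders (default: the OS X launch item folders)."""
    if dirs is None:
        dirs = [Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"),
                Path.home() / "Library/LaunchAgents"]
    items = []
    for d in dirs:
        for plist in sorted(Path(d).glob("*.plist")):
            try:
                job = plistlib.loads(plist.read_bytes())
            except (plistlib.InvalidFileException, ExpatError, OSError):
                continue  # unreadable or malformed plist: skip it, do not abort the scan
            prog = program_of(job)
            binary = Path(prog) if prog else None
            is_file = bool(binary and binary.is_file())
            items.append({
                "plist": str(plist), "label": job.get("Label"), "program": prog,
                "run_at_load": bool(job.get("RunAtLoad", False)),
                "binary_present": is_file,  # a job whose binary is missing is worth a look
                "sha256": sha256_of(binary) if is_file else None,
                "signature": signature_status(binary) if is_file else "n/a",
            })
    return items
```

Calling `inventory()` with no arguments scans the real launch folders; pass a list of directories to point it elsewhere.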
This is currently the best way that I can see of keeping a close watch to ensure that nothing bypasses Gatekeeper on your Mac and installs persistent malware on it. Patrick generously asked me to beta test Knock Knock, and I am very impressed by the valuable information that it provides. Unlike most of the commercial ‘anti-virus’ tools, it does not attempt to mess with sensitive components, but will give you an excellent insight into whether there is anything amiss on your Mac.
Patrick has also been diligent in ensuring that it is both easy and friendly to use. Anyone who has browsed their logs, used Activity Monitor, and the like should find it an invaluable tool. It is also generic: it works just as well against old and future malware, so long as the malware exploits the currently known vulnerabilities in Gatekeeper and other protection mechanisms.
I would like to note that Patrick has made Knock Knock available completely free of charge, adverts, and other barriers.
Knock Knock will not stop malware from getting past the gates of Troy (only Apple can really address that), but at least it lets you know which horses are made of wood!