This came in from SANS yesterday afternoon:
One of the not-much-talked-about new features in Snow Leopard aka OS 10.6 was a build in anti virus tool. However, up to now, the tool only looked for a small number of old malware samples, hardly ever found in the wild. This changed with today's OS X security update (2011-003). This latest update includes the ability to automatically download new signatures, just like for other anti malware software. In addition, signatures got added for the recent set of fake AV tools spreading for the Mac (Mac Defender).
XProtectUpdater, the new component downloading these updates, it configured using the system preferences according to some reports. But so far, I have not been able to find the configuration in either of the systems I installed the update on. (I will keep looking and maybe will update this later)
Update: Found it. The item is called Automatically update safe downloads list. It can be found in the Generaltab of the security settings. Iguess this is the least malicious sounding naming Apple could come up with. It is enabled by default.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter (c) SANS Internet Storm Center. http://isc.sans.org
Creative Commons Attribution-Noncommercial 3.0 United States License.