Should Mac Users Run Antivirus Software?

adamengst sends in an article from TidBITS in which Macintosh security expert Rich Mogull explains why he doesn't use antivirus software on the Mac, and why most Mac users shouldn't bother with it either. The article also touches on the question of when an increasing Mac market share might tip it over an inflection point into more active attention from malware writers. (Last month Apple had 14% of PC sales, but 25% of dollar value.)

Nay!

Last month Apple had 14% of PC sales, but 25% of dollar value.

Say it isn't so. Everyone knows macs are just as cheap as PCs!

Re:Nay!

Say it isn't so. Everyone knows macs are just as cheap as PCs!

I know your just being funny, but I figured I'd explain it anyway...

An awful lot of PCs are those $300 dell specials. Apple doesn't make products that crappy, but Dell moves boatloads of them... so Dell picks up a lot of unit sales eroding Apples 'market share by unit', but because the price is so low and Apple hangs onto more of the higher value sales, the erosion effect of these low end units on their 'market share by price' is considerably less.

Lets compare apples and oranges ;)

I sell oranges at $1
I sell apples at $1
As you can see "Apples are no more expensive than oranges."

I also sell rotten oranges at 50 cents.
I don't sell rotten apples.

So if I sell 100 apples, 200 oranges, and 200 rotten oranges:

Apple has 20% of the market but 25% of dollar value.

market = 100/[100+200+200] = 1/5 = 20%,
dollars = 100/[100+200+200*0.50] = 1/4 = 25%

That's essentially whats happening here.

Re:Nay!

at lest that $300 dell uses desktop parts unlike the $600 mini.

You'd be assuming that someone who buys a mini would be pleased with a loud bulky cheaply built tower why?

And for $600 you can get a dell that is a lot better and it has slots to add video and other cards to it.

A lot better? Give me a break. I challenge you to put together a Dell for $650 (or $750 including monitor, since with a lot of their budget PCs you can't unbundle it) that matches the mini's specs. I challenge you.

It must have bluetooth, 802.11g wifi, firewire, at least 4 usb ports, gigabit, optical audio in and out, DVI video out, Core2Duo w/ 2MB cache, 1 GB of RAM.

The mac mini only has integrated video so GMA950 is what you need to meet or beat there, and the small slow laptop hard drive should be a nobrainer to beat too.

Since its a PC not a Mac, I'll forgive you leopard, but you'll need at least Home Premium, no Home Basic. And make sure it comes with a restore disk.

And even if you managed to do it, then ask yourself... can you also make it virtually silent and fit into a space about the same as a stack of 5 CD jewel cases?

I'm not saying you can't get a good value for $600 from a dell. And theres no question that $600 spent the right way can result in a PC that's better than a mac mini for, say, games, for example. But spec for spec, Apple is very good value, provided your needs line up with the features they offer.

I agree there are some big gaps in the apple line up... where is the fast core 2 duo tower that I can put expansion pci cards into for around $1200 for example. The imac is good value and the right specs, but the wrong form factor since I can't expand it... that's why I still use a PC tower. My laptop otoh, which I don't require to be expandable, is a mac.

With mac's expandability isn't their market; except at the extreme high end. That tends not to go over well with the 'tech crowd' like the one here, but in practice, joe sixpack never upgrades his PC anyway nor plays FPS shooters, so for them this gap is not much of an issue.

Eh, I don't know about that

Especially when you start talking upgrades they seem to be pricey. Looking at an iMac right now they want $500 to go from 1GB (the default and minimum) to 4GB. Hop over to Dell and going from 512MB (default and minimum) to 4GB is only $170. Now yes, I realise you can buy aftermarket parts, but that defeats part of the point of getting an OEM system and certainly an Apple: support. You get everything from the OEM, they are your one stop for support, particularly with Apple who also makes the OS. You start buying aftermarket, that is no longer the case.

Now that aside, the other problem I find is that while their prices are often comparable for a system at a given point, they don't actually offer what many want. The towers are a good example. Yes, actually, their towers are fairly competitive pricewise when you spec out a similar Dell workstation with dual quad cores, lots of registered ECC RAM capacity, and so on. However the problem is what if I don't want that? What if I want a single quad core (or dual core), non-ECC RAM, and so on? There's plenty of cases where this is a much better option.

Let's say I don't have software that scales up to 8 cores. This is fairly common these days. So let's say I'd like a quad core with 4GB of RAM. If I go the Apple tower route, $2800 is the price for that. That isn't unreasonable, since it is a single Xeon, with support for a second one, and registered, ECC RAM, which is really expensive. However, Gateway (or I suppose MPC now since they bought Gateway's business division) would be happy to sell me a E-6610Q with similar specs (HD, video, etc) for about half that ($1300).

Now the thing is, the sort of system I listed is quite useful. We buy a good number of them here (that's why I know about it) for research. There's a lot of cases where someone wants a system that has a good processor, plenty of RAM (we often get 8GB even, which is still cheap) but just really doesn't have use for a full on workstation class system. This is even more true now that processors have gone multi-core. While 8 cores is great, there are just a lot of things that are hard to write to make use of that many. So if you aren't using more than 4, the second processor, and all the associated cost, isn't useful.

That is the main reason I'd say Apple isn't competitive on price. A mid range tower is something that there is a whole lot of market for, but they just don't sell. If you don't want an all in one, your only option is super high end. If you don't have a need for the extra hardware, that is just money wasted.

Same goes for people at home. For example I like to play games. An all in one wouldn't work for me. Sure, I could get a similar monitor (24" widescreen), CPU (Core 2 Duo) and RAM (4GB) to what I have. However I can't get the graphics card I have, and I can't ever upgrade it. That is a show stopper right there, since the core of the system will last a good deal longer than the video card. It'd be a waste to buy a new system when only one component needs updating. Likewise the monitor will outlast the system, again a waste to upgrade.

That's my objection to the argument that Apple is a good value for equivalent hardware. That is true in a narrow sense sometimes, but given that they don't have a solution for a large number of people, it isn't true over all.

Re:Eh, I don't know about that

It's not a matter of voiding the warranty, it is a matter of who fixes things when it breaks. That's the whole reason why we buy something from one vendor around here (MPC for PCs). Our staff is fully capable of building systems form parts, and fully capable of diagnosing problems. However doing so would get in to a support nightmare. If something goes wrong with one of the PCs and all the hardware is from one company, we just tell them what we need replaced. It is easy to see if it is under warranty and so on. Also, if it is a strange issue that might be more than one part, it isn't a problem to get multiple parts. You don't have the maker of one part blaming the maker of another part.

Now this isn't critical, and I'm certainly not saying we've never bought aftermarket upgrades. However, it is a real consideration since one of the reasons people try to sell you on Macs is support. They say it is easier since the whole deal comes from one vendor. Ok, there's a lot to that, but you start to break that if you add aftermarket hardware. It isn't that you'd invalidate the warranty on the existing Apple hardware, but that if the aftermarket piece breaks, they can't help you.

Not a major issue when you have a single computer, but when you have 500, it can get problematic. Much better to have a single point for support as often as possible. However if you are having to order aftermarket upgrades for every single box due to the cost, well you don't get to have that.

I do

I've been running ClamXav, http://www.clamxav.com/ [clamxav.com] , for a long time. I normally don't run full scans, but I do use the Sentry ability on any download directories. So anything I download is scanned. Nothing so far :)

Good idea

One thing that worries me is I see a lot of Mac users who have the "Macs can't have bad things happen to them," attitude. This is dangerous in general, but particularly with Macs becoming more popular. In general it is just bad because it leads to lax security policies. For example we got a notice here that a computer was doing bad things. Tracked it down, it was a Mac. We disconnected it and found the owner. Their response? "But Macs can't be hacked!" Ya well turns out they can if you are dumb enough to have a world writable FTP server with the root directory of /, which is what this idiot had done. I don't even know that it was being used for anything other than a public warez FTP, but still, the point is MacOS couldn't defend against extreme stupidity.

So I think it is a good idea for Mac users to run AV scanners, and other security tools, just in case. Even if you've never found anything, better to have a good security policy than to end up being sad later on.

Think of it like having a house in a good neighbourhood: Just because your place has never been broken in to, doesn't mean you should leave the door unlocked. Sure it might not be common where you live, but that doesn't mean it is impossible. Practise good security and it isn't a problem.

I take the same view with computer security. I mean for that matter I've never had a virus on my Windows system, and I don't find it likely that I will. I don't do the sorts of things that are going to get you infected. However, I am going to be safe about it, rather than being sorry that I was arrogant in assuming my knowledge made me invincible.

No

I don't use AV for Windows, either. At least not in "resident" mode. I have a scanner I use occasionally on stuff I download that I don't fully trust.

15 years of no viruses, no malware, etc. The secret? No secret, just avoid being stupid. AV software is like driving a car with the intention of crashing it all the time, but wearing a seatbelt and thinking everything's OK.

Re:No

I don't use AV for Windows ... 15 years of no viruses, no malware, etc.

And you presumable know this because you've never had a virus detected. Wait a minute... :-)

I already *don't* run AV on a PC

Ha. I already don't run AV on the PC either.

Well tell me why I really need to? I mean I have it installed, but I certainly don't have that stupid active scanning thing turned on. So when I open a file, my computer really needs to open it twice? Bull.

I get my mail from gmail (so attachments already scanned there). I use FireFox (so little chance of infection there). I do scan things that might possibly contain a virus -- anything from a usenet newsgroup or from P2P (which is only a few executables ever anyway); And I do let it scan the whole thing once a week (and never finds anything I didn't already know about, of course).

And you know what? My old computer running Win2K runs faster than most any new computers out there with AV turned on. To date, I've never been bitten by any viruses.

Just like Linux

IMHO Mac users who send out files to people should probably use a virus checker. It's just polite. The fact that something can't cause damage to your machine doesn't mean you shouldn't check it to make sure it won't hurt someone else's I'm kinda being hypocritical here, seeing as in my years running Macs and Linux boxes, I've rarely run virus checkers, but then again, I hardly forward email and almost never deal with attachments.

Just because it won't effect you doesn't mean it won't effect someone you know. Now here's where everyone will start saying, "it's teh windoze uzer's own fault! Dey shouldn't be so dumb!" but seriously people, if you want to show people that Unix is a better choice, show them by helping, not by hurting.

doesn't hurt

I used to work at a computer lab that was all Macs at a school. For a short while we didn't run any AV software on the machines--until we started getting complaints from other departments that files that were coming from us had viruses. Turns out that Office for Mac is a perfect vector for all those pesky macro viruses that would find their way onto machines. It wasn't incredibly serious, but it was enough to get us to put AV software back on the Macs.

Only if you'refrom the US

Last month Apple had 14% of PC sales, but 25% of dollar value.

This is just a teeny-weeny bit unreal. Close inspection reveals that the cited article refers to US-based PC retail sales.

There is more to the world than the US. And there's more to sales than retail sales. Apple has much lower sales penetration in Europe and Asia, and it has much lower sales in the commercial sector. Apple might be on enjoying a renaissance, but don't be fooled by inappropriate statistics.

Wrong Question

The right question is "Should Apple take security more seriously?" YES and "Should Apple be more proactive in dealing with security issues?" YES. "Should Apple be closely following the tactics of various malware propagators and bot net operators?" YES.

Bringing the Anti-virus & Registry Cleaner snake oil salesmen to the Mac isn't going to do anyone any good.

Having said all that I used to use clam but never reinstalled it when I move to Leopard...

OS X Server does by default

I note that Leopard Server runs ClamAV by default, and does so without user intervention. Of course the mission for the server release is different from that of the desktop, and there may be an expectation that you'll be interacting with Windows at some point. It's capable of supporting Windows clients, and for that you should have an AV suite. It would be beyond foolish not to have one.

Still, many people interact with Windows from their client Macs too, but not everyone. Windows is not a part of my life, for instance.

Apple obviously felt it necessary to include an AV suite for the server release. They've tailored it for the OS, so why not ship it by default with the client release as well? Perhaps because they feel it isn't necessary, and they're choosing to err on the side of fewer wasted cycles for the majority of their users? I suspect that if a bona fide threat to OS X ever does appear ClamAV will be made available for the client release via Software Update the next day.

Running AV to tick off a checkbox.

A lot of companies run antivirus software even on their high end Solaris and AIX machines. Not because there is a likelihood of a RTM worm repeating itself, but because of legal reasons. A lot of corporate clients require their vendors to "have antivirus protection on all computers", a very wide and sweeping statement.

One reason I can see putting AV on a Mac is so people (and companies) can check this box, saying that all their machines that handle customer data have antivirus protection installed, even if the utility is just triggered from a cronjob that does a scan down the filesystem for infected Windows files every so often.

Historically, before OS X, Macs did have some viruses, although relatively few of them were malicious. Before Word macro viruses became common, John Norstead's Disinfectant was one of the more used anti-virus utilities that offered not just scanning, but in memory protection.

It's called a "Disk Image"

It's called a Disk Image. If you have it mounted, then you can scan it with any anti-virus program. There's no reason not to use anti-virus on Macs. ClamAV is free and works quite well.

Re:It's called a "Disk Image"

At the risk of being modded flamebait, I wanted to point out that when I tried ClamAV on mac it worked piss poor. There was little for it to find that affected me, so basically all it did was protect windows users from viruses passing through my computer to theirs and it did all sorts of screwy stuff with my system including making it so slow it was unusable. I kept it less than a week.

Use a tool like little snitch, up you security settings, don't run as administrator, don't run random programs you find on the net and you'll be fine.

It's called a waste of time and cycles.

There's no reason not to build a nuclear bomb shelter either, except that most people don't need it, it won't work and it's a waste of money. Now that I think about it, there are more reasons to build a shelter than there are to run AV on modern *nix derivatives. AV programs are a terrible performance drain on the one system that needs it but is never really protected by it.

Re:Yes

But computing feels so much better without antivirus.

Re:Then Rich Mogull Ain't No Security Expert

Mac users really should stop being so blase about anti-virus software on their Macs because they should run it.

snip

Switch to a Mac, and you still have a population of similar-enough machines across which a virus can also propagate and it is very dangerous to assume anything otherwise.

Why? How dangerous? And how is it dangerous to assume otherwise?

Why should I spend my time, money, and CPU cycles on running AV on a system that has an essentially 0 rate of virus infection? I've got a firewall on my network, *and* I've got the host firewall running on my Mac. I read my email in GMail and almost never open documents in Office, except those that come thru my work mail (via Entourage), which is scanned at the corporate level anyway.

I back up my files, so I'm not at (too much) risk for data loss.

Maybe once there are *real* viruses out there for the Mac, I will reevaluate. Maybe I will be unlucky, be one of the first ones to be hit by a Mac virus in the wild and have to spend a few hours reinstalling all my apps and restoring from backups. But so far, if I ran AV, I'd just be investing real time and money into defending against an all-but-nonexistent threat. The cost/benefit just isn't there.

Re:Then Rich Mogull Ain't No Security Expert

And how is the antivirus going to catch the problem when it first appears? When large scale OS-X viruses start appearing the existing AV software won't recognize them or know how to handle them. The software needs to have either a signature of known viruses or a heuristic that catches likely viruses. Without a large pool of OS X viruses it would be next to impossible for any AV software to protect against future threats. AV software is reactive security, not proactive. The only thing an AV program before then will do is protect against some older Mac OS virus and help avoid passing windows virus, that and decrease performance and increase energy usage. As the article says the best thing to do is be smart about how you use the computer and keep abreast of any changes. Because of their limited numbers any notable Mac viruses will get reported soon after they are found, at which point it may be worthwhile reconsidering the use of AV software. Just because there is not such thing as a secure computer doesn't mean that best way to balance the risks / cost ratio for all systems is the same.

Re:Then Rich Mogull Ain't No Security Expert

Any computer expert doesn't need anti-virus. As a matter of a fact, anyone remotely computer savvy doesn't need anti-virus. As long as you keep your patches up to date you're basically as secure as you can be from viruses assuming you don't allow the virus in.

If a virus is sophisticated enough to spread without user interaction chances are it spreads faster than definition files (e.g. SQL Slammer).

I have run without anti-virus for about 15 years or so and I have only been infected with two viruses. One from the MS-DOS days by leaving a disk in a computer and another that wasn't strictly a virus but malware from mistyping a domain. Malware that anti-virus wouldn't have detected or prevented anyway.

It seems like there are only two cases both of which anti-virus is pretty much useless for sophisticated users: 1) The virus is old. In which case it would require manual intervention to install into your system since a patch has been released. or 2) The virus is new. In which case the definition files won't catch it anyway. (yeah, I know heuristics.. but come on they never really work beside throwing false positives).

Re:Then Rich Mogull Ain't No Security Expert

Deal with it Macs are very secure compared to PCs.

PS. If you mean "Windows" then say "Windows" rather than "PCs". I'm not getting into a "my brother is bigger than your brother" argument but my Linux PCs are probably far more secure than your Mac. That's because security is my job, I've a decade of Linux experience with an additional 15 years of UNIX experience and I am forever fiddling about with the bloody things to make them as secure as possible. If you do the same with your Mac(s) then good on you.

PPS. And before I get called a zealot, I also run a number of XP PCs with AVG Antivirus on them that also never get viruses because I watch where I surf, never install pirated software and never open an email attachment that I'm not 100% confident about.

Re:There are differences between Windows/*nix

Yes/no. While you can run as a non-admin user on Windows, many apps won't work this way. At a minimum many require Power User access (I think that is the group). I set up my in-laws to use a non-Admin and they cannot access their Kodak camera unless they switch to Administrator (which they do and tell it to download, and then switch back to their regular user). They rarely install apps, but if they need to, again, they just switch to Administrator (showing them how to "Run As" is harder than just having them switch users). I can't recall the rest of the apps, but a number of customers cannot run as a non-local administrator.