Should Mac Users Run Antivirus Software?
adamengst sends in an article from TidBITS in which Macintosh security expert Rich Mogull explains why he doesn't use antivirus software on the Mac, and why most Mac users shouldn't bother with it either. The article also touches on the question of when an increasing Mac market share might tip it over an inflection point into more active attention from malware writers. (Last month Apple had 14% of PC sales, but 25% of dollar value.)
It's called a "Disk Image" (Score:5, Informative)
Yes (Score:4, Informative)
Long answer:
If your Mac runs MS-Office software or other cross-platform software that has infectable data files, you are vulnerable to some Macro viruses.
If your Mac can run MS-Windows binaries you may be vulnerable to some Windows viruses.
If your Mac hosts files on a mixed network your Mac should protect itself from hosting infected files.
So, unless you've got an all-Mac/no-Windows network or your Mac doesn't run or host Windows files, AND you do not run any cross-platform files that have infectable data files, you should protect yourself and your network.
Re:Nay! (Score:4, Informative)
I do (Score:5, Informative)
Re:It's called a "Disk Image" (Score:5, Informative)
Use a tool like Little Snitch, up your security settings, don't run as administrator, don't run random programs you find on the net and you'll be fine.
Re:It's called a "Disk Image" (Score:2, Informative)
Leave out the word "not", and you have a more accurate statement. The only time one should run AV on a Mac is when the Mac is serving files to windows machines, and even then it's just a kludge to accommodate the never-fixed flaws of windows.
Re:It's called a "Disk Image" (Score:3, Informative)
The point was that it's still an Archive Format. It's a file that contains a virtual file system & files within.
I don't know about you, but every A/V I've used in the past has a daemon process that will scan a file the moment it saves to the hard disk. All it would take is one single download (and Safari saves 'Disk Images' to the desktop by default -- no confirm. You click, and it downloads) to kill the A/V, possibly even hijack the process (which is usually with elevated privileges). Voila! Instant botnet. (well, not really -- but is still scary).
Manually invoked A/V is still a risk, but not quite as bad... Unless you run as root.
Only if you're from the US (Score:5, Informative)
This is just a teeny-weeny bit unreal. Close inspection reveals that the cited article refers to US-based PC retail sales.
There is more to the world than the US. And there's more to sales than retail sales. Apple has much lower sales penetration in Europe and Asia, and it has much lower sales in the commercial sector. Apple might be enjoying a renaissance, but don't be fooled by inappropriate statistics.
Re:Nay! (Score:5, Informative)
I know you're just being funny, but I figured I'd explain it anyway...
An awful lot of PCs are those $300 Dell specials. Apple doesn't make products that crappy, but Dell moves boatloads of them... so Dell picks up a lot of unit sales eroding Apple's 'market share by unit', but because the price is so low and Apple hangs onto more of the higher value sales, the erosion effect of these low end units on their 'market share by price' is considerably less.
Let's compare apples and oranges
I sell oranges at $1
I sell apples at $1
As you can see "Apples are no more expensive than oranges."
I also sell rotten oranges at 50 cents.
I don't sell rotten apples.
So if I sell 100 apples, 200 oranges, and 200 rotten oranges:
Apple has 20% of the market but 25% of dollar value.
market = 100/[100+200+200] = 1/5 = 20%,
dollars = 100/[100+200+200*0.50] = 1/4 = 25%
That's essentially what's happening here.
Re:No (Score:3, Informative)
You cannot expect this from a big box retailer. I've seen Macs at Fry's and CompUSA that were trashed. Not virus-ridden - but with deleted apps, desktop vandalism, and other local user asshattery.
Mac A/V needed !!! (Score:4, Informative)
You really don't need AV for Windows either... (Score:2, Informative)
Re:Nay! (Score:5, Informative)
You'd be assuming that someone who buys a mini would be pleased with a loud bulky cheaply built tower why?
And for $600 you can get a dell that is a lot better and it has slots to add video and other cards to it.
A lot better? Give me a break. I challenge you to put together a Dell for $650 (or $750 including monitor, since with a lot of their budget PCs you can't unbundle it) that matches the mini's specs. I challenge you.
It must have bluetooth, 802.11g wifi, firewire, at least 4 usb ports, gigabit, optical audio in and out, DVI video out, Core2Duo w/ 2MB cache, 1 GB of RAM.
The Mac mini only has integrated video so GMA950 is what you need to meet or beat there, and the small slow laptop hard drive should be a no-brainer to beat too.
Since it's a PC not a Mac, I'll forgive you Leopard, but you'll need at least Home Premium, no Home Basic. And make sure it comes with a restore disk.
And even if you managed to do it, then ask yourself... can you also make it virtually silent and fit into a space about the same as a stack of 5 CD jewel cases?
I'm not saying you can't get a good value for $600 from a Dell. And there's no question that $600 spent the right way can result in a PC that's better than a Mac mini for, say, games, for example. But spec for spec, Apple is very good value, provided your needs line up with the features they offer.
I agree there are some big gaps in the Apple line up... where is the fast Core 2 Duo tower that I can put expansion PCI cards into for around $1200 for example. The iMac is good value and the right specs, but the wrong form factor since I can't expand it... that's why I still use a PC tower. My laptop otoh, which I don't require to be expandable, is a Mac.
With Macs, expandability isn't their market; except at the extreme high end. That tends not to go over well with the 'tech crowd' like the one here, but in practice, joe sixpack never upgrades his PC anyway nor plays FPS shooters, so for them this gap is not much of an issue.
Re:I think slashdot Mac users are more vulnerable (Score:3, Informative)
Aside from the fact that downloading a random binary from a website would not have execute permission, that's why Mac apps are usually distributed in archives or disk images, even if they contain only a single file.
Re:OS X Server does by default (Score:3, Informative)
You, sir, are incorrect. ClamAV is indeed *included* with OS X Server, but it is most certainly not "running by default". It is used as part of the mail server. It is an option you can turn on in the mail server settings, and it automatically checks email for viruses (SpamAssassin is also included) if activated.
This is because people use OS X Server to serve non-Macintosh clients, including Windows machines.
It does not check every file on the machine. It is meant to protect clients it is serving, not to protect the OS X Server itself.
Re:Nay! (Score:3, Informative)
I accept.
let's compare shall we. http://www1.ap.dell.com/content/products/features.aspx/desktops_good?c=au&cs=audhs1&l=en&s=dhs [dell.com]
vs
http://store.apple.com/133-622/WebObjects/australiastore.woa/wa/RSLID?nnmm=browse&mco=7B723681&node=home/shop_mac/family/mac_mini [apple.com] for $50AUD more than the mini superdrive, the Dell gives you an extra gig of RAM, 170 gigs of extra HD space, a 256 meg 3D card, 20" wide screen LCD and a 2.25 GHz 2M cache Core 2 Duo.
that's a much much faster machine for the same price point.
let's look at the base line mini "combodrive". for $50 less Dell gives twice the HD space and a 19" monitor
so all you are paying for is the wank factor, thank you very much. please stop spouting nonsense about Macs competing with PCs on price.
Re:Bad analogy (Score:3, Informative)
Re:Eh, I don't know about that (Score:5, Informative)
Now this isn't critical, and I'm certainly not saying we've never bought aftermarket upgrades. However, it is a real consideration since one of the reasons people try to sell you on Macs is support. They say it is easier since the whole deal comes from one vendor. Ok, there's a lot to that, but you start to break that if you add aftermarket hardware. It isn't that you'd invalidate the warranty on the existing Apple hardware, but that if the aftermarket piece breaks, they can't help you.
Not a major issue when you have a single computer, but when you have 500, it can get problematic. Much better to have a single point for support as often as possible. However if you are having to order aftermarket upgrades for every single box due to the cost, well you don't get to have that.
Re:OS X Server does by default (Score:3, Informative)
My bad for not being as clear as I should have been. I trust folks with mod points will do the right thing here...
Re:Then Rich Mogull Ain't No Security Expert (Score:5, Informative)
Yes there is a risk of getting a virus on the internet. However, in my opinion, it only helps people who are prone to clicking omgponies.exe.
Re:Nay! (Score:4, Informative)
Are you trying to act stupid or can you really not see the point in having a small PC? A mini comes in a small, neat, quiet package. You think if I can afford a nice large living space, I'm going to fill it with monstrosities just for the hell of it?
Re:I think slashdot Mac users are more vulnerable (Score:3, Informative)
Re:I think slashdot Mac users are more vulnerable (Score:5, Informative)
Secondly they'd need to not realise that their
Thirdly they'd then need to enter in a username and their password (if they are even the account holder who knows it/remembers it) to give the software permission to alter critical files on their system - all while not seemingly realising that their file isn't opening in Word/text editor.
This kind of virus is akin to dragging all your files to the trash, emptying it and claiming it was a virus.
Now take the case of windows. "www.porn.com" is a perfectly accepted file name for an executable. It too can have a little icon of something pornographic. Meanwhile, all a Windows person need do is double click it and it's game over. (Or if you're a Vista user, you'd need to choose accept from a dialog window - which the OS has already trained you to click blindly.)
If you're comparing Vista to Mac OS 10.5, then the moment you received this ".doc" file, whether from an email attachment, chat or website, the OS will alert you when you're opening it to where the file has come from, what time you received it, from what program and even what user sent it to you - and most importantly what kind of file it -really- is. This particular attack vector has been addressed extensively. It will as a minimum stall or prevent the creation of a botnet using Mac OS computers.
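An added example, not part of the original comment: the provenance the comment describes on Mac OS X 10.5 is stored in the `com.apple.quarantine` extended attribute, and this sketch parses that value and flags a download whose name poses as a document. The `flags;hex-epoch;agent;event-id` layout is assumed from commonly observed values, and the sample entries, extension lists and helper names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed extension lists for the "looks like a document" check.
DOC_EXTS = {"doc", "pdf", "txt", "jpg", "rtf"}
RUNNABLE_EXTS = {"app", "command", "pkg", "sh"}

@dataclass
class QuarantineRecord:
    flags: int
    downloaded_at: Optional[datetime]
    agent: str                 # program that saved the file, e.g. Safari
    event_id: Optional[str]

def parse_quarantine(value: str) -> QuarantineRecord:
    """Parse 'flags;hex_epoch;agent;event-id' (trailing fields may be empty)."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"not a quarantine value: {value!r}")
    parts += [""] * (4 - len(parts))
    flags = int(parts[0], 16)
    stamp = None
    if parts[1]:
        # Assumption: the second field is hex seconds since the Unix epoch.
        stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return QuarantineRecord(flags, stamp, parts[2], parts[3] or None)

def disguised_as_document(name: str) -> bool:
    """True for names like 'invoice.doc.app': document extension, runnable type."""
    pieces = name.lower().split(".")
    return (len(pieces) >= 3 and pieces[-1] in RUNNABLE_EXTS
            and pieces[-2] in DOC_EXTS)

def triage(entries):
    """entries: (file name, raw attribute value or None) pairs."""
    report = []
    for name, raw in entries:
        rec = parse_quarantine(raw) if raw else None
        report.append({
            "name": name,
            "source_app": rec.agent if rec else None,
            "downloaded_at": rec.downloaded_at if rec else None,
            "review": disguised_as_document(name),
        })
    return report

# Constructed sample input, not taken from a real machine.
SAMPLE = [
    ("invoice.doc.app", "0002;47d8a3f0;Safari;A1B2C3D4-0000-0000-0000-000000000000"),
    ("notes.txt", "0000;47d8a3f0;Mail;"),
    ("local-build.app", None),  # no attribute: not downloaded by a quarantine-aware app
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

On a Mac, `xattr -p com.apple.quarantine <file>` prints the raw value that `parse_quarantine` expects.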
Mac Antivirus Isn't As Good As Windows Antivirus (Score:2, Informative)
The antivirus software for OS X just isn't of the same quality as the antivirus software for Windows. I'm not going to make any judgments on the overall quality of Windows antivirus software, and I'm not saying this to disparage those who write antivirus software for OS X, but I don't think the antivirus vendors treat security on OS X seriously. I can't really blame them for this. After all, the OS X market is much smaller than the Windows market, OS X users are less likely to purchase antivirus software, and they're barely keeping up with the current Windows malware as is.
As a result, the OS X antivirus products tend to be buggy. A few years ago I was supporting customers who were running Norton on OS X. I commonly ran into two problems with the software. First, the uninstaller which shipped with the software didn't work. It failed to detect the presence of Norton on the system, even though it had been installed using the installer program on the same CD. Luckily the manual removal process wasn't that hard. This wouldn't have been a problem if I didn't have to uninstall it so often. The software would occasionally decide to take up all of the available RAM and CPU time. I can only assume that it was scanning either network traffic or running processes, because this did not correspond to hard disk activity. In one particularly nasty case, a user with both Limewire and Norton set to open at login on an iBook could not use the computer at all. It took an excess of fifteen minutes to log in, open a Finder window, navigate to the Utilities folder, and open Activity Monitor. Turns out that Limewire was doing something that Norton didn't like, but it was Norton that was causing the problem.
Norton also had a particularly nasty false positive [theregister.co.uk] which hit many of my users. Most of them kept their cool and called in for advice, but some of them hit the panic button and started reformatting their systems. Because of the performance problems, the fact that the users didn't really see any benefit to the antivirus software to begin with, and other small problems like this one, users would frequently install Norton and then come back a month later and ask it be uninstalled because it kept slowing down their system.
Switching them to McAfee didn't really resolve the issue. McAfee would launch at login and try to update the current virus definitions. More often than not, this would fail. McAfee initially claimed that this was due to their update servers' poor availability. The Windows version of McAfee was having update issues as well, so it was a plausible explanation. However, the OS X machines continued to not get new updates for months after the availability issues subsided. Turns out that updating didn't work correctly in what was then known as Virex. A few months later, McAfee issued a patch which had to be manually installed to fix the issue. The uninstaller for McAfee actually works, but isn't very user friendly. It's just a shell script which uses sudo to perform some actions. From a tech support point of view, I love how quick and easy it is. If I have remote access to a machine, I can uninstall McAfee. However, it's not a very good solution for normal users. I've had to field a fair amount of support calls which basically boiled down to the users, not seeing bullets being displayed when they entered their passwords, assuming that their passwords were not being entered. So while McAfee doesn't have as many annoying problems as Norton had, they didn't thoroughly test their updating code, took a long time to come out with a patch, and didn't bother to put together a GUI installer.
Because OS X antivirus software just isn't a priority for the antivirus vendors, it's hard to advise a user to install an antivirus product on their Mac. Considering that every solution I've tested seems incomplete, I find it hard to believe that the designers of these products have sat down and had a hard look at how malware would take advanta
Re:I think slashdot Mac users are more vulnerable (Score:3, Informative)
And before that we had column view. Column view shows you a bunch of metadata (yes, including file type) on the selected item - unless that item is a folder, then it shows its file list in the next column over.
And before THAT we had list view. In list view you have a bunch of columns showing us a bunch of selectable metadata (including - you guessed it - its file type) on all visible files. List view has existed in some form or another on the Macintosh since 1984. If you slow down and pay attention to the metadata that is being presented to you, you might notice that it tells you when you're about to open an application!
And? (Score:3, Informative)
Don't run programs of which you don't know the origin (commercial games from big store - yes, hacked games from random illegal Internet site, no)
Don't let programs run automatically ever (autorun, activex in browser without prompts, email attachments etc.)
Don't run programs just because something in an email, on a webpage, on a game, tells you to - double check first.
Use only trusted, well known mediums to obtain the things you want, whether that's a game magazine or a download site.
You DO NOT NEED something running 24/7 and taking up CPU all the time, intercepting every disk access to stop you getting a virus. You just need to follow some simple rules. My girlfriend manages them with little to no training - never had a virus. If in doubt, you ask someone in the know. They will tell you if something is safe and should be able to do so over the phone or IM it's that easy. They don't even need to SEE the file itself or its contents, they can tell from your description of where it came from.
You only need antivirus if you run a network where the users deliberately "forget" their training. Unfortunately, that's most corporate networks. Therefore most corporations do "need" it. That's their own problem for running systems that allow execution of arbitrary programs for normal users. It shouldn't be required EVER in a corporate environment unless they are on the development team. Bring back the good old days of "Press 1 for receipts, 2 for stock control, 3 for staff databases"... by restricting the interface, you restrict the possibilities.
Number of viruses I've had - zero. Number of viruses witnessed first-hand - hundreds of thousands. Number of machines cleaned for other people - hundreds. Number of antivirus programs installed on those computers - hundreds. Number of effective antivirus programs when used on novice users' computers? Zero. Number of antivirus programs installed on any OS on my own personal machines - zero.
What do I do when I need to check someone's computer? Free virus checkers RUN FROM KNOWN-GOOD, CHECKSUM-VERIFIED executables stored on READ-ONLY media of my own. See. The rules apply even then. Amazing, isn't it?
I have seriously removed more antivirus programs than the number of computers I've fixed. They are an absolute waste of time as they are only "after-the-event" - they hardly detect any "real" viruses, if they do detect them, they can't clean them or remove them effectively. And, besides, it's too late by the time an antivirus program spots something - it's already running. Most AV are easy for viruses to disable or fool anyway, so they are just false psychological reinforcement for novice users. Once users are SHOWN that the AV did absolutely nothing to stop the virus they just got, I ask them if they want to renew it next year (so that they remember come the time). I have dozens of people who ask me to remove it there and then and put something "that works" on. I tell them it doesn't work like that, but I can install a free antivirus and at least save them some money, if not save them completely from viruses.
It's amazing the amount of people I've dealt with who are shocked that:
1) The expensive antivirus that they've been paying every year for has never really worked properly and they've had viruses all along. Or hasn't updated in five years. Or says it's updating and isn't. Or says it's running and isn't.
2) The same expensive antivirus is useless at detecting some stuff and useless at removing anything (the amount of times I've run "clean" only to have the same message pop up again on another file, repeated ad infinitum). Cleaning from within an infected operating system is very difficult (I've done it successfully many times but never with an automated antivirus tool) and is only really any good if you absolutely CANNOT get the virus off any other way without losing data.
3) The same
Cheap? Not at all. (Score:5, Informative)
By any reasonable definition, no, they don't. There have been a couple of extremely limited proof-of-concept viruses in the past few decades, which have infected approximately no one.
But it's not cheap. The cost is, in fact, huge.
Antivirus software is incredibly invasive, mucking about to do secret things in kernelspace, inserting itself into nearly every action performed by a machine. It takes substantial resources to accomplish this dubious goal, and alters the system in unpredictable ways.
The "more security is always better" rationale that you propose is too simplistic. Security measures must always be evaluated by comparing their benefits against their costs. Your estimation wildly exaggerates the (nonexistent) benefits of antivirus software while completely glossing over its substantial costs.
Antivirus software is categorically a foolhardy and dangerous thing to ever run on one's machine at all. The only strange edge case in which it represents an improvement is if one is using software like Windows, which is so wildly hole-ridden that security is expected to come from third parties. But even there, the correct solution is not to add more layers to shore up a quicksand foundation, but to simply replace it with a sane operating system.
Re:Then Rich Mogull Ain't No Security Expert (Score:3, Informative)
The "virus" to which Sophos refers was an incredibly obscure little trojan that affected a vanishingly small number of people, required explicit user action to spread, was very quickly patched by Apple, and never did anything in the first place other than attempt (mostly unsuccessfully) to spread itself. Total harm done: zero.
In fact Symantec's own alarmist page describes the total number of infections as "0 - 49".
So, really? That's your supporting evidence? Really? I should install incredibly invasive software that will chew up resources in order to do undocumented things in kernelspace because one time two years ago fewer than fifty people were not actually harmed at all?