Should Mac Users Run Antivirus Software?

adamengst sends in an article from TidBITS in which Macintosh security expert Rich Mogull explains why he doesn't use antivirus software on the Mac, and why most Mac users shouldn't bother with it either. The article also touches on the question of when an increasing Mac market share might tip it over an inflection point into more active attention from malware writers. (Last month Apple had 14% of PC sales, but 25% of dollar value.)

It's called a "Disk Image"

[StCredZero]

It's called a Disk Image. If you have it mounted, then you can scan it with any anti-virus program. There's no reason not to use anti-virus on Macs. ClamAV is free and works quite well.

Yes

[davidwr]

Short answer: Yes

Long answer:
If your Mac runs MS-Office software or other cross-platform software that has infectable data files, you are vulnerable to some Macro viruses.
If your Mac can run MS-Windows binaries you may be vulnerable to some Windows viruses.
If your Mac hosts files on a mixed network your Mac should protect itself from hosting infected files.

So, unless you've got an all-Mac/no-Windows network or your Mac doesn't run or host Windows files, AND you do not run any cross-platform files that have infectable data files, you should protect yourself and your network.

Re:Nay!

[imamac]

Mac have comparable prices for equivilent quality. Big difference. I'm glad my Mac isn't as "cheap" as a lot of the PCs I see.

I do

[supun]

I've been running ClamXav, http://www.clamxav.com/ [clamxav.com] , for a long time. I normally don't run full scans, but I do use the Sentry ability on any download directories. So anything I download is scanned. Nothing so far :)

Re:It's called a "Disk Image"

[datapharmer]

At the risk of being modded flamebait, I wanted to point out that when I tried ClamAV on mac it worked piss poor. There was little for it to find that affected me, so basically all it did was protect windows users from viruses passing through my computer to theirs and it did all sorts of screwy stuff with my system including making it so slow it was unusable. I kept it less than a week.

Use a tool like little snitch, up you security settings, don't run as administrator, don't run random programs you find on the net and you'll be fine.

Re:It's called a "Disk Image"

[clang_jangle]

There's no reason not to use anti-virus on Macs

Leave out the word "not", and you have a more accurate statement. The only time one should run AV on a Mac is when the Mac is serving files to windows machines, and even then it's just a kludge to accommodate the never-fixed flaws of windows.

Re:It's called a "Disk Image"

[corychristison]

I know what a "Disk Image" is. I own a Mac (not that I use OSX on it, though)

The point was that its still an Archive Format. It's a file that contains a virtual file system & files within.

I don't know about you, but every A/V I've used in the past has a daemon process that will scan a file the moment it saves to the hard disk. All it would take is one single download (and Safari saves 'Disk Images' to the desktop by default -- no confirm. You click, and it downloads) to kill the A/V, possibly even hijack the process (which is usually with elevated privileges). Voila! Instant botnet. (well, not really -- but is still scary).

Manually invoked A/V is still a risk, but not quite as bad... Unless you run as root.

Only if you'refrom the US

[jonnyj]

Last month Apple had 14% of PC sales, but 25% of dollar value.

This is just a teeny-weeny bit unreal. Close inspection reveals that the cited article refers to US-based PC retail sales.

There is more to the world than the US. And there's more to sales than retail sales. Apple has much lower sales penetration in Europe and Asia, and it has much lower sales in the commercial sector. Apple might be on enjoying a renaissance, but don't be fooled by inappropriate statistics.

Re:Nay!

[vux984]

Say it isn't so. Everyone knows macs are just as cheap as PCs!

I know your just being funny, but I figured I'd explain it anyway...

An awful lot of PCs are those $300 dell specials. Apple doesn't make products that crappy, but Dell moves boatloads of them... so Dell picks up a lot of unit sales eroding Apples 'market share by unit', but because the price is so low and Apple hangs onto more of the higher value sales, the erosion effect of these low end units on their 'market share by price' is considerably less.

Lets compare apples and oranges ;)

I sell oranges at $1
I sell apples at $1
As you can see "Apples are no more expensive than oranges."

I also sell rotten oranges at 50 cents.
I don't sell rotten apples.

So if I sell 100 apples, 200 oranges, and 200 rotten oranges:

Apple has 20% of the market but 25% of dollar value.

market = 100/[100+200+200] = 1/5 = 20%,
dollars = 100/[100+200+200*0.50] = 1/4 = 25%

That's essentially whats happening here.

Re:No

[rworne]

At the risk of losing my Apple "street cred": Apple also restores these machines from a disk image quite frequently. One employee I quizzed about it said they restore the machines from an image file just about every day.

You cannot expect this from a big box retailer. I've seen Macs at Fry's and CompUSA that were trashed. Not virus-ridden - but with deleted apps, desktop vandalism, and other local user asshattery.

Mac A/V needed !!!

[qwertphobia]

The only reason I require folks to run antivirus software on the Mac is because of Microsoft products. We have had several macro viruses spread across campus through the sharing of Microsoft Office documents.

You really don't need AV for Windows either...

[roxtafari]

I stopped using AV on Windows machines about 10 years ago, and have not had any malware problems since then. (aside from some opt-in spyware that used to come with free software, which I promptly removed myself) The performance hit from the large AV footprint was to onerous to handle anymore. I used to work in a computer shop, and the AV software really didn't seem to be protecting any of my users anyways. Fully patched and updated systems would still come in riddled with trojans and spyware. The newest class of malware is simple too evasive, using multiple attack vectors and social engineering to overcome most system protections. The only thing I do now is follow 'best practices'. Don't click on links in unfamiliar emails, pay attention to the the URLs that links are taking you to, close or endtask dialogue boxes from websites (and acutally read them), and use a resident registry modification monitor to see if something is changing startup files(I use Spybot). And most of all, have multiple backups of anything you have that you don't want to lose forever. If you are still getting viruses, you probably are doing something stupid.

Re:Nay!

[vux984]

at lest that $300 dell uses desktop parts unlike the $600 mini.

You'd be assuming that someone who buys a mini would be pleased with a loud bulky cheaply built tower why?

And for $600 you can get a dell that is a lot better and it has slots to add video and other cards to it.

A lot better? Give me a break. I challenge you to put together a Dell for $650 (or $750 including monitor, since with a lot of their budget PCs you can't unbundle it) that matches the mini's specs. I challenge you.

It must have bluetooth, 802.11g wifi, firewire, at least 4 usb ports, gigabit, optical audio in and out, DVI video out, Core2Duo w/ 2MB cache, 1 GB of RAM.

The mac mini only has integrated video so GMA950 is what you need to meet or beat there, and the small slow laptop hard drive should be a nobrainer to beat too.

Since its a PC not a Mac, I'll forgive you leopard, but you'll need at least Home Premium, no Home Basic. And make sure it comes with a restore disk.

And even if you managed to do it, then ask yourself... can you also make it virtually silent and fit into a space about the same as a stack of 5 CD jewel cases?

I'm not saying you can't get a good value for $600 from a dell. And theres no question that $600 spent the right way can result in a PC that's better than a mac mini for, say, games, for example. But spec for spec, Apple is very good value, provided your needs line up with the features they offer.

I agree there are some big gaps in the apple line up... where is the fast core 2 duo tower that I can put expansion pci cards into for around $1200 for example. The imac is good value and the right specs, but the wrong form factor since I can't expand it... that's why I still use a PC tower. My laptop otoh, which I don't require to be expandable, is a mac.

With mac's expandability isn't their market; except at the extreme high end. That tends not to go over well with the 'tech crowd' like the one here, but in practice, joe sixpack never upgrades his PC anyway nor plays FPS shooters, so for them this gap is not much of an issue.

Re:I think slashdot Mac users are more vulnerable

[Bert64]

I don't generally double click on files, i would usually right click and choose what app to open them in... If the menu displayed didn't give the expected options i would see immediately that it was malicious.
Aside from the fact that downloading a random binary from a website would not have execute permission, thats why mac apps are usually distributed in archives or disk images, even if they contain only a single file.

Re:OS X Server does by default

[singularity]

Why does Slashdot not have a "-1; Factually Incorrect" mod when you need one?

You, sir, are incorrect. ClamAV is indeed *included* with OS X Server, but it is most certainly not "running by default". It is used as part of the mail server. It is an option you can turn on in the mail server settings, and it automatically checks email for viruses (SpamAssassin is also included) if activated.

This is because people use OS X Server to serve non-Macintosh clients, including Windows machines.

It does not check every file on the machine. It is meant to protect clients it is serving, not to protect the OS X Server itself.

Re:Nay!

[timmarhy]

"A lot better? Give me a break. I challenge you to put together a Dell for $650 (or $750 including monitor, since with a lot of their budget PCs you can't unbundle it) that matches the mini's specs. I challenge you."

I accept.

let's compare shall we. http://www1.ap.dell.com/content/products/features.aspx/desktops_good?c=au&cs=audhs1&l=en&s=dhs [dell.com]

vs

http://store.apple.com/133-622/WebObjects/australiastore.woa/wa/RSLID?nnmm=browse&mco=7B723681&node=home/shop_mac/family/mac_mini [apple.com] for $50AUD more then the mini superdrive, the dell gives you an extra gig of ram, 170gigs of extra hd space, a 256meg 3d card, 20" wide screen lcd and a 2.25ghz 2m cache core 2 duo.

that's a much much faster machine for the same price point.

lets look at the base line mini "combodrive". for $50 less dell gives twice the hd space and a 19" monitor

so all you are paying for is the wank factor, thank you very much. please stop spouting nonsense about mac's competing with pc's on price.

Re:Bad analogy

[snowwrestler]

Running AV all the time is like walking around all the time wearing a condom, just in case you have sex with a hooker.

Re:Eh, I don't know about that

[Sycraft-fu]

It's not a matter of voiding the warranty, it is a matter of who fixes things when it breaks. That's the whole reason why we buy something from one vendor around here (MPC for PCs). Our staff is fully capable of building systems form parts, and fully capable of diagnosing problems. However doing so would get in to a support nightmare. If something goes wrong with one of the PCs and all the hardware is from one company, we just tell them what we need replaced. It is easy to see if it is under warranty and so on. Also, if it is a strange issue that might be more than one part, it isn't a problem to get multiple parts. You don't have the maker of one part blaming the maker of another part.

Now this isn't critical, and I'm certainly not saying we've never bought aftermarket upgrades. However, it is a real consideration since one of the reasons people try to sell you on Macs is support. They say it is easier since the whole deal comes from one vendor. Ok, there's a lot to that, but you start to break that if you add aftermarket hardware. It isn't that you'd invalidate the warranty on the existing Apple hardware, but that if the aftermarket piece breaks, they can't help you.

Not a major issue when you have a single computer, but when you have 500, it can get problematic. Much better to have a single point for support as often as possible. However if you are having to order aftermarket upgrades for every single box due to the cost, well you don't get to have that.

Re:OS X Server does by default

[BearRanger]

Thank you for the clarification. You are of course correct, and I could have been more specific. The point remains, if you start mail services (which are enabled by simply clicking a check box) ClamAv starts without the administrator explicitly asking for it. The scanning rules are predefined and no user interaction is explicitly required. Extending it to check other files could still be enabled via Software Update.

My bad for not being as clear as I should have been. I trust folks with mod points will do the right thing here...

Re:Then Rich Mogull Ain't No Security Expert

[z4ce]

You aren't protected from zero day expliots by anti-virus either. The new virus won't have a definition. Even some existing viruses can get past anti-virus using encryption. I saw a computer not long ago infected with a nasty Zlob variant with new definitions. I then tried to use several different vendors to remove it. Guess what, not symantec, mcafee, or nod32 could get rid of it. It took me using hijackthis along with mounting the file system from a linux live CD to get rid of the bugger.

Yes there is a risk of getting a virus on the internet. However, in my opinion, it only helps people who are prone to clicking omgponies.exe.

Re:Nay!

[serviscope_minor]

if you can afford shit like mini's, you can afford a large enough living area to put a pc. seriously they aren't fucking mobility device.

Are you trying to act stupid or can you really not see the point in having a small PC? A mini comes in a small, neat, quiet package. You think if I can afford a nice large living space, I'm going to fill it with monstrosities just for the hell of it?

Re:I think slashdot Mac users are more vulnerable

[PenguSven]

safeguards? sure. whenever you launch a third party app for the first time, you get a simple prompt, telling you its the first time you've run it, and giving you options to continue, cancel or show the application in finder.

Re:I think slashdot Mac users are more vulnerable

[catwh0re]

It's because you need a perfect storm of failures to make this work. First the user needs to double click the file, which might be displaying a .app extension if the user has extensions visible.(Meaning they'd realise it wasn't a .doc file.)

Secondly they'd need to not realise that their .doc file isn't opening in Word or a similar program, but rather in a new program that is for some reason asking them to authenticate.

Thirdly they'd then need to enter in a username and their password(if they are even the account holder who knows it/remembers it) to give the software permission to alter critical files on their system - all while not seemingly realising that their file isn't opening in Word/text editor.

This kind of virus is akin to dragging all your files to the trash, emptying it and claiming it was a virus.

Now take the case of windows. "www.porn.com" is a perfectly accepted file name for an executable. It too can have a little icon of something pornographic. Meanwhile, all a Windows person need do is double click it and it's game over. (Or if you're a Vista user, you'd need to choose accept from a dialog window - which the OS has already trained you to click blindly.)

If you're comparing Vista to Mac OS 10.5, then the moment you received this ".doc" file, whether from an email attachment, chat or website, the OS will alert you when you're opening it to where the file has come from, what time you received it, from what program and even what user sent it to you - and most importantly what kind of file it -really- is. This particular attack vector has been addressed extensively. It will as a minimum stall or prevent the creation of a botnet using Mac OS computers.

Mac Antivirus Isn't As Good As Windows Antivirus

[MichaelBuckley]

The antivirus software for OS X just isn't of the same quality as the antivirus software for Windows. I'm not going to make any judgments on the overall quality of Windows antivirus software, and I'm not saying this to disparage those who write antivirus software for OS X, but I don't think the antivirus vendors treat security on OS X seriously. I can't really blame them for this. After all, the OS X market is much smaller than the Windows market, OS X users are less likely to purchase antivirus software, and they're barely keeping up with the current Windows malware as is.

As a result, the OS X antivirus products tend to be buggy. A few years ago I was supporting customers who were running Norton on OS X. I commonly ran into two problems with the software. First, the uninstaller which shipped with the software didn't work. It failed to detect the presence of Norton on the system, even though it had been installed using the installer program on the same CD. Luckily the manual removal process wasn't that hard. This wouldn't have been a problem if I didn't have to uninstall it so often. The software would occasionally decide to take up all of the available RAM and CPU time. I can only assume that it was scanning either network traffic or running processes, because this did not correspond to hard disk activity. In one particularly nasty case, a user with both Limewire and Norton set to open at login on an iBook could not use the computer at all. It took an excess of fifteen minutes to log in, open a Finder window, navigate to the Utilities folder, and open Activity Monitor. Turns out that Limewire was doing something that Norton didn't like, but it was Norton that was causing the problem.

Norton also had a particularly nasty false positive [theregister.co.uk] which hit many of my users. Most of them kept their cool and called in for advice, but some of them hit the panic button and started reformatting their systems. Because of the performance problems, the fact that the users didn't really see any benefit to the antivirus software to begin with, and other small problems like this one, users would frequently install Norton and then come back a month later and ask it be uninstalled because it kept slowing down their system.

Switching them to McAfee didn't really resolve the issue. McAfee would launch at login and try to update the current virus definitions. More often than not, this would fail. McAfee initially claimed that this was due to their update servers' poor availability. The Windows version of McAfee was having update issues as well, so it was a plausible explanation. However, the OS X machines continued to not get new updates for months after the availability issues subsided. Turns out that updating didn't work correctly in what was then known as Virex. A few months later, McAfee issued a patch which had to be manually installed to fix the issue. The uninstaller for McAfee actually works, but isn't very user friendly. It's just a shell script which uses sudo to perform some actions. From a tech support point of view, I love how quick and easy it is. If I have remote access to a machine, I can uninstall McAfee. However, it's not a very good soloution for normal users. I've had to field a fair amount of support calls which basically boiled down the users, not seeing bullets being displayed when they entered their passwords, assumed that their passwords were not being entered. So while McAfee doesn't have as many annoying problems as Norton had, they didn't throughly test their updating code, took a long time to come out with a patch, and didn't bother to put together a GUI installer.

Because OS X antivirus software just isn't a priority for the antivirus vendors, it's hard to advise a user to install an antivirus product on their Mac. Considering that every solution I've tested seems incomplete, I find it hard to believe that the designers of these products have sat down and had a hard look at how malware would take advanta

Re:I think slashdot Mac users are more vulnerable

[Hes Nikke]

Actually, my basic complaint is that in the default view for each OS, it's not intuitively obvious which icons represent files or links to files which are directly executable. None of the three OS has this as a feature, to the best of my knowledge.

With leopard, one feature you have is called Quick Look [apple.com]. QL shows you a preview of the selected file if it can read it. if it can't, it shows a bunch of metadata about the file, including it's type (Application, vs Microsoft Word Document to use the example mentioned earlier).

And before that we had column view. Column view shows you a bunch of metadata (yes, including file type) on the selected item - unless that item is a folder, than it shows it's file list in the next column over.

And before THAT we had list view. In list view you have a bunch of columns showing us a bunch of selectable metadata (inclusing - you guessed it - it's file type) on all visible files. List view has existed in some form or another on the macintosh since 1984. If you slow down and pay attention to the metadata that is being presented to you, you might notice that it tells you when you're about to open an application!

And?

[ledow]

This isn't news, and especially isn't news for nerds... Windows, Linux, MacOS, it doesn't matter...

Don't run programs of which you don't know the origin (commercial games from big store - yes, hacked games from random illegal Internet site, no)
Don't let programs run automatically ever (autorun, activex in browser without prompts, email attachments etc.)
Don't run programs just because something in an email, on a webpage, on a game, tells you to - double check first.
Use only trusted, well known mediums to obtain the things you want, whether that's a game magazine or a download site.

You DO NOT NEED something running 24/7 and taking up CPU all the time, intercepting every disk access to stop you getting a virus. You just need to follow some simple rules. My girlfriend manages them with little to no training - never had a virus. If in doubt, you ask someone in the know. They will tell you if something is safe and should be able to do so over the phone or IM it's that easy. They don't even need to SEE the file itself or its contents, they can tell from your description of where it came from.

You only need antivirus if you run a network where the users deliberately "forget" their training. Unfortunately, that's most corporate networks. Therefore most corporations do "need" it. That's their own problem for running systems that allow execution of arbitrary programs for normal users. It shouldn't be required EVER in a corporate environment unless they are on the development team. Bring back the good old days of "Press 1 for receipts, 2 for stock control, 3 for staff databases"... by restricting the interface, you restrict the possibilities.

Number of viruses I've had - zero. Number of viruses witnessed first-hand - hundreds of thousands. Number of machines cleaned for other people - hundreds. Number of antivirus programs installed on those computers - hundreds. Number of effective antivirus programs when used on novice user's computers? Zero. Number of antivirus programs installed on any OS on my own personal machines - zero.

What do I do when I need to check someone's computer? Free virus checkers RUN FROM KNOWN-GOOD, CHECKSUM-VERIFIED executables stored on READ-ONLY media of my own. See. The rules apply even then. Amazing, isn't it?

I have seriously removed more antivirus programs than the number of computers I've fixed. They are an absolute waste of time as they are only "after-the-event" - they hardly detect any "real" viruses, if they do detect them, they can't clean them or remove them effectively. And, besides, it's too late by the time an antivirus program spots something - it's already running. Most AV are easy for viruses to disable or fool anyway, so they are just false psychological reinforcement for novice users. Once users are SHOWN that the AV did absolutely nothing to stop the virus they just got, I ask them if they want to renew it next year (so that they remember come the time). I have dozens of people who ask me to remove it there and then and put something "that works" on. I tell them it doesn't work like that, but I can install a free antivirus and at least save them some money, if not save them completely from viruses.

It's amazing the amount of people I've dealt with who are shocked that:

1) The expensive antivirus that they've been paying every year for has never really worked properly and they've had viruses all along. Or hasn't updated in five years. Or says it's updating and isn't. Or says it's running and isn't.

2) The same expensive antivirus is useless at detecting some stuff and useless at removing anything (the amount of times I've run "clean" only to have the same message pop up again on another file, repeated ad inifitum). Cleaning from within an infected operating system is very difficult (I've done it successfully many times but never with an automated antivirus tool) and is only really any good if you absolutely CANNOT get the virus off any other way without losing data.

3) The same

Cheap? Not at all.

[Onan]

Please Google for OS X viruses, they do exist.

By any reasonable definition, no, they don't. There have been a couple of extremely limited proof-of-concept viruses in the past few decades, which have infected approximately no one.

As to why you should deploy AV? Because it's a cheap way of adding another level of security protection to your machine.

But it's not cheap. The cost is, in fact, huge.

Antivirus software is incredibly invasive, mucking about to do secret things in kernelspace, inserting itself into nearly every action performed by a machine. It takes substantial resources to accomplish this dubious goal, and alters the system in unpredictable ways.

The "more security is always better" rationale that you propose is too simplistic. Security measures must always be evaluated by comparing their benefits against their costs. Your estimation wildly exaggerates the (nonexistent) benefits of antivirus software while completely glossing over its substantial costs.

Antivirus software is categorically a foolhardy and dangerous thing to ever run on one's machine at all. The only strange edge case in which it represents an improvement is if one is using software like Windows, which is so wildly hole-ridden that security is expected to come from third parties. But even there, the correct solution is not to add more layers to shore up a quicksand foundation, but to simply replace it with a sane operating system.

Re:Then Rich Mogull Ain't No Security Expert

[Onan]

And we all know that companies selling antivirus software are the most impartial authorities on the risks of viruses, right?

The "virus" to which Sophos refers was an incredibly obscure little trojan that affected a vanishingly small number of people, required explicit user action to spread, was very quickly patched by Apple, and never did anything in the first place other than attempt (mostly unsuccessfully) to spread itself. Total harm done: zero.

In fact Symmantec's own alarmist page describes the total number of infections as "0 - 49".

So, really? That's your supporting evidence? Really? I should install incredibly invasive software that will chew up resources in order to do undocumented things in kernelspace because one time two years ago fewer than fifty people were not actually harmed at all?