Security Businesses Apple

Should Mac Users Run Antivirus Software? 450

adamengst sends in an article from TidBITS in which Macintosh security expert Rich Mogull explains why he doesn't use antivirus software on the Mac, and why most Mac users shouldn't bother with it either. The article also touches on the question of when an increasing Mac market share might tip it over an inflection point into more active attention from malware writers. (Last month Apple had 14% of PC sales, but 25% of dollar value.)
This discussion has been archived. No new comments can be posted.

  • There's no reason not to use anti-virus on Macs.
    Yet by and large it won't happen. If you do use it, you are an outlier.

    What's my explanation for your perfectly good logic? Mac users have a false sense of security (see ensuing posts about Mac security totaling Herculean proportions).
  • by Bobb Sledd ( 307434 ) on Tuesday March 18, 2008 @05:13PM (#22788104) Homepage
    Ha. I already don't run AV on the PC either.

    Well tell me why I really need to? I mean I have it installed, but I certainly don't have that stupid active scanning thing turned on. So when I open a file, my computer really needs to open it twice? Bull.

    I get my mail from gmail (so attachments already scanned there). I use Firefox (so little chance of infection there). I do scan things that might possibly contain a virus -- anything from a usenet newsgroup or from P2P (which is only a few executables ever anyway); and I do let it scan the whole thing once a week (and it never finds anything I didn't already know about, of course).

    And you know what? My old computer running Win2K runs faster than most any new computers out there with AV turned on. To date, I've never been bitten by any viruses.
  • Depends on user (Score:3, Interesting)

    by warrior_s ( 881715 ) * <kindle3@NospaM.gmail.com> on Tuesday March 18, 2008 @05:15PM (#22788132) Homepage Journal
    I think it depends what kind of user you are talking about.

    If a user is careful about not downloading programs from random sites and installing those, as well as careful in opening email attachments, I think one should be good to go without antivirus on most OSes, not only OS-X.

    OTOH, if one just opens every email attachment (s)he gets, then even antivirus cannot help sometimes (e.g. against some new vulnerability).
  • doesn't hurt (Score:5, Interesting)

    by gEvil (beta) ( 945888 ) on Tuesday March 18, 2008 @05:20PM (#22788208)
    I used to work at a computer lab that was all Macs at a school. For a short while we didn't run any AV software on the machines--until we started getting complaints from other departments that files that were coming from us had viruses. Turns out that Office for Mac is a perfect vector for all those pesky macro viruses that would find their way onto machines. It wasn't incredibly serious, but it was enough to get us to put AV software back on the Macs.
  • by joeflies ( 529536 ) on Tuesday March 18, 2008 @05:20PM (#22788218)
    The primary difference is the elevation of privileges. Malware and viruses on Windows have no problem taking over the whole machine, because regardless of what user is running the malware, the whole box can be taken over because the user has full admin privileges.

    For a *nix environment, even if malware got in through the user's browser, it still needs an escalation of privileges to do real bad harm. Without it, the damage is largely contained to the data in the user's directory.
  • by DaphneDiane ( 72889 ) * <tg6xin001@sneakemail.com> on Tuesday March 18, 2008 @05:28PM (#22788304)
    And how is the antivirus going to catch the problem when it first appears? When large scale OS-X viruses start appearing the existing AV software won't recognize them or know how to handle them. The software needs to have either a signature of known viruses or a heuristic that catches likely viruses. Without a large pool of OS X viruses it would be next to impossible for any AV software to protect against future threats. AV software is reactive security, not proactive. The only thing an AV program before then will do is protect against some older Mac OS virus and help avoid passing Windows viruses, that and decrease performance and increase energy usage. As the article says, the best thing to do is be smart about how you use the computer and keep abreast of any changes. Because of their limited numbers any notable Mac viruses will get reported soon after they are found, at which point it may be worthwhile reconsidering the use of AV software. Just because there is no such thing as a secure computer doesn't mean that the best way to balance the risks / cost ratio for all systems is the same.
  • Wrong Question (Score:5, Interesting)

    by bhima ( 46039 ) * <(Bhima.Pandava) (at) (gmail.com)> on Tuesday March 18, 2008 @05:39PM (#22788460) Journal
    The right question is "Should Apple take security more seriously?" YES and "Should Apple be more proactive in dealing with security issues?" YES. "Should Apple be closely following the tactics of various malware propagators and bot net operators?" YES.

    Bringing the Anti-virus & Registry Cleaner snake oil salesmen to the Mac isn't going to do anyone any good.

    Having said all that I used to use clam but never reinstalled it when I moved to Leopard...
  • by BearRanger ( 945122 ) on Tuesday March 18, 2008 @05:45PM (#22788544)
    I note that Leopard Server runs ClamAV by default, and does so without user intervention. Of course the mission for the server release is different from that of the desktop, and there may be an expectation that you'll be interacting with Windows at some point. It's capable of supporting Windows clients, and for that you should have an AV suite. It would be beyond foolish not to have one.

    Still, many people interact with Windows from their client Macs too, but not everyone. Windows is not a part of my life, for instance.

    Apple obviously felt it necessary to include an AV suite for the server release. They've tailored it for the OS, so why not ship it by default with the client release as well? Perhaps because they feel it isn't necessary, and they're choosing to err on the side of fewer wasted cycles for the majority of their users? I suspect that if a bona fide threat to OS X ever does appear ClamAV will be made available for the client release via Software Update the next day.
  • by prockcore ( 543967 ) on Tuesday March 18, 2008 @06:02PM (#22788710)

    When large scale OS-X viruses start appearing the existing AV software won't recognize them or know how to handle them.


    So true. People don't seem to understand how antivirus software works.

    A while ago, we were one of the first to be hit by those trojaned flash banner ads that have started popping up everywhere. Our users were posting comments like "don't you run antivirus?" Like there is a single AV product in the world that can identify a flash banner that was maliciously constructed.

    I ended up writing my own antivirus flash banner inspector that decompiles the banner and checks for specific strings. It can only detect banner ads that match those strings I have put in there. It works just like any antivirus company's product would.
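
An added example (not prockcore's inspector, and not code from the article): a minimal string-signature check for Flash banners, showing why such a scanner only catches what it already has strings for. It inflates the SWF body rather than decompiling it, and the signature strings and sample banners are constructed placeholders.

```python
import struct
import zlib

# Constructed placeholder signatures; real ones would come from analysed samples.
SIGNATURES = {
    "banner-redirect-A": b"redirect-demo.invalid/landing",
    "banner-popup-B": b"fake_scanner_popup_marker",
}

MAX_BODY = 16 * 1024 * 1024  # refuse to inflate more than 16 MiB


class SwfError(ValueError):
    """Input is not an SWF file this scanner can read."""


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS files."""
    if len(data) < 8:
        raise SwfError("too short for an SWF header")
    magic = data[:3]
    if magic == b"FWS":  # uncompressed SWF
        body = data[8:]
        if len(body) > MAX_BODY:
            raise SwfError("body exceeds size cap")
        return body
    if magic != b"CWS":  # CWS = zlib-compressed from byte 8 onwards
        raise SwfError("not an FWS/CWS file")
    inflater = zlib.decompressobj()
    try:
        # max_length bounds the output so a tiny file cannot expand without limit
        body = inflater.decompress(data[8:], MAX_BODY + 1)
    except zlib.error as exc:
        raise SwfError(f"corrupt zlib stream: {exc}") from exc
    if len(body) > MAX_BODY:
        raise SwfError("decompressed body exceeds size cap")
    if not inflater.eof:
        raise SwfError("truncated zlib stream")
    return body


def scan(data: bytes) -> list:
    """Return the names of all signatures whose string occurs in the body."""
    body = swf_body(data)
    return sorted(name for name, needle in SIGNATURES.items() if needle in body)


def make_swf(body: bytes, compressed: bool = True) -> bytes:
    """Build a constructed sample: 8-byte header plus (optionally deflated) body."""
    header_tail = bytes([9]) + struct.pack("<I", len(body) + 8)
    if compressed:
        return b"CWS" + header_tail + zlib.compress(body)
    return b"FWS" + header_tail + body


# Constructed samples: one matching a stored string, one trivially altered variant.
PAD = b"\x00" * 32
KNOWN = make_swf(PAD + b"getURL redirect-demo.invalid/landing" + PAD)
VARIANT = make_swf(PAD + b"getURL redirect-demo2.invalid/landing" + PAD)

if __name__ == "__main__":
    print("known  :", scan(KNOWN))    # matches the stored string
    print("variant:", scan(VARIANT))  # one changed character, no match
```

The variant differs from the known sample by a single character and is reported clean, which is the reactive behaviour the comments above describe.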
  • by Sycraft-fu ( 314770 ) on Tuesday March 18, 2008 @06:05PM (#22788738)
    Especially when you start talking upgrades they seem to be pricey. Looking at an iMac right now they want $500 to go from 1GB (the default and minimum) to 4GB. Hop over to Dell and going from 512MB (default and minimum) to 4GB is only $170. Now yes, I realise you can buy aftermarket parts, but that defeats part of the point of getting an OEM system and certainly an Apple: support. You get everything from the OEM, they are your one stop for support, particularly with Apple who also makes the OS. You start buying aftermarket, that is no longer the case.

    Now that aside, the other problem I find is that while their prices are often comparable for a system at a given point, they don't actually offer what many want. The towers are a good example. Yes, actually, their towers are fairly competitive pricewise when you spec out a similar Dell workstation with dual quad cores, lots of registered ECC RAM capacity, and so on. However the problem is what if I don't want that? What if I want a single quad core (or dual core), non-ECC RAM, and so on? There's plenty of cases where this is a much better option.

    Let's say I don't have software that scales up to 8 cores. This is fairly common these days. So let's say I'd like a quad core with 4GB of RAM. If I go the Apple tower route, $2800 is the price for that. That isn't unreasonable, since it is a single Xeon, with support for a second one, and registered, ECC RAM, which is really expensive. However, Gateway (or I suppose MPC now since they bought Gateway's business division) would be happy to sell me a E-6610Q with similar specs (HD, video, etc) for about half that ($1300).

    Now the thing is, the sort of system I listed is quite useful. We buy a good number of them here (that's why I know about it) for research. There's a lot of cases where someone wants a system that has a good processor, plenty of RAM (we often get 8GB even, which is still cheap) but just really doesn't have use for a full on workstation class system. This is even more true now that processors have gone multi-core. While 8 cores is great, there are just a lot of things that are hard to write to make use of that many. So if you aren't using more than 4, the second processor, and all the associated cost, isn't useful.

    That is the main reason I'd say Apple isn't competitive on price. A mid range tower is something that there is a whole lot of market for, but they just don't sell. If you don't want an all in one, your only option is super high end. If you don't have a need for the extra hardware, that is just money wasted.

    Same goes for people at home. For example I like to play games. An all in one wouldn't work for me. Sure, I could get a similar monitor (24" widescreen), CPU (Core 2 Duo) and RAM (4GB) to what I have. However I can't get the graphics card I have, and I can't ever upgrade it. That is a show stopper right there, since the core of the system will last a good deal longer than the video card. It'd be a waste to buy a new system when only one component needs updating. Likewise the monitor will outlast the system, again a waste to upgrade.

    That's my objection to the argument that Apple is a good value for equivalent hardware. That is true in a narrow sense sometimes, but given that they don't have a solution for a large number of people, it isn't true over all.
  • by crmarvin42 ( 652893 ) on Tuesday March 18, 2008 @06:08PM (#22788780)
    I manage for my mother, step-father, 2 sisters, cousin, and maternal grandmother. The only people in my family that could be considered remotely in the same league with the average slashdotter would be me (mac guy), my older brother (CS degree from the Naval Academy, Windows exclusively), and my younger brother (CS degree from a vocational HS, Windows/little linux). The only ones in my family to have experienced infection are my grandmother (Can't understand the concept of not opening EVERY attachment) and my younger brother (can't leave the pr0n alone). Everyone else in my family uses macs and since my grandmother was upgraded to a second hand mac she's been free of viruses and trojans without changing her surfing habits.

    I'm willing to concede the point that viruses and trojans will eventually hit the mac. However, I don't believe that the sense of security we feel is false. It's based on, in my family's case, 12 years and counting without a single infected mac, whereas my younger brother's computer was loaded down and had to be reformatted and reinstalled 2x in the first year he had it.

    Anecdotal? Yes! Compelling? Also Yes!
  • by megaditto ( 982598 ) on Tuesday March 18, 2008 @06:19PM (#22788894)
    Since they are less aware of their system's vulnerabilities... And the odd quirks of Mac OS X where a file can be named Document.doc and have a Word icon, yet be a perfectly valid double-clickable executable, or have a malicious resource fork attached to it...
  • by mlts ( 1038732 ) * on Tuesday March 18, 2008 @06:20PM (#22788910)
    A lot of companies run antivirus software even on their high end Solaris and AIX machines. Not because there is a likelihood of a RTM worm repeating itself, but because of legal reasons. A lot of corporate clients require their vendors to "have antivirus protection on all computers", a very wide and sweeping statement.

    One reason I can see putting AV on a Mac is so people (and companies) can check this box, saying that all their machines that handle customer data have antivirus protection installed, even if the utility is just triggered from a cronjob that does a scan down the filesystem for infected Windows files every so often.

    Historically, before OS X, Macs did have some viruses, although relatively few of them were malicious. Before Word macro viruses became common, John Norstad's Disinfectant was one of the more used anti-virus utilities that offered not just scanning, but in memory protection.
  • Re:AV madness (Score:3, Interesting)

    by beegle ( 9689 ) on Tuesday March 18, 2008 @06:30PM (#22789000) Homepage
    The whole signature based approach to AV seems so bizarre. Imagine trying to get into a nightclub.. The bouncer has a list. If you want to get in, he checks the list. If you're *not* on the list, then you can get in.

    This is exactly how many bars, nightclubs, and restaurants operate. They have a list of "undesirables" (usually with pictures) who have caused problems in the past who aren't allowed in. Bouncers and maître d's are supposed to know the faces on the list.

    It's not perfect, but blocking 95% of the problem is better than blocking nothing.

  • Re:Good idea (Score:3, Interesting)

    by 605dave ( 722736 ) on Tuesday March 18, 2008 @06:39PM (#22789128) Homepage
    There's a reason I have a "bad things can't happen to me" attitude. I've been using the Mac for twenty years, and have never had a virus. Or adware. Or malware. Or any of that other stuff everyone else apparently has to worry about. I've been online constantly since the early 90s, I even surfed bareback in Mac OS 9. Nothing.

    Recently I converted a friend to the Mac. She was at her brother's house, and wanted to download pictures off his camera. He offered to get the CD for drivers, and she said she didn't need it. His reply was that she had become "one of those smug Mac users." She said she then realized why people like me are always dismissed by people like you. It's like you can't believe that my reality is what it is, and has been for a long time. Do I take security seriously, yes. Strong passwords, SSL connections, and other ways. A good security policy does not have to include AV ware. And until there is some report somewhere of an actual in the wild Mac virus/adware/malware attack, I will continue to run my Macs without any third party "solutions" that often do far more harm than good to your Mac.

    So don't worry about me too much.

    Oh, and there is a reason to leave the doors unlocked: to remind yourself to not always live in fear.
  • Re:AV madness (Score:3, Interesting)

    by RAMMS+EIN ( 578166 ) on Tuesday March 18, 2008 @06:48PM (#22789274) Homepage Journal
    ``No one wants the Microsoft solution where applications need to be certified to run.''

    Actually, I do want that solution, and I've advocated it before. What is important, though, is that you can choose your own trust providers (so that the control is not all in a single entity's hands).

    Interestingly, this is pretty much what things like apt-get give you. Provided you only install software through apt-get, you get to choose your trust providers (by adding repositories to sources.list), and you can then only install software that has been approved by them.

    It works for me. I have about 20000 packages to choose from. They cover my needs. All of them are free software, and none of the ones I have installed have displayed malicious behavior. Did I mention that apt-get also graciously handles dependencies, and makes keeping the system up to date really easy and quick?
  • by Sancho ( 17056 ) on Tuesday March 18, 2008 @06:59PM (#22789420) Homepage

    But the Mac OS is the only one I always do run as admin, since 1987 in fact, and never once have I had any malware or been hacked. That's twenty-one years without a breach in security!
    ...that you know of. I'm not trying to troll, here, but it's not possible to prove that you had no infections or hacks.
  • Re:Nay! (Score:2, Interesting)

    by slashdotlurker ( 1113853 ) on Tuesday March 18, 2008 @07:08PM (#22789534)
    Typical pseudo-elitist crap I have come to expect from a Mac user over the years. Don't bash me, my wife is one.
    I am yet to come across a single case of Dells (or IBMs for that matter) being "cheap" in the sense you mean to use here. They last as long as Macs do. In fact, my home file server is an eight year old Dell running Debian with a stack of USB drives. We have done upgrades over the years - new USB card, bigger USB drives as our storage needs have expanded, etc. But it is yet to cost me an arm and a leg like my wife's Mac cost her when she tried to "upgrade" her Powerbook. Turned out it was cheaper to buy a new machine than do a hardware upgrade. For the same specs, Macs are consistently more expensive, even now when they use same / similar Intel chips as the rest of us. And don't even get into hardware upgrades - it's not even funny.
    I would have bought your argument if we were Windows users - Mac OSX beats Windows XP hollow in terms of stability, etc. But our household converted to a complete non-Windows situation years ago, and Linux, as far as apps I need in my work are concerned, beats Mac OSX. GNU apps are updated as an afterthought in fink and the entire idea of a closed source OS that could be spying on you for commercial purposes is so last century.
    So, if being funnily snooty is what floats your boat while trying to hide the hurt of overpriced hardware that Steve sells, go ahead, but don't think for a second that you are fooling too many of us. My father taught me long ago that paying more for less or the same to appear cool to some shallow friends is adolescent stupidity and most rational people want no part of that.
    Mac being higher quality than the competition is an argument strangely akin to the experience that Hillary claims as her own. False, accepted by the uncritical and self-serving at the same time.
  • by Neanderthal Ninny ( 1153369 ) on Tuesday March 18, 2008 @07:09PM (#22789550)
    I have both Norton AV and Clamav running on Mac systems. There are only a few pieces of malware for Macs (non-potent) now, but since we have to share files and data between other OSes we need to scan files that we get from them, which can be infected even if they won't really affect the Mac. If you have virtualization programs like Parallels or VMware and have Windows, a piece of malware can infect the virtual OS. Remember that VMware recently announced a vulnerability in VMware where the guest OS can affect the host OS.
    http://www.vmware.com/security/advisories/VMSA-2008-0005.html [vmware.com]
    The worst stuff comes from email, which sends all of us junk; hopefully the mail server will filter out most malware, but your system will need to filter any leakers that pass through the mail server.
    We have been under the radar of most of the malware writers but as Mac gets more popular we will get a dose of Windows malware pain sooner or later.
  • Re:Nay! (Score:3, Interesting)

    by Nexum ( 516661 ) on Tuesday March 18, 2008 @07:21PM (#22789712)
    You don't have to look very far to see how the cheaper Dell models are cheaper in build quality also.

    My girlfriend's Dell laptop for example - the plastic feels cheaper, it's bigger and clunkier than more expensive systems, there is some kind of high-pitched inductor/capacitor chirp when you move the mouse around which is incredibly irritating, the screen has a very poor viewing angle, the speakers are too quiet to watch a DVD with when there's traffic on the road outside, etc. etc. I'm not saying it's not worth the money that it costs, it was a very cheap model - but if you think you are somehow getting a no-compromise high quality product at the very cheap end then you're simply not looking hard enough at the products you're buying.
  • by Lally Singh ( 3427 ) on Tuesday March 18, 2008 @08:00PM (#22790094) Journal
    The Apple warranty's still good if you get 3rd party RAM. As long as you clearly didn't break the machine from installing it yourself, you're good to go.

    I'm speaking from years of experience here.

    As for price competition, they are competitive. What you're talking about is selection. They aren't competitive in selection. Often a lack of finding what you want ends up with you either spending money on stuff you don't need or getting less than you wanted. Hence the complaints.

    OTOH, there's a lot to be said about less selection -> better OS stability. Microsoft's been complaining about the variety of machines they've had to support for decades now.

    The selection's the price you pay for a Mac. The price argument is unfair and inaccurate. But on selection, I doubt any Mac user's going to argue with you :-)
  • by Atario ( 673917 ) on Tuesday March 18, 2008 @08:31PM (#22790352) Homepage
    You seem to be in good company. [codinghorror.com] I haven't stopped using it, but I have switched from one bloated AV package [wikipedia.org] to a supposedly-less-bloated one [wikipedia.org], to a free one [wikipedia.org] that the chart on that first link seems to say is one of the less egregious ones in relation to slowdown.

    Still not confident enough to go commando like you, though.
  • Re:No (Score:3, Interesting)

    by ceoyoyo ( 59147 ) on Tuesday March 18, 2008 @09:43PM (#22790928)
    Oh? I work in a hospital (in an all Mac lab, coincidentally). The hospital is protected by an absolutely draconian firewall. No USENET. If you want to check your e-mail, the server and port has to be specifically requested and allowed. No outside requests at all.

    So one of the doctors brings his Windows notebook in and plugs it into the hospital network. It's infected by a worm, which quickly infects all the Windows machines in the hospital, no user interaction required. Instant nightmare. The virus more or less took down the network (the only effect us Mac users noticed). Diagnostic imaging was in a shambles. All without anyone even getting the chance to exercise some self control.
  • by ceoyoyo ( 59147 ) on Tuesday March 18, 2008 @09:49PM (#22790966)
    Yup. Hospital IT requires everybody to have antivirus software. So it's officially installed, and if you're a smart user you turn it off as the first thing you do when you get your new computer.

    Virus scanners really are awfully invasive. If there's ever a virus signature for it to match then you can turn it back on.
  • The problem is (Score:5, Interesting)

    by Sycraft-fu ( 314770 ) on Wednesday March 19, 2008 @01:35AM (#22792316)
    That it isn't that I don't like it. There are two big problems:

    1) There is a major segment of the market that Macs don't cover. Basically anyone who doesn't want an all-in-one, but doesn't want or can't afford a high end workstation. They have no offerings for that market. If I was the weirdo for wanting that, I'd be ok with it, but that is the major market out there. There's a whole lot of reason to want a computer like that. For example in our instructional labs, we can't afford high end workstations, not when we are getting 50 computers, nor do we have a need for that power. However an all-in-one is a bad idea. Why? Because monitors last a lot longer than computers. One of our labs has undergone two upgrades to the computers but is still using the same monitors. Eventually they'll have to be replaced, but LCDs last a good long time.

    This is a real good thing, because generally it is a situation like "You have $50,000 to spend on the lab." Ok, that's $1000 per computer. Well, $150 not spent on a monitor is $150 that can be spent on a faster processor or more memory and so on. No reason to replace a perfectly good monitor just because the computer is out of date. It is a non-trivial part of the budget that would have to be spent on even a fairly small monitor.

    2) All the arguments that Macs are "good value for the money." No, they aren't for most people. Most people don't want a workstation, if they did, that'd be the big sales from most companies. However there is very little software that can even make use of all that, let alone people who use it. It isn't a good value to most people so the argument is bogus. It is like trying to argue that a BMW R8 is a "good value" for a normal car. No, it's not. It may be a good value for a performance luxury car, however most people aren't after that. While it may well justify its $100,000+ price tag, that doesn't change the fact that it is $100,000 and more car than most people need or can afford.

    That has always been one of Apple's value problems is this bundling of things people don't need. It isn't that nobody needs them, just that most people don't need them. However it raises cost a lot and thus makes it not a good deal for the majority of people. I wouldn't call a Precision Workstation a good deal over all either. If you need those features, ok you get a good price for them, but it still is high priced. You pay a big premium for things like 2 processors and more than 8GB of RAM. It isn't a case where 8GB = $X and 16GB = $2*X. It is more like 16GB = $5*X or $8*X. You aren't doubling the cost to get these things, you are more than doubling it. What's more, they don't double performance. 8 cores are not twice as fast as 4 other than very special cases. As I said, there's precious little that can use all that, and even some of the apps that can (like say a good DAW) don't really have a use for it in most situations. Likewise getting more RAM doesn't help performance unless you actually have apps that need it. Just having more sitting there doesn't help.

    There are plenty of cases with PCs where I give the advice of "Don't go above this unless you really need it because it incurs a big premium." The problem with Macs is, you just don't have that option. You want a tower? You get a bunch of expensive hardware, need it or not. Thus it really isn't a good value for most people.
  • Re:Nay! (Score:3, Interesting)

    by MacWiz ( 665750 ) <gzieman54&gmail,com> on Wednesday March 19, 2008 @03:12AM (#22792748) Journal
    The Mac I'm using right now was manufactured in July 1998 and purchased very shortly thereafter.
    At the time I bought it, my band mate purchased a Windows machine because it was more economical. He saved somewhere between $350 - $500, compared to my Mac purchase, which was $1300.

    In the 10 years that have passed, he has purchased at least four or five new computers, plus sound cards, video cards, it's always something. Don't know how many weeks a year he spends re-installing his system, running antivirus, trying to keep up with the Security Patch of the week, etc. Whenever I asked him if he had a copy of a song that we were working on, his system was inevitably crashed.

    I'm still using the same machine. Use it every day. Do a lot of multi-track audio, graphics, web development and the occasional cross-platform client-server relational database development. Bought a bigger hard drive, went through a few monitors, maxed out the RAM (and no, this does NOT void your Apple warranty). It has never required service, although I do open it every third year or so just to blow out the dust. It does 100% of what I need it to and 97% of what I want it to. Ran an antivirus on it once this decade, but I've been using Macs since 1986 and I've never seen an infected Mac.

    Never had a single day of downtime in 10 years. I gave the beta version of OSX a shot when it first appeared, didn't like the way it ran on that machine and reinstalled OS9. Never had any real system problems prior to that event or since. Haven't bought any software since 2000, except for ProTools, which I got for half-price from my friend because it just didn't work right on his Windows machine. Five albums worth of material later, no problems to report.

    I'm really not trying to be a fanboy, not trying to be smug. If you prefer PCs, then buy them. I'm not going to try to convince you to come over to the "think different" side. You either want to or you don't. Business compatibility issues might also dictate the choice.

    The price comparison between Macs and PCs changes drastically when you consider the lifespans of the two machines. Then factor in the time spent trying to keep them running (almost zero for the Mac). Time is money, you know. Unless you can buy at least four budget PCs for less than the price of a Mac, you're going to spend far, far more than the "rich guy".

    This is why Apple's market share has always remained so low. They last forever. Truly dead Macs are almost as rare as virus-infected Macs. If you're basing your decision solely on cost, a Mac is much cheaper in the long run. Good tools cost more and last longer.

    I'd think it comes down to whether you intend to play games or do some kind of work where your data is important and downtime is an expense, as opposed to an inconvenience.
