This is a little long but this exact argument has been rehashed for the last 14 years. I want to put it to bed.
I worked for Apple Tech support from 1992-2001 and have been an Apple developer since. So, I have a very good historical view of Apple ecosystem malware security.
My conclusion? 3rd party anti-malware software on the Mac is unnecessary and, as Ari Trachtenberg noted, can cause more problems than it solves.
It's akin to swallowing a handful of antibiotics whenever you get the slightest sniffle. The antibiotics are going to do more damage than they prevent. In my professional opinion, installing anti-malware on the Mac is far more likely to cause crashes, lost data, slowed workflows and security problems than it prevents.
If you ask Apple technical professionals like myself e.g. programmers and technical support types, you won't find more than a few percent that bother with 3rd party anti-malware software. By contrast, you won't find any Microsoft technical professionals that don't. That alone says everything.
Apple operating systems are the most secure of all mass market operating systems. Why? Because Apple made the core design decision over 15 years ago to prioritize security over data flow openness. Microsoft and later Google set the opposite priority.
That's it. Whether that tradeoff is the right one or the right one for any particular user is a matter of subjective opinion. What is not subjective is that Apple products are massively secure compared to their competitors.
They are so secure that they require no additional anti-malware protection except in certain very raw use cases.
Almost everything Lucas Kauffman said is true in a vaguely general way but wrong in the specifics. And an analysis of the tradeoffs is in the details.
> Macs do get viruses,

There's never been an actual Mac OS X or iOS virus in the wild that infected any end user's computer. Viruses are malware that can auto replicate without human interaction. All the malware listed in the 10 years of Malware for OSX article are actually trojans. Trojans require that a human being intentionally install the malware and give it permissions to run.
The Mac already comes with Apple's File Quarantine system, which has a trojan blacklist built-in that Apple maintains and updates. Since most trojans now are encrypted, I doubt a 3rd party app will do a better job than the OS.
To use a 3rd party anti-malware program, you have to give that program itself the run of your system and that causes its own problems and opens its own potential security holes. The tradeoff just isn't worth it in the vast majority of cases.

> There have been numerous vulnerabilities published which affect both
> OS:X or software running on OS:X.

Don't mistake "vulnerabilities" for actual operating threats. Security companies and the media make a lot of noise about this or that "vulnerability" discovered on operating systems but that doesn't mean any end user actually gets hit by malware using the vulnerabilities.
Neither does the number of vulnerabilities have any relationship to the threat potential they pose. One bad vulnerability can cause more damage than hundreds of minor ones. It's a vulnerability of your front door that a rogue locksmith could pick the lock. That is not the same level of threat as someone malicious having your house keys.
To actually cause harm to end users, malware authors have to find the vulnerabilities, then come up with an economic model to exploit them, develop the malware and then distribute it, all before Apple patches the vulnerability. After 14 years, nobody has been able to do that.
> ...the main reason why there were historically so few viruses around
> for Mac is because their market share was so small.

That's a common assertion but it's not true. In the mid-1990s, Macs running Mac OS Classic had a 2% market share and around 50% of the viruses. Before the internet got big, Macs exchanged files on disk a lot more than PCs, which tended to be linked to specific big iron databases with little infection potential. Mac OS Classic had virtually no built-in security so when malware got in the Mac went down like "an Aztec sneezed on by a Spaniard," as one of my colleagues colorfully put it.
I worked at Apple Tech support back then and we all ran Anti-Virus and encouraged our customers to do so. Macs that came with software bundles shipped with 3rd party anti-malware software preinstalled.
We were getting hammered with viruses and worms and then the switch to MacOS X came and it all stopped cold. But we all believed that as soon as MacOS X had been around a year or so the malware authors would hammer us again.
But it never happened.
I ran anti-viral software on my Macs for 5 years on MacOS X without a single active hit. (Lots of .exe files from the internet though.) Finally, I just gave up.
It's implausible that after 14 years and two platforms not a single virus managed to hit an Apple OS and only a literal handful of trojans. Even if Apple has a smaller market share, there are still hundreds of millions of Apple devices out there, 90% of them running no 3rd party anti-malware software. That's a big potential payday for anyone.
Moreover, because Mac users specifically don't run anti-virus, once a machine got infected, it would stay that way for longer than a Windows machine offering a much bigger payout per infected machine. Yet, still, nothing.
Clearly something technical happened in the shift from MacOS Classic to MacOS X. MacOS X was simply more secure.
The low market share myth was utterly destroyed by the rise of iOS and Android. iOS dominated the smartphone market for 4-5 years at least, yet no one wrote successful viruses for it. When Android came out, viruses appeared almost immediately. Neither does the ratio of malware in the wild correlate with market share. Android has 2-3 times the market share of iOS but a whopping 112 times the percentage (79% vs 0.7%) of the active malware.
Compared to iOS, Android is at present massively infected.
The simple truth is that Google, like Microsoft before them, made a design decision to emphasize openness of data flow more than security. That openness and freedom is pretty much like the openness and freedom of having a house, or worse a bank, with no locking doors. It has its advantages but security isn't one of them.
Apple by contrast is rabid about security to the point where it is a severe headache for developers. Most Apple users are totally unaware how hard developers have to work to make apps share data and still comply with Apple's security requirements.
Even if the low market share myth were true, it would still mean that a Mac end user was still more secure than a Windows user, it just wouldn't be for technical reasons.

> Remember there are numerous malware instances which will work as well
> on Mac as they work on Windows.

Well, no. You can pick up malware from Microsoft products but unlike on Windows, the infections remain isolated within the app. I've searched for proven losses from Windows cross platform infections and, somewhat to my surprise, can't seem to find them. In the real world, the worst case is that you pass the malware on to someone with a Windows machine where it causes trouble.
Java malware is hard for 3rd party anti-virus programs to detect because many Java files are encrypted these days. The recent Java malware was a risk and it took Oracle so long to patch it that Apple chose to switch off Java by default just in case. Still, there don't seem to have been any serious losses associated with it on the Mac.
Likely because writing cross platform exploits is very hard, and increases the size of the piece of malware, which makes it harder to spread and easier to detect. Even if you get it running on a faulty app on the Mac, it's unlikely that it will do anything. For example, you can't hijack the Mac's mail app from Word the way you can hijack Entourage.
Still, if you deal with receiving and then resending a large number of Microsoft app files, then using a 3rd party anti-virus might be worth the while just to protect the people you resend to.
> Generally OS:X, because of its architecture already has decent
> protection, but this does not mean it's completely safe.

Nothing is perfectly safe. This is about tradeoffs. On Windows, the tradeoffs are clear. Even with a thoroughly updated version of the OS, if you put a new clean unit online it will be infected in days, if not hours. 3rd party anti-malware is clearly worth the tradeoffs.
By contrast, if you put a clean new Mac online it can go for years or decades without being infected. Why bother with all the tradeoffs, including increased security risk, for a microscopic chance it will pay off despite all the evidence it won't?
> There is already an increase in malware development for OS:X and the
> attacks are also becoming more advanced.

Maybe true, but that doesn't mean the attacks are becoming more successful or that end users are being harmed more. The numbers just don't show actual real world harm.
> Microsoft is like an army in a bunker which is constantly under attack
> and at high rate. They have been so for 10 years and this allowed them
> to increase their capabilities in responding to vulnerabilities.
>
> Apple, on the other hand, is more like a bunker which gets some pesky
> attackers every once in a while but nothing too serious.

Well, I'd say that Microsoft's design decisions put them in the place of Poland while Apple's put them in the position of Switzerland.
In any case, the analogy is flawed because there are quite a lot of vulnerabilities being constantly reported for Apple just like Microsoft and Google. If Apple were like an army that hadn't any battle experience, then those vulnerabilities would eventually translate into serious malware problems for end users. Yet, after 14 years they haven't.
The simple truth is that Apple is simply far more concerned about security and more adept at securing vulnerabilities than Microsoft or Google. Apple decided 14 years ago that when security and data openness conflicted, security would trump openness. In the last few years, they've emphasized it even more.
> Like I said, I believe that this is going to shift soon.

Well, "soon" is obviously longer than 14 years because that's how long this exact same argument has been made. I gave up on the idea 9 years ago.
Remember, Apple isn't sitting still on security either. Apple has the most aggressive security design of any platform right now and it's getting more secure with every release. The Mac is evolving to a system like iOS where apps are completely isolated by default. Moreover, the apps themselves are actually more and more composite applications themselves composed of isolated sub applications. You have to use at least two separate and unrelated exploits to penetrate a single app under this system (sandbox) and even then you've still only subverted a single isolated app.

> Therefore, AV software might be also a good thing because they can
> often also help mitigate issues if Apple fails to address severe
> vulnerabilities fast enough.

Given Apple's excellent track record, which is based on their core design decisions, I would bet on Apple based on 14 years of real world experience. I haven't been able to find a case in which 3rd party software defeated a problem before Apple did. Apple has the same information on emerging threats as 3rd party developers combined with the detailed knowledge of their operating system. Apple can usually patch any exploit before the anti-malware developers can roll out an update to merely detect the problem.
When you get a Mac, you lose some benefits of the Windows world, no doubt. But as a tradeoff you also get some benefits. One of those benefits is a huge boost in security so massive that most Windows users can't even believe it. That's where all this "any day now" prediction of a malware apocalypse for Apple comes from.
Based on Apple's proven track record to date, if you use Macs, you can expect to go another 14 years without a malware problem. I'd say that obviates the need for the expense and hassle of additional software.
Just don't download installers from porn sites, then ignore the security warning, then run the installer and then give it your password, and you'll be fine.