Should I get an antivirus for my Mac?

Question

There are some people saying that people should use an antivirus software on Mac. And there are thousands of people claiming that Macs don't get viruses (under this term I mean spyware / malware as well), some even say that it's just a trick from antivirus companies to say that there is a need for antivirus.

Honestly, I'm a bit confused. I don't want to waste resources on a possible unnecessary antivirus software, but I want to have my computer safe.

If it's common knowledge that Macs don't get viruses for quite some years now, shouldn't there be some bad people thriving to prove this wrong?

( Edit, here is a quite recent reference on people dismissing antivirus softwares on mac: https://discussions.apple.com/message/24714586. )

Answer 1

There is no clear evidence that third party anti-malware security software (AV software) is more effective than Apple's own security solutions to protect Macs. Rich Mogull on the Mac TidBITS blog explains:

Far less malware exists for Macs, but even there we see limited effectiveness across tools. For example, in a recent test by Thomas Reed, even the best Mac malware tool detected only 90 percent of the known malware samples used. This is a poor showing — we only see dozens of Mac malware variants per year, compared to 65,000 per day for Windows.

Despite Flashback being used as a call to arms to encourage people to adopt antivirus tools, most of those tools failed to detect Flashback for weeks — until it was highly publicized.

AV Vendors make a number of dubious claims with little real-world verification; if a widespread "zero day" attack did hit, there is no reason to expect third party software, which relies on signature databases, to be able to identify and stop it. Some third party Mac AV packages didn't recognize well documented Flashback variants for more than a year after it first hit.

More, Apple has its own security features, Xprotect and Gatekeeper, which do a good job of identifying and preventing known and potential malware from executing on your system. Apple keeps these up to date, and is generally good about patching known security issues quickly.

Third party AV software does have some (limited) utility in protecting non-Mac systems from infected files sourced from other non-Mac systems (sharing documents, etc.)

Answer 2

This is a little long but this exact argument has been rehashed for the last 14 years. I want to put it to bed.

I worked for Apple Tech support from 1992-2001 and have been an Apple developer since. So, I have a very good historical view of Apple ecosystem malware security.

My conclusion? 3rd party anti-malware software on the Mac is unnecessary and as Ari Trachtenberg noted, can cause more problems that it solves.

It's akin to swallowing a hand full of antibiotics whenever you get the slightest sniffle. The antibiotics are going to do more damage than they prevent. In my professional opinion, installing anti-malware on the Mac is far more likely to cause crashes, lost data, slowed workflows and security problems than they prevent.

If you ask Apple technical professionals like myself e.g. programmers and technical support types, you won't find more than few percent that bother with 3rd party anti-malware software. By contrast, you won't find any Microsoft technical professionals that don't. That alone says everything.

Apple operating systems are the most secure of all mass market operating systems. Why? Because Apple made the core design decision over 15 years ago to prioritize security over data flow openness. Microsoft and later Google set the opposite priority.

That's it. Whether that tradeoff is the right one or the right one for any particular user is matter of subjective opinion. What is not subjective is that Apple products are massively secure compared to their competitors.

They are so secure than they require no additional anti-malware protection except in certain very raw use cases.

Almost everything Lucas Kauffman said is true in the vaguely general but wrong in the specifics. And an analysis of the tradeoffs is in the details.

Macs do get viruses,

There's never been a an actual Mac OS X or iOS virus in the wild that infected any end user's computer. Viruses are malware that can auto replicate without human interaction. All the malware listed in the 10 years of Malware for OSX article are actually trojans. Trojans require that a human being intentionally install the malware and give it permissions to run.

The Mac already comes with Apple's File Quarantine system, which has a trojan blacklist built-in that Apple maintains and updates. Since most trojans now are encrypted, I doubt a 3rd party app will do a better job than the OS.

To use a 3rd party anti-malware program, you have to give that program itself the run of your system and that causes it's own problems and opens its own potential security holes. The tradeoff just isn't worth it in the vast majority of cases.

There have been numerous vulnerabilities published which affect both OS:X or software running on OS:X.

Don't mistake "vulnerabilities" for actual operating threats. Security companies and the media make a lot of noise about this or that "vulnerabilities" discovered on operating but that doesn't mean any end user actually gets hit by malware using the vulnerabilities.

Neither do the number of vulnerabilities have any relationship to threat potential they poise. One bad vulnerability can cause more damage than hundreds of minor ones. It's vulnerability of your front door that a rouge locksmith could pick the lock. That is not the same level of threat as someone malicious having your house keys.

To actually cause harm to end users, Malware authors have to find the vulnerabilities, then come up with an economic model to exploit them, develop the malware and then distribute it, all before Apple patches the vulnerability. After 14 years, nobody has been able to do that.

...the main reason why there were historically so few viruses around for Mac is because their market share was so small.

That's a common assertion but its not true. In the mid-1990s, Macs running Mac OS Classic had a 2% marketshare and around 50% of the viruses. Before the internet got big, Macs exchanged files on disk a lot more than PCs which tended to be linked to specific big iron databases with little infection potential. Mac OS Classic had virtually no built security so when malware got in the mac went down like, "an Aztec sneezed on by a Spaniard" as one of colleques colorfully put it.

I worked at Apple Tech support back then and we all ran Anti-Virus and encouraged our customers to do so. Macs that came with software bundles shipped with 3rd party anti-malware software preinstalled.

We were getting hammered with viruses and worms and then the switch to MacOS X came and it all stopped cold. But we all believe that as soon as MacOSX had been around a year or so that the malware authors would hammer us again.

But it never happened.

I ran anti-viral software on my Macs for 5 years on MacOS X without a single active hit. (lots of .exe files from the internet though.) Finally, I just gave up.

It's implausible that after 14 and two platforms that not a single virus managed to hit an Apple OS and only a literal handful of trojans. Even if Apples has a smaller market share, there are still hundreds of millions of Apple devices out there 90% of them running no 3rd party anti-malware software. That's a big potential payday for anyone.

Moreover, because Mac users specifically don't run anti-virus, once a machine got infected, it would stay that way for longer than a Windows machine offering a much bigger payout per infected machine. Yet, still, nothing.

Clearly something technical happened in the shift form MacOS classic to MacOS X. MacOS X was simply more secure.

The low market share myth was utterly destroyed by the rise of iOS and Android. iOS dominated the smartphone market for 4-5 years at least, yet no one wrote successful viruses for it. When Android came out, viruses appeared almost immediately. Neither does the ratio of malware in the wild correlate with market share. Android has 2-3 times the market share of iOS but whopping 112 times the percentage (79% vs 0.7%) of the active malware.

Compared to iOS, Android at present is at present massively infected.

The simple truth is that Google, like Microsoft before them, made a design decision to emphasize openness of data flow more than security. That openness and freedom is pretty much like the openness and freedom of having a house, or worse a bank, with no locking doors. It has it's advantages but security isn't one of them.

Apple by contrast is rabid about security to the point where it is a severe headache for developers. Most Apple users are totally unaware how hard developers have to work to make apps share data and still comply with Apple's security requirements.

Even if the low market share myth were true, it would still mean that Mac end user was still more secure than a Windows users, it just wouldn’t be for technical reasons.

Remember there are numerous malware instances which will work as well on Mac as they work on Windows.

Well, no. You can pick up malware from Microsoft products but unlike on Windows, the infections remain isolated within the app. I've searched for proven losses from Windows cross platform infections and, somewhat to my surprise, can't seem to find them. In the real world worst case is that you pass the malware onto to someone with a Windows machine where it causes trouble.

Java malware are hard for 3rd party anti-virus programs to detect because may Java files are encrypted these days. The recent Java malware was a risk and it took Oracle so long to patch it that Apple choose to switch off Java by default just in case. Still, there don't seem to have been any serious losses associated with it on the Mac.

Likely because writing cross platform exploits is very hard, and increases the size of the piece of malware which makes it harder to spread and easier to detect. Even it you get it running on a faulty app on the Mac, it's unlikely that it do anything. For example, you can't hijack the Mac's mail app from Word the way you can hijack Entourage.

Still, if you deal with receiving and then resending a large number of Microsoft app files, then using a 3rd party anti-virus might be worth the while just to protect the people you resend to.

Generally OS:X, because of its architecture already has decent protection, but this does not mean it's completely safe.

Nothing is perfectly safe. This is about tradeoffs. On Windows, the tradeoffs are clear. Even with a thoroughly updated version of the OS, if you put a new clean unit online it will be infected in days, if not hours. 3rd party anti-malware is clearly worth the tradeoffs.

By contrast, if you put a clean new Mac online it can go for years or decades without being infected. Why bother with all the tradeoffs, including increased security risk, for a microscopic chance it will pay off despite all the evidence it won't?

There is already an increase in malware development for OS:X and the attacks are also becoming more advanced.

Maybe true, but they that doesn't mean the attacks are becoming more successful or that end users are being harmed more. The numbers just don't show actual real world harm.

Microsoft is like an army in a bunker which is constantly under attack and at high rate. They have been so for 10 years and this allowed them to increase their capabilities in responding to vulnerabilities. Apple, on the other hand, is more like a bunker which gets some pesky attackers every once in a while but nothing too serious.

Well, I'd say that Microsoft's design decisions put them in the place of Poland while Apple's put them in the position of Switzerland.

In any case, the analogy is flawed because there are quite a lot of vulnerabilities being constantly reported for Apple just like Microsoft and Google. If Apple were like an army that hadn't any battle expense, then those vulnerabilities would eventually translate into serious malware problems for end users. Yet, after 14 year they haven't.

The simple truth is that Apple is simply far more concerned about security and more adept at securing vulnerabilities than Microsoft or Google. Apple decided 14 years ago that when security and data openness conflicted, security would trump openness. In the last few years, they've emphasized it even more.

Like I said, I believe that this is going to shift soon.

Well, "soon" is obviously longer than 14 years because that's how long this exact same argument has been made. I gave up on the idea 9 years ago.

Remember, Apple isn't sitting still on security either. Apple has the most aggressive security design of any platform right now and its getting more secure with every release. The Mac is evolving to a system like iOS where apps are completely isolated by default. Moreover, the apps themselves are actually more and more composite applications themselves composed of isolated sub applications. You have to use at least two separate and unrelated exploits to penetrate a single app under this system (sandbox) and even then you've still only subverted a single isolated app.

Therefore, AV software might be also a good thing because they can often also help mitigate issues if Apple fails to address severe vulnerabilities fast enough.

Given Apples excellent track record, which is based on their core design decisions, I would bet on Apple based on 14 year of real world experience. I haven't been able to find a case in which 3rd party software defeated a problem before Apple did. Apple has the same information on emerging threats as 3rd party developers combined with the detailed knowledge of their operating system. Apple can usually patch any exploit before the anti-malware developers can roll out an update to merely detect the problem.

When you get a Mac, you lose some benefits of the Windows world, no doubt. But as a tradeoff you also get some benefits. One of those benefits is a huge boost in security so massive that most Windows users can’t even believe it. That’s were all this “any day now” prediction of a malware apocalypse for Apple comes from.

Based on Apples proven track record to date, if you use Macs, you can expect to go another 14 years without a malware problem. I'd say that obviates the need for the expense and hassle of additional software.

Just don't download installers from porn sites, then ignore the security warning, then run the installer and then give it your password, and you'll be fine.

Answer 3

I'll answer in the form of an anecdote.

Back in 2003, I was working in tech support for a Mac-based organisation. We were essentially a government contractor and, as such, nearly all our money came from sending Microsoft Word documents to the government to document what we had done and what we should be paid for.

Someone managed to bring a Word macro virus into the system. It executed only within Microsoft Word but the macro language is the same across Windows and Mac computers so it ran just fine. As well as documents, it could infect the preferences file and after that, any Word document you opened up on that same computer. As files were shared around, more and more computers were infected. Shortly, we found that we couldn't submit the Word documents to the government agency responsible for paying us because they were rejected at their email gateway.

On a Windows machine, the virus in question also attempted to deleted the C: drive. Of course, that didn't work on a Mac so we were unaware that we even had the virus. It didn't affect us until we sent it to the government.

The clean up was a big pain. The computers were spread from Cairns to Adelaide and there were only three of us in the IT department.

---

The key point here is that even malware that doesn't affect your Mac can still affect your life and/or business.

---

Native Mac malware is rare but is getting less so all the time. Many malware authors are creating cross-architecture payloads and targeting multiple vulnerabilities now because ignoring that portion of potential victims that don't use Windows is leaving money on the table.

However, antivirus is still a mixed bag. Both signatures and heuristics have their flaws (false positives and false negatives) and in some cases the antivirus software itself contains flaws that the malware can exploit. Even without malware to exploit flaws, anti-virus flaws can still cause problems on your computer.

In most cases, normal users are better off running some brand of antivirus.

(Note that this includes Apple's own File Quarantine system. If your version of Mac OS X has that, you already have anti-virus protection and I wouldn't recommend getting another one.)

Answer 4

Despite the common wisdom, I would not recommend running anti-virus for two reasons:

1. Anti-virus does not really work. Though it might catch trivial or well-known viruses, it mostly just gives you a false sense of security.
2. Anti-virus can cause problems. In order to function, anti-virus programs have to situate themselves quite low on the computer abstraction hierarchy, often below the operating system. This means that when they malfunction, they cause problems that you cannot necessarily fix simply by deleting or reinstalling the program. These problems might even not be easily attributable to the programs (e.g. random crashes, slowing down of your system).

The bottom line is that there is a cost to using inadequate security, and, in my opinion, anti-virus is inadequate.

Answer 5

Macs do get viruses, the main reason why there were historically so few viruses around for Mac is because their market share was so small.

When someone writes a virus, most of the time they want to infect as many targets as possible. So 10 years ago this would result in almost only Windows viruses since they had such large market share. Recently, however, the market share for Mac has been growing, which means sooner or later it will start attracting even more attention from malware developers. Remember there are numerous malware instances which will work as well on Mac as they work on Windows. Ladadadada already talked about Word macros, but there are also Java applets which get loaded into the browser that can be used by an attacker to execute commands on your machine.

There have been numerous vulnerabilities published which affect both OS X or software running on OS X. Generally OS X, because of its architecture already has decent protection, but this does not mean it's completely safe. There is already an increase in malware development for OS X and the attacks are also becoming more advanced. A good read on this is the 10 years of Malware for OS X article.

So do you need AV software? Yes!

There is also another reason you should take into account. This is my personal opinion:

I always make the comparison between two armies and their bunkers. Microsoft is like an army in a bunker which is constantly under attack and at high rate. They have been so for 10 years and this allowed them to increase their capabilities in responding to vulnerabilities. Apple, on the other hand, is more like a bunker which gets some pesky attackers every once in a while but nothing too serious. Like I said, I believe that this is going to shift soon. Therefore, AV software might be also a good thing because they can often also help mitigate issues if Apple fails to address severe vulnerabilities fast enough.

Answer 6

For all the tl;dr people,

No.

What you should do though is this:

1. Install nifty browser plugins like AdBlock, FlashBlock, and Disconnect.me
2. Set restrictive Flash and Java permissions
3. Firewall: on
4. prevent execution of non-identified Applications (and whitelist apps at your discretion)
5. stop telling your friends Windows is bad because it gets viruses and Macs don't

Answer 7

Here was my situation about 3 months ago. Processor running at 95C, fans on full. Puzzled I start trying to dig into whats doing it. Google Chrome had web workers (6) running at 100%. I had installed a series of colored themes for the browser so I could run profiles for contracts I had. Personal, Work, and Work2. One of the themes I had installed was malicious via googles own theme site and was using some key logging action.

I didn't find this out until after I decided to try out Kaspersky for the mac. At the same time it also found a series of malicious .htaccess files that were a sign one of the customers I had was also infected. All the re-directs to porn sites, cache modifications etc .. for a web server to essentially fall victim to. Since this content is deployed to schools it was kind of a big deal.

I reported the malicious activity by the theme (rather pretty beach scene), and was able to alert the customer there server and or one of there staff's computers had obviously become infected.

So in my respects I think it was worth it, but I had ran for 6 years prior without any. I still continue to have the web workers overheating my computer using Chrome so I just dropped it altogether.

Answer 8

I don't see anyone bringing up this explanation yet so I will. You may or may not already know that the Mac OSX kernel started as a fork of the BSD kernel. Over the years, the Mac OSX kernel has evolved into a hybrid kernel. The BSD and GNU kernels are considered Monolithic. The difference between a monolithic kernel and hybrid kernel is basically that the kernel varies (usually depending on the distro) whereas the hybrid stays the same. With that said, this difference causes how software can be executed.

If you downloaded the same exact binary/executable file (in ELF format) on a couple different Ubuntu systems, you would not be able to execute it on all of them. This is because of the fact that the executable requires the exact modules it was compiled with in order for it to work. This is an advantage and a reason why running an OS with a monolithic kernel is more secure and some what unnecessary to have antivirus software.

Now, if you downloaded the same exact binary/executable file (in APP format) on a couple different Mac OSX systems, you would see that it can be executed on all of them. This also goes with EXE files on Windows. It may also not work if its a 64 bit program trying to be run on a 32 bit system (or vise versa). This is a disadvantage and makes it easier for hackers to write and distribute viruses for these systems.

I should note too that the monolithic kernels with the highest privileges, whereas, the hybrid kernels don't and are more protected. Now on to my point. The advantage and a reason why people running an OS with a monolithic kernel